Giters

alicimertcan / Owlyshield

Owlyshield is an open-source AI-driven behaviour based antiransomware engine written in Rust.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Translations:


Logo

Owlyshield

An AI antivirus written in Rust
Explore the Doc

Access training data · Read the technical doc · Request Feature

Table of Contents
  1. Owlyshield
  2. Getting Started
  3. Roadmap
  4. Contributing
  5. License
  6. Contact
  7. Acknowledgments

Gif Demo Owlyshield

Owlyshield

Owlyshield is an open-source AI-driven antivirus engine written in Rust.

Open-source philosophy

We at SitinCloud 🇫🇷 strongly believe that cybersecurity products should always be open-source:

  1. In addition to the source code, we provide a complete wiki and code documentation,
  2. You are able to check the product does not add a new vulnerability which could be used to exploit your systems,
  3. We provide specific entrypoints in the code to make interfacing with third-party tools easy (specifically SIEM and EDRs).

How does it work?

  1. A minifilter (a file system filter driver) intercepts I/O request packets (IRPs) to collect metadata about what happens on the disks (DriverMsg in the sources),
  2. Owlyshield-predict uses the previously created DriverMsgs to compute features submitted to a RNN (a special type of neural network wich works on sequences),
  3. If the RNN predicts a malware, owlyshield-predict asks the minifilter to kill the malicious processes and send a very detailed report about what happened to your SIEM tools (and/or a local file).

Components

How was the model trained?

The model was trained with malwares from the real world collected from very diverse places on the internet (dark web, by sharing with researchers, analysis of thousands of downloads with virustotal).

We ran them on Windows VMs with owlyshield working in a specific mode (--features record) to save the IRPs. Owlyshield-predict with --features replay was then used to write the learning dataset (a csv file).

Owlyshare is the place where we share those vast collections of malwares with cybersecurity researchers. You may apply for an access by sending us an email.

Community vs commercial versions

Both versions share the same source code. The commercial version adds the following features:

  • Driver signing of the minifilter, allowing it to be installed without having to start Windows in test-signing mode (see Prerequisites),
  • A webapp gathering all incidents data to help IT staff to understand the scope of the attack within the company networks and act accordingly (or classify it as a false positive),
  • Interfaces with your log management tools (we even provide an API),
  • Scheduled tasks to auto-update the application.

(back to top)

Getting Started

Prerequisites

  1. Install the Microsoft Visual C++ Redistributable packages
  2. Disable "Driver Signature Enforcement" at Windows startup. This is only required if you did not get a copy of the driver signed by Microsoft for SitinCloud (we provide it for free if you are a contributor).

Installation

We regularly release installers (in the Releases GitHub section). You may need to enable the driver signin mode (the Signed Driver is part of the commercial version) as explained in Prequisites.

Please refer to the Wiki if you prefer to build it yourself.

(back to top)

Roadmap

  • Release the windows driver (minifilter)
  • Documentation
    • Source code doc
    • Wiki
    • Pre-print
  • Model (RNN)
    • behavioral features
    • static features
    • TBTT with TFlite (it does not support stateful LSTMs)
  • connectors
    • strategy pattern
    • connector with Sitincloud's interface
    • others connectors with proprietary and open-source projects
  • Linux Driver?

Suggestions are welcome (see Contributing).

See the open issues for a full list of proposed features (and known issues).

(back to top)

Contributing

We help our contributors by providing them with:

  • A copy of the driver signed by Microsoft,
  • A free access to Owlyshare, the place where we store our learning data (and vast collections of malwares) if needed,

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

(back to top)

License

Distributed under the EUPL v1.2 license. See LICENSE.txt for more information.

(back to top)

Contact

Damien LESCOS - @DamienLescos - opensource@sitincloud.com

Project Link: https://github.com/SitinCloud/Owlyshield/

Company Link: SitinCloud

(back to top)

Acknowledgments

(back to top)

About

Owlyshield is an open-source AI-driven behaviour based antiransomware engine written in Rust.

License:European Union Public License 1.2

Languages

Language:Rust 65.3%Language:C++ 27.5%Language:C 5.2%Language:Inno Setup 1.9%