Module owlyshield_ransom::process
Where the activities of processes are recorded and where the features are computed that feed the input tensors used in the crate::predictions module.
A GID is a family of processes
Each Windows process has a unique parent. However, there are notable differences from Linux:
- Process creation is achieved by calling CreateProcess, which differs from fork,
- A process can erase its genealogy, and even change its parent!
Process creations are monitored by the minifilter. As all processes are children of the Windows System process, identified by pid == 4, the minifilter defines subfamilies identified by a unique group id (referred to as gid in the code).
How is a GID state maintained over time?
A ProcessRecord instance is associated with each GID identified by the driver. The crate::driver_com::shared_def::IOMessage values fetched from the minifilter contain data that are aggregated in real time and used for predictions by the RNN.
Time is not a good metric
Let's consider two scenarios about the performance of the client hardware hosting Owlyshield:
- If it is very fast, we would observe a very quick increase in activity over time, resulting in false positives,
- If it is very slow, the model would have poor recall for malware, since its activity would appear very slow.
That's why Owlyshield uses a time-independent metric: the number of driver messages received from the minifilter.
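As an added example (not the crate's own code), a simplified tracker that applies the two ideas above: it assigns a gid to each process, with direct children of System (pid 4), and processes whose parent is unknown, opening a new family and every other process inheriting its parent's gid, and it aggregates per-family features counted per driver message rather than per unit of time. The IoMsg type, its field names and the bytes_written counter are assumptions for this example, not the crate's IOMessage.

```rust
use std::collections::HashMap;

/// Windows "System" process: every other process descends from it.
const SYSTEM_PID: u32 = 4;
/// Constructed stand-in for a minifilter message; not the crate's IOMessage.
#[derive(Clone, Copy)]
pub struct IoMsg { pub pid: u32, pub ppid: u32, pub bytes_written: u64 }
/// State of one family (gid). Activity is measured in driver messages
/// received, never in elapsed time.
#[derive(Default)]
pub struct GidRecord { pub pids: Vec<u32>, pub msgs: u64, pub bytes_written: u64 }
impl GidRecord {
    /// A feature normalised per message: the same on fast and slow hosts.
    pub fn bytes_per_msg(&self) -> f64 {
        if self.msgs == 0 { 0.0 } else { self.bytes_written as f64 / self.msgs as f64 }
    }
}

#[derive(Default)]
pub struct Tracker {
    pid_to_gid: HashMap<u32, u64>,
    pub records: HashMap<u64, GidRecord>,
    next_gid: u64,
}

impl Tracker {
    /// Children of System open a new family; others inherit the parent's gid.
    /// An unknown parent (exited, or genealogy erased) also opens a new family.
    pub fn gid_for(&mut self, pid: u32, ppid: u32) -> u64 {
        if let Some(&g) = self.pid_to_gid.get(&pid) { return g; }
        let g = match self.pid_to_gid.get(&ppid) {
            Some(&parent) if ppid != SYSTEM_PID => parent,
            _ => { self.next_gid += 1; self.next_gid }
        };
        self.pid_to_gid.insert(pid, g);
        self.records.entry(g).or_default().pids.push(pid);
        g
    }
    /// Aggregate one message into its family's record and return the gid.
    pub fn ingest(&mut self, m: IoMsg) -> u64 {
        let g = self.gid_for(m.pid, m.ppid);
        let r = self.records.get_mut(&g).expect("created by gid_for");
        r.msgs += 1;
        r.bytes_written += m.bytes_written;
        g
    }
}
```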
Structs
A simple tuple-struct wrapping Windows file ids.
A tuple-struct to communicate with the thread in charge of calculating the clusters.
GID state in real-time. This is a central structure.