sitincloud/owlyshield

Owlyshield open source security platform

An OSS security platform written in rust with security threat detection

Translations:

  • Chinese: / 中文: README_CN

Owlyshield

An AI antivirus written in Rust
Explore the Doc

Access training data · Read the technical doc · Request Feature

Table of Contents
  1. Owlyshield
    • Open-source philosophy
    • How does it work?
    • How was the model trained?
    • Community vs commercial versions
  2. Getting Started
    • Prerequisites
    • Installation
  3. Roadmap
  4. Contributing
  5. License
  6. Contact
  7. Acknowledgments

Owlyshield

Owlyshield is an open-source AI-driven antivirus engine written in Rust.

Open-source philosophy

We at SitinCloud 🇫🇷 strongly believe that cybersecurity products should always be open-source:

  1. In addition to the source code, we provide a complete wiki and code documentation,
  2. You are able to check the product does not add a new vulnerability which could be used to exploit your systems,
  3. We provide specific entrypoints in the code to make interfacing with third-party tools easy (specifically SIEM and EDRs).

How does it work?

  1. A minifilter (a file system filter driver) intercepts I/O request packets (IRPs) to collect metadata about what happens on the disks (DriverMsg in the sources),
  2. Owlyshield-predict uses the previously created DriverMsgs to compute features submitted to an RNN (a special type of neural network which works on sequences),
  3. If the RNN predicts malware, owlyshield-predict asks the minifilter to kill the malicious processes and sends a very detailed report about what happened to your SIEM tools (and/or a local file).
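As an added illustration of steps 1 and 2 (and of the CSV dataset written by the replay mode described below), here is example code that is not part of Owlyshield: it folds a window of driver events into per-process behavioural counters. The DriverMsg fields, the IrpOp variants and the feature set are assumptions, not the project's real types.

```rust
// Added example, not Owlyshield's own code: turn a window of minifilter
// events (the page's DriverMsg) into per-process features. Fields are assumed.
use std::collections::{BTreeMap, HashSet};
#[derive(Clone, Copy, Debug)]
pub enum IrpOp { Create, Write, Rename, Delete }
/// Assumed shape of one file-system event as the driver reports it.
pub struct DriverMsg { pub pid: u32, pub op: IrpOp, pub path: String }

/// Per-process counters a sequence model could consume.
#[derive(Debug, Default)]
pub struct Features {
    pub creates: u32, pub writes: u32, pub renames: u32, pub deletes: u32,
    pub distinct_dirs: u32, pub distinct_exts: u32,
}

/// Split a Windows path into (directory, extension); either may be empty.
fn split_path(p: &str) -> (&str, &str) {
    let dir = p.rfind('\\').map_or("", |i| &p[..i]);
    let file = &p[dir.len()..];
    (dir, file.rfind('.').map_or("", |i| &file[i + 1..]))
}

/// Aggregate a window of events by pid; bursts of writes and renames across
/// many directories and extensions are the pattern a ransomware model learns.
pub fn extract(msgs: &[DriverMsg]) -> BTreeMap<u32, Features> {
    let mut dirs: BTreeMap<u32, HashSet<&str>> = BTreeMap::new();
    let mut exts: BTreeMap<u32, HashSet<&str>> = BTreeMap::new();
    let mut out: BTreeMap<u32, Features> = BTreeMap::new();
    for m in msgs {
        let f = out.entry(m.pid).or_default();
        match m.op {
            IrpOp::Create => f.creates += 1, IrpOp::Write => f.writes += 1,
            IrpOp::Rename => f.renames += 1, IrpOp::Delete => f.deletes += 1,
        }
        let (d, e) = split_path(&m.path);
        dirs.entry(m.pid).or_default().insert(d);
        exts.entry(m.pid).or_default().insert(e);
    }
    for (pid, f) in out.iter_mut() {
        f.distinct_dirs = dirs[pid].len() as u32;
        f.distinct_exts = exts[pid].len() as u32;
    }
    out
}

/// One CSV row per process, in the spirit of the replay-mode dataset.
pub fn to_csv_row(pid: u32, f: &Features) -> String {
    format!("{},{},{},{},{},{},{}", pid, f.creates, f.writes, f.renames,
            f.deletes, f.distinct_dirs, f.distinct_exts)
}
```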

How was the model trained?

The model was trained with real-world malware samples collected from very diverse places on the internet (the dark web, sharing with researchers, analysis of thousands of downloads with VirusTotal).

We ran them on Windows VMs with Owlyshield working in a specific mode (--features record) to save the IRPs. Owlyshield-predict with --features replay was then used to write the learning dataset (a CSV file).

Owlyshare is the place where we share those vast collections of malware samples with cybersecurity researchers. You may apply for access by sending us an email.

Community vs commercial versions

Both versions share the same source code. The commercial version adds the following features:

  • Driver signing of the minifilter, allowing it to be installed without having to start Windows in test-signing mode (see Prerequisites),
  • A web app gathering all incident data to help IT staff understand the scope of an attack within the company network and act accordingly (or classify it as a false positive),
  • Interfaces with your log management tools (we even provide an API),
  • Scheduled tasks to auto-update the application.

(back to top)

Getting Started

Prerequisites

  1. Install the Microsoft Visual C++ Redistributable packages
  2. Disable "Driver Signature Enforcement" at Windows startup. This is only required if you did not get a copy of the driver signed by Microsoft for SitinCloud (we provide it for free if you are a contributor).

Installation

We regularly release installers (in the Releases GitHub section). You may need to enable driver test-signing mode (the signed driver is part of the commercial version) as explained in Prerequisites.

Please refer to the Wiki if you prefer to build it yourself.

(back to top)

Roadmap

  • Release the windows driver (minifilter)
  • Documentation
    • Source code doc
    • Wiki
    • Pre-print
  • Model (RNN)
    • behavioral features
    • static features
    • TBTT with TFlite (it does not support stateful LSTMs)
  • connectors
    • strategy pattern
    • connector with Sitincloud's interface
    • other connectors with proprietary and open-source projects
  • Linux Driver?

Suggestions are welcome (see Contributing).

See the open issues for a full list of proposed features (and known issues).

(back to top)

Contributing

We help our contributors by providing them with:

  • A copy of the driver signed by Microsoft,
  • Free access to Owlyshare, the place where we store our learning data (and vast collections of malware samples), if needed.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

(back to top)

License

Distributed under the EUPL v1.2 license. See LICENSE.txt for more information.

(back to top)

Contact

Damien LESCOS - @DamienLescos - [email protected]

Project Link: https://github.com/SitinCloud/Owlyshield/

Company Link: SitinCloud

(back to top)

Acknowledgments

  • RansomWatch
  • Behavioural machine activity for benign and malicious Win7 64-bit executables

(back to top)

Versions

Find the latest versions by id

v0.9.0a - Nov 16, 2021

The installer creates an "Owlyshield Service" service with a dependency on the minifilter.

Please note the minifilter is not signed, which implies you have to disable "Driver Signature Enforcement" in the advanced boot options (hold Shift and click restart, then F8) as explained here.

Please contact us to get the driver signed by Microsoft.

We advise you to start the "Owlyshield Service" service manually, or to use the automatic (delayed start) mode.

Information - Updated Jan 03, 2022
