Translations:
- Chinese: / 中文: README_CN
Owlyshield
An AI antivirus written in Rust
Explore the Doc
Access training data
·
Read the technical doc
·
Request Feature
Table of Contents
-
Owlyshield
- Open-source philosophy
- How does it work?
- How was the model trained?
- Community vs commercial versions
-
Getting Started
- Prerequisites
- Installation
- Roadmap
- Contributing
- License
- Contact
- Acknowledgments
Owlyshield
Owlyshield is an open-source AI-driven antivirus engine written in Rust.
Open-source philosophy
We at SitinCloud 🇫🇷 strongly believe that cybersecurity products should always be open-source:
- In addition to the source code, we provide a complete wiki and code documentation,
- You are able to check the product does not add a new vulnerability which could be used to exploit your systems,
- We provide specific entrypoints in the code to make interfacing with third-party tools easy (specifically SIEM and EDRs).
How does it work?
- A minifilter (a file system filter driver) intercepts I/O request packets (IRPs) to collect metadata about what happens on the disks (DriverMsg in the sources),
- Owlyshield-predict uses the previously created DriverMsgs to compute features submitted to a RNN (a special type of neural network wich works on sequences),
- If the RNN predicts a malware, owlyshield-predict asks the minifilter to kill the malicious processes and send a very detailed report about what happened to your SIEM tools (and/or a local file).
How was the model trained?
The model was trained with malwares from the real world collected from very diverse places on the internet (dark web, by sharing with researchers, analysis of thousands of downloads with virustotal).
We ran them on Windows VMs with owlyshield working in a specific mode (--features record) to save the IRPs. Owlyshield-predict with --features replay was then used to write the learning dataset (a csv file).
Owlyshare is the place where we share those vast collections of malwares with cybersecurity researchers. You may apply for an access by sending us an email.
Community vs commercial versions
Both versions share the same source code. The commercial version adds the following features:
- Driver signing of the minifilter, allowing it to be installed without having to start Windows in test-signing mode (see Prerequisites),
- A webapp gathering all incidents data to help IT staff to understand the scope of the attack within the company networks and act accordingly (or classify it as a false positive),
- Interfaces with your log management tools (we even provide an API),
- Scheduled tasks to auto-update the application.
(back to top)
Getting Started
Prerequisites
- Install the Microsoft Visual C++ Redistributable packages
- Disable "Driver Signature Enforcement" at Windows startup. This is only required if you did not get a copy of the driver signed by Microsoft for SitinCloud (we provide it for free if you are a contributor).
Installation
We regularly release installers (in the Releases GitHub section). You may need to enable the driver signin mode (the Signed Driver is part of the commercial version) as explained in Prequisites.
Please refer to the Wiki if you prefer to build it yourself.
(back to top)
Roadmap
- Release the windows driver (minifilter)
- Documentation
- Source code doc
- Wiki
- Pre-print
- Model (RNN)
- behavioral features
- static features
- TBTT with TFlite (it does not support stateful LSTMs)
- connectors
- strategy pattern
- connector with Sitincloud's interface
- others connectors with proprietary and open-source projects
- Linux Driver?
Suggestions are welcome (see Contributing).
See the open issues for a full list of proposed features (and known issues).
(back to top)
Contributing
We help our contributors by providing them with:
- A copy of the driver signed by Microsoft,
- A free access to Owlyshare, the place where we store our learning data (and vast collections of malwares) if needed,
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature') - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
(back to top)
License
Distributed under the EUPL v1.2 license. See LICENSE.txt for more information.
(back to top)
Contact
Damien LESCOS - @DamienLescos - [email protected]
Project Link: https://github.com/SitinCloud/Owlyshield/
Company Link: SitinCloud
(back to top)
Acknowledgments
- RansomWatch
- Behavioural machine activity for benign and malicious Win7 64-bit executables
(back to top)
