Skip to content

OxPwned is a hybrid malware detection system that combines YARA/ClamAV signatures with machine learning models to detect known threats, featuring real-time monitoring and Docker-based sandboxing.

License

Notifications You must be signed in to change notification settings

Sampriti2803/OxPwned

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

45 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

OxPwned - Hybrid Malware Detection and Trend Analysis System

Overview

OxPwned is a hybrid malware detection system designed for the banking sector. By combining the strengths of signature-based detection and machine learning, it delivers comprehensive protection against both known and zero-day threats. This project was developed as part of PNB's Cybersecurity Hackathon-2024.


Features

  • Dual-Layer Detection: Combines YARA rules and ClamAV for signature-based detection with machine learning models (TensorFlow or PyTorch) for behavioral analysis.
  • Real-Time Alerts: Provides instant notifications and detailed logs for rapid response.
  • Sandbox Testing: Leverages Docker for secure and isolated testing of threats.
  • Scalability: Supports large datasets and evolving malware, with future-proof modular architecture.
  • Resource-Efficient: Optimized for minimal CPU and RAM usage.

Technical Implementation

Tools and Technologies

  • Machine Learning: TensorFlow or PyTorch for detecting unknown malware.
  • Signature Matching: YARA rules and ClamAV for known threats.
  • Monitoring: ELK Stack for real-time visualization and alerts.
  • Sandboxing: Docker for secure testing environments.

Workflow

  1. Input Layer: Scans files and monitors network traffic.
  2. Processing Layer:
    • Matches known threats using signature-based methods.
    • Analyzes behavior of unmatched data with ML models.
  3. Output Layer: Sends alerts and logs to Security Operations Center (SOC) teams.

Dataflow

OxPwned/
├── LICENSE
├── README.md
├── admin/
│   ├── communication/
│   │   ├── receiver.py
│   │   └── utils.py
│   ├── main.py
│   ├── ml/
│   │   └── models/
│   │       ├── predictor.py
│   │       ├── trained_model/
│   │       ├── trainer.py
│   │       ├── training_data/
│   │       └── utils.py
│   ├── monitoring/
│   │   ├── elk_stack/
│   │   └── logger.py
│   ├── reports/
│   │   ├── alerts/
│   │   └── historical/
│   ├── sandbox/
│   │   ├── docker_files/
│   │   └── test_env_setup.py
│   ├── signature_based/
│   │   ├── scanner.py
│   │   ├── signatures/
│   │   │   ├── clamav/
│   │   │   └── yara/
│   │   └── updater.py
│   └── tests/
│       ├── integration/
│       └── unit/
├── configs/
│   ├── admin_config.yaml
│   ├── logging_config.yaml
│   └── terminal_config.yaml
├── docs/
│   ├── architecture.md
│   ├── requirements.md
│   └── user_guide.md
├── logs/
│   ├── admin/
│   └── terminal/
├── requirements.txt
├── scripts/
│   ├── deployment/
│   │   ├── deploy_admin.sh
│   │   ├── deploy_terminal.sh
│   │   └── rollback.sh
│   ├── setup/
│   │   ├── setup_admin.sh
│   │   └── setup_terminal.sh
│   └── testing/
│       ├── coverage.sh
│       ├── run_tests_admin.sh
│       ├── run_tests_terminal.sh
├── shared/
│   ├── interfaces/
│   │   ├── shared_data_schema.json
│   │   └── terminal_to_admin.py
│   └── utils/
│       ├── data_serializer.py
│       ├── network_utilities.py
│       └── threat_levels.py
├── terminal/
│   ├── communication/
│   │   ├── sender.py
│   │   └── utils.py
│   ├── detection/
│   │   ├── pattern_match/
│   │   │   ├── engine.py
│   │   │   ├── heuristic.py
│   │   │   ├── matcher.py
│   │   │   ├── rules/
│   │   │   │   ├── regex_patterns/
│   │   │   │   │   ├── akira_patterns.json
│   │   │   │   │   ├── lockbit_patterns.json
│   │   │   │   │   └── suspicious_traffic_patterns.json
│   │   │   │   └── yara_rules/
│   │   │   ├── threat_intelligence/
│   │   │   │   ├── domain_blacklist.json
│   │   │   │   ├── hashes.json
│   │   │   │   └── ip_blacklist.json
│   │   │   └── utils.py
│   │   └── preprocessing/
│   │       ├── data_cleaner.py
│   │       ├── feature_extractor.py
│   │       ├── network_parser.py
│   │       └── test.py
│   ├── main.py
│   ├── output/
│   │   ├── alerts/
│   │   └── logs/
│   └── tests/
│       ├── integration/
│       └── unit/
└── tests/
    ├── admin/
    ├── shared/
    └── terminal/

Getting Started

Prerequisites

  • Python 3.10+
  • Docker
  • TensorFlow or PyTorch
  • ELK Stack (Elasticsearch, Logstash, Kibana)
  • ClamAV, YARA

Installation

  1. Clone the repository:

    git clone https://github.com/your-repo/OxPwned.git
    cd OxPwned
  2. Install dependencies:

    pip install -r requirements.txt
  3. Configure the system:

  • Edit configs/admin_config.yaml for admin configurations.
  • Adjust logging parameters in logging_config.yaml.
  1. Run setup scripts:

    bash scripts/setup/setup_admin.sh
    bash scripts/setup/setup_terminal.sh

Usage

Admin Console

  1. Start the admin console:
python admin/main.py
  1. Monitor logs and alerts under logs/admin/.

Terminal Console

  1. Launch the terminal console:
python terminal/main.py
  1. Access threat intelligence outputs under terminal/output/alerts/.

Documentation

For detailed architecture and implementation, refer to:

  • docs/architecture.md
  • docs/requirements.md
  • docs/user_guide.md

Contributors


Contributions

Contributions are welcome! Please refer to docs/user_guide.md for guidelines.


License

This project is licensed under the MIT License. See the LICENSE file for details.


Acknowledgments

  • PNB Cybersecurity Hackathon-2024 initiative.
  • Open-source tools and frameworks: TensorFlow, PyTorch, YARA, ClamAV, Docker, and ELK Stack.

About

OxPwned is a hybrid malware detection system that combines YARA/ClamAV signatures with machine learning models to detect known threats, featuring real-time monitoring and Docker-based sandboxing.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •