dlescos edited this page Nov 29, 2021 · 31 revisions

Welcome to the Wiki!

We at SitinCloud strongly believe that cybersecurity products should always be open-source:

  1. Critical decisions about your company's cybersecurity strategy cannot be based on marketing material alone
  2. Interfacing the software with third-party tools, or even customizing it, should be easy, or at least possible
  3. Checking that the software does not itself add a new vulnerability to your organisation is critical. This cannot be done with closed-source products, whose vulnerabilities are often known only to attackers (see our blog for a real-life example involving Fortinet)

Owlyshield is an open-source, AI-driven, behaviour-based antivirus engine written in Rust. As of now, the model has been trained specifically to detect and kill ransomware, but we think the same technique can be used more generally to detect other categories of malware.

Why yet another product against ransomware?

Cybersecurity is a game in which attackers have a significant advantage over their victims:

  • Sophisticated weaponry is available for free or at very little cost
  • Cryptocurrencies have made collecting and laundering ransoms easy and low-risk
  • SMEs and even mid-caps use a plethora of third-party software over which they have no knowledge or control

What we see every day:

  • Critical software used daily to run a company's core activities, such as ERPs, full of security holes waiting to be exploited, and vendors shirking their responsibilities ("we have no bounty program, hide it behind a VPN")
  • Critical state organisations and large corporations falling victim to unsubtle attacks (for example, Sopra Steria and three public hospitals were severely hit by the Ryuk ransomware in France this year)
  • IT departments relying entirely on closed proprietary security products they know nothing about ("We lost our data to ransomware last year. But now we bought XYZ and feel protected"). This is not a sound defense strategy

Community vs commercial versions

Both versions share the same source code. The commercial version adds the following features:

  • Driver signing of the minifilter, allowing it to be installed without having to start Windows in test-signing mode
  • A web app gathering all incident data, to help IT staff understand the scope of an attack within the company network and act accordingly (or classify it as a false positive)
  • Interfaces with your log management tools (we also provide an API)
  • Scheduled tasks to auto-update the whole application

How it works - Overview

Process creation defines a family tree in which every node has a unique parent. All processes are descendants of the Windows System process (pid = 4). This allows us to define subfamilies, each identified by a group id (which, obviously, has nothing to do with the Linux group id):

[Figure: process family tree]

Owlyshield collects metadata about the I/O operations of running processes and feeds it to a recurrent neural network (RNN); processes whose behaviour the model flags as suspect are killed along with their family.
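To make the family-tree idea concrete, here is a small Rust program (an added example, not Owlyshield's own code) that takes a list of process-creation events, assigns every process the pid of its family root as group id, and computes the two sets a "kill the family" action could target. The event layout, the pids and the root rule are assumptions of this example: the page only says that families carry a group id, not how the root is chosen, so here the root is the ancestor whose parent is System (pid 4), or the highest known ancestor when the chain is broken because a parent has already exited.

```rust
use std::collections::{HashMap, HashSet};

/// A process-creation event as a minifilter might report it to user space.
/// The field set is an assumption for this example, not Owlyshield's real record format.
#[derive(Debug, Clone)]
pub struct ProcEvent {
    pub pid: u32,
    pub ppid: u32,
    pub image: &'static str,
}

/// The Windows System process, root of the whole process tree.
pub const SYSTEM_PID: u32 = 4;

/// Constructed sample of a boot plus one user session, with a suspicious chain
/// under WINWORD.EXE. The pids are made up; parent 1100 (userinit.exe) is
/// deliberately absent to model a parent that exited before its child.
pub fn sample_events() -> Vec<ProcEvent> {
    let ev = |pid, ppid, image| ProcEvent { pid, ppid, image };
    vec![
        ev(4, 0, "System"),
        ev(96, 4, "Registry"),
        ev(368, 4, "smss.exe"),
        ev(1900, 4, "MemCompression"),
        ev(400, 368, "csrss.exe"),
        ev(500, 368, "wininit.exe"),
        ev(600, 500, "services.exe"),
        ev(700, 600, "svchost.exe"),
        ev(1200, 1100, "explorer.exe"), // parent userinit.exe has already exited
        ev(2000, 1200, "WINWORD.EXE"),
        ev(2100, 2000, "invoice.exe"),
        ev(2200, 2100, "cmd.exe"),
        ev(2300, 2200, "vssadmin.exe"),
    ]
}

/// Walk up the parent chain and return the family root: the ancestor whose
/// parent is System, or the highest known ancestor if the chain is broken.
/// This root rule is an assumption of the example.
fn family_root(pid: u32, parent: &HashMap<u32, u32>) -> u32 {
    let mut cur = pid;
    // Bound the walk so a malformed or cyclic table (pid reuse) cannot loop forever.
    for _ in 0..parent.len() + 1 {
        if cur == SYSTEM_PID {
            return SYSTEM_PID;
        }
        match parent.get(&cur) {
            Some(&p) if p == SYSTEM_PID => return cur,
            Some(&p) if parent.contains_key(&p) => cur = p,
            _ => return cur, // orphan: parent unknown or already exited
        }
    }
    cur
}

/// Assign every known process a group id: the pid of its family root.
pub fn assign_group_ids(events: &[ProcEvent]) -> HashMap<u32, u32> {
    let parent: HashMap<u32, u32> = events.iter().map(|e| (e.pid, e.ppid)).collect();
    events.iter().map(|e| (e.pid, family_root(e.pid, &parent))).collect()
}

/// All pids sharing a group id with `pid`, sorted: the whole family.
pub fn family_members(pid: u32, gids: &HashMap<u32, u32>) -> Vec<u32> {
    let g = gids[&pid];
    let mut v: Vec<u32> = gids.iter().filter(|(_, &gg)| gg == g).map(|(&p, _)| p).collect();
    v.sort_unstable();
    v
}

/// The narrower target: `pid` and all of its descendants (its subtree only).
pub fn subtree(pid: u32, events: &[ProcEvent]) -> Vec<u32> {
    let mut children: HashMap<u32, Vec<u32>> = HashMap::new();
    for e in events {
        children.entry(e.ppid).or_default().push(e.pid);
    }
    let mut seen = HashSet::new();
    let mut stack = vec![pid];
    let mut out = Vec::new();
    while let Some(p) = stack.pop() {
        if !seen.insert(p) {
            continue; // already visited: protects against cycles from pid reuse
        }
        out.push(p);
        if let Some(cs) = children.get(&p) {
            stack.extend(cs);
        }
    }
    out.sort_unstable();
    out
}

fn main() {
    let events = sample_events();
    let gids = assign_group_ids(&events);
    for e in &events {
        println!("{:>5} {:>5} gid={:>5} {}", e.pid, e.ppid, gids[&e.pid], e.image);
    }
    println!("family of 2300: {:?}", family_members(2300, &gids));
    println!("subtree of 2100: {:?}", subtree(2100, &events));
}
```

Note the difference between the two targets: with this root rule, vssadmin.exe (2300) belongs to the family rooted at explorer.exe (1200) because its userinit.exe parent is gone, so killing the whole family would also kill the user's shell, whereas killing the subtree of the first suspect process (invoice.exe, 2100) removes only it and the cmd.exe/vssadmin.exe chain it spawned. Which granularity an engine picks is a trade-off between containment and collateral damage.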

As of now, the model has been trained exclusively on ransomware (our training set contains more than 110,000 ransomware samples).

Components

Owlyshield consists of the following components:

  • Runtime components:
    • Owlyshield Predict - the prediction unit (user space). It collects data from the minifilter and makes predictions about running processes. This is a Windows service that depends on the minifilter
    • Installer - makes installation easier (creates the Predict and minifilter services and their registry keys)
    • RustWinToast - a basic executable that displays toast notifications
  • Driver components:
    • Owlyshield Minifilter - the driver (kernel space). It intercepts the I/O operations and process creations that Owlyshield Predict uses as input. The minifilter is also responsible for killing suspect process families
  • Deep learning:
    • Keras script used to train the model and produce the TensorFlow Lite (.tflite) file loaded by Owlyshield Predict

We plan to make the following available to the community in the near future:

  • The malware samples, offered to cybersecurity researchers through a new online platform we are working on, including the 100,000 ransomware samples we used to train our model