Translations:

• Chinese: / 中文: README_CN
• Español: README_ES
• Français: README_FR
  

Owlyshield

An AI antivirus written in Rust

🧪 Access training data · 📖 Read the technical doc · 💬 Request Feature

🦉 The owl's hoot: troubles-hoot!

Owlyshield is an open-source, AI-driven antivirus engine written in Rust. Traditional antivirus software, which uses static analysis, can only detect known threats. This is why ransom attacks have been on the rise, as hackers can easily adapt and avoid detection. Owlyshield addresses this issue by using behavioural analysis to detect and terminate ransomwares in their early stages of execution.

To ensure that the application runs efficiently, we have implemented multithreading and machine learning algorithms such as random forests, which are known for their speed of computation. We have also put a significant amount of effort into optimizing the performance of Owlyshield.

🖖 Open-source philosophy

At SitinCloud 🇫🇷, we are firm believers that cybersecurity products should always be open-source:

1. In addition to the source code, we provide comprehensive documentation in the form of a complete wiki and code documentation.
2. Open-source products can be considered as sovereign solutions, as there is no risk of any foreign agency introducing hidden backdoors or mass surveillance features that users may not be aware of.
3. We have included specific entry points in the code to facilitate easy integration with third-party tools, such as SIEM and EDRs.

▶️ 2 minutes install

We release installers regularly in the Releases section on GitHub. The Free Edition (community edition) is fully functional and will effectively protect your system against ransomwares. You no longer need to start Windows in test-signing mode, as the signed driver is now included in the community version.

For usage instructions, refer to the Wiki or see Contributing if you prefer to build Owlyshield yourself. Suggestions and feature requests are welcome – see the open issues for a full list of proposed features and known issues.

(back to top)

🤑 Business

↗️ Free vs Pro editions

The Pro Edition (commercial edition) includes the following features:

• A web app that gathers all incident data to help IT staff understand the scope of an attack within a company's networks and take appropriate action (or classify it as a false positive).
• Interfaces with log management tools (we even provide an API).
• Scheduled tasks to automatically update the application.

Within the scope of free version usage, we will do our best to help you find a solution for any issues you may encounter. However, we prioritize support for subscribers to our commercial version and valued added resellers.

💰 Business model

While our products and services can be purchased directly from us (feel free to contact us for a quotation that meets your needs), we believe that it is best for our products to be distributed to end customers indirectly.

Please contact us if you:

• Want to become a distribution partner or use our products as an MSSP – we are open to such partnerships.
• Want to integrate Owlyshield as part of your own EDR/XDR system – we will be happy to provide the best proposal for the appropriate level of professional services to do so.
• Need to protect your critical enterprise servers against crafted attacks or progressive wipers – we can introduce you to our brand-new novelty detection engine based on encoders AI tools (Owlyshield Enterprise Edition).
• Have any questions or would like a presentation of our products.

(back to top)

🤓 Technical

⚙️ How does it work?

1. A minifilter (a file system filter driver) intercepts I/O request packets (IRPs) to collect metadata about disk activity (DriverMsg in the sources).
2. Owlyshield-predict uses the previously created DriverMsgs to compute features submitted to an RNN (a special type of neural network that works with sequences). Both behavioural and static analysis are performed.
3. If the RNN predicts a malware, owlyshield-predict asks the minifilter to kill the malicious processes and send a detailed report about the incident to your SIEM tools (or to a local file).

🤖 How was the model trained?

The model was trained on real-world malware samples collected from various sources on the internet (dark web, shared with researchers, and analysis of thousands of downloads using VirusTotal).

We ran the malware samples on Windows VMs with Owlyshield in record mode (--features record) to save the IRPs. Owlyshield-predict with --features replay was then used to create the learning dataset (a CSV file).

The Malwares-ML repository is the place where we share some of our learning datasets.

(back to top)

🦾 Contributing

We offer free access to the Owlyshield Pro Edition to our contributors.

If you discover an undetected ransomware, please open an issue with the tag "undetected" to help us improve the AI engine and understand the new techniques used to avoid detection.

If you have suggestions on how to improve Owlyshield, you can fork the repository and create a pull request or simply open an issue with the tag "enhancement".

Don't forget to give the project a ⭐! Thank you for your contributions.

To contribute:

1. Fork the project.
2. Create a feature branch: git checkout -b feature/AmazingFeature.
3. Commit your changes: git commit -m 'Add some AmazingFeature'.
4. Push to the branch: git push origin feature/AmazingFeature.
5. Open a pull request.

(back to top)

📖 License

Distributed under the EUPL v1.2 license. See LICENSE.txt for more information.

(back to top)

💌 Contact

Damien LESCOS - @DamienLescos

• opensource@sitincloud.com

Project Link: https://github.com/SitinCloud/Owlyshield/

Company Link: SitinCloud

(back to top)

🙏 Acknowledgments

• RansomWatch
• Behavioural machine activity for benign and malicious Win7 64-bit executables

(back to top)