CloudAV: N-Version Antivirus in the Network Cloud Jon Oberheide, Evan Cooke, Farnam Jahanian Electrical Engineering and Computer Science Department, University.

Presentation transcript:

CloudAV: N-Version Antivirus in the Network Cloud
Jon Oberheide, Evan Cooke, Farnam Jahanian
Electrical Engineering and Computer Science Department, University of Michigan
USENIX Security /05/21
Presented by Seungbae Kim
* Slides are borrowed from the author's presentation file

Contents
Motivation and Limitations of Antivirus
AV as an In-Cloud Network Service
Implementation
Evaluation
Conclusion
CloudAV: N-Version Antivirus in the Network Cloud 1/19

Antivirus
Widely deployed
Last line of defense
Over $10 billion market in 2008
Over 50% of security software revenue

Antivirus Limitations
Detection Coverage
– Low detection rates
– Slow response to emerging threats
AV Software Vulnerabilities
– Complexity leads to security risk
– Inherently high privileges

Detection Degradation (chart; figure not included in the transcript)

CloudAV
In-Cloud Detection
– Moving the detection of malicious and unwanted files from end hosts into the network
– Significantly lowers the complexity of host-based monitoring software
N-Version Protection
– Using a set of heterogeneous detection engines to provide analysis results on a file

AV as an In-Cloud Network Service
By providing antivirus as an in-cloud service:
– Analyze files using multiple detection engines in parallel
– Collect forensic data
– Retrospectively detect previously infected hosts
– Simplify host software
– Centralize management and policy enforcement

Architecture
Lightweight host agent runs on desktops, laptops, and other devices
Network service hosts the backend file analysis engines and fields requests from the host agent
Archival and forensics service stores information on file analysis results

Lightweight Host Agent
Access to each file is trapped and diverted to a handling routine
Generate a unique identifier (UID) for the file (e.g. a cryptographic hash)
Compare the UID against the local and remote caches of previously analyzed files; send the file to the network service only if it is in neither cache

Network Service
Receives incoming analysis requests from the host agent
File analyzed by a collection of engines (N-version protection)
Shared remote cache maintained in the network service

Network Service
N-Version Protection
– Multiple, independent implementations for the detection of malware
– Independent vendors have heterogeneous detection routines, malware collection methodologies, and response times
– Leverage this heterogeneity to increase coverage

Network Service
Result Aggregation
– The results from the different detection engines must be combined
– To determine whether a file is safe to open, access, or execute
Threat Report
– The result of the aggregation process
– Can contain a variety of metadata and analysis results about a file
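As an added illustration of the host agent and network service flow on the preceding slides (not code from the CloudAV project; the engines, file contents and the two-engine aggregation threshold are constructed), the hash-then-cache-then-submit path and N-version result aggregation in Python, the language of the paper's Linux/BSD agent:

```python
import hashlib

def file_uid(data: bytes) -> str:
    # Unique identifier for a file: a cryptographic hash, as the slides suggest.
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in engines: each "vendor" knows a set of file hashes.
# Real engines are far richer; only their independent verdicts matter here.
ENGINE_SIGNATURES = {
    "vendor_a": {file_uid(b"constructed malicious sample")},
    "vendor_b": {file_uid(b"constructed malicious sample")},
    "vendor_c": set(),  # this vendor has no signature for the sample yet
}

class NetworkService:
    """Runs every engine on a submitted file and keeps the shared remote cache."""
    def __init__(self, engines, min_engines=1):
        self.engines = engines
        self.min_engines = min_engines  # aggregation policy: engines that must flag a file
        self.remote_cache = {}          # uid -> threat report, shared by every host
        self.analyses = 0               # how often the engines actually ran

    def lookup(self, uid):
        return self.remote_cache.get(uid)

    def analyze(self, data):
        uid = file_uid(data)
        self.analyses += 1
        # N-version protection: each engine gives an independent verdict.
        verdicts = {name: uid in sigs for name, sigs in self.engines.items()}
        hits = sum(verdicts.values())
        # Threat report: aggregated decision plus per-engine results as metadata.
        report = {"uid": uid, "verdicts": verdicts, "hits": hits,
                  "malicious": hits >= self.min_engines}
        self.remote_cache[uid] = report
        return report

class HostAgent:
    """Lightweight agent: hash the file, check local then remote cache, else submit."""
    def __init__(self, service):
        self.service = service
        self.local_cache = {}

    def on_file_access(self, data):
        uid = file_uid(data)
        report = self.local_cache.get(uid) or self.service.lookup(uid)
        if report is None:
            report = self.service.analyze(data)  # miss in both caches: send the file
        self.local_cache[uid] = report
        return report
```

A second host opening the same file is answered from the shared remote cache, so the engines run once per distinct file across the whole deployment.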

Archival and Forensics Service
File access information
– Sent by the host agent and stored securely by the network service
The behavioral profiles of malicious software
– Generated by the behavioral detection engines

Retrospective Detection
Detect previously unknown threats
Network service with RD:
– Host sends a 0-day to the network service; the 0-day evades all detection engines and is archived; the host becomes infected
– Vendor releases new signatures to address the threat; the network service rescans the archived files and detects the threat!
– Administrator is notified of the infected hosts and quarantines them
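The retrospective detection sequence above, as an added Python example that is not the project's own code: the archive keeps every submitted file together with the hosts that accessed it, and a rescan with updated (constructed, hash-based) engines returns exactly the hosts that opened a file which was clean on first analysis and is detected now.

```python
import hashlib

def file_uid(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def signature_engine(known_hashes):
    # Constructed stand-in for a vendor engine: flags files whose hash it knows.
    return lambda data: file_uid(data) in known_hashes

class ArchivalService:
    """Keeps every analyzed file and which hosts accessed it, for later rescans."""
    def __init__(self):
        self.archive = {}       # uid -> file bytes, retained for rescanning
        self.accesses = {}      # uid -> set of hosts that opened the file
        self.known_bad = set()  # uids already reported as malicious

    def record(self, host, data, engines):
        """Called for each analysis request: archive the file and note the host."""
        uid = file_uid(data)
        self.archive[uid] = data
        self.accesses.setdefault(uid, set()).add(host)
        if any(engine(data) for engine in engines):
            self.known_bad.add(uid)
        return uid

    def rescan(self, engines):
        """Re-run the updated engines over the archive. Returns {uid: [hosts]}
        for files that were clean at first and are detected now; those hosts
        are the previously infected ones the administrator is notified about."""
        newly_detected = {}
        for uid, data in self.archive.items():
            if uid in self.known_bad:
                continue  # already reported, do not raise it again
            if any(engine(data) for engine in engines):
                self.known_bad.add(uid)
                newly_detected[uid] = sorted(self.accesses[uid])
        return newly_detected
```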

Implementation
Host Agent
– Platforms: Windows 2000/XP/Vista, Linux 2.4/2.6, FreeBSD 6
– Simple and lightweight host agent
  Win32 host agent: ~1500 LOC
  Linux/BSD host agent: <300 LOC, Python
Network Service
– Backend analysis engines
  10 antivirus engines: Avast, AVG, BitDefender, ClamAV, F-Prot, F-Secure, Kaspersky, McAfee, Symantec, Trend Micro
  2 behavioral engines: Norman Sandbox, CWSandbox

Evaluation
Malware Dataset
– Obtained through the Arbor Malware Library (AML): distributed darknet honeypots, spam traps, honeyclient
– 7220 malware samples
– Collected over a one-year period, November 12th, 2006 to November 11th, 2007

N-Version Protection (results chart; figure not included in the transcript)

Retrospective Detection (results chart; figure not included in the transcript)

Conclusion
Traditional host-based antivirus
– Low detection rate
– Slow response to emerging threats
– Complexity leads to security risk
CloudAV
– In-cloud detection & N-version protection
– Simplified host software, better detection, retrospective detection, centralized management