CloudAV: N-Version Antivirus in the Network Cloud Jon Oberheide, Evan Cooke, Farnam Jahanian Electrical Engineering and Computer Science Department, University.


1 CloudAV: N-Version Antivirus in the Network Cloud
Jon Oberheide, Evan Cooke, Farnam Jahanian
Electrical Engineering and Computer Science Department, University of Michigan
USENIX Security 2008
2009/05/21, presented by Seungbae Kim (sbkim@mmlab.snu.ac.kr)
* Slides are borrowed from the author's presentation file

2 Contents
Motivation and Limitations of Antivirus
AV as an In-Cloud Network Service
Implementation
Evaluation
Conclusion
CloudAV: N-Version Antivirus in the Network Cloud 1/19

3 Antivirus
Widely deployed
Last line of defense
Over $10 billion market in 2008
Over 50% of security software revenue

4 Antivirus Limitations
Detection Coverage
–Low detection rates
–Slow response to emerging threats
AV Software Vulnerabilities
–Complexity leads to security risk
–Inherently high privileges

5 Detection Degradation

6 Antivirus Limitations
Detection Coverage
–Low detection rates
–Slow response to emerging threats
AV Software Vulnerabilities
–Complexity leads to security risk
–Inherently high privileges

7 CloudAV
In-Cloud Detection
–Moving the detection of malicious and unwanted files from end hosts into the network
–Significantly lowers the complexity of host-based monitoring software
N-Version Protection
–Using a set of heterogeneous detection engines to provide analysis results on a file

8 AV as an In-Cloud Network Service
By providing antivirus as an in-cloud service:
–Analyze files using multiple detection engines in parallel
–Collect forensic data
–Retrospectively detect previously infected hosts
–Simplify host software
–Centralize management and policy enforcement

9 Architecture
Lightweight host agent runs on desktops, laptops, and other devices
Network service hosts the backend file analysis engines and fields requests from the host agent
Archival and forensics service stores information on file analysis results

10 Lightweight Host Agent
Access to each file is trapped and diverted to a handling routine
Generate a unique identifier (UID) for the file (e.g. a cryptographic hash)
Compare the UID against the local and remote caches of previously analyzed files; send the file to the network service if it is in neither cache
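As an added illustration of this slide (not code from the paper or the CloudAV project), a Python sketch of the host-agent path: hash the trapped file, consult the local cache, then the shared remote cache, and submit to the network service only on a double miss. `TRAPPED_FILES`, `toy_network_service` and `HostAgent` are constructed here; the real Linux/BSD agent was also written in Python, but this is not it.

```python
import hashlib
from typing import Callable

# Constructed stand-ins for files whose open() the agent trapped; the real agent hooks
# file access on the host, here the contents are simply embedded inline.
TRAPPED_FILES = {
    "/home/alice/report.pdf": b"%PDF-1.4 constructed harmless document",
    "/home/alice/installer.exe": b"MZ constructed suspicious sample",
}

def file_uid(content: bytes) -> str:
    """Unique identifier for a file: a cryptographic hash (SHA-256) of its contents."""
    return hashlib.sha256(content).hexdigest()

def toy_network_service(content: bytes) -> str:
    """Hypothetical stand-in for the backend; the real service runs N engines in parallel."""
    return "malicious" if b"suspicious" in content else "clean"

class HostAgent:
    """Lightweight agent: hash, consult local then remote cache, submit only on a miss."""

    def __init__(self, remote_cache: dict[str, str], analyze: Callable[[bytes], str]):
        self.local_cache: dict[str, str] = {}
        self.remote_cache = remote_cache  # shared by every agent using the same service
        self.analyze = analyze
        self.submissions = 0              # files that actually left this host

    def on_access(self, content: bytes) -> tuple[str, str]:
        """Return (verdict, source), where source records which tier answered."""
        uid = file_uid(content)
        if uid in self.local_cache:
            return self.local_cache[uid], "local"
        if uid in self.remote_cache:
            self.local_cache[uid] = self.remote_cache[uid]
            return self.local_cache[uid], "remote"
        self.submissions += 1
        verdict = self.analyze(content)   # the access is held until a verdict exists
        self.remote_cache[uid] = verdict  # in CloudAV the service, not the agent, fills this
        self.local_cache[uid] = verdict
        return verdict, "service"
```

Because the cache key is a content hash, a second host that opens the same installer gets the shared verdict without uploading the file again.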

11 Network Service
Receives incoming analysis requests from the host agent
File analyzed by a collection of engines (N-version protection)
Shared remote cache maintained in the network service

12 Network Service
N-Version Protection
–Multiple, independent implementations for the detection of malware
–Independent vendors have heterogeneous detection routines, malware collection methodologies, and response times
–Leverage this heterogeneity to increase coverage

13 Network Service
Result Aggregation
–The results from the different detection engines must be combined
–To determine whether a file is safe to open, access, or execute
Threat Report
–The result of the aggregation process
–Can contain a variety of metadata and analysis results about a file

14 Archival and Forensics Service
File access information
–Sent by the host agent and stored securely by the network service
The behavioral profiles of malicious software
–Generated by the behavioral detection engines

15 Retrospective Detection
Detect previously unknown threats
Network service with RD:
–Host sends a 0-day to the network service; the 0-day evades all detection engines and is archived; the host becomes infected
–Vendor releases new signatures to address the threat; the network service rescans archived files and detects the threat!
–Administrator is notified of the infected hosts and quarantines them
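Added example (not the paper's code) serving slides 13 and 15: a toy network service that aggregates per-engine results into a threat report under a threshold policy, archives every analyzed file with the hosts that opened it, and rescans the archive when an engine's signatures are updated, returning the retrospective detections an administrator would act on. The engine names, samples and signature sets are constructed stand-ins; the service mimics the paper's design but is not its implementation.

```python
import hashlib
from dataclasses import dataclass, field

def uid(content: bytes) -> str:
    """Identifier shared with the host agent: SHA-256 of the file contents."""
    return hashlib.sha256(content).hexdigest()

# Constructed samples and per-engine signature sets (hashes an engine detects);
# the three engines are hypothetical stand-ins for the paper's AV backends.
KNOWN_BAD = b"constructed sample already known to two vendors"
ZERO_DAY = b"constructed sample that no engine detects yet"
ENGINES = {"engine_a": {uid(KNOWN_BAD)}, "engine_b": {uid(KNOWN_BAD)}, "engine_c": set()}

@dataclass
class ThreatReport:
    uid: str
    detections: list[str]  # engines that flagged the file
    verdict: str           # "malicious" or "clean"

@dataclass
class NetworkService:
    engines: dict[str, set[str]]
    threshold: int = 1  # N-version policy: malicious if >= threshold engines agree
    archive: dict[str, bytes] = field(default_factory=dict)      # forensic archive
    verdicts: dict[str, str] = field(default_factory=dict)       # last verdict per uid
    accesses: dict[str, set[str]] = field(default_factory=dict)  # uid -> hosts that opened it

    def scan(self, content: bytes) -> ThreatReport:
        h = uid(content)
        hits = [name for name, sigs in self.engines.items() if h in sigs]
        return ThreatReport(h, hits, "malicious" if len(hits) >= self.threshold else "clean")

    def analyze(self, host: str, content: bytes) -> ThreatReport:
        """Request path from a host agent: scan, archive the file, record who opened it."""
        report = self.scan(content)
        self.archive[report.uid] = content
        self.verdicts[report.uid] = report.verdict
        self.accesses.setdefault(report.uid, set()).add(host)
        return report

    def update_signatures(self, engine: str, new_sigs: set[str]) -> dict[str, set[str]]:
        """Vendor update: merge signatures, rescan the archive, and return the files that
        flip from clean to malicious with the hosts that already opened them."""
        self.engines.setdefault(engine, set()).update(new_sigs)
        newly_detected: dict[str, set[str]] = {}
        for h, content in self.archive.items():
            if self.scan(content).verdict == "malicious" and self.verdicts[h] != "malicious":
                self.verdicts[h] = "malicious"
                newly_detected[h] = set(self.accesses[h])
        return newly_detected
```

Raising `threshold` trades coverage for fewer false positives: a single engine's new signature then no longer flips an archived file on its own, so the rescan stays quiet until a second vendor agrees.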

16 Implementation
Host Agent
–Platforms: Windows 2000/XP/Vista, Linux 2.4/2.6, FreeBSD 6
–Simple and lightweight host agent
  Win32 host agent: ~1500 LOC
  Linux/BSD host agent: <300 LOC, Python
Network Service
–Backend analysis engines
  10 antivirus engines: Avast, AVG, BitDefender, ClamAV, F-Prot, F-Secure, Kaspersky, McAfee, Symantec, Trend Micro
  2 behavioral engines: Norman Sandbox, CWSandbox

17 Evaluation
Malware Dataset
–Obtained through the Arbor Malware Library (AML): distributed darknet honeypots, spam traps, honeyclient
–7220 malware samples
–Collected over a one-year period, November 12th, 2006 to November 11th, 2007

18 N-Version Protection

19 Retrospective Detection

20 Conclusion
Traditional host-based antivirus
–Low detection rate
–Slow response to emerging threats
–Complexity leads to security risk
CloudAV
–In-cloud detection & N-version protection
–Simplify host software, better detection, retrospective detection, centralized management

