Researchers at the University of Michigan developed a new cloud-based approach to antivirus (AV) which, according to them, provides better detection of malware than traditional antivirus software.
According to the researchers, host-based antivirus software is becoming increasingly ineffective, especially against recent malware threats. Their tests showed the average length of time to detect new threats by a single antivirus engine was 48 days. Moreover, the complexity of the software has increased the risk of vulnerabilities in the antivirus engines themselves, which can be used by attackers to compromise a host, the researchers said.
Their approach, CloudAV, provides antivirus protection as an in-cloud network service instead of being installed on individual PCs like traditional antivirus. CloudAV uses a lightweight host agent run on endpoints that identifies new files and sends them to a network service for analysis. The model uses a technique the researchers call N-version protection, which identifies malicious software by using multiple, heterogeneous antivirus detection engines in parallel. They say the approach is similar to N-version programming, which is used to improve software reliability.
The technique improves malware detection while moving the complexity of antivirus engines to a network service. Isolating the engines within virtualized environments eliminates the impact of vulnerabilities in AV engines, the computer scientists said.
They tested CloudAV in a production deployment on a campus network in computer labs spanning multiple departments over six months. They ran 10 antivirus engines including Symantec Corp., McAfee Inc. and Trend Micro Inc., and two behavioral detection programs simultaneously against 7,220 malware samples. CloudAV had a detection rate of 98% against the data set while a single AV engine had a detection rate of 82%. Against recent threats, CloudAV recorded an 88% detection rate compared to a single engine's 52%.
For the enterprise, one of the main advantages of CloudAV is it "puts the power back into the hands of the network administrators rather than the AV vendors," said Jon Oberheide, a doctoral candidate in the university's electrical engineering and computer science department and one of the developers of the system.
"You can decide how much protection you need," he said. "If you're willing to spend money for another site license for another vendor, you can easily do that. You don't have to worry about host compatibility issues. You can simply swap out vendors in a matter of minutes."
Addressing the issue of a user being disconnected from the network -- and unable to submit files for analysis -- comes down to a policy decision, Oberheide said. But local caching used by the host agent allows a disconnected user to access files that have been previously analyzed by CloudAV, he said. Additionally, the host agent can be deployed with existing host-based antivirus, which could be enabled if a PC is disconnected.
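As an added illustration of the architecture described above (the N-version service with an administrator-chosen agreement threshold, and the host agent's local cache that still answers for previously analysed files while disconnected), here is a small Python simulation that is not code from the CloudAV project; the engine names, signatures, sample files and threshold policy are all constructed assumptions.

```python
import hashlib

def make_engines():
    # Constructed stand-in engines, not real AV products: each "knows" a
    # different signature, mimicking the uneven coverage of heterogeneous vendors.
    return {
        "engine_a": lambda d: b"SIG-ALPHA" in d,
        "engine_b": lambda d: b"SIG-ALPHA" in d or b"SIG-BETA" in d,
        "engine_c": lambda d: b"SIG-BETA" in d,
        "behavioral": lambda d: d.count(b"exec(") >= 3,  # crude behavioural heuristic
    }

class NVersionService:
    """Network-side service: runs every engine on the submitted file
    (sequentially here) and blocks once `threshold` engines agree."""
    def __init__(self, engines, threshold=1):
        self.engines = engines
        self.threshold = threshold  # admin-chosen policy: how many engines must flag

    def analyze(self, data):
        verdicts = {name: detect(data) for name, detect in self.engines.items()}
        flagged = sum(verdicts.values())
        return {"flagged": flagged, "total": len(verdicts),
                "block": flagged >= self.threshold, "verdicts": verdicts}

class HostAgent:
    """Lightweight endpoint agent: hashes each new file, answers from its local
    cache when it can, and otherwise submits the file to the service."""
    def __init__(self, service):
        self.service = service
        self.cache = {}          # sha256 hex digest -> block decision
        self.connected = True

    def check_file(self, data):
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.cache:
            return self.cache[digest]        # previously analysed: works offline
        if not self.connected:
            return None                      # unknown file while offline: policy decision
        result = self.service.analyze(data)
        self.cache[digest] = result["block"]
        return result["block"]

# Constructed sample files (not real malware): one carries a signature only
# two of the four engines recognise, the other is benign.
SAMPLE_SUSPECT = b"MZ...header...SIG-BETA...payload"
SAMPLE_BENIGN = b"#!/bin/sh\necho hello\n"
```

With `threshold=1` the suspect file is blocked although two of the four engines miss it, which is the coverage gain the N-version approach relies on; raising the threshold trades that coverage for fewer single-engine false positives.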
CloudAV also offers enhanced forensics capabilities and opportunities for application to mobile devices that can't handle resource-intensive antivirus software, researchers said. They began developing the model two years ago. Farnam Jahanian, professor of computer science and engineering, along with Oberheide and postdoctoral fellow Evan Cooke, wrote the research paper, CloudAV: N-Version Antivirus in the Network Cloud.
"Everyone is throwing around the term cloud computing, but this is actually an application where it works well," Oberheide said.
In June, Trend Micro announced Smart Protection Network, which combines cloud-based technologies with a lightweight client for malware protection. The company expects to start integrating the technology into its product portfolio in 2009.
"Cloud computing is the newest differentiator for threat protection technology," said Charlotte Dunlap, information security senior analyst at Enterprise Strategy Group Inc. "We're starting to see antivirus and email reputation offerings through cloud computing or hybrid options by antivirus and secure messaging providers, such as Trend Micro and Proofpoint. It makes sense that traditional antimalware and antispam is offered in the cloud to help combat increased threats in a timely manner."