
Researchers develop cloud-based antivirus

By Marcia Savage, Features Editor, Information Security magazine
12 Aug 2008 | SearchSecurity.com


Researchers at the University of Michigan have developed a new cloud-based approach to antivirus (AV) that, according to them, detects malware better than traditional antivirus software.


According to the researchers, host-based antivirus software is becoming increasingly ineffective, especially against recent malware threats. Their tests showed the average length of time to detect new threats by a single antivirus engine was 48 days. Moreover, the complexity of the software has increased the risk of vulnerabilities in the antivirus engines themselves, which can be used by attackers to compromise a host, the researchers said.

Their approach, CloudAV, provides antivirus protection as an in-cloud network service instead of being installed on individual PCs like traditional antivirus. CloudAV uses a lightweight host agent run on endpoints that identifies new files and sends them to a network service for analysis. The model uses a technique the researchers call N-version protection, which identifies malicious software by using multiple, heterogeneous antivirus detection engines in parallel. They say the approach is similar to N-version programming, which is used to improve software reliability.

The technique improves malware detection while moving the complexity of antivirus engines to a network service. Isolating the engines within virtualized environments eliminates the impact of vulnerabilities in AV engines, the computer scientists said.

They tested CloudAV in a production deployment on a campus network in computer labs spanning multiple departments over six months. They ran 10 antivirus engines, from vendors including Symantec Corp., McAfee Inc. and Trend Micro Inc., and two behavioral detection programs simultaneously against 7,220 malware samples. CloudAV had a detection rate of 98% against the data set, while a single AV engine had a detection rate of 82%. Against recent threats, CloudAV recorded an 88% detection rate compared to a single engine's 52%.


For the enterprise, one of the main advantages of CloudAV is it "puts the power back into the hands of the network administrators rather than the AV vendors," said Jon Oberheide, a doctoral candidate in the university's electrical engineering and computer science department and one of the developers of the system.

"You can decide how much protection you need," he said. "If you're willing to spend money for another site license for another vendor, you can easily do that. You don't have to worry about host compatibility issues. You can simply swap out vendors in a matter of minutes."

Addressing the issue of a user being disconnected from the network -- and unable to submit files for analysis -- comes down to a policy decision, Oberheide said. But local caching used by the host agent allows a disconnected user to access files that have been previously analyzed by CloudAV, he said. Additionally, the host agent can be deployed with existing host-based antivirus, which could be enabled if a PC is disconnected.
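To make the N-version model and the offline caching policy concrete, here is an added Python sketch (not the researchers' code): a network service fans a file's hash out to several constructed engines, and a host agent combines their verdicts under an assumed min_hits threshold and caches results so a disconnected client still gets answers for files already analysed.

```python
# Toy model of CloudAV-style N-version protection with a host-side cache.
# Added illustration, not the University of Michigan code: engine names,
# verdicts and sample files are constructed; min_hits is an assumed policy knob.
import hashlib
from dataclasses import dataclass, field
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
# Constructed samples: two "malware" files and one benign document.
SAMPLES = {"invoice.pdf": b"%PDF-1.4 benign constructed document",
           "dropper.exe": b"MZ constructed dropper payload",
           "fresh.exe": b"MZ constructed sample only some engines know"}
MALWARE = {"dropper.exe", "fresh.exe"}
H = {name: sha256(data) for name, data in SAMPLES.items()}

# Heterogeneous engines disagree; that disagreement is what N-version exploits.
ENGINES = {"engine_a": {H["dropper.exe"]},                  # misses fresh.exe
           "engine_b": {H["dropper.exe"], H["fresh.exe"]},
           "engine_c": {H["fresh.exe"]}}                    # misses dropper.exe

class NetworkService:
    """In-cloud analysis: query every engine, return per-engine hits."""
    def __init__(self, engines):
        self.engines = engines
    def analyze(self, digest: str) -> dict:
        return {name: digest in sigs for name, sigs in self.engines.items()}

@dataclass
class HostAgent:
    service: NetworkService
    min_hits: int = 1                            # engines that must flag a file
    connected: bool = True
    cache: dict = field(default_factory=dict)   # digest -> cached verdict

    def check(self, data: bytes) -> str:
        digest = sha256(data)
        if digest in self.cache:                 # previously analysed: no round trip
            return self.cache[digest]
        if not self.connected:                   # offline with no cached verdict
            return "unknown"
        hits = self.service.analyze(digest)
        verdict = "malicious" if sum(hits.values()) >= self.min_hits else "clean"
        self.cache[digest] = verdict
        return verdict

def detection_rate(engine_names, min_hits=1) -> float:
    """Share of MALWARE flagged when only engine_names are consulted."""
    agent = HostAgent(NetworkService({n: ENGINES[n] for n in engine_names}), min_hits)
    found = sum(agent.check(SAMPLES[n]) == "malicious" for n in MALWARE)
    return found / len(MALWARE)
```

Raising min_hits trades detection for fewer false positives, which is the kind of per-site policy choice the article attributes to the administrator.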

CloudAV also offers enhanced forensics capabilities and opportunities for application to mobile devices that can't handle resource-intensive antivirus software, the researchers said. They began developing the model two years ago. Farnam Jahanian, professor of computer science and engineering, along with Oberheide and postdoctoral fellow Evan Cooke, wrote the research paper, "CloudAV: N-Version Antivirus in the Network Cloud."

"Everyone is throwing around the term cloud computing, but this is actually an application where it works well," Oberheide said.

In June, Trend Micro announced Smart Protection Network, which combines cloud-based technologies with a lightweight client for malware protection. The company expects to start integrating the technology into its product portfolio in 2009.

"Cloud computing is the newest differentiator for threat protection technology," said Charlotte Dunlap, information security senior analyst at Enterprise Strategy Group Inc. "We're starting to see antivirus and email reputation offerings through cloud computing or hybrid options by antivirus and secure messaging providers, such as Trend Micro and Proofpoint. It makes sense that traditional antimalware and antispam is offered in the cloud to help combat increased threats in a timely manner."
