The CloudAV™ Architecture: N-Version Antivirus in the Network Cloud

Project Summary:

Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. These limitations motivate a fundamentally new deployment model for malware detection provided by antivirus software.

We advocate a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This new model provides several important benefits:

CloudAV is a production quality in-cloud antivirus system, which includes a lightweight, cross-platform host agent (Win32, Linux, FreeBSD, Sendmail/Postfix milter, Nokia Maemo) and a network service with ten antivirus engines (Avast, AVG, BitDefender, ClamAV, F-Prot, F-Secure, Kaspersky, McAfee, Symantec, and Trend Micro) and two behavioral detection engines (Norman Sandbox, CWSandbox).

   

CloudAV Publications:
CloudAV: N-Version Antivirus in the Network Cloud
Jon Oberheide, Evan Cooke, and Farnam Jahanian
Proc. of the 17th USENIX Security Symposium, July 2008.
[pdf] [bibtex]

Virtualized In-Cloud Security Services for Mobile Devices
Jon Oberheide, Kaushik Veeraraghavan, Evan Cooke, Jason Flinn, and Farnam Jahanian
Workshop on Virtualization in Mobile Computing (MobiVirt'08), June 2008.
[pdf] [bibtex]

Rethinking Antivirus: Executable Analysis in the Network Cloud
Jon Oberheide, Evan Cooke, and Farnam Jahanian
USENIX Workshop on Hot Topics in Security (HotSec'07), August 2007.
[pdf] [bibtex]

Publications by our research group...