The CloudAV™ Architecture: N-Version Antivirus in the Network Cloud
Project Summary:
Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long-term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats, and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. These limitations motivate a fundamentally new deployment model for the malware detection provided by antivirus software.
We advocate a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This new model provides several important benefits:
- Better detection of malicious software: Antivirus engines have complementary detection capabilities and a combination of many different engines can improve the overall identification of malicious and unwanted software. This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term N-version protection.
- Eliminating the impact of antivirus vulnerabilities: By moving the complexity of antivirus engines to the network service and isolating the engines within virtualized environments, CloudAV eliminates the impact of the numerous vulnerabilities present in antivirus engines that may be leveraged by an attacker to compromise a host.
- Retrospective detection of previously infected hosts: When signature updates are received, previously analyzed files can be re-scanned, allowing the detection of malicious software and identification of hosts that have been infected by them.
- Enhanced forensics capabilities: Information about what hosts accessed what files provides an incredibly rich database of information for forensics and intrusion analysis. Such information provides temporal relationships between file access events on the same or different hosts.
- Improved deployability and management: Moving detection off the host and into the network significantly simplifies host software, enabling deployment on a wider range of platforms and allowing administrators to centrally control signatures and enforce file access policies.
CloudAV is a production-quality in-cloud antivirus system, which includes a lightweight, cross-platform host agent (Win32, Linux, FreeBSD, Sendmail/Postfix milter, Nokia Maemo) and a network service with ten antivirus engines (Avast, AVG, BitDefender, ClamAV, F-Prot, F-Secure, Kaspersky, McAfee, Symantec, and Trend Micro) and two behavioral detection engines (Norman Sandbox, CWSandbox).
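To make the N-version, retrospective-detection and forensics benefits listed above concrete, here is a small toy model of an in-cloud scanning service. It is an added example, not CloudAV's own code: the engines are constructed substring matchers standing in for real (VM-isolated) antivirus engines, the "flag when at least `threshold` engines detect" policy is an assumption, and the sample files, hosts and timestamps are constructed.

```python
"""Toy model of an in-cloud N-version antivirus service (constructed example,
not CloudAV's own code). Engines are substring matchers; the threshold policy
is an assumption; sample files, hosts and timestamps are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# An engine maps file bytes to a detection name, or None when clean.
Engine = Callable[[bytes], Optional[str]]


def signature_engine(signatures: Dict[bytes, str]) -> Engine:
    """Constructed stand-in for a real engine: flag on byte-pattern match."""
    def scan(data: bytes) -> Optional[str]:
        for pattern, name in signatures.items():
            if pattern in data:
                return name
        return None
    return scan


@dataclass
class AccessRecord:
    host: str
    file_hash: str
    time: int          # logical clock, constructed for the example


@dataclass
class CloudAVService:
    engines: Dict[str, Engine]
    threshold: int = 1  # assumption: flag when >= threshold engines detect
    access_log: List[AccessRecord] = field(default_factory=list)
    verdicts: Dict[str, Dict[str, Optional[str]]] = field(default_factory=dict)
    files: Dict[str, bytes] = field(default_factory=dict)

    def scan(self, host: str, data: bytes, now: int) -> Tuple[bool, Dict[str, str]]:
        """A host agent submits a file; every engine scans it (N-version) and the
        access is recorded so later forensics can ask who touched what, when."""
        h = hashlib.sha256(data).hexdigest()
        self.access_log.append(AccessRecord(host, h, now))
        if h not in self.verdicts:          # cache hit: no rescan needed
            self.files[h] = data
            self.verdicts[h] = {name: eng(data) for name, eng in self.engines.items()}
        return self._decide(h)

    def _decide(self, h: str) -> Tuple[bool, Dict[str, str]]:
        hits = {n: v for n, v in self.verdicts[h].items() if v is not None}
        return len(hits) >= self.threshold, hits

    def update_engine(self, name: str, engine: Engine) -> Dict[str, Set[str]]:
        """Signature update: rescan every cached file with the updated engine and
        return the files that newly cross the threshold, mapped to the hosts that
        accessed them (retrospective detection of already-infected hosts)."""
        self.engines[name] = engine
        newly_flagged: Dict[str, Set[str]] = {}
        for h, data in self.files.items():
            before, _ = self._decide(h)
            self.verdicts[h][name] = engine(data)
            after, _ = self._decide(h)
            if after and not before:
                newly_flagged[h] = self.hosts_that_accessed(h)
        return newly_flagged

    def hosts_that_accessed(self, h: str) -> Set[str]:
        return {r.host for r in self.access_log if r.file_hash == h}

    def timeline(self, h: str) -> List[Tuple[int, str]]:
        """Temporal relationship between accesses of one file across hosts."""
        return sorted((r.time, r.host) for r in self.access_log if r.file_hash == h)


# Constructed sample files and engines (not real malware or signatures).
FILE_A = b"MZ...EVIL-A payload"
FILE_B = b"MZ...EVIL-B payload"
FILE_CLEAN = b"just a document"
ENGINE_A = signature_engine({b"EVIL-A": "Trojan.A"})
ENGINE_B_OLD = signature_engine({b"EVIL-Z": "Worm.Z"})                      # misses FILE_B
ENGINE_B_NEW = signature_engine({b"EVIL-Z": "Worm.Z", b"EVIL-B": "Worm.B"})  # after update


def demo() -> dict:
    svc = CloudAVService({"engineA": ENGINE_A, "engineB": ENGINE_B_OLD})
    flagged_a, hits_a = svc.scan("host1", FILE_A, now=1)   # caught by engine A alone
    flagged_b, _ = svc.scan("host2", FILE_B, now=2)        # missed by both engines
    svc.scan("host3", FILE_B, now=3)                        # cached verdict, still missed
    svc.scan("host3", FILE_CLEAN, now=4)
    newly = svc.update_engine("engineB", ENGINE_B_NEW)     # signature update arrives
    hash_b = hashlib.sha256(FILE_B).hexdigest()
    return {
        "first_scan_flagged": flagged_a,
        "first_scan_hits": hits_a,
        "b_missed_initially": not flagged_b,
        "retro_hosts": newly.get(hash_b, set()),           # hosts to notify/clean
        "b_timeline": svc.timeline(hash_b),
        "clean_unaffected": hashlib.sha256(FILE_CLEAN).hexdigest() not in newly,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is in `update_engine`: because the service keeps both the files it has seen and the per-host access log, a signature update turns into a list of hosts that handled a now-known-bad file before any engine could catch it, which a purely host-based deployment cannot produce. Raising `threshold` above 1 trades some detection for fewer single-engine false positives; the paper's design space is broader than this toy, but the shape of the bookkeeping is the same.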
CloudAV Publications:
CloudAV: N-Version Antivirus in the Network Cloud
Jon Oberheide, Evan Cooke, and Farnam Jahanian
Proc. of the 17th USENIX Security Symposium, July 2008.
[pdf] [bibtex]
Virtualized In-Cloud Security Services for Mobile Devices
Jon Oberheide, Kaushik Veeraraghavan, Evan Cooke, Jason Flinn, and Farnam Jahanian
Workshop on Virtualization in Mobile Computing (MobiVirt'08), June 2008.
[pdf] [bibtex]
Rethinking Antivirus: Executable Analysis in the Network Cloud
Jon Oberheide, Evan Cooke, and Farnam Jahanian
USENIX Workshop on Hot Topics in Security (HotSec'07), August 2007.
[pdf] [bibtex]