Researchers develop cloud-based antivirus
By primesuspect (Icrontian, Detroit, MI)
Researchers from the University of Michigan have developed "CloudAV," a next-generation anti-virus technology. CloudAV seeks to improve PC resource utilization and virus detection rates by shifting the burden of virus analysis into the computing "cloud."
Jon Oberheide and Evan Cooke, working under the guidance of Professor Farnam Jahanian, tout the cloud's significant advantages over traditional client-side anti-virus:
- The cloud aggregates the detection results of many anti-virus engines, something that would be impractical, if not impossible, on a single client system.
- The cloud has enough resources to run behavioral analysis in a virtual sandbox.
- The client buys reduced disk and CPU usage at the cost of increased network utilization.
- Engine and signature updates happen in the cloud, so the burden of application maintenance is removed from the client entirely.
The engine currently consists of detection routines and signatures from Avast, AVG, BitDefender, ClamAV, F-Prot, F-Secure, Kaspersky, McAfee, Symantec, and Trend Micro. Their analysis (PDF) shows that the combined signature databases of these ten anti-virus products yield a 91% detection rate, higher than any one engine achieves on its own.
While the technology sounds similar to centrally managed anti-virus, such as Symantec Corporate, it is quite different. Today's corporate anti-virus products centrally manage user policies while leaving the burden of scanning and detection on the client. Under that model, each client incurs a significant processor and memory footprint.
Behavioral analysis is one of the more exciting aspects of this technology, according to the developers. Cooke and Oberheide explained that "behavioral analysis allows us to open a file in an emulated environment and trace the execution of a file through a system." The cloud has enough resources to execute a potentially infected file in a virtual sandbox to determine its impact. This is a significant advance in anti-virus technology that would be impractical to run on a desktop, much less a smartphone.
Other new functionality includes caching analysis results in the cloud so that detection isn't a constant resource drain. Once a file's verdict is cached under its hash, the file does not need to be reanalyzed. In effect, a single user running Microsoft PowerPoint submits that version of the PowerPoint binary once, and every other PowerPoint user in the cloud gets the cached verdict. Because one computer can contribute all the necessary information, deployments with a swath of similarly configured computers benefit from reduced network overhead. The flip side is that any file whose bytes differ at all (a new build, a repacked sample) is a cache miss and gets a full analysis.
While the technology is being used in a production environment on the University of Michigan campus, there are no plans to commercialize the product. Agents have been developed for Windows, Linux, BSD, Nokia Maemo, and sendmail. Cooke and Oberheide envision implementations of these clients for ISP, campus and corporate deployments.
Our concern was privacy in the cloud: specifically, would we want our ISP scanning sensitive files for us? Oberheide and Cooke envision a hybrid system with a lightweight detection engine on the client for files tagged in some way as private, while CloudAV continues to handle system files, executables, and other non-sensitive data.
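To make the architecture described above concrete (multi-engine aggregation, a hash-keyed verdict cache, and a local engine for private files), here is an added toy model; it is not the Michigan CloudAV code, and the engine names, the byte-pattern "engines," the two-engine detection threshold, and all sample files are constructed for the illustration. The hash-first, upload-on-miss flow and the private-file routing follow the article's description.

```python
import hashlib
from typing import Callable, Dict, List, Optional

# Hypothetical stand-ins for real AV engines: each returns True when it
# "detects" the file. The names and rules are constructed, not real products.
Engine = Callable[[bytes], bool]

ENGINES: Dict[str, Engine] = {
    "engine_a": lambda data: b"TROJAN-MARKER" in data,
    "engine_b": lambda data: b"TROJAN-MARKER" in data or b"DROPPER-MARKER" in data,
    "engine_c": lambda data: data.startswith(b"MZ") and b"DROPPER-MARKER" in data,
    "engine_d": lambda data: b"PACKED-STUB" in data,  # noisy: fires on packers
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CloudService:
    """Network side: run every engine once per unique file, cache the verdict
    by hash so later clients never trigger a re-scan."""

    def __init__(self, engines: Dict[str, Engine], threshold: int) -> None:
        self.engines = engines
        self.threshold = threshold  # hypothetical N-version policy: hits needed to flag
        self.cache: Dict[str, dict] = {}
        self.analyses = 0  # number of full multi-engine scans performed

    def lookup(self, digest: str) -> Optional[dict]:
        return self.cache.get(digest)

    def analyze(self, data: bytes) -> dict:
        digest = sha256_hex(data)
        cached = self.cache.get(digest)
        if cached is not None:
            return cached
        self.analyses += 1
        hits: List[str] = [name for name, engine in self.engines.items() if engine(data)]
        verdict = {
            "digest": digest,
            "detections": sorted(hits),
            "malicious": len(hits) >= self.threshold,
        }
        self.cache[digest] = verdict
        return verdict


class HostAgent:
    """Client side: send the hash first, ship the file only on a cache miss,
    and keep files tagged private on a lightweight local engine."""

    def __init__(self, service: CloudService, local_engine: Engine) -> None:
        self.service = service
        self.local_engine = local_engine
        self.bytes_uploaded = 0

    def check(self, data: bytes, private: bool = False) -> dict:
        if private:
            # Private files never leave the host; one local engine only.
            return {"source": "local", "malicious": self.local_engine(data)}
        digest = sha256_hex(data)
        verdict = self.service.lookup(digest)
        if verdict is None:
            self.bytes_uploaded += len(data)  # cache miss: upload the file
            verdict = self.service.analyze(data)
        return {"source": "cloud", **verdict}


def demo() -> dict:
    service = CloudService(ENGINES, threshold=2)
    alice = HostAgent(service, local_engine=ENGINES["engine_a"])
    bob = HostAgent(service, local_engine=ENGINES["engine_a"])

    # Constructed samples: a benign binary one engine misfires on, a dropper,
    # and a private document that must stay on the host.
    powerpoint = b"MZ" + b"\x00" * 64 + b"PACKED-STUB" + b"\x00" * 64
    dropper = b"MZ" + b"DROPPER-MARKER" + b"\x00" * 32
    tax_return = b"%PDF-1.4 constructed private document TROJAN-MARKER"

    alice_pp = alice.check(powerpoint)   # full scan, verdict cached
    bob_pp = bob.check(powerpoint)       # served from cache, nothing uploaded
    dropper_v = bob.check(dropper)       # two engines agree -> flagged
    private_v = alice.check(tax_return, private=True)
    return {
        "alice_pp": alice_pp,
        "bob_pp": bob_pp,
        "dropper": dropper_v,
        "private": private_v,
        "analyses": service.analyses,
        "bob_uploaded": bob.bytes_uploaded,
    }


if __name__ == "__main__":
    print(demo())
```

The threshold is what turns ten engines into something better than any one of them: the benign sample trips only the noisy engine and stays clean, while the dropper is flagged because two independent engines agree. Bob's PowerPoint check costs a 64-character hash on the wire rather than the whole binary, which is the network saving the article describes.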
You can find more information on their website, including links to white papers about the technology.