CloudAV: N-Version Antivirus in the Network Cloud
Jon Oberheide, Evan Cooke, Farnam Jahanian
Electrical Engineering and Computer Science Department
University of Michigan, Ann Arbor, MI 48109
{jonojono, emcooke, farnam}@umich.edu
Abstract
Antivirus software is one of the most widely used tools
for detecting and stopping malicious and unwanted files.
However, the long-term effectiveness of traditional host-based
antivirus is questionable. Antivirus software fails
to detect many modern threats and its increasing complexity
has resulted in vulnerabilities that are being exploited
by malware. This paper advocates a new model
for malware detection on end hosts based on providing
antivirus as an in-cloud network service. This model enables
identification of malicious and unwanted software
by multiple, heterogeneous detection engines in parallel,
a technique we term ‘N-version protection’. This
approach provides several important benefits including
better detection of malicious software, enhanced forensics
capabilities, retrospective detection, and improved
deployability and management. To explore this idea we
construct and deploy a production quality in-cloud antivirus
system called CloudAV. CloudAV includes a
lightweight, cross-platform host agent and a network service
with ten antivirus engines and two behavioral detection
engines. We evaluate the performance, scalability,
and efficacy of the system using data from a real-world
deployment lasting more than six months and a database
of 7220 malware samples covering a one year period.
Using this dataset we find that CloudAV provides 35%
better detection coverage against recent threats compared
to a single antivirus engine and a 98% detection rate
across the full dataset. We show that the average length
of time to detect new threats by an antivirus engine is 48
days and that retrospective detection can greatly minimize
the impact of this delay. Finally, we relate two case
studies... [continues]
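
The following sketch is an added example, not code from the paper or from CloudAV. It illustrates the two ideas the abstract names: a file is checked by several independent engines in parallel, and files seen earlier are re-checked when an engine later gains a signature (retrospective detection). The Engine and NVersionService classes, the use of SHA-256 digests as signatures, the threshold policy and the host names are all assumptions made for the illustration.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

class Engine:
    """Stand-in for one detection engine: a named set of known-bad SHA-256 digests (assumption)."""
    def __init__(self, name, signatures=()):
        self.name = name
        self.signatures = set(signatures)

    def scan(self, digest):
        return digest in self.signatures

class NVersionService:
    """Hypothetical network service that fans each file out to every engine."""
    def __init__(self, engines, threshold=1):
        self.engines = engines
        self.threshold = threshold   # engines that must agree before a file is flagged
        self.history = {}            # digest -> hosts that submitted it (forensic record)

    def analyze(self, digest):
        # Run all engines in parallel and collect the names of those that flag the file.
        with ThreadPoolExecutor(max_workers=len(self.engines)) as pool:
            hits = list(pool.map(lambda e: e.scan(digest), self.engines))
        flagged = [e.name for e, hit in zip(self.engines, hits) if hit]
        return len(flagged) >= self.threshold, flagged

    def submit(self, host, content):
        # The host agent's role: hand the file to the service, which records who saw it.
        digest = hashlib.sha256(content).hexdigest()
        self.history.setdefault(digest, set()).add(host)
        return self.analyze(digest)

    def retrospective_scan(self):
        # Re-check every previously seen file against the engines' current signatures.
        alerts = {}
        for digest, hosts in self.history.items():
            malicious, flagged = self.analyze(digest)
            if malicious:
                alerts[digest] = (sorted(hosts), flagged)
        return alerts

def demo():
    sample = b"constructed sample bytes, not real malware"
    digest = hashlib.sha256(sample).hexdigest()
    engines = [Engine("engine-a"), Engine("engine-b"), Engine("engine-c")]
    service = NVersionService(engines)
    first = service.submit("host-1", sample)   # no engine knows the file yet
    service.submit("host-2", sample)
    engines[1].signatures.add(digest)          # one vendor ships a signature later
    return first, service.retrospective_scan(), digest

if __name__ == "__main__":
    print(demo())
```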
