Network Blog

Network Blog – Tech Blog

Last updated on Saturday, May 19th 2012

No more need for an antivirus software?

Posted by admin on Wednesday, August 27th 2008
Topics: Anti-Virus
Tags: Anti+Virus

According to computer scientists at the University of Michigan (UM), installing antivirus software on your personal computer might soon become useless. The research team has used a new approach, called CloudAV, which moves antivirus functionality into the ‘network cloud’ and off personal computers. This next-generation antivirus system ‘virtualizes and parallelizes detection functionality with multiple antivirus engines, significantly increasing overall protection,’ according to the team leader. Even if the results look promising, it should be noted that this is just an academic project for the moment. But read more…

[Figure: architecture of the CloudAV in-cloud file analysis service]

You can see above the architecture of this in-cloud file analysis service, which includes three major components. “The first is a lightweight host agent run on end systems like desktops, laptops, and mobile devices that identifies new files and sends them into the network for analysis. The second is a network service that receives files from the host agent, identifies malicious and unwanted content, and instructs hosts whether access to the files is safe. The third component is an archival and forensics service that stores information about what files were analyzed and provides a query and alerting interface for operators.” (Credit: UM)

This project has been developed in the Electrical Engineering and Computer Science (EECS) in the Networking and Security Research Group led by Professor Farnam Jahanian. For this CloudAV project, Jahanian worked with doctoral candidate Jon Oberheide and postdoctoral fellow Evan Cooke.

[Figure: the CloudAV network service (top) and host components (bottom)]

Here is how the CloudAV service could be used. In the figure above, you can see the network component on the top and the various host components on the bottom. You can also see how a ‘malware’ program would not be allowed to run on your personal computing system. Among other advantages, providing antivirus as an in-cloud service makes it possible to analyze files using multiple detection engines in parallel and to simplify host software for wide deployability. (Credit: UM)

Here are some quotes from the UM news release giving additional details about the project. “‘CloudAV virtualizes and parallelizes detection functionality with multiple antivirus engines, significantly increasing overall protection,’ said Jahanian. Traditional antivirus software that resides on a personal computer checks documents and programs as they are accessed. Because of performance constraints and program incompatibilities, only one antivirus detector is typically used at a time. CloudAV, however, can support a large number of malicious software detectors that act in parallel to analyze a single incoming file. Each detector operates in its own virtual machine, so the technical incompatibilities and security issues are resolved, Oberheide said.”

The research team recently presented a paper called “CloudAV: N-Version Antivirus in the Network Cloud” at the 17th USENIX Security Symposium held in July 2008. Here is a link to the paper (PDF format, 16 pages, 680 KB) which was included in the proceedings of this conference.

Here are two short excerpts from the abstract. “This paper advocates a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term ‘N-version protection.’ This approach provides several important benefits including better detection of malicious software, enhanced forensics capabilities, retrospective detection, and improved deployability and management. To explore this idea we construct and deploy a production quality in-cloud antivirus system called CloudAV.”

 

This second quote illustrates the results obtained by the research team. “CloudAV includes a lightweight, cross-platform host agent and a network service with ten antivirus engines and two behavioral detection engines. We evaluate the performance, scalability, and efficacy of the system using data from a real-world deployment lasting more than six months and a database of 7220 malware samples covering a one year period. Using this dataset we find that CloudAV provides 35% better detection coverage against recent threats compared to a single antivirus engine and a 98% detection rate across the full dataset. We show that the average length of time to detect new threats by an antivirus engine is 48 days and that retrospective detection can greatly minimize the impact of this delay.”
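The flow described in the quotes above (a host agent submitting files, several engines scanning in parallel, an archive that enables retrospective detection) can be sketched in a few lines. This is an added, simplified example, not code from the CloudAV paper or project; the class names, engine names, signatures and file contents are all assumptions constructed for illustration.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

class Engine:
    """Toy detector (assumed stand-in for a real AV engine): byte-signature match."""
    def __init__(self, name, signatures):
        self.name, self.signatures = name, set(signatures)
    def scan(self, data):
        return any(sig in data for sig in self.signatures)

class NetworkService:
    def __init__(self, engines, threshold=1):
        self.engines, self.threshold = engines, threshold
        self.archive = {}   # sha256 -> {"data", "hosts", "flagged_by"}

    def _run_engines(self, data):
        # N-version step: every engine scans the same file in parallel.
        with ThreadPoolExecutor(max_workers=len(self.engines)) as pool:
            hits = list(pool.map(lambda e: e.scan(data), self.engines))
        return sorted(e.name for e, hit in zip(self.engines, hits) if hit)

    def analyze(self, host, data):
        digest = hashlib.sha256(data).hexdigest()
        rec = self.archive.get(digest)
        if rec is None:     # unseen file: analyze once, cache the result by hash
            rec = {"data": data, "hosts": set(), "flagged_by": self._run_engines(data)}
            self.archive[digest] = rec
        rec["hosts"].add(host)      # forensics: remember who accessed the file
        return len(rec["flagged_by"]) < self.threshold   # True = access allowed

    def retrospective_scan(self):
        """Re-scan archived files after signature updates; return new alerts."""
        alerts = []
        for digest, rec in self.archive.items():
            now = self._run_engines(rec["data"])
            if len(now) >= self.threshold > len(rec["flagged_by"]):
                alerts.append((digest, sorted(rec["hosts"]), now))
            rec["flagged_by"] = now
        return alerts

def demo():
    # Constructed sample data: engine names, signatures and file bytes are made up.
    a, b = Engine("engine-a", [b"EVIL-1"]), Engine("engine-b", [b"EVIL-2"])
    svc = NetworkService([a, b])
    allowed = [svc.analyze("laptop", b"hello"),
               svc.analyze("laptop", b"xx EVIL-2 xx"),    # only engine-b knows it
               svc.analyze("desktop", b"yy EVIL-3 yy")]   # no engine knows it yet
    a.signatures.add(b"EVIL-3")                           # later signature update
    return allowed, svc.retrospective_scan()
```

In `demo()`, the second file is blocked because one of the two engines recognizes it, while the third is allowed at first and only surfaces in `retrospective_scan()` once an engine's signatures catch up, along with the host that accessed it.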

The top figure in this post was extracted from this paper. The bottom one was picked from the presentation given at the 17th USENIX Security Symposium (PDF format, 32 pages, 2.11 MB).

If you’re interested in this new approach to antivirus software, you should also read two additional papers.

  • Virtualized In-Cloud Security Services for Mobile Devices (PDF format, 5 pages, 106 KB), presented at the Workshop on Virtualization in Mobile Computing (MobiVirt’08) in June 2008
  • Rethinking Antivirus: Executable Analysis in the Network Cloud (PDF format, 5 pages, 228 KB), presented at the USENIX Workshop on Hot Topics in Security (HotSec’07) in August 2007

Sources: University of Michigan news release, August 5, 2008; and various websites
