Combining multiple vendor offerings in a virus-scan service delivered via cloud computing technology could be very effective in detecting malware, according to research from the University of Michigan.
The new approach – dubbed CloudAV – could also provide solid protection for mobile devices, according to computer engineers from the Ann Arbor-based university.
They presented CloudAV at the USENIX Security Symposium held last week in San Jose, Calif.
[Diagram: how anti-virus in the cloud works.]
The approach combines virus-detection engines of up to 12 popular security vendors running in parallel on virtual machines.
A light-weight software agent is deployed on the client machine. Every suspicious file coming on to a user’s computer is sent into the cloud to be examined by the detection system.
“Anti-virus software is widely deployed by most organizations,” says Farnam Jahanian, professor of computer science and engineering at the university. “What surprised us is in our study even viruses that had been out for a year weren’t being detected by traditional anti-virus software.”
A six-month test pitted CloudAV against the security engines offered up by 12 popular vendors: Avast, AVG, BitDefender, ClamAV, CWSandbox, F-Prot, F-Secure, Kaspersky, McAfee, Norman Sandbox, Symantec and Trend Micro.
Each program was tested against 7,220 malware samples collected over a year.
CloudAV proved to be 35 per cent more effective at detecting recent threats compared to a single virus scan engine, sporting an 88 per cent detection rate for zero-day viruses. A typical user of virus scan software waits 48 days between the time new malware surfaces on the Web and the time they are protected from it.
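The following is an added example, not code from the University of Michigan CloudAV project, modelling the architecture described above: a thin host agent that hashes a file and uploads it only on a cache miss, a service that runs several engines in parallel and aggregates their verdicts under a threshold policy, and a small comparison of single-engine versus combined detection rates. The engine names, byte-pattern "signatures" and sample corpus are all constructed for illustration.

```python
"""Toy model of an N-version "anti-virus in the cloud" service.

Added example, not the CloudAV project's own code. Everything here is
constructed: three signature "engines" stand in for vendor scanners,
each knowing a different subset of patterns to mimic uneven coverage.
"""
from __future__ import annotations

import hashlib
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

# Constructed signatures; each engine covers a different subset.
ENGINE_SIGNATURES: dict[str, set[bytes]] = {
    "engine_a": {b"EVIL-PAYLOAD-1", b"EVIL-PAYLOAD-2"},
    "engine_b": {b"EVIL-PAYLOAD-2", b"EVIL-PAYLOAD-3"},
    "engine_c": {b"EVIL-PAYLOAD-3", b"EVIL-PAYLOAD-4"},
}


def scan_with_engine(name: str, data: bytes) -> bool:
    """One detection engine: True if any of its signatures is present."""
    return any(sig in data for sig in ENGINE_SIGNATURES[name])


@dataclass
class CloudScanService:
    """Server side: runs all engines in parallel, aggregates by threshold."""
    engines: list[str]
    threshold: int = 1  # flag if at least this many engines say "malicious"
    cache: dict[str, bool] = field(default_factory=dict)

    def verdicts(self, data: bytes) -> dict[str, bool]:
        with ThreadPoolExecutor(max_workers=len(self.engines)) as pool:
            results = list(pool.map(lambda e: scan_with_engine(e, data), self.engines))
        return dict(zip(self.engines, results))

    def classify(self, data: bytes) -> tuple[bool, dict[str, bool]]:
        per_engine = self.verdicts(data)
        malicious = sum(per_engine.values()) >= self.threshold
        # Cache the verdict by content hash so repeat submissions are cheap.
        self.cache[hashlib.sha256(data).hexdigest()] = malicious
        return malicious, per_engine


@dataclass
class ClientAgent:
    """Thin host agent: hash first, upload the file only on a cache miss."""
    service: CloudScanService
    uploads: int = 0

    def check_file(self, data: bytes) -> bool:
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.service.cache:
            return self.service.cache[digest]
        self.uploads += 1
        malicious, _ = self.service.classify(data)
        return malicious


# Constructed corpus: four "malware" samples and two benign files.
SAMPLES: dict[bytes, bool] = {
    b"header EVIL-PAYLOAD-1 trailer": True,
    b"header EVIL-PAYLOAD-2 trailer": True,
    b"header EVIL-PAYLOAD-3 trailer": True,
    b"header EVIL-PAYLOAD-4 trailer": True,
    b"quarterly report, nothing to see": False,
    b"holiday photos": False,
}


def detection_rates(threshold: int = 1) -> dict[str, float]:
    """Fraction of the constructed malware caught by each engine alone
    and by the combined service at the given threshold."""
    malware = [d for d, bad in SAMPLES.items() if bad]
    rates = {
        name: sum(scan_with_engine(name, d) for d in malware) / len(malware)
        for name in ENGINE_SIGNATURES
    }
    service = CloudScanService(list(ENGINE_SIGNATURES), threshold=threshold)
    rates["combined"] = sum(service.classify(d)[0] for d in malware) / len(malware)
    return rates


if __name__ == "__main__":
    svc = CloudScanService(list(ENGINE_SIGNATURES))
    agent = ClientAgent(svc)
    for data in SAMPLES:
        verdict = "MALICIOUS" if agent.check_file(data) else "clean"
        print(f"{data[:30]!r:36} -> {verdict}")
    print("uploads on first pass:", agent.uploads)
    print("threshold 1:", detection_rates(1))
    print("threshold 2:", detection_rates(2))
```

With the constructed corpus each engine alone catches half the samples while the combined service at threshold 1 catches all of them; raising the threshold to 2 trades detection back down to half in exchange for requiring agreement between engines, which is the knob a deployment would use to limit false positives from any single vendor.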
“Attackers have a leg up in the arms race as far as malware goes,” says John Oberheide, a doctoral student working on the CloudAV project. “But when you combine the capability of all members of the security software community, you can make up for the weaknesses.”
The so-called “window of exposure” – or amount of time users are susceptible to new malware threats – is a challenge security vendors are always trying to address, says Shiva Mandalam, director of marketing at McAfee Avert Labs.
“From the time researchers discover malware, to the time [the antidote] is pushed up to the desktop, there is definitely risk of exposure,” Mandalam says. McAfee software, he says, attempts to reduce this risk.
McAfee’s Site Advisor service looks at possible malicious behaviour on Web pages visited by its users. If anything is suspicious, users are warned with a toolbar on their browser to exercise caution.
Overall, McAfee is open to a cloud-computing approach to anti-virus service, Mandalam says. The vendor’s Total Protection service even combines server-side protection with client-side protection to help filter out malware and spam.
“We believe there’s a lot that can be done in the cloud,” he says. “But there are a lot of threats going around and we believe you need a combination of both. There needs to be an agent that resides on the desktop as well.”
For example, even when a client is disconnected from the network, you would still require protection against malware potentially introduced into the machine via USB flash drives, Mandalam adds.
CloudAV researchers are optimistic their product will work well with mobile devices.
“We’re expecting attacks on mobile devices to grow over time,” Jahanian says. “But these devices are constrained for power and resources, so the idea of running heavyweight security software is a difficult concept.”
Portable media has been identified by Symantec as a point of concern for digital security in the near future. External storage devices – which are experiencing rapid and widespread growth – could constitute another attack channel, the vendor’s latest Internet Security Threat Report says.
One example of malware being spread by a portable device is the Fujacks worm. It was found on a media player manufactured in China and then imported by a Dutch company.
Because the CloudAV host-based client is lightweight, and the actual processing is done in the cloud, it could go easy on mobile device resources while providing good security.
A test done on Nokia’s Emo system shows it places less of a burden on power consumption than other mobile security products, according to Oberheide.
It also offers better security than other offerings on the market, including McAfee’s and Kaspersky’s products, the doctoral student adds.
“Those programs only protect against a small number of viruses right now,” he says. “We can scale up our protection, without scaling up the resources needed on a device.”
CloudAV protected the Nokia device from more than 5 million virus signatures, compared to the several hundred guarded against by the other products, Oberheide adds.
McAfee’s Mandalam can’t disagree that a cloud approach to anti-virus makes sense.
“For mobile, you’re pretty much always connected to your service providers,” he says. “I see the value there.”
For now the CloudAV service isn’t being considered for commercial use, Jahanian says. It’s purely a research activity.
But the service has been deployed on the Michigan campus. Other universities and some enterprises have expressed interest in it, but there are many licensing issues to work out since CloudAV can use the engines of multiple vendors.
For McAfee, partnering with other vendors to provide a cloud-based service would depend on the details of the plan, Mandalam says. But there’s already a basis for collaboration through the security research community.
Having multiple engines might have its merits, he adds.
“No engine catches everything itself, or covers the entire malware world.”