The term cloud computing is something most of IT hears all the time. Recently, security is moving to the cloud as well, with various vendors offering hosted solutions. At the 17th USENIX Symposium earlier this month, researchers from the University of Michigan released a new approach to anti-Virus protection. They call it CloudAV.
CloudAV offers promise for cloud based security. (IMG:J.Anderson)
Cloud computing, or hosting critical infrastructure components offsite, often in the hands of a third party, is pitched as a way to offer better management and lower IT costs. There is still debate over whether letting critical systems reside off the network is worth trading security and QoS (Quality of Service) for a lower price. Most administrators still prefer hands-on, direct contact with their infrastructure. While sending business automation to the cloud is becoming increasingly common, security in the cloud is only just now emerging.
The researchers, Farnam Jahanian, along with doctoral candidate Jon Oberheide and postdoctoral fellow Evan Cooke (both in the Department of Electrical Engineering and Computer Science at the University of Michigan), evaluated twelve traditional anti-Virus programs against 7,220 malware samples, including viruses collected over a year, and came up with something unique when it comes to cloud security.
CloudAV moves anti-Virus functionality into the network cloud and addresses the “fundamental limitations” of traditional host-based antivirus. In their paper, the researchers point out that anti-Virus software from vendors including Symantec, McAfee, and Trend Micro is increasingly ineffective at protecting hosts against modern malicious threats. The report details detection rates as low as thirty-five percent against recent malware. It also points out an average window of vulnerability exceeding forty-eight days, and a concerning number of severe vulnerabilities in the anti-Virus engines themselves.
Traditional anti-Virus software that resides on a personal computer checks documents and programs as they are accessed. Because of performance constraints and program incompatibilities, only one antivirus detector is typically used at a time. CloudAV, however, can support a large number of malicious software detectors that act in parallel to analyze a single incoming file. Each detector operates in its own virtual machine, so the technical incompatibilities and security issues are resolved, Oberheide said.
The vendors tested were Avast, AVG, BitDefender, ClamAV, CWSandbox, F-Prot, F-Secure, Kaspersky, McAfee, Norman Sandbox, Symantec and Trend Micro. Interestingly, the research shows that using all of these vendors together offered coverage of ninety-four percent overall. However, as the paper notes, most of the products are commercial, so licensing becomes a serious strain: the cost of the licenses would cause some IT shops to balk at reproducing the CloudAV test, and the paper points this out.
The Tech Herald asked doctoral candidate Jon Oberheide to address the test results, which offered a 94.4% effectiveness rate using the commercial software, and to explain whether IT can perform the same tests in-house (using Open Source software as well as what was already purchased). Notably, using only four Open Source AV packages, the coverage rate is almost identical at ninety-four percent.
“The issue of licensing brings up several interesting points that we briefly discuss in the paper. Of course, using twelve engines together is unlikely for a common organization due to licensing costs, but it does raise interesting questions related to price/performance and ROSI (return on security investment). Perhaps obtaining a site-wide license from another vendor for your organization will indeed result in a positive ROSI. The key here is that you're no longer stuck with the limitations of a single vendor; you now have the flexibility to increase your protection if you so desire. And, as you already mentioned, combining free anti-Virus engines with each other or with an already licensed one can lead to significant increases in detection coverage,” Oberheide said.
He added, “A major advantage of the CloudAV architecture is that it puts the power back in the hands of the IT and security administrators. Want to switch from a particular vendor because its detection coverage is poor? With CloudAV, a new anti-Virus engine can be swapped into the system in a matter of minutes, seamlessly and completely transparent to all the end hosts participating in the service. This ability allows organizations to break free of vendor lock-in with regards to their security software and has strong implications for the current business model of traditional anti-Virus vendors. Have an anti-Virus false positive that you're sure is a legitimate application? Instead of contacting the AV vendor, sending them the sample, and waiting for a fixed signature set to be pushed to you, you can simply whitelist the application for your entire network through the management interface.”
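The two ideas above, many detectors running in parallel on one file with their verdicts aggregated centrally (the parallel-engine design from the paragraph on how CloudAV differs from host-based scanners), and an administrator swapping engines or whitelisting a false positive without touching end hosts (Oberheide's remarks), can be modelled in a few dozen lines. The following is an added illustration written for this article, not code from the CloudAV project. The engines, the malware corpus and the "signature sets" are all constructed stand-ins: each hypothetical engine simply matches SHA-256 hashes from its own incomplete list, which is enough to show why a union of several mediocre detectors covers more than any one of them, and how a whitelist and a vote threshold change the outcome.

```python
"""Toy model of the CloudAV architecture (added example, not the project's code):
many detectors scan one file in parallel, the service aggregates the votes, and
the administrator can add/remove engines or whitelist a file centrally."""
import hashlib
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Set

# --- constructed sample corpus: byte strings standing in for real files -------
MALWARE: Dict[str, bytes] = {
    "dropper.exe": b"CONSTRUCTED-SAMPLE-1",
    "macro.doc":   b"CONSTRUCTED-SAMPLE-2",
    "packed.bin":  b"CONSTRUCTED-SAMPLE-3",
    "worm.scr":    b"CONSTRUCTED-SAMPLE-4",   # no engine below knows this one
}
BENIGN: Dict[str, bytes] = {"payroll.exe": b"CONSTRUCTED-BENIGN-1"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_engine(name: str, known: Set[str]) -> Callable[[bytes], bool]:
    """Hypothetical signature-based engine: flags a file iff its hash is in the
    engine's own (incomplete) signature set.  A real engine would be a separate
    process or VM; here it is just a function the service calls."""
    def scan(data: bytes) -> bool:
        return sha256(data) in known
    scan.__name__ = name
    return scan


# Three constructed engines with partially overlapping, incomplete coverage.
# engine_b also carries a false positive on the benign payroll binary.
ENGINES: Dict[str, Callable[[bytes], bool]] = {
    "engine_a": signature_engine("engine_a", {sha256(MALWARE["dropper.exe"]),
                                              sha256(MALWARE["macro.doc"])}),
    "engine_b": signature_engine("engine_b", {sha256(MALWARE["macro.doc"]),
                                              sha256(MALWARE["packed.bin"]),
                                              sha256(BENIGN["payroll.exe"])}),
    "engine_c": signature_engine("engine_c", {sha256(MALWARE["dropper.exe"])}),
}


class CloudAVService:
    """Central service: fans one file out to every engine, aggregates verdicts."""

    def __init__(self, engines: Dict[str, Callable[[bytes], bool]], min_votes: int = 1):
        self.engines = dict(engines)      # engines can be swapped at runtime
        self.min_votes = min_votes        # how many engines must agree
        self.whitelist: Set[str] = set()  # hashes the admin has cleared network-wide

    def add_engine(self, name: str, fn: Callable[[bytes], bool]) -> None:
        self.engines[name] = fn

    def remove_engine(self, name: str) -> None:
        self.engines.pop(name, None)

    def whitelist_add(self, data: bytes) -> None:
        """Clear a known false positive for every host, no vendor round-trip."""
        self.whitelist.add(sha256(data))

    def scan(self, data: bytes) -> dict:
        digest = sha256(data)
        if digest in self.whitelist:
            return {"verdict": "clean", "reason": "whitelisted", "votes": {}, "hits": 0}
        # Run every engine concurrently on the same bytes, then collect verdicts.
        with ThreadPoolExecutor(max_workers=len(self.engines) or 1) as pool:
            futures = {name: pool.submit(fn, data) for name, fn in self.engines.items()}
            votes = {name: fut.result() for name, fut in futures.items()}
        hits = sum(votes.values())
        verdict = "malicious" if hits >= self.min_votes else "clean"
        return {"verdict": verdict, "votes": votes, "hits": hits}

    def coverage(self, corpus: Dict[str, bytes]) -> float:
        """Fraction of corpus samples the aggregate verdict flags as malicious."""
        flagged = sum(1 for d in corpus.values() if self.scan(d)["verdict"] == "malicious")
        return flagged / len(corpus)


def per_engine_coverage(engines: Dict[str, Callable[[bytes], bool]],
                        corpus: Dict[str, bytes]) -> Dict[str, float]:
    """Detection rate of each engine on its own, for comparison with the union."""
    return {name: sum(1 for d in corpus.values() if fn(d)) / len(corpus)
            for name, fn in engines.items()}


if __name__ == "__main__":
    svc = CloudAVService(ENGINES)
    print("per engine:", per_engine_coverage(ENGINES, MALWARE))
    print("combined:  ", svc.coverage(MALWARE))
    print("payroll.exe before whitelist:", svc.scan(BENIGN["payroll.exe"])["verdict"])
    svc.whitelist_add(BENIGN["payroll.exe"])
    print("payroll.exe after whitelist: ", svc.scan(BENIGN["payroll.exe"])["verdict"])
```

With the constructed data no single engine exceeds 50% coverage, yet their union reaches 75%; the only sample that escapes is the one no engine knows. Raising `min_votes` to 2 trades coverage for fewer single-engine false positives, which is the kind of policy choice the paper leaves to the administrator, and the whitelist shows why a central service can fix a false positive for the whole network in one step.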
The scope of CloudAV is not limited to desktops, however; the researchers see it being used with mobile devices such as phones and PDAs as well.
The research website contains the research and the USENIX presentation. Visit it at http://www.eecs.umich.edu/fjgroup/cloudav/