Intelligent Machines

Moving Security to the Cloud

Combining scanning approaches could keep PCs safe from viruses.

Most people know better than to connect a computer to the Internet without first installing up-to-date antivirus software. But even the best software protection won’t catch every new virus, and performing a thorough system scan can require plenty of processor power, slowing some computers to a crawl.

New research from the University of Michigan suggests that computers could be better protected from viruses without sacrificing performance if antivirus software were moved from the PC to “the cloud”–a collection of servers that work seamlessly as one powerful machine. Using this approach, researchers found that they could detect 35 percent more recent viruses than a single antivirus program (88 percent compared with 73 percent). Moreover, using the distributed software, called Cloud AV, they caught 98 percent of all malicious software, compared with 83 percent, on average, for a single antivirus solution.

“We were concerned about the fact that the detection coverage of antivirus software from most popular vendors was poor,” says Farnam Jahanian, a professor of computer science and engineering at the University of Michigan. If a single PC could use a combination of antivirus services, Jahanian says, security could be improved, but this would be a huge drain on resources. “We can run multiple programs, in parallel, and by doing that we’re moving the antivirus functionality into the network cloud and addressing the limitations of antivirus services that reside only on the personal computer,” he adds.

Jahanian and his colleague Jon Oberheide started by scanning 10,000 malware samples collected over the past year using several different antivirus programs. Oberheide notes that each program had its own strengths and weaknesses and that malware missed by one program would often be caught by another. So, to make the most of each program, the researchers installed 12 different antivirus programs on servers running the University of Michigan’s College of Engineering network. Volunteers also installed a small piece of software on their computer to detect the arrival of any new file, whether that was an e-mail attachment or a downloaded program.

New files are converted into a unique string of characters, or a “hash,” of less than 100 bytes, which is sent to Cloud AV for analysis. If a file can’t be identified, it is sent in its entirety for full analysis. Other files can be identified as either safe or a threat based on hashes stored in a database maintained by Cloud AV.

In addition to employing several antivirus services in parallel, Cloud AV makes use of information received from multiple users. Whereas ordinary antivirus software simply looks at the files and activity on one machine, Cloud AV can compare the files on thousands of machines. Catching a virus on one system automatically protects any other machine connected to Cloud AV from the same threat.

“We’re able to do something that’s impossible to do when you run antivirus software only on your desktop,” says Jahanian. This network effect also helps keep bandwidth requirements low because once Cloud AV has analyzed one particular spreadsheet, it doesn’t need to scan the entire file again when it arrives on someone else’s computer.

“Sometimes the best ideas are simple ideas,” says Wenke Lee, a professor at the College of Computing at the Georgia Institute of Technology. Lee adds that the research provides a realistic scenario. “A lot of papers are written using synthetic data or small-scale network traffic, but this work is an actual demonstration of the system’s capabilities,” he says.

Although other companies offer server-side antivirus services, these only use one detection system and can only analyze files being sent across the network. Google provides a similar scanning service, called Google Message Security, for companies that use its Web-based applications. “We very much agree that putting these types of solutions in the cloud makes a lot of sense, given the way that they evolve, morph, and mutate,” says Adam Swidler, head of Google applications security.

But it’s still unclear whether a network-based solution like Cloud AV could be deployed very widely. “If you start putting billions of messages through this process, some questions of scalability arise,” says Swidler.

Another issue is privacy, since such a system logs every file that comes in and out of a computer. This is one more question that has yet to be answered. “When you talk about cloud-computer and data security, you’ve got to be sure, based on the terms of service, that the data is going to be provided to the customer [when he or she wants it] and made secure,” says Swidler.