Ragib Hasan, Johns Hopkins University, en.600.412 Spring 2011, Lecture 10, 04/18/2011: Security and Privacy in Cloud Computing

Page 1: Security and Privacy in Cloud Computing

Ragib Hasan, Johns Hopkins University, en.600.412 Spring 2011

Lecture 10, 04/18/2011

Page 2

en.600.412 Spring 2011 Lecture 10 | JHU | Ragib Hasan

Malware and Clouds

• Goal: To explore how clouds can be used in malware detection, and how malware can use clouds.

• Review Assignment #9:
  – CloudAV: N-Version Antivirus in the Network Cloud, USENIX Security, 2008.

4/18/2011

Page 3

Cloud-AV: Putting the Antivirus on Clouds

Main premise:
  – Executable analysis currently provided by host-based antivirus software can be more efficiently and effectively provided as an in-cloud network service.
  – In other words: Anti-Virus-as-a-Service

Page 4

Problems with host-based Anti-Virus

• Vulnerability window:
  – There is a significant vulnerability window between when a threat first appears and when antivirus vendors generate a signature.

• Undetected malware:
  – A substantial percentage of malware is never detected by antivirus software.

• Vulnerable Anti-Virus:
  – Malware is actually using vulnerabilities in antivirus software itself as a means to infect systems.

Page 5

Solution Approach

• Antivirus as a network service:
  – Run the Anti-Virus on a cloud, while running a lightweight agent on user machines.

• N-version protection:
  – Run multiple versions/vendors of Anti-Virus scanners on the cloud to ensure better detection.

Page 6

N-version programming

Idea: Generate multiple functionally equivalent programs independently (by different teams) from the same initial specifications.
  – Goal: Reduce the possibility of bugs.

N-version protection:
  – Run multiple scanners in parallel, to increase the detection rate.

Page 7

Advantages of cloud based anti-Virus

• Better detection of malicious software
• Enhanced forensics capabilities
• Retrospective detection
• Improved deployability and management
• No vendor lock-in: the service is vendor agnostic

Page 8

System Architecture

3 major components:
  1. a lightweight host agent run on end hosts;
  2. a network service that receives files from hosts and identifies malicious or unwanted content; and
  3. an archival and forensics service that stores information about analyzed files and provides a management interface for operators.

Page 9

Host agent

• A lightweight process running on the host
  – Can be implemented on Windows, Mac, and Linux clients

• Tasks:
  – Capture accesses to executable files,
  – hash files to extract a unique ID,
  – check the ID against local black/white lists,
  – send unknown executable files to the network cloud service

Page 10

Network service

• Consists of multiple Anti-Virus scanners and behavioral analysis tools
  – Behavioral analysis tools attempt to detect anomalies by analyzing app behavior in a sandbox

• Combines scan results from multiple tools and sends a report to the host agent
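The host agent workflow (hash, consult local lists, forward unknown files) and the N-version network service (collect per-engine verdicts, combine them) from the two slides above, as an added Python sketch written for this page; it is not code from the CloudAV paper or from the lecture. The engine verdict tables, the sample file bytes and the vote threshold are all constructed assumptions; it also shows what the agent can and cannot do without connectivity.

```python
import hashlib


def file_id(data: bytes) -> str:
    """Unique ID the host agent computes for an executable (SHA-256 assumed)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample executables (not real malware, just labelled bytes).
SAMPLE_MALWARE = b"constructed sample standing in for a malicious executable"
SAMPLE_BENIGN = b"constructed sample standing in for a benign executable"

# Constructed verdict tables standing in for N independent engines in the cloud.
# engine_c has no signature for either file and therefore reports "unknown".
ENGINES = {
    "engine_a": {file_id(SAMPLE_MALWARE): "malicious"},
    "engine_b": {file_id(SAMPLE_MALWARE): "malicious", file_id(SAMPLE_BENIGN): "clean"},
    "engine_c": {},
}


def network_service(fid: str, engines=ENGINES, threshold=1):
    """N-version protection: query every engine in parallel (sequentially here),
    then flag the file if at least `threshold` engines call it malicious."""
    verdicts = {name: table.get(fid, "unknown") for name, table in engines.items()}
    malicious_votes = sum(v == "malicious" for v in verdicts.values())
    return ("malicious" if malicious_votes >= threshold else "clean", verdicts)


class HostAgent:
    """Lightweight agent: local black/white lists first, cloud only for unknowns."""

    def __init__(self, online=True):
        self.blocklist, self.allowlist, self.online = set(), set(), online

    def on_execute(self, data: bytes) -> str:
        fid = file_id(data)
        if fid in self.blocklist:
            return "block"
        if fid in self.allowlist:
            return "allow"
        if not self.online:
            # Disconnected operation: a file never seen before cannot be verified.
            return "allow-unverified"
        verdict, _report = network_service(fid)
        (self.blocklist if verdict == "malicious" else self.allowlist).add(fid)
        return "block" if verdict == "malicious" else "allow"
```

Cached verdicts keep working offline, which is exactly why the local lists matter; raising the threshold trades missed detections for fewer single-engine false positives.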

Page 11

Forensic storage service

• Stores information about scan logs and hosts
• Can assist in forensic analysis and retroactive scans

Page 12

Challenges

• Network latency:
  – Unlike existing antivirus software, files must be transported into the network for analysis;

• Analysis scheme:
  – An efficient analysis system must be constructed to handle the analysis of files from many different hosts using many different detection engines in parallel; and

• Comparison with local scanners:
  – The performance of the system must be similar to or better than existing detection systems such as antivirus software.

Page 13

Evaluations: Performance of multiple Anti-Virus engines


Page 14

Disadvantages

Disconnected operation:
  – Host agent can’t detect new malicious files without network connectivity

Lack of context:
  – Scanners do not have access to the large local context

Handling new malware:
  – Difficult to detect non-executable malware (e.g., malicious Word documents)

Page 15

Discussion

• What other services can be run on a cloud?


Page 16

Using Clouds for Malware

• Clouds can be used by malicious parties
• Misuse can include:
  – Cloud based botnets
  – Cloud based spammers
  – Cloud based cracking services
• WPACracker.com
  – Claims to break WPA passwords for $17 in under 20 minutes, using a cloud

Page 17

Discussion

• Is it realistic / feasible for a spammer to use a cloud?
