Locality-preserving hashing in multidimensional spaces
STOC '97 Proceedings of the twenty-ninth annual ACM symposium on Theory of computing
BASE: using abstraction to improve fault tolerance
SOSP '01 Proceedings of the eighteenth ACM symposium on Operating systems principles
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
ReVirt: enabling intrusion analysis through virtual-machine logging and replay
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Exploiting underlying structure for detailed reconstruction of an internet-scale event
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
The N-Version Approach to Fault-Tolerant Software
IEEE Transactions on Software Engineering
Rethinking antivirus: executable analysis in the network cloud
HOTSEC'07 Proceedings of the 2nd USENIX workshop on Hot topics in security
SpyProxy: execution-based detection of malicious web content
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
An email worm vaccine architecture
ISPEC'05 Proceedings of the First international conference on Information Security Practice and Experience
The nepenthes platform: an efficient approach to collect malware
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Monitoring smartphones for anomaly detection
Mobile Networks and Applications
Leveraging complexity in software for cybersecurity
Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies
Malware detection using statistical analysis of byte-level file content
Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics
Virtualized in-cloud security services for mobile devices
Proceedings of the First Workshop on Virtualization in Mobile Computing
A Framework for Behavior-Based Malware Analysis in the Cloud
ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
Server-side detection of malware infection
NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
Proceedings of the Eleventh Workshop on Mobile Computing Systems & Applications
Static analysis of executables for collaborative malware detection on android
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
Evaluating security products with clinical trials
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
Implicit authentication for mobile devices
HotSec'09 Proceedings of the 4th USENIX conference on Hot topics in security
SplitScreen: enabling efficient, distributed malware detection
NSDI'10 Proceedings of the 7th USENIX conference on Networked systems design and implementation
Behavioral clustering of HTTP-based malware and signature generation using malicious network traces
NSDI'10 Proceedings of the 7th USENIX conference on Networked systems design and implementation
PolyPack: an automated online packing service for optimal antivirus evasion
WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
BLADE: an attack-agnostic approach for preventing drive-by malware infections
Proceedings of the 17th ACM conference on Computer and communications security
Authentication in the clouds: a framework and its application to mobile users
Proceedings of the 2010 ACM workshop on Cloud computing security workshop
CANVuS: context-aware network vulnerability scanning
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Ethical proactive threat research
FC'10 Proceedings of the 14th international conference on Financial cryptograpy and data security
Paranoid Android: versatile protection for smartphones
Proceedings of the 26th Annual Computer Security Applications Conference
Vision: automated security validation of mobile apps at app markets
MCS '11 Proceedings of the second international workshop on Mobile cloud computing and services
SECaaS: security as a service for cloud-based applications
Proceedings of the Second Kuwait Conference on e-Services and e-Systems
SMURFEN: a system framework for rule sharing collaborative intrusion detection
Proceedings of the 7th International Conference on Network and Services Management
IceShield: detection and mitigation of malicious websites with a frozen DOM
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
SP 800-144. Guidelines on Security and Privacy in Public Cloud Computing
SP 800-144. Guidelines on Security and Privacy in Public Cloud Computing
A system for the proactive, continuous, and efficient collection of digital forensic evidence
Digital Investigation: The International Journal of Digital Forensics & Incident Response
MalPEFinder: fast and retrospective assessment of data breaches in malware attacks
Security and Communication Networks
Communications of the ACM
Improving malware classification: bridging the static/dynamic gap
Proceedings of the 5th ACM workshop on Security and artificial intelligence
Babel: a secure computer is a polyglot
Proceedings of the 2012 ACM Workshop on Cloud computing security workshop
Security add-ons for mobile platforms
NordSec'12 Proceedings of the 17th Nordic conference on Secure IT Systems
ThinAV: truly lightweight mobile cloud-based anti-malware
Proceedings of the 28th Annual Computer Security Applications Conference
CodeShield: towards personalized application whitelisting
Proceedings of the 28th Annual Computer Security Applications Conference
Scalable fine-grained behavioral clustering of HTTP-based malware
Computer Networks: The International Journal of Computer and Telecommunications Networking
ADAM: an automatic and extensible platform to stress test android anti-virus systems
DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Survey and taxonomy of botnet research through life-cycle
ACM Computing Surveys (CSUR)
PREC: practical root exploit containment for android devices
Proceedings of the 4th ACM conference on Data and application security and privacy
| Hi-index | 0.02 |
Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. This paper advocates a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term 'N-version protection'. This approach provides several important benefits including better detection of malicious software, enhanced forensics capabilities, retrospective detection, and improved deployability and management. To explore this idea we construct and deploy a production quality in-cloud antivirus system called CloudAV. CloudAV includes a lightweight, cross-platform host agent and a network service with ten antivirus engines and two behavioral detection engines. We evaluate the performance, scalability, and efficacy of the system using data from a real-world deployment lasting more than six months and a database of 7220 malware samples covering a one year period. Using this dataset we find that CloudAV provides 35% better detection coverage against recent threats compared to a single antivirus engine and a 98% detection rate across the full dataset. We show that the average length of time to detect new threats by an antivirus engine is 48 days and that retrospective detection can greatly minimize the impact of this delay. Finally, we relate two case studies demonstrating how the forensics capabilities of CloudAV were used by operators during the deployment.