Tuesday, August 26, 2008

Moving Security to the Cloud

Combining scanning approaches could keep PCs safe from viruses.

By Kate Greene

Credit: Technology Review

Most people know better than to connect a computer to the Internet without first installing up-to-date antivirus software. But even the best software protection won't catch every new virus, and performing a thorough system scan can require plenty of processor power, slowing some computers to a crawl.

New research from the University of Michigan suggests that computers could be better protected from viruses without sacrificing performance if antivirus software were moved from the PC to "the cloud"--a collection of servers that work seamlessly as one powerful machine. Using this approach, researchers found that they could detect 35 percent more recent viruses than a single antivirus program (88 percent compared with 73 percent). Moreover, using the distributed software, called Cloud AV, they caught 98 percent of all malicious software, compared with 83 percent, on average, for a single antivirus solution.

"We were concerned about the fact that the detection coverage of antivirus software from most popular vendors was poor," says Farnam Jahanian, a professor of computer science and engineering at the University of Michigan. If a single PC could use a combination of antivirus services, Jahanian says, security could be improved, but this would be a huge drain on resources. "We can run multiple programs, in parallel, and by doing that we're moving the antivirus functionality into the network cloud and addressing the limitations of antivirus services that reside only on the personal computer," he adds.

Jahanian and his colleague Jon Oberheide started by scanning 10,000 malware samples collected over the past year using several different antivirus programs. Oberheide notes that each program had its own strengths and weaknesses and that malware missed by one program would often be caught by another. So, to make the most of each program, the researchers installed 12 different antivirus programs on servers running the University of Michigan's College of Engineering network. Volunteers also installed a small piece of software on their computer to detect the arrival of any new file, whether that was an e-mail attachment or a downloaded program.

New files are converted into a unique string of characters, or a "hash," of less than 100 bytes, which is sent to Cloud AV for analysis. If a file can't be identified, it is sent in its entirety for full analysis. Other files can be identified as either safe or a threat based on hashes stored in a database maintained by Cloud AV.