Ragib Hasan, Johns Hopkins University, en.600.412 Spring 2011, Lecture 10, 04/18/2011: Security and Privacy in Cloud Computing

Security and Privacy in Cloud Computing

Feb 25, 2016

Page 1: Security and Privacy in Cloud Computing

Ragib Hasan
Johns Hopkins University
en.600.412 Spring 2011

Lecture 10
04/18/2011

Security and Privacy in Cloud Computing

Page 2: Security and Privacy in Cloud Computing

en.600.412 Spring 2011 Lecture 10 | JHU | Ragib Hasan 2

Malware and Clouds

• Goal: To explore how clouds can be used in malware detection, and how malware can use clouds.
• Review Assignment #9:
  – CloudAV: N-Version Antivirus in the Network Cloud, USENIX Security, 2008.

4/18/2011

Page 3: Security and Privacy in Cloud Computing

Cloud-AV: Putting the Antivirus on Clouds

Main premise:
  – Executable analysis currently provided by host-based antivirus software can be more efficiently and effectively provided as an in-cloud network service.
  – Or
  – Anti-Virus-as-a-service

Page 4: Security and Privacy in Cloud Computing

Problems with host-based Anti-Virus

• Vulnerability window:
  – There is a significant vulnerability window between when a threat first appears and when antivirus vendors generate a signature.
• Undetected malware:
  – A substantial percentage of malware is never detected by antivirus software
• Vulnerable Anti-Virus:
  – Malware is actually using vulnerabilities in antivirus software itself as a means to infect systems

Page 5: Security and Privacy in Cloud Computing

Solution Approach

• Antivirus as a network service:
  – Run the Anti-Virus on a cloud, while running a lightweight agent on user machines
• N-version protection:
  – Run multiple versions/vendors of Anti-Virus scanners on the cloud to ensure better detection

Page 6: Security and Privacy in Cloud Computing

N-version programming

Idea: Generate multiple functionally equivalent programs independently (by different teams) from the same initial specifications
  – Goal: Reduce possibility of bugs

N-version protection:
  – Run multiple scanners in parallel, to increase detection rate

Page 7: Security and Privacy in Cloud Computing

Advantages of cloud-based Anti-Virus

• Better detection of malicious software
• Enhanced forensics capabilities
• Retrospective detection
• Improved deployability and management
• No vendor lock-in … service is vendor agnostic

Page 8: Security and Privacy in Cloud Computing

System Architecture

3 major components:
1. a lightweight host agent run on end hosts;
2. a network service that receives files from hosts and identifies malicious or unwanted content; and
3. an archival and forensics service that stores information about analyzed files and provides a management interface for operators.

Page 9: Security and Privacy in Cloud Computing

Host agent

• A lightweight process running on the host
  – Can be implemented on Windows, Mac, Linux clients
• Tasks:
  – Capture accesses to executable files,
  – hash files to extract a unique ID,
  – check the ID against local black/white lists,
  – send unknown executable files to the network cloud service

Page 10: Security and Privacy in Cloud Computing

Network service

• Consists of multiple Anti-Virus scanners and behavioral analysis tools
  – Behavioral analysis tools attempt to detect anomalies by analyzing app behavior in a sandbox
• Combines scan results from multiple tools and sends a report to the host agent

Page 11: Security and Privacy in Cloud Computing

Forensic storage service

• Stores information about scan logs, hosts
• Can assist in forensic analysis and retroactive scans
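An added sketch (not from the lecture or the CloudAV paper) of the flow on the three preceding slides: the host agent hashes a file and checks its local lists, the network service merges verdicts from several engines, and the archive supports a retroactive scan when a new engine arrives. SHA-256, the one-hit threshold, and every engine and sample name are assumptions.

```python
import hashlib

def file_id(data: bytes) -> str:
    # Unique ID = content hash (SHA-256 is an assumption; the slides name no algorithm)
    return hashlib.sha256(data).hexdigest()

class NetworkService:
    """In-cloud service: runs every engine on a file and merges the verdicts."""
    def __init__(self, engines, threshold=1):
        self.engines = dict(engines)   # name -> callable(bytes) -> bool
        self.threshold = threshold     # engines that must agree (assumed policy)
        self.archive = {}              # forensic store: file ID -> (data, report)

    def analyze(self, data: bytes) -> dict:
        hits = sorted(n for n, scan in self.engines.items() if scan(data))
        report = {"id": file_id(data), "hits": hits,
                  "malicious": len(hits) >= self.threshold}
        self.archive[report["id"]] = (data, report)
        return report

    def add_engine(self, name, scan) -> list:
        """Retroactive scan: re-check archived files, return newly flagged IDs."""
        self.engines[name] = scan
        newly = []
        for fid, (data, old) in list(self.archive.items()):
            if not old["malicious"] and self.analyze(data)["malicious"]:
                newly.append(fid)
        return newly

class HostAgent:
    """Lightweight agent: hash, check local lists, upload only unknown files."""
    def __init__(self, service):
        self.service, self.uploads = service, 0
        self.whitelist, self.blacklist = set(), set()

    def allow_exec(self, data: bytes) -> bool:
        fid = file_id(data)
        if fid in self.whitelist:
            return True
        if fid in self.blacklist:
            return False
        self.uploads += 1              # unknown file: send to the network service
        bad = self.service.analyze(data)["malicious"]
        (self.blacklist if bad else self.whitelist).add(fid)
        return not bad

# Constructed toy engines and samples; real engines would be vendor scanners.
ENGINES = {"sig_a": lambda d: b"MARK_A" in d, "sig_b": lambda d: b"MARK_B" in d}
CLEAN, BAD_B, LATE = b"hello", b"xx MARK_B xx", b"xx MARK_C xx"
```

A file the retroactive scan newly flags may still sit in a host agent's local whitelist, so the IDs returned by `add_engine` are the ones an operator would push back to hosts.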

Page 12: Security and Privacy in Cloud Computing

Challenges

• Network latency:
  – unlike existing antivirus software, files must be transported into the network for analysis;
• Analysis scheme:
  – an efficient analysis system must be constructed to handle the analysis of files from many different hosts using many different detection engines in parallel; and
• Comparison with local scanners:
  – the performance of the system must be similar to or better than existing detection systems such as antivirus software.

Page 13: Security and Privacy in Cloud Computing

Evaluations: Performance of multiple Anti-Virus engines

Page 14: Security and Privacy in Cloud Computing

Disadvantages

Disconnected operation:
  – Host agent can't detect new malicious files without network connectivity
Lack of context:
  – Scanners do not have access to large local context
Handling new malware:
  – Difficult to detect non-executable malware (e.g., malicious Word documents)

Page 15: Security and Privacy in Cloud Computing

Discussion

• What other services can be run on a cloud?

Page 16: Security and Privacy in Cloud Computing

Using Clouds for Malware

• Clouds can be used by malicious parties
• Misuse can include:
  – Cloud based botnets
  – Cloud based spammers
  – Cloud based cracking services
• WPACracker.com – Claims to break WPA passwords for $17 in under 20 minutes, using a cloud

Page 17: Security and Privacy in Cloud Computing

Discussion

• Is it realistic / feasible for a spammer to use a cloud?