Proceedings Article, DOI: 10.1109/ICACCCT.2016.7831709

Cache implementation using collective intelligence on cloud based antivirus architecture

01 May 2016, pp. 593-595
Abstract: Antivirus is most widely used to detect and stop malware and other unwanted files. Cloud antivirus is a malware detector architecture where virus definitions and other behaviors of suspicious files are analyzed on the cloud and controlled by a lightweight agent on the client system. We suggest using a two-way caching scheme where a local cache is stored on the client system and a cloud cache is present on the network cloud, where we store virus definitions and behaviors according to collective intelligence techniques. The local cache is used to detect viruses and other malware files while offline, and the cloud cache uses artificial intelligence techniques across the whole client base to obtain the most susceptible and prone virus and malware definitions, thus increasing the optimality of the virus definition search and hence the speed of the whole process.


Topics: Cryptovirology (60%), Malware (57%), Cloud computing (53%)
Citations

Open access, Posted Content
Abstract: Machine Learning (ML) has been widely applied to cybersecurity, and is currently considered state-of-the-art for solving many of the field's open issues. However, it is very difficult to evaluate how good the produced solutions are, since the challenges faced in security may not appear in other areas (at least not in the same way). One of these challenges is the concept drift, that actually creates an arms race between attackers and defenders, given that any attacker may create novel, different threats as time goes by (to overcome defense solutions) and this "evolution" is not always considered in many works. Due to this type of issue, it is fundamental to know how to correctly build and evaluate a ML-based security solution. In this work, we list, detail, and discuss some of the challenges of applying ML to cybersecurity, including concept drift, concept evolution, delayed labels, and adversarial machine learning. We also show how existing solutions fail and, in some cases, we propose possible solutions to fix them.


2 Citations


Journal Article, DOI: 10.1016/J.FSIDI.2021.301220
01 Sep 2021
Abstract: An everyday growing number of malware variants target end-users and organizations. To reduce the amount of individual malware handling, security analysts apply techniques for finding similarities to cluster samples. A popular clustering method relies on similarity hashing functions, which create short representations of files and compare them to produce a score related to the similarity level between them. Despite the popularity of those functions, the limits of their application to malware samples have not been extensively studied so far. To help in bridging this gap, we performed a set of experiments to characterize the application of these functions on long-term, realistic malware analysis scenarios. To do so, we introduce SHAVE, an ideal model of a similarity hashing-based antivirus engine. The evaluation of SHAVE consisted of applying two distinct hash functions (ssdeep and sdhash) to a dataset of 21 thousand actual malware samples collected over four years. We characterized this dataset based on the performed clustering, and discovered that: (i) smaller groups are more prevalent than large ones; (ii) the threshold value chosen may significantly change the conclusions about the prevalence of similar samples in a given dataset; (iii) establishing a ground truth for similarity hashing function comparison has its issues, since the clusters originating from traditional AV labeling routines may result from a completely distinct approach; (iv) the application of similarity hashing functions improves traditional AVs' detection rates by up to 40%; and finally (v) taking specific binary regions into account (e.g., instructions) leads to better classification results than hashing the entire binary file.


Topics: Malware analysis (66%), Hash function (55%), Similarity (network science) (54%)

1 Citation

References

Open access, Journal Article, DOI: 10.2498/CIT.1001391
Mladen A. Vouk
30 Dec 2008
Abstract: "Cloud" computing, a relatively recent term, builds on decades of research in virtualization, distributed computing, utility computing, and more recently networking, web and software services. It implies a service oriented architecture, reduced information technology overhead for the end-user, great flexibility, reduced total cost of ownership, on-demand services and many other things. This paper discusses the concept of "cloud" computing, some of the issues it tries to address, related research topics, and a "cloud" implementation available today.


Topics: Cloud computing (71%), Utility computing (70%), Cloud computing security (67%)

906 Citations


Proceedings Article, DOI: 10.1109/ITI.2008.4588381
Mladen A. Vouk
23 Jun 2008
Abstract: "Cloud" computing, a relatively recent term, builds on decades of research in virtualization, distributed computing, utility computing, and more recently networking, web and software services. It implies a service oriented architecture, reduced information technology overhead for the end-user, great flexibility, reduced total cost of ownership, on-demand services and many other things. This paper discusses the concept of "cloud" computing, issues it tries to address, related research topics, and a "cloud" implementation available today.


Topics: Utility computing (71%), Services computing (68%), Cloud computing (65%)

586 Citations


Open access, Proceedings Article
Jon Oberheide, Evan Cooke, Farnam Jahanian
28 Jul 2008
Abstract: Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. This paper advocates a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term 'N-version protection'. This approach provides several important benefits including better detection of malicious software, enhanced forensics capabilities, retrospective detection, and improved deployability and management. To explore this idea we construct and deploy a production quality in-cloud antivirus system called CloudAV. CloudAV includes a lightweight, cross-platform host agent and a network service with ten antivirus engines and two behavioral detection engines. We evaluate the performance, scalability, and efficacy of the system using data from a real-world deployment lasting more than six months and a database of 7220 malware samples covering a one year period. Using this dataset we find that CloudAV provides 35% better detection coverage against recent threats compared to a single antivirus engine and a 98% detection rate across the full dataset. We show that the average length of time to detect new threats by an antivirus engine is 48 days and that retrospective detection can greatly minimize the impact of this delay. Finally, we relate two case studies demonstrating how the forensics capabilities of CloudAV were used by operators during the deployment.


Topics: Malware (57%)

350 Citations


Open access, Proceedings Article
Eamonn Keogh, Padhraic Smyth
14 Aug 1997
Abstract: The problem of efficiently and accurately locating patterns of interest in massive time series data sets is an important and non-trivial problem in a wide variety of applications, including diagnosis and monitoring of complex systems, biomedical data analysis, and exploratory data analysis in scientific and business time series. In this paper a probabilistic approach is taken to this problem. Using piecewise linear segmentations as the underlying representation, local features (such as peaks, troughs, and plateaus) are defined using a prior distribution on expected deformations from a basic template. Global shape information is represented using another prior on the relative locations of the individual features. An appropriately defined probabilistic model integrates the local and global information and directly leads to an overall distance measure between sequence patterns based on prior knowledge. A search algorithm using this distance measure is shown to efficiently and accurately find matches for a variety of patterns on a number of data sets, including engineering sensor data from space Shuttle mission archives. The proposed approach provides a natural framework to support user-customizable "query by content" on time series data, taking prior domain information into account in a principled manner.


Topics: Probabilistic logic (56%), Exploratory data analysis (54%), Prior probability (54%)

280 Citations


Open access, Journal Article, DOI: 10.1109/TDSC.2015.2457918
Abstract: Cloud services are prominent within the private, public and commercial domains. Many of these services are expected to be always on and have a critical nature; therefore, security and resilience are increasingly important aspects. In order to remain resilient, a cloud needs to possess the ability to react not only to known threats, but also to new challenges that target cloud infrastructures. In this paper we introduce and discuss an online cloud anomaly detection approach, comprising dedicated detection components of our cloud resilience architecture. More specifically, we exhibit the applicability of novelty detection under the one-class Support Vector Machine (SVM) formulation at the hypervisor level, through the utilisation of features gathered at the system and network levels of a cloud node. We demonstrate that our scheme can reach a high detection accuracy of over 90 percent whilst detecting various types of malware and DoS attacks. Furthermore, we evaluate the merits of considering not only system-level data, but also network-level data depending on the attack type. Finally, the paper shows that our approach to detection using dedicated monitoring components per VM is particularly applicable to cloud scenarios and leads to a flexible detection system capable of detecting new malware strains with no prior knowledge of their functionality or their underlying instructions.


Figures:
  • Fig. 9. SAE detection of various Zeus samples using end-system data and a tuned classifier
  • Fig. 7. Results of detection for Kelihos-5 using end-system features and a variety of kernel parameters
  • Fig. 11. Detection of Zeus-1433 with live migration occurring 5 minutes before the infection
  • Fig. 4. Visualization of the experimental setup for malware analysis under VM migration

Topics: Cloud computing security (64%), Cloud computing (62%), Anomaly detection (56%)

117 Citations


Performance Metrics

Number of citations received by the paper in previous years:

  Year | Citations
  2021 | 1
  2020 | 1

Network Information

Related Papers (5):
  • 09 Sep 2014: Shahid Alam, Ibrahim Sogukpinar +2 more
  • 09 Sep 2010: Xufei Zheng, Yonghui Fang
  • 01 Jan 2022: G. Shruthi, Purohit Shrinivasacharya