Security and Privacy in Cloud Computing
Presentation Transcript

  1. Security and Privacy in Cloud Computing
     Ragib Hasan, Johns Hopkins University
     en.600.412 Spring 2011 Lecture 10, 04/18/2011

  2. Malware and Clouds
     • Goal: To explore how clouds can be used in malware detection, and how malware can use clouds.
     • Review Assignment #9: CloudAV: N-Version Antivirus in the Network Cloud, USENIX Security, 2008.
     en.600.412 Spring 2011 Lecture 10 | JHU | Ragib Hasan

  3. Cloud-AV: Putting the Antivirus on Clouds
     Main premise:
     • Executable analysis currently provided by host-based antivirus software can be more efficiently and effectively provided as an in-cloud network service.
     • Or: Anti-Virus-as-a-service

  4. Problems with host-based Anti-Virus
     • Vulnerability window: there is a significant vulnerability window between when a threat first appears and when antivirus vendors generate a signature.
     • Undetected malware: a substantial percentage of malware is never detected by antivirus software.
     • Vulnerable Anti-Virus: malware is actually using vulnerabilities in antivirus software itself as a means to infect systems.

  5. Solution Approach
     • Antivirus as a network service: run the anti-virus on a cloud, while running a lightweight agent on user machines
     • N-version protection: run multiple versions of anti-virus software/scanners from different vendors on the cloud to ensure better detection

  6. N-version programming
     Idea: generate multiple functionally equivalent programs independently (by different teams) from the same initial specifications
     • Goal: reduce the possibility of bugs
     N-version protection:
     • Run multiple scanners in parallel, to increase the detection rate

  7. Advantages of cloud-based anti-Virus
     • Better detection of malicious software
     • Enhanced forensics capabilities
     • Retrospective detection
     • Improved deployability and management
     • No vendor lock-in: the service is vendor agnostic

  8. System Architecture
     3 major components:
     • a lightweight host agent run on end hosts;
     • a network service that receives files from hosts and identifies malicious or unwanted content; and
     • an archival and forensics service that stores information about analyzed files and provides a management interface for operators.

  9. Host agent
     • A lightweight process running on the host
     • Can be implemented on Windows, Mac, Linux clients
     • Tasks:
       • Capture accesses to executable files
       • Hash files to extract a unique ID
       • Check the ID against local black/white lists
       • Send unknown executable files to the network cloud service

  10. Network service
     • Consists of multiple anti-virus engines, scanners, and behavioral analysis tools
     • Behavioral analysis tools attempt to detect anomalies by analyzing app behavior in a sandbox
     • Combines scan results from multiple tools and sends a report to the host agent

  11. Forensic storage service
     • Stores information about scan logs and hosts
     • Can assist in forensic analysis and retroactive scans

  12. Challenges
     • Network latency: unlike existing antivirus software, files must be transported into the network for analysis;
     • Analysis scheme: an efficient analysis system must be constructed to handle the analysis of files from many different hosts using many different detection engines in parallel; and
     • Comparison with local scanners: the performance of the system must be similar to or better than existing detection systems such as antivirus software.

  13. Evaluations: Performance of multiple Anti-Virus engines

  14. Disadvantages
     • Disconnected operation: the host agent can't detect new malicious files without network connectivity
     • Lack of context: scanners do not have access to the large local context
     • Handling new malware: difficult to detect non-executable malware (e.g., malicious Word documents)
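The host agent, N-version network service and forensic store of slides 8 through 11, together with the disconnected-operation failure mode of slide 14, modelled in one added Python example. This is not code from the CloudAV paper or from the lecture; the three stand-in engines, the voting threshold, the sample "files", the hypothetical `add_engine` retrospective re-scan and the offline policy are all constructed assumptions.

```python
"""Toy model of the CloudAV architecture from the slides: a host agent that hashes
executables, consults local lists and ships unknowns to an N-version network
service with a forensic archive. Added example; not code from the CloudAV paper."""
import hashlib
from dataclasses import dataclass, field

# Stand-in "engines": each maps file bytes -> detected? (constructed; real engines
# are opaque antivirus products or sandboxes, developed independently).
DEFAULT_ENGINES = {
    "engine_a": lambda data: b"EICAR" in data,
    "engine_b": lambda data: b"EICAR" in data or b"dropper" in data,
    "engine_c": lambda data: b"malicious-macro" in data,
}


def file_id(data: bytes) -> str:
    """Unique ID the agent checks locally before sending the file anywhere."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ScanReport:
    digest: str
    votes: dict          # engine name -> detected?
    malicious: bool


@dataclass
class NetworkService:
    """N-version scanning plus the archival/forensics store."""
    threshold: int = 1                               # engines that must agree (assumption)
    engines: dict = field(default_factory=lambda: dict(DEFAULT_ENGINES))
    archive: dict = field(default_factory=dict)      # digest -> (host, bytes, last report)

    def scan(self, host: str, data: bytes) -> ScanReport:
        digest = file_id(data)
        votes = {name: bool(engine(data)) for name, engine in self.engines.items()}
        report = ScanReport(digest, votes, sum(votes.values()) >= self.threshold)
        self.archive[digest] = (host, data, report)  # keep for retrospective detection
        return report

    def add_engine(self, name, engine) -> list:
        """Register a new engine/signature set and re-scan the archive (hypothetical
        operator action). Returns (host, digest) pairs clean before but flagged now."""
        self.engines[name] = engine
        newly_flagged = []
        for digest, (host, data, old) in list(self.archive.items()):
            if self.scan(host, data).malicious and not old.malicious:
                newly_flagged.append((host, digest))
        return newly_flagged


@dataclass
class HostAgent:
    """Lightweight agent: hash, check local lists, ask the cloud about unknowns."""
    name: str
    service: NetworkService
    connected: bool = True
    offline_policy: str = "block"                    # verdict for unknowns while offline
    allowlist: set = field(default_factory=set)      # digests known benign
    denylist: set = field(default_factory=set)       # digests known malicious

    def on_execute(self, data: bytes) -> tuple:
        """Intercepted execution attempt; returns (verdict, source of the verdict)."""
        digest = file_id(data)
        if digest in self.denylist:
            return "block", "local-denylist"
        if digest in self.allowlist:
            return "allow", "local-allowlist"
        if not self.connected:                       # disconnected operation (slide 14)
            return self.offline_policy, "offline-policy"
        report = self.service.scan(self.name, data)  # unknown file: ship it to the cloud
        if report.malicious:
            self.denylist.add(digest)
            return "block", "cloud"
        self.allowlist.add(digest)
        return "allow", "cloud"


if __name__ == "__main__":
    svc = NetworkService()
    agent = HostAgent("workstation-1", svc)
    # Constructed sample "files": a benign tool, a known-bad marker, a sleeper nobody detects yet.
    print(agent.on_execute(b"MZ benign-tool"))       # ('allow', 'cloud')
    print(agent.on_execute(b"MZ benign-tool"))       # ('allow', 'local-allowlist')
    print(agent.on_execute(b"MZ EICAR-marker"))      # ('block', 'cloud')
    print(agent.on_execute(b"MZ sleeper"))           # ('allow', 'cloud'), missed by every engine
    # A vendor ships a signature later: the archive makes retrospective detection possible.
    print(svc.add_engine("engine_d", lambda d: b"sleeper" in d))
```

The archive is what turns a miss into a later catch: once `engine_d` exists, `add_engine` reports which host ran the sleeper, which is the information an operator needs to push the digest into that host's denylist. Note that the agent's own allowlist is not updated by the re-scan, so the local cache stays stale until the service pushes the new verdict; with `connected=False` the agent can only act on what it already cached, which is exactly the disconnected-operation limit the slide describes.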

  15. Discussion: What other services can be run on a cloud?

  16. Using Clouds for Malware
     • Clouds can be used by malicious parties
     • Misuse can include:
       • Cloud-based botnets
       • Cloud-based spammers
       • Cloud-based cracking services
       • WPACracker.com – claims to break WPA passwords for $17 in under 20 minutes, using a cloud

  17. Discussion: Is it realistic / feasible for a spammer to use a cloud?