With the rapid development of the Internet, the growing volume of malware and cybercrime poses a serious threat to network and system security. Anti-virus software is widely installed on computer systems to defend against these threats, and signature-based detection is the most successful technique it uses. However, security vendors cannot keep up with the rate at which new malware is produced: malware grows exponentially, and updating the signature database on every host consumes ever more computing resources. Cloud-based security is the current research direction for solving this problem. The cloud side uses the processing capacity of cloud computing to interact with massive numbers of clients, forming a real-time malware monitoring network. The clients send suspicious files and other information for detection; the cloud service analyzes this information and then distributes the results back to the clients.

This paper attempts to move the traditional host-based antivirus engine into the cloud. The clients retain only lightweight host intrusion prevention software, which intercepts local file access and uploads the file to the cloud for multi-engine scanning. The cloud service applies a comprehensive decision-making algorithm to the independent scanning results. This algorithm can greatly improve the overall detection rate of the cloud compared to traditional antivirus software. The clients are also responsible for uploading local network alert messages to the cloud for analysis; the cloud reduces false positives by clustering and correlating the alerts and returns only the real ones. In addition, the cloud performs dynamic analysis of suspicious files using hardware virtualization technology: an external program traces the system calls made by the program as it executes inside a virtual machine.

Finally, to test the applicability of the cloud defense system, all kinds of malware were run on clients, and the cloud service successfully detected them. The cloud also scanned 1789 malware samples and achieved a detection rate of 95.6%. The evaluation shows that multi-engine detection can provide a full range of security defense to clients.
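The abstract does not specify how the cloud combines the independent engine verdicts into one decision. As an added illustration, not the paper's own code, the following Python shows one common way to do it: treat each engine's verdict as conditionally independent evidence and sum log-likelihood ratios derived from each engine's assumed detection rate and false-positive rate (a naive-Bayes combination). The engine names, their rates, the prior, the threshold and the sample verdicts are all assumptions made for the example; a real deployment would estimate the rates from a labelled corpus and tune the threshold against the desired false-positive budget.

```python
"""Combine independent antivirus engine verdicts into one cloud-side decision.

Added example; the engines, rates and samples below are hypothetical and are
not taken from the paper.
"""
import math

# Assumed per-engine (detection rate, false-positive rate), e.g. estimated from
# a labelled corpus. Hypothetical values.
ENGINES = {
    "engine_a": (0.90, 0.02),
    "engine_b": (0.85, 0.05),
    "engine_c": (0.70, 0.01),
}


def engine_llr(name: str, flagged: bool) -> float:
    """Log-likelihood ratio contributed by one engine's verdict.

    A 'malicious' verdict adds log(TPR / FPR); a 'clean' verdict adds
    log((1 - TPR) / (1 - FPR)), which is negative because a miss is far more
    likely on a benign file than on a malicious one.
    """
    tpr, fpr = ENGINES[name]
    if flagged:
        return math.log(tpr / fpr)
    return math.log((1.0 - tpr) / (1.0 - fpr))


def combined_score(verdicts: dict) -> float:
    """Sum of the per-engine LLRs; engines are treated as independent."""
    return sum(engine_llr(name, flagged) for name, flagged in verdicts.items())


def decide(verdicts: dict, prior_malicious: float = 0.05,
           threshold: float = 0.5) -> tuple:
    """Return (is_malicious, posterior probability) for one file.

    prior_malicious is the assumed base rate of malware among uploaded files;
    threshold is the posterior above which the cloud reports 'malicious'.
    """
    prior_llr = math.log(prior_malicious / (1.0 - prior_malicious))
    logit = prior_llr + combined_score(verdicts)
    posterior = 1.0 / (1.0 + math.exp(-logit))
    return posterior >= threshold, posterior


def detection_rate(malicious_samples: list) -> float:
    """Fraction of known-malicious samples that the combined decision flags.

    This is the same kind of figure the abstract reports (95.6% over 1789
    samples), computed here over a constructed list of verdict dictionaries.
    """
    detected = sum(1 for verdicts in malicious_samples if decide(verdicts)[0])
    return detected / len(malicious_samples)


# Constructed verdicts for four known-malicious files (one dict per file).
SAMPLE_VERDICTS = [
    {"engine_a": True, "engine_b": True, "engine_c": True},    # all agree
    {"engine_a": True, "engine_b": False, "engine_c": True},   # two strong engines
    {"engine_a": False, "engine_b": True, "engine_c": False},  # only the noisiest engine
    {"engine_a": True, "engine_b": False, "engine_c": False},  # one engine alone
]

if __name__ == "__main__":
    for verdicts in SAMPLE_VERDICTS:
        print(verdicts, "->", decide(verdicts))
    print("detection rate:", detection_rate(SAMPLE_VERDICTS))
```

With the assumed rates and a 5% prior, no single engine is enough on its own to cross the 0.5 posterior threshold, while two agreeing engines are; lowering the prior or raising the threshold trades detection rate for fewer false positives, which is the knob the cloud operator would tune.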