Anti-virus systems with cloud architecture

Introduction

Information occupies one of the most important places in the life of our society, therefore the protection of information is an integral part of its use.

The protection of information is most often considered in the context of the protection of its carriers. Media protection requires sophisticated and diverse software and hardware. With the existence of many architectural solutions of carriers, there is the same set of their protections.

Protection methods

Malicious software is constantly being improved, in connection with this, antivirus vendors are constantly updating the database of already known signatures (code sections of a known virus software that detects this software) or completely prohibit software modification and addition, as well as files in critical places on the computer.

To combat the new threats, they use heuristic and signature-based analysis and proactive (behavioral) protection, which analyze the software in the process and identify suspicious actions. Also often used method checks checksums.
')

New methods of masking

Now conceptually new rootkits based on working outside the operating system have begun to appear.

One of these methods is used in Boot rootkits. They rewrite the boot record (MBR - master boot record) and after loading the BIOS execute malicious code, and only then the operating system is loaded.

More interesting is the class of rootkits, which are based on the use of hardware virtualization called Blue Pill (English "Blue Pill"). For the first time, this class of rootkits was publicly demonstrated in the form of a demonstration program by Joanna Rutkovskaya at the Black Hat Briefings conference on August 3, 2006 as a sample implementation for the Microsoft Windows Vista operating system [1].

Disguise Method - Blue Pill

The Blue Pill concept is to capture a running instance of the operating system (it is captured when the OS starts) with a thin hypervisor and virtualizing it with the rest of the computer.

The previous operating system will still maintain links to all devices and files in it, but almost everything, including hardware interrupts, data requests, and even system time will be intercepted by the hypervisor, which will send fake replies.

The only way to discover the “blue pill” is to determine if the implementation loaded into the virtual environment does not function as expected. Virtualization can be detected during a time attack based on external time sources [1].

Existing protection methods

The implementation of protection against such threats is divided into two classes:

1. Complete prohibition of work or modification of information outside the OS at the hardware level;
2. Timely detection and neutralization of threats during the operation of the OS (RedPill (English "Red Pill") [2], time attack, performance attack [1]).

Protection at the hardware level is difficult to implement and expensive, and there are currently no reliable ways to detect and neutralize such threats.

The method of detecting the virtualization form by the thin hypervisor “Red Pill” was proposed by Joanna Rutkovskaya. It is based on counting the number of interrupt vector tables in the main memory of a computer. This method can adequately work only on systems with a single processor core.

Attacks in time and in performance are based on the distortion of the time and speed characteristics of a computer when a hypervisor is deployed.

Cloud computing and the future of anti-virus systems

With the development of telecommunication systems, many antivirus companies have begun to pay attention to cloud computing [3, 4, 5].

The concept of cloud computing is to provide end users with remote dynamic access to services, applications (including operating systems and various infrastructure) and computing resources of various capacities [Fig. 1] [6].

Figure 1 - The Internet cloud and its users

Cloud computing is divided into two types:

1. Platform clouds;
2. Service clouds;

Platform clouds provide access to any platform. This may be an operating system, a system for scientific calculations, etc.

Cloud services provide only services. Typically, users do not have access to broad cloud settings, data, and configurations. Anti-virus systems are beginning to actively use both types of clouds.

Platform clouds are highly specialized and usually serve as a large calculator and accumulator of statistics on the performance of desktop anti-virus systems or a database of the latest signatures. Cloud services are used to provide users with the ability to download suspicious files to the cloud and anti-virus analysis without consuming user’s computer resources [5].

Organization of antivirus work with the cloud

The details of the work of commercial anti-virus systems with anti-virus clouds are hidden commercial secrets. But analyzing open sources we can distinguish several ways of organizing the work of anti-virus clouds:

• Work with metadata and hash functions of executable files. Their analysis in the cloud by an expert system [7];
• Transfer of actual virus signatures in frequent and small portions on the user's computer [5];
• SONAR technology (setting hazard points of an application, on operations performed by it and analyzing in the cloud) [3].

All the above technologies have their advantages and disadvantages, but cloud computing is starting to play the main role here. Antivirus cloud computing takes over all the problems inherent in clouds. They also add antivirus software problems [7].

Disadvantages of modern cloud antivirus systems

Modern cloud antiviruses operate with such concepts as metadata, hash functions, rating system of hazard assessment of objects. All these approaches do not provide a fitting rebuff to fundamentally new software. They are extensively fighting threats, only increasing equipment capacity and speeding up response times to new epidemics.

Also a serious problem is the operation of antivirus systems in unprotected environments [Fig. 2.]. For this reason, many anti-virus tools contain integrity protection mechanisms, but this problem is still relevant today [8, 9].

Figure 2 - Problems of working in unprotected environments

Cloud anti-virus systems have made only a small step towards the development of all cloud computing capabilities. These steps are designed to reduce the consumption of user resources, speed up the update of virus signatures [7] and create an expert base of modern threats. Such a decision will not become a “silver bullet” [10]. It did not introduce new methods of dealing with malware, but only modified the already very outdated approaches.

Protection against rootkits with hardware virtualization

All approaches used in the work of modern anti-virus systems are helpless against rootkits running outside the OS and fundamentally new malware [1, 11].

Malicious programs in the form of a thin hypervisor partially or not at all use OS resources, do not infect its files, work with computer hardware without using OS drivers, they are completely invisible for modern anti-virus systems, including cloud ones.

Cloud computing can solve this problem by moving the infection decision making system to a secure cloud environment.

Cloud Antivirus with Secure Runtime

The cloud is used for serious calculations to reduce the load on clients. In anti-virus systems, it serves as a fast channel for the distribution of new anti-virus databases, as well as an accumulator of known threats.

You can go ahead and make the whole cloud one big anti-virus environment. In this case, only users acting as sensors will be located on the users computer. They will cyclically take readings of the characteristics of client computers, and send them to the cloud. A statistical calculation of changes in the characteristics of user computers will be carried out in the cloud. In this case, when a user is infected with a new virus, the cloud will enter the distorted indications of the characteristics of the computer in its database, and the expert system will conclude that the computer is infected. If the user's computer is connected to the network, but there is no connection with the client of the anti-virus system, then this computer is considered compromised, and measures should be taken to detect and neutralize the malware.

The main, and the most difficult, in this approach will be to identify the characteristics of computers that are distorted when malware is introduced into a user's computer, and to transfer them safely to the cloud computer.

Such an approach will make it possible to react to new threats much faster, because there is only one node making the decision. This will allow avoiding epidemics that are now becoming increasingly widespread.

In client computers, antivirus software should still have the means of self-defense, secure transmission over the network, as well as detection of “elementary” virus threats (“elementary” threats that this anti-virus system can fight).

The concept of creating a secure execution environment

In the ideal case, a protected execution environment is considered to be the execution of programs whose actions and their possible consequences are completely known. These programs are executed in the OS, about which everything is also known (for example, there is access to the source codes). Thus, the possibility of hidden implementation of software "bookmarks" and undocumented features will be excluded. The OS runs on a computer and devices that are assembled from components manufactured under proper control by known technology. In this case, the possibility of introducing hardware "bookmarks" and undocumented features will be excluded. And then food, premises, buildings, etc. Also, access to work with computers should be strictly regulated and limited to a trusted circle of persons.

In life, the creation of a real protected environment is necessary for various government and military departments. Especially if they are dealing with state secrets, the security of the country depends on their work.
In other areas of the use of computers, this mode is almost not used in view of its high cost and reduced flexibility.

A lot of hardware and software solutions on the current market cannot provide a secure execution environment, so programs acquire protection mechanisms: integrity monitoring, anti-debugging techniques, packaging and obfukation (writing trash code into an executable module, in order to complicate the study of software).

A protected environment should be understood as the collection of information, analysis and decision-making on the infection of a client computer in an environment that is outside the area of ​​information collection. This environment has greater reliability and controllability compared to the client computer, and cannot be compromised due to infection of the client computer.

Creation of a protected runtime environment requires serious material and resource costs, as well as serious complication of software. When data are not a state secret, it is believed that protection will be effective if more resources are required to overcome it than the data itself costs. Therefore, it is always necessary to find trade-offs that allow for obtaining reasonably reliable software or hardware solutions at an acceptable cost.

Evaluation of the security and effectiveness of the proposed solution

The client computer may be compromised, but the cloud will remain in a working state, because the cloud only receives data from the client for statistics and calculations, any necessary information can be sent back.

If the client of the anti-virus system completely refuses, the cloud can notify the user about the existing problems with his computer in any other available way (mobile text message, email, the website of the anti-virus system).

In this case, only the client part can fail, the cloud calculator remains operable regardless of the state of the client computers.

Of course, when exchanging cloud messages with the client of the anti-virus system, a sufficient level of quality control of incoming messages should be provided, integrity monitoring and identification of the client computer should be implemented.

The proposed solution is more efficient than conventional desktop anti-virus systems with a centralized signature database update server:

• By performance. All computational operations are transferred to the cloud, thereby reducing the load on the user's computer;
• By latency. The rate of detection of new threats and alerts available customers about the new danger increases;
• By security. The cloud can not be compromised by the client, so the database of threats will always be relevant and intact;
• By relevance. The expert system in the decision on the infection takes into account all the data collected from client computers. There are more opportunities for analysis than the approach with the identification of signatures.
• On the introduction of new solutions. New methods for detecting and neutralizing virus threats will be primarily introduced into the cloud, thereby reducing the impact on decision-making when software is outdated on a client computer.

It is worth mentioning that few anti-virus systems have a full-fledged cloud architecture. This is due to the novelty of cloud computing, as an approach to ensuring anti-virus security.

Identification of control characteristics

Security experts have suggested several ways to determine the load of a thin hypervisor to the primary OS:

• Attack on time;
• Performance attack;
• The method of counteraction "Red pill".

The time attack is based on an external time source. This time source is controlled by the execution time of commands and individual operations on the user computer. If there is a loaded hypervisor in memory, its code is also executed, and it also interferes with the operation of the OS and individual programs. When executing an extraneous code on a computer, the execution time of commands is distorted, and an attack by time becomes feasible.

The performance attack is based on a decrease in the performance of the user computer when executing a foreign code on it.
The “Red Pill” countermeasures method is based on counting the number of interrupt vector tables in computer RAM. This method can adequately work only on systems with a single processor core.

The actual method of detecting a thin hypervisor can be considered control of the composition and characteristics of the equipment. A working hypervisor, for complete control over the user computer, must completely virtualize the work of operating the OS with the equipment. Due to the diversity and differences in the characteristics of the equipment, a thin hypervisor must have a huge set of sub-modules for working with equipment. In this case, you can rely on the same reaction time and performance of individual equipment when searching for a hypervisor. Naturally, all analysis should be conducted on a secure computer or cloud.

For example, when checking the RAM of a user computer, its volume will decrease when a thin hypervisor is running. Some security experts have expressed the view that during checks of this kind, the hypervisor can unload itself from memory, thereby hiding from the antivirus. With such actions of the hypervisor, standard methods of anti-malware software become available: disk scanning, signature analysis, analysis of boot areas, etc.

It is worth paying attention to the technology of dynamic changes in the performance of processors, buses, memory and storage devices. In modern portable computers, there are many technologies designed to save energy when working on batteries, reduce noise and heating equipment. In most cases, these technologies dynamically change the performance of a computer to achieve the desired effect. In such cases, the interpretation of statistical data received from the client should be modified to reflect changing performance (input of correction factors). In this paper, issues of dynamic changes in computer performance are not considered, because they do not affect the demonstration of the presented approaches and algorithms.

A time attack, a performance attack, the Red Pill counter method, equipment control, all these methods of detecting the work of a thin hypervisor will seriously repel malware when properly implementing an antivirus and making an infection decision system in a secure environment, such as a cloud.

findings

The advantages of cloud antivirus include:

• Security of the decision making environment;
• Improved performance;
• Reduced response time to new threats;
• Maintaining the relevance of the database of threats;
• Accelerated introduction of new anti-malware tools;
• Hidden decision making logic;
• The inability to verify the effectiveness of masking a new malware without entering information about it in the database of cloud threats;
• Minimize false positives.

There are also disadvantages too; many of them arise due to the use of cloud computing, so all the drawbacks of cloud computers are inherent in cloud anti-virus systems:

• Problems downloading network connections on slow links;
• Impossibility of effective anti-virus scanning by user request without a serious increase in the number of client calls to the cloud;
• The inoperability of the anti-virus system in the absence of a connection to the cloud (local computer, without connecting to the network).

As you can see, the advantages of cloud anti-virus systems are much greater. The current accelerated development of telecommunications networks will make most of the problems of using cloud computing irrelevant. Also a very big advantage is the secure runtime created. It allows you to bring modern anti-virus tools to a new level in the fight against modern threats.

List of used sources

1. The blue pill concept ru.wikipedia.org/wiki/Blue_Pill
2. The concept of "red pill" ru.wikipedia.org/wiki/Red_Pill
3. Ilyin, Stepan. Cloud computing against viruses www.xakep.ru/magazine/xa/130/034/1.asp
4. Krupin, Andrei. Cloud Antivirus www.computerra.ru/terralab/softerra/424961
5. Krupin, Andrei. Cloud antiviruses in theory and practice www.3dnews.ru/software/cloud-ativiruses-1
6. About cloud computing www.parallels.com/ru/spp/understandingclouds
7. Mashevsky, Yuri. Anti-virus weather forecast: cloudy www.antivirus-navigator.com/articles/kaspersky-cloud.htm
8. A small study of self-defense products Dr. Web habrahabr.ru/blogs/virus/110508
9. Antivirus self-defense habrahabr.ru/blogs/virus/98322
10. Fredrick Brooks. Mythical man-month or how software systems are created. Publisher "Symbol Plus", 2001.
11. Whistler Bootkit habrahabr.ru/blogs/virus/96850