CLOUD-BASED ANTI-VIRUS Final Presentation 4/21/2010 By Guofu Xiong, Yuli Deng


CLOUD-BASED ANTI-VIRUS Final Presentation 4/21/2010

By Guofu Xiong, Yuli Deng


Outline

- Project Goal
- Roadmap
- System Configuration
- Technical Solutions
- Demo
- Summary


Project Goal

- Build a demonstrative system to study the concept of Cloud-Based Anti-Virus
- Learn the Cloud-Based Anti-Virus pros and cons
- Complete deploying the system
- Integrate the SSE into our project to enable the white/black list function


Roadmap

Tasks \ Time: By 2/13, By 2/20, By 3/1, By 3/11, By 4/3, By 4/15, By 4/21

Task 1: Preparation
Task 2: Setting environment
Task 3: Self-Developed program
Task 4: AntiVirus Proxy
Task 5: Test and deploy


System Configuration

Hardware:
- 2 virtual machines running on the mobicloud.

Software:
- Ubuntu 10.10
- HAVP
- Squid3
- C-ICAP
- Clamav scan engine with its library
- AVG scan engine
- CURL library


Technical Solutions

1. Client software + Server side code + 3rd party cloud scan engines

2. (Anti-virus proxy) Squid + C-ICAP + Clamav

3. (Anti-virus proxy) HAVP + Clamav & AVG

4. (Anti-virus proxy) Squid + C-ICAP & SSE + HAVP + Clamav & AVG


Solution 1 : Workflow

Features:
- A simple server utilizes current online Cloud AV engines (Symantec, Trend, ...)
- A Windows client program
- C++ is expected to be used for coding

Steps:
(1) User enters a URL;
(2) Agent sends the URL to the server;
(3) Server downloads the target file and sends it to the 3rd party scan engines;
(4) Scan engines return result;
(5) Server sends result to the user agent;
(6) User agent decides action.


Solution 1 : Pros and Cons

Pros:
- Workflow is simple, easy to develop and deploy.

Cons:
- The process of transferring a file from the server to the 3rd party scan engines is time-consuming.
- Hard to retrieve various types of URL addresses from a mobile phone and download them.


Solution 2 : Workflow

Steps:
(1) User browses/downloads the URL in their agent;
(2) User agent sends requests to the Internet through the Squid proxy;
(3) Squid gets data from the Internet; C-ICAP gets the data and hands it to ClamAV for scanning;
(4) ClamAV reports the result;
(5) Squid reports the result to the user.

* This solution was first implemented by Zhibin, Xinyi and Tianyi.

[Diagram: User, URL Filter, Squid Proxy, C-ICAP, ClamAV and Internet, connected by arrows labelled Step 1 to Step 5]


Solution 2 : Pros and Cons

Pros:
- Able to utilize anti-virus scan engine and black/white list function at the same time.
- Effective.
- Easy for end users to configure.

Cons:
- Unable to utilize different scan engines at the same time. (Only Clamav is used.)
- Buffered data in Squid will not be scanned if users try to access this data again in some conditions.


Solution 3 : Workflow

Steps:
(1) User browses/downloads a URL in their agent;
(2) User agent sends requests through proxy (user -> HAVP -> Internet);
(3) HAVP receives data from the Internet and sends them to scan engines;
(4) HAVP sends data to the user at the same time but holds the end section of data;
(5) If scan engines report virus, stop sending data to client and report to the user.

[Diagram: User Browser, HAVP, ClamAV, AVG and Internet, connected by arrows labelled Step 1 to Step 5]


Solution 3 : Pros and Cons

Pros:
- Efficient, almost no delay in user browsing.
- Able to utilize different scan engines at the same time.
- Easy for users to configure.

Cons:
- Can’t integrate SSE.
- Can’t buffer internet traffic.
- Weaknesses in HAVP: File bigger than “hold back data” would be ignored by HAVP.
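A simplified model of the hold-back behaviour in steps (3) to (5) of Solution 3, added here as an illustration; it is not the presenters' code and does not use HAVP's code or settings. The `relay` and `exposure` functions, the `hold_back` parameter and the marker bytes are constructed for the example, which shows how much of a download the client already holds when the scan verdict arrives.

```python
# Simplified model of Solution 3, steps (3)-(5): data is relayed to the client
# while it arrives, except for a held-back tail released only on a clean scan.
# Constructed for illustration; names and values are assumptions.

MARK = b"CONSTRUCTED-TEST-SIGNATURE"  # harmless stand-in for a virus signature


def scan(data: bytes) -> bool:
    """Stand-in scan engine: True means the engine reports a virus."""
    return MARK in data


def relay(chunks, hold_back: int):
    """Return (bytes the client received, verdict) for one download."""
    body = bytearray()       # full copy handed to the scan engine
    delivered = bytearray()  # what has already been sent to the client
    for chunk in chunks:
        body += chunk
        # Everything except the trailing hold_back bytes may be released.
        releasable = max(0, len(body) - hold_back)
        delivered += body[len(delivered):releasable]
    if scan(bytes(body)):
        return bytes(delivered), "blocked"  # step (5): tail is never sent
    delivered += body[len(delivered):]      # clean: release the held tail
    return bytes(delivered), "clean"


def exposure(chunks, hold_back: int):
    """Summarise what a blocked or clean transfer left on the client."""
    got, verdict = relay(chunks, hold_back)
    total = sum(len(c) for c in chunks)
    return {"verdict": verdict, "delivered": len(got), "total": total,
            "signature_reached_client": MARK in got}


if __name__ == "__main__":
    infected = [b"X" * 5 + MARK, b"Y" * 20]          # constructed download
    print(exposure([b"A" * 10, b"B" * 10], 8))       # clean, fully delivered
    print(exposure(infected, 8))                     # blocked, prefix delivered
    print(exposure(infected, 1000))                  # blocked, nothing delivered
```

In this model a blocked transfer still leaves every byte before the held-back tail on the client, so the block is only as strong as the file's dependence on its last `hold_back` bytes.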


Final Solution : Workflow

Steps:
(1) User browses/downloads a URL in their agent;
(2) User agent sends requests through proxy (user -> Squid -> HAVP -> Internet);
(3) C-ICAP gets the URL and sends it to SSE; if phishing, the result is sent back;
(4) HAVP receives data from the Internet and sends them to scan engines;
(5) HAVP sends data to the user at the same time but holds the end section of data;
(6) If scan engines report virus, stop sending data to client and report to the user.

[Diagram: User Browser, Squid Proxy, C-ICAP, SSE, HAVP, ClamAV, AVG and Internet, connected by arrows labelled Step 1 to Step 6]


Final Solution : Pros and Cons

Pros:
- Utilized various kinds of scan engines.
- Enabled the white/black list function with SSE.
- Squid (with its components) and HAVP (with its components) can be located on different machines.
- Easy for end users to configure.
- Able to buffer data to increase the speed.

Cons:
- The scan/filter procedure decreases the speed of browsing and downloading. (The speed is most affected by the slowest component.)
- HAVP has weaknesses (addressed before).
- Buffered data in Squid will not be scanned if accessed by users in some conditions.
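One condition under which buffered data in Squid is served unscanned, shown as an added toy model rather than the presenters' code or real Squid/HAVP behaviour: the object was cached before the scan engines had a signature for it. The class names, URL and signature bytes are constructed, and flushing the cache on a signature update is an assumed mitigation, not something the slides propose.

```python
# Toy model of the final chain: user -> Squid (cache) -> HAVP (scan) -> Internet.
# Constructed for illustration; not real Squid or HAVP behaviour or settings.

class Scanner:
    """Stand-in for the scan engines behind HAVP."""
    def __init__(self):
        self.signatures = set()

    def reports_virus(self, body: bytes) -> bool:
        return any(sig in body for sig in self.signatures)


class Chain:
    def __init__(self, origin: dict, flush_on_update: bool = False):
        self.origin = origin                    # constructed "Internet"
        self.scanner = Scanner()
        self.cache = {}                         # Squid's buffered objects
        self.flush_on_update = flush_on_update  # assumed mitigation switch

    def update_signatures(self, sig: bytes):
        self.scanner.signatures.add(sig)
        if self.flush_on_update:
            self.cache.clear()  # next request must pass the scanner again

    def get(self, url: str):
        if url in self.cache:                   # cache hit: scanner is bypassed
            return "HIT", self.cache[url]
        body = self.origin[url]
        if self.scanner.reports_virus(body):
            return "BLOCKED", None
        self.cache[url] = body                  # only clean-at-the-time data
        return "MISS", body


def replay(flush_on_update: bool):
    """Fetch, learn a new signature, fetch again; return both outcomes."""
    url, sig = "http://files.example/tool.bin", b"CONSTRUCTED-SIG"
    chain = Chain({url: b"header" + sig + b"payload"}, flush_on_update)
    first = chain.get(url)[0]       # signature not yet known
    chain.update_signatures(sig)
    second = chain.get(url)[0]
    return first, second


if __name__ == "__main__":
    print(replay(False))  # cache in front of scanner, no flush
    print(replay(True))   # cache flushed when signatures change
```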


Demo Time


Summary

Cloud-based anti-virus is a promising trend in the security field because of its advantages;

There are many existing modules available for us to utilize;

More functions will lead to a decrease in the speed of browsing the Internet;

The hardware requirement for cloud-based anti-virus is very high.


Acknowledgements

Thanks to Zhibin and Xinyi for their previous solution. Part of our final solution is based on their work.

Thanks to Tianyi for providing the mobicloud platform for our project;

Thanks to Dr. Huang, who gave us the instructions and the opportunity to learn and practice.


Any Questions?

Thank you!