final presentation 4/21/2010 by guofu xiong, yuli deng
TRANSCRIPT
CLOUD-BASED ANTI-VIRUS Final Presentation 4/21/2010
By Guofu Xiong, Yuli Deng
Outline
Project Goal
Roadmap
System Configuration
Technical Solutions
Demo
Summary
Project Goal
Build a demonstrative system to study the concept of Cloud-Based Anti-Virus
Learn the Cloud-Based Anti-Virus pros and cons
Complete deploying the system
Integrate the SSE into our project to enable the white/black list function
Roadmap
Tasks \ Time: by 2/13, by 2/20, by 3/1, by 3/11, by 4/3, by 4/15, by 4/21
Task 1: Preparation
Task 2: Setting environment
Task 3: Self-Developed program
Task 4: AntiVirus Proxy
Task 5: Test and deploy
System Configuration
Hardware: 2 virtual machines running on the mobicloud.
Software: Ubuntu 10.10, HAVP, Squid3, C-ICAP, Clamav scan engine with its library, AVG scan engine, CURL library
Technical Solutions
1. Client software + Server side code + 3rd party cloud scan engines
2. (Anti-virus proxy) Squid + C-ICAP + Clamav
3. (Anti-virus proxy) HAVP + Clamav & AVG
4. (Anti-virus proxy) Squid + C-ICAP & SSE + HAVP + Clamav & AVG
Solution 1 : Workflow
Features: A simple server utilizes current online Cloud AV engines (Symantec, Trend, ...). A Windows client program; C++ is expected to be used for coding.
Steps:
(1) User enters a URL;
(2) Agent sends the URL to the server;
(3) Server downloads the target file and sends it to the 3rd party scan engines;
(4) Scan engines return the result;
(5) Server sends the result to the user agent;
(6) User agent decides the action.
Solution 1 : Pros and Cons
Pros: Workflow is simple, easy to develop and deploy.
Cons: The process of transferring a file from the server to the 3rd party scan engines is time-consuming. Hard to retrieve various types of URL address from a mobile phone and download them.
Solution 2 : Workflow
Steps:
(1) User browses/downloads the URL in their agent;
(2) User agent sends requests to the Internet through the Squid proxy;
(3) Squid gets data from the Internet, C-ICAP gets them and hands them to Clamav for scanning;
(4) Clamav reports the result;
(5) Squid reports results to the users.
* This solution was first implemented by Zhibin, Xinyi and Tianyi
[Figure: Solution 2 workflow diagram. Components: User, Squid Proxy, URL Filter, C-ICAP, ClamAV, Internet; arrows labelled Step 1 through Step 5.]
Solution 2 : Pros and Cons
Pros: Able to utilize the anti-virus scan engine and the black/white list function at the same time. Effective. Easy for end users to configure.
Cons: Unable to utilize different scan engines at the same time (only Clamav is used). Buffered data in Squid will not be scanned if users try to access this data again in some conditions.
Solution 3 : Workflow
Steps:
(1) User browses/downloads a URL in their agent;
(2) User agent sends requests through the proxy (user -> HAVP -> Internet);
(3) HAVP receives data from the Internet and sends them to the scan engines;
(4) HAVP sends data to the user at the same time but holds the end section of the data;
(5) If the scan engines report a virus, stop sending data to the client and report to the user.
[Figure: Solution 3 workflow diagram. Components: User Browser, HAVP, ClamAV, AVG, Internet; arrows labelled Step 1 through Step 5.]
Solution 3 : Pros and Cons
Pros: Efficient, almost no delay in user browsing. Able to utilize different scan engines at the same time. Easy for users to configure.
Cons: Can't integrate SSE. Can't buffer Internet traffic. Weaknesses in HAVP: a file bigger than the "hold back data" would be ignored by HAVP.
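The "send now, hold back the tail" behaviour of steps 4 and 5, and the size weakness listed under Cons, are easier to reason about with a small simulation. The block below is an added example for this transcript, not HAVP's code: a toy proxy relays chunks to the client but withholds the last keep_back bytes until a scan of the whole object finishes, and an optional max_scan_size models a limit above which the object is passed unscanned (my reading of the "hold back data" weakness named on the slide). The signature string and payloads are constructed; a real deployment would call ClamAV or AVG instead of toy_scan.

```python
"""Simulation of a keep-back streaming anti-virus proxy (added example)."""
from dataclasses import dataclass, field

# Constructed toy signature standing in for a real engine's signature database.
TOY_SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"


def toy_scan(data: bytes) -> bool:
    """Return True when the scanned object matches the toy signature."""
    return TOY_SIGNATURE in data


@dataclass
class KeepBackProxy:
    """Relays a download while holding back its tail until the scan verdict."""
    keep_back: int                 # bytes withheld from the client until the scan ends
    max_scan_size: int = 0         # 0 = always scan; larger objects are passed unscanned
    buffer: bytearray = field(default_factory=bytearray)   # everything fetched so far
    sent: bytearray = field(default_factory=bytearray)     # everything released to the client

    def relay_chunk(self, chunk: bytes) -> None:
        """Fetch one chunk and release everything except the last keep_back bytes."""
        self.buffer += chunk
        releasable = len(self.buffer) - self.keep_back - len(self.sent)
        if releasable > 0:
            start = len(self.sent)
            self.sent += self.buffer[start:start + releasable]

    def finish(self) -> tuple[bytes, str]:
        """Scan the complete object and decide whether to release the held-back tail.

        Returns (bytes delivered to the client, verdict), where verdict is one of
        "clean", "blocked" or "unscanned".
        """
        if self.max_scan_size and len(self.buffer) > self.max_scan_size:
            # Weakness: the object exceeds the scan limit and is passed through whole.
            self.sent += self.buffer[len(self.sent):]
            return bytes(self.sent), "unscanned"
        if toy_scan(bytes(self.buffer)):
            # Virus found: the tail is never delivered, so the client holds an incomplete object.
            return bytes(self.sent), "blocked"
        self.sent += self.buffer[len(self.sent):]
        return bytes(self.sent), "clean"


def stream_through_proxy(payload: bytes, chunk_size: int, keep_back: int,
                         max_scan_size: int = 0) -> tuple[bytes, str]:
    """Push a payload through the proxy chunk by chunk and return the outcome."""
    proxy = KeepBackProxy(keep_back=keep_back, max_scan_size=max_scan_size)
    for offset in range(0, len(payload), chunk_size):
        proxy.relay_chunk(payload[offset:offset + chunk_size])
    return proxy.finish()


if __name__ == "__main__":
    clean = b"A" * 100
    infected = b"A" * 50 + TOY_SIGNATURE
    for name, payload in (("clean", clean), ("infected", infected)):
        delivered, verdict = stream_through_proxy(payload, chunk_size=30, keep_back=20)
        print(f"{name}: delivered {len(delivered)}/{len(payload)} bytes, verdict={verdict}")
    delivered, verdict = stream_through_proxy(infected, 30, 20, max_scan_size=50)
    print(f"infected over scan limit: delivered {len(delivered)} bytes, verdict={verdict}")
```

Note that with keep_back=20 the client already holds 56 of the infected object's 76 bytes when the verdict arrives; the protection comes from the object being unusable without its tail, which is why a keep-back window that is too small relative to the object, or a scan-size limit that skips the object entirely, weakens the scheme.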
Final Solution : Workflow
Steps:
(1) User browses/downloads a URL in their agent;
(2) User agent sends requests through the proxy (user -> Squid -> HAVP -> Internet);
(3) C-ICAP gets the URL and sends it to SSE; if phishing, send back the result;
(4) HAVP receives data from the Internet and sends them to the scan engines;
(5) HAVP sends data to the user at the same time but holds the end section of the data;
(6) If the scan engines report a virus, stop sending data to the client and report to the user.
[Figure: Final solution workflow diagram. Components: User Browser, Squid Proxy, C-ICAP, SSE, HAVP, ClamAV, AVG, Internet; arrows labelled Step 1 through Step 6.]
Final Solution : Pros and Cons
Pros: Utilizes various kinds of scan engines. Enables the white/black list function with SSE. Squid (with its components) and HAVP (with its components) can be located on different machines. Easy for end users to configure. Able to buffer data to increase the speed.
Cons: The scan/filter procedure decreases the speed of browsing and downloading (the speed is most affected by the slowest component). HAVP has weaknesses (addressed before). Buffered data in Squid will not be scanned if accessed by users in some conditions.
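To make the chain in step 2 concrete, here is an added configuration sketch for the final solution; it is not the project's own configuration, which the slides do not show. It assumes Squid 3.1 directive syntax, HAVP listening on 127.0.0.1:8080, c-icap on 127.0.0.1:1344, and an AVG daemon on 127.0.0.1:54322; SSE_SERVICE_NAME is a placeholder for whatever service name c-icap registers for the SSE module, which the slides do not give. The HAVP keys are taken from havp.config as I recall it and should be checked against the installed file.

```conf
# ---- squid.conf (Squid 3.1 syntax assumed) ----
http_port 3128
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all

# Step 2: never fetch directly; forward every request to HAVP, which talks to the Internet
cache_peer 127.0.0.1 parent 8080 0 no-query default
never_direct allow all

# Step 3: hand the requested URL to c-icap before fetching (REQMOD), so the
# SSE white/black list can block phishing URLs without touching HAVP
icap_enable on
icap_service sse_req reqmod_precache bypass=0 icap://127.0.0.1:1344/SSE_SERVICE_NAME
adaptation_access sse_req allow all

# ---- havp.config (keys as recalled; verify against your installed file) ----
# Steps 4-6: HAVP scans with both engines and holds back the tail of each object
PORT 8080
BIND_ADDRESS 127.0.0.1
TRANSPARENT false
ENABLECLAMLIB true
ENABLEAVG true
AVGSERVER 127.0.0.1
AVGPORT 54322
# bytes withheld from the client until the scan verdict (the "hold back data")
KEEPBACKBUFFER 5000
KEEPBACKTIME 5
```

Because Squid sits in front, its cache serves repeat requests without going back through HAVP, which is the buffering advantage listed above and also the reason the slide warns that buffered data is not rescanned; a deployment that wants every delivery scanned would have to disable caching for the affected content.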
Demo Time
Summary
Cloud-based anti-virus is a promising trend for the security field for its advantages;
There are many existing modules available for us to utilize;
More functions will lead to the decrease in the speed of browsing the Internet;
The hardware requirement for cloud-based anti-virus is very high.
Acknowledgements
Thanks to Zhibin and Xinyi for their previous solution. Part of our final solution is based on their work.
Thanks to Tianyi for providing the mobicloud platform for our project;
Thanks to Dr. Huang, who gave us the instructions and the opportunity to learn and practice.
Any Questions?
Thank you!