Conference paper details
2nd USENIX Workshop on Hot Topics in Security
Rethinking Antivirus: Executable Analysis in the Network Cloud
Jon Oberheide ; Evan Cooke ; Farnam Jahanian
PID  :  81295
Source: CEUR
Abstract

Antivirus software installed on each end host in an organization has become the de facto security mechanism used to defend against unwanted executables. We argue that the executable analysis currently provided by host-based antivirus software can be more efficiently and effectively provided as an in-cloud network service. Instead of running complex analysis software on every end host, we suggest that each end host run a lightweight process to acquire executables entering a system, send them into the network for analysis, and then run or quarantine them based on a threat report returned by the network service. An executable analysis service run inside an enterprise network or by a service provider could integrate antivirus software, behavioral simulation, and other analysis engines from multiple vendors, providing better detection of malware and simplifying client software, enabling deployment on a broader range of devices. To explore this idea we construct a prototype composed of a Windows-based host agent and an in-cloud analysis service and evaluate it using a diverse dataset of 5066 unique malicious executables. By correlating information between multiple detection engines, our system provides over 98% detection coverage of the malicious executables using eight antivirus engines and two behavioral engines compared to a 54% to 86% detection rate using the

Attachments
Files Size Format View
Rethinking Antivirus: Executable Analysis in the Network Cloud 228KB PDF download