Machine?
Wei Yan
Trend Micro, Inc.
U.S.A.
wei_yan@trendmicro.com

Nirwan Ansari
New Jersey Institute of Technology
U.S.A.
nirwan.ansari@njit.edu
Abstract— Customers often complain that anti-virus software bogs down their computers by consuming much of the PC's memory and resources. With the popularity and variety of zero-day threats over the Internet, security companies have to keep inserting new virus signatures into their databases. However, is the increasing size of the signature file the sole reason computers crawl during a virus scan? This paper outlines three other reasons for the slowdown of software-protected computers, none of which is directly related to the signature file. First, the rising cost of de-obfuscating binary payloads with emulation technology means anti-virus software takes more time to scan a packed file than an unpacked one. Second, the New Technology File System (NTFS) causes self-similarity in file index searching and data block accessing: even if file sizes fit a log-normal distribution, there are still many "spikes" of high virus-scanning latency which cannot be ignored. Last but not least, temporal changes in file size, file type, and storage capacity in modern operating systems are slowing down virus scans. The paper also discusses a cloud-based security infrastructure for deploying light-weight and fast anti-virus products.

I. INTRODUCTION

It is important to understand that the current threat landscape is changing: security vendors capture a large volume of new malware each day. Why is this happening? Online malware generators enable script kiddies to create new viruses and rootkits with little effort, which challenges anti-virus (AV) pattern update schemes. For example, Panda Security (www.pandasecurity.com) detected more samples in 2008 than in all of its previous 17-plus years combined. These threats arrive through software, appliances, and web services. This surge of malware places urgent demands on security products.

Generally speaking, an AV scanner is a software application that checks whether a computer has been infected by spyware, rootkits, or other malware. To search an executable file for viruses, a scanner typically scans segments at certain offsets for known signatures. It also automatically checks for threats in attachments received through email and in any file operation. The signature file encodes prior knowledge of known threats, and the scanner detects viruses by feeding files through a scan engine. Moreover, automatic signature updates keep users protected against new virus outbreaks.

Increasingly, the first thing computer users do after reinstalling an operating system is to install security software. Then they may notice that their machines slow down after the installation; this is one of the top complaints about security software. Other discontents, for example, are long scan times and false positives. Fortunately, vendors have accepted these complaints and improved their security applications. Symantec (www.symantec.com) successfully overhauled its system to make Norton products run faster in 2006.

A. Is AV dead?

Traditional emergency response involves malware collection, signature generation, and signature database updating. However, owing to the flood of malware, security companies usually receive thousands of suspicious samples daily from honeypots and customer submissions. It is very time consuming and resource intensive for them to analyze these samples manually and generate signatures.

Is signature-based virus detection technology dead? There are concerns that this approach cannot keep up with the flood of new viruses, based on the fact that security vendors usually update virus signatures every hour, or even every twenty minutes. However, most customers are not willing to remove security software from their machines because they still consider these applications worthwhile and must-have. Signature-based virus recognition has been used for more than two decades, and it is one of the most cost-effective and mature methodologies for detecting viruses while keeping a low false-positive rate. The debate still goes on.

One alternative is whitelisting. Can the whitelisting paradigm replace blacklisting? Blacklisting stores hash values or fingerprints of malicious programs, whereas whitelisting lists benign applications and system files. Almost all AV products use the blacklisting method, and the blacklist is actually the signature file. By contrast, whitelisting-based tools only allow the operating system to access benign files and websites, and always block non-listed names. At the time of writing, there are millions of malware samples listed in blacklists, and tens of millions of files in whitelists. If security companies are already working around the clock to cope with new blacklist samples, whitelisting protection might not be workable, since even more benign files appear each day.

B. Why does my machine slow down?

The signature file can be considered a malicious fingerprint database which is updated frequently to cover the latest threats. It works with the scan engine to detect threats.
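As an added illustration (not code from the paper or from any vendor), the following Python sketch pairs a tiny signature file with a scan engine of the kind described above: one signature is checked only at a fixed file offset, the other may appear anywhere in the file, and a "??" token in a pattern stands for a byte the signature does not care about. The signature names, the byte patterns, and the in-memory "disk" are constructed for this example; only the EICAR string is a real, public test pattern. An on-demand sweep over the whole disk and an on-access check of a single file are both built on the same engine.

```python
"""Miniature signature file plus scan engine.

Added example, not code from the paper or from any vendor. The signature
names, the byte patterns, and the in-memory "disk" below are constructed
for this illustration; a real signature file holds far more entries.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: str            # hex bytes separated by spaces; "??" is a one-byte wildcard
    offset: Optional[int]   # absolute file offset to check, or None for "anywhere"


def compile_pattern(hex_pattern: str) -> re.Pattern:
    """Compile 'E8 ?? ?? 00 C3' into a bytes regex ('.' stands in for '??')."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def hex_of(raw: bytes) -> str:
    return " ".join(f"{b:02X}" for b in raw)


# The standard EICAR test string (a public, harmless AV test pattern).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature file: one signature anchored at a fixed offset (the
# "segment at a certain offset" check the text describes) and one floating
# signature that may sit anywhere in the file.
SIGNATURE_FILE = [
    Signature("Constructed.StubAtOffset40", "60 E8 ?? ?? ?? ?? 5D", offset=0x40),
    Signature("EICAR-Test-File", hex_of(EICAR), offset=None),
]


class ScanEngine:
    def __init__(self, signatures: List[Signature]):
        self._compiled = [(s, compile_pattern(s.pattern)) for s in signatures]

    def scan(self, data: bytes) -> List[str]:
        """Return the names of all signatures that match `data`."""
        hits = []
        for sig, rx in self._compiled:
            if sig.offset is None:
                matched = rx.search(data) is not None             # anywhere in the file
            else:
                matched = rx.match(data, sig.offset) is not None  # exactly at the offset
            if matched:
                hits.append(sig.name)
        return hits


# Constructed in-memory "disk": path -> file contents.
STUB = b"\x60\xe8\x00\x00\x00\x00\x5d"
DISK: Dict[str, bytes] = {
    "C:/Windows/notepad.exe": b"MZ" + b"\x90" * 0x3E + b"\x55\x8b\xec" + b"\x00" * 200,
    "C:/Temp/packed.exe":     b"MZ" + b"\x00" * 0x3E + STUB + b"\xcc" * 300,  # stub at 0x40
    "C:/Temp/shifted.exe":    b"MZ" + b"\x00" * 0x3F + STUB + b"\xcc" * 300,  # stub at 0x41
    "C:/Temp/eicar.com":      EICAR,
    "C:/Temp/notes.txt":      b"the bytes 60 e8 5d written as text are not code",
}


def on_demand_scan(engine: ScanEngine, disk: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Full file-system sweep: every file is scanned, so cost grows with the file count."""
    return {path: engine.scan(data) for path, data in disk.items()}


def on_access_scan(engine: ScanEngine, disk: Dict[str, bytes], path: str) -> List[str]:
    """Scan one file at access time: cost is proportional to that file's size."""
    return engine.scan(disk[path])


if __name__ == "__main__":
    eng = ScanEngine(SIGNATURE_FILE)
    for path, hits in on_demand_scan(eng, DISK).items():
        print(f"{path:28s} {hits or 'clean'}")
```

Note that `shifted.exe` carries the same stub bytes as `packed.exe` but one byte later, so the offset-anchored signature does not fire: anchoring is what keeps such a check cheap and keeps it from matching the same bytes wherever they happen to occur (as in `notes.txt`).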
TABLE 3

                      2000     2004     effects on AV products
file number           30k      90k      on-demand scan
file size             108k     189k     on-access scan
directory number      2400     8900     on-demand scan
storage capacity      8G       46G      on-demand scan

In AV products, on-demand scan is one of the main scan types; it is a full search and scan of the file system. On-demand scan works at the file level and scans all files on the hard disk. Whenever virus signatures are updated, users are recommended to start an on-demand scan to make sure that all files are checked against the latest signatures. As shown in Table 3, the mean number of files in an NTFS file system has grown from 30k to 90k, implying that on-demand scan will take much more time. In addition, the number of directories and the total storage capacity of the whole file system have also increased steadily; this drags machines down further.

On-access scan is another mainstream type of scan implemented inside the virus scanner. It continually monitors PC memory and every file operation as it happens. The speed of on-access scan depends largely on the size of the accessed file. It was observed that the average file size has

AV In-the-Cloud service has been advocated as the next-generation model for virus detection by Trend Micro (http://www.trendmicro.com) and other AV vendors since June 2008. It is a software distribution model in which security services are hosted by vendors and made available to customers over the Internet. This approach employs a pool of cloud servers which analyze and correlate new attacks and generate vaccinations online. The cloud infrastructure sharply reduces the computation burden on clients and enhances security products in mitigating new malware. Furthermore, customers only need to maintain a small, light-weight version of the virus signature file instead of the full copy. Benefits include easy deployment, low operating costs, and fast virus detection.

Fig. 2 shows the architecture of the AV In-the-Cloud service. The agent is an on-access scanner deployed on the desktop. It places itself between the applications and the operating system. The agent automatically examines the local machine's memory and file system whenever these resources are accessed by an application. For any suspicious file, the agent generates the hash value or a specific signature of the file and sends it to the remote cloud server for security verification. A low-latency anonymous communication network is used to forward these requests from the desktop to the remote cloud.
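As an added example, not Trend Micro's or the paper's own code, the following Python script plays out the exchange just described together with the blacklist/whitelist lookup of Section A: the desktop agent hashes an accessed file, first consults its light-weight local signature set and its verdict cache, and only otherwise sends the hash to a stand-in cloud server, which answers from a blacklist and a whitelist. The JSON message layout, the verdict names, the TTL field and all sample files are assumptions made for this illustration.

```python
"""One AV In-the-Cloud lookup, agent side and cloud side in one process.

Added example, not Trend Micro's or the paper's code. The JSON message
layout, the verdict names, the TTL field and every hash value here are
assumptions made for this illustration; the blacklist, whitelist and
sample files are constructed inline.
"""
import hashlib
import json
from typing import Dict, Iterable, Tuple


def fingerprint(data: bytes) -> str:
    """The file hash the agent sends instead of the file itself."""
    return hashlib.sha256(data).hexdigest()


class CloudServer:
    """Stand-in for the vendor's server pool: answers hash lookups from a
    blacklist (known malware) and a whitelist (known-benign files)."""

    def __init__(self, blacklist: Iterable[str], whitelist: Iterable[str]):
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)
        self.unknown_seen: Dict[str, int] = {}   # hashes nobody has classified yet

    def handle(self, request_json: str) -> str:
        req = json.loads(request_json)
        h = req["sha256"]
        if h in self.blacklist:
            verdict = "malicious"
        elif h in self.whitelist:
            verdict = "benign"
        else:
            verdict = "unknown"          # candidate for back-end analysis and correlation
            self.unknown_seen[h] = self.unknown_seen.get(h, 0) + 1
        return json.dumps({"id": req["id"], "sha256": h, "verdict": verdict, "ttl": 3600})


class Agent:
    """Desktop on-access scanner: small local signature set, verdict cache,
    and a cloud lookup for everything else."""

    def __init__(self, server: CloudServer, local_signatures: Dict[str, str]):
        self.server = server
        self.local = dict(local_signatures)   # light-weight local signature file
        self.cache: Dict[str, str] = {}       # verdicts already fetched from the cloud
        self.requests_sent = 0
        self._next_id = 0

    def on_access(self, data: bytes) -> str:
        h = fingerprint(data)
        if h in self.local:                    # answered locally, nothing leaves the host
            return self.local[h]
        if h in self.cache:                    # answered from cache, no round trip
            return self.cache[h]
        self._next_id += 1
        # Only the hash travels to the cloud: no file contents, no path.
        request = json.dumps({"id": self._next_id, "sha256": h})
        self.requests_sent += 1
        resp = json.loads(self.server.handle(request))
        if resp["id"] != self._next_id or resp["sha256"] != h:
            raise ValueError("cloud reply does not match the outstanding request")
        self.cache[h] = resp["verdict"]
        return resp["verdict"]


# Constructed sample files.
KNOWN_BAD = b"constructed bytes of a sample already in the cloud blacklist"
KNOWN_GOOD = b"constructed bytes of a system file in the cloud whitelist"
LOCAL_BAD = b"constructed bytes of a sample in the agent's local signature set"
NEW_FILE = b"constructed bytes of a file nobody has seen before"


def run_exchange() -> Tuple[Dict[str, str], int]:
    """Access four files (one of them twice); return verdicts and cloud round trips."""
    server = CloudServer(blacklist=[fingerprint(KNOWN_BAD)],
                         whitelist=[fingerprint(KNOWN_GOOD)])
    agent = Agent(server, local_signatures={fingerprint(LOCAL_BAD): "malicious"})
    verdicts = {
        "local_bad": agent.on_access(LOCAL_BAD),        # no cloud request
        "known_bad": agent.on_access(KNOWN_BAD),        # request 1
        "known_good": agent.on_access(KNOWN_GOOD),      # request 2
        "new_file": agent.on_access(NEW_FILE),          # request 3 -> unknown
        "known_bad_again": agent.on_access(KNOWN_BAD),  # served from the cache
    }
    return verdicts, agent.requests_sent


if __name__ == "__main__":
    v, n = run_exchange()
    print(v, "cloud round trips:", n)
```

Two points worth keeping in mind when reading the architecture this way. A whole-file hash only matches an exact copy of a known sample, so a repacked or polymorphic variant comes back as "unknown", and that is exactly the case in which the local engine still has to do the expensive work (emulation of the packed payload) that the rest of this paper is about; the cloud lookup shrinks the client's signature file, it does not remove the scan engine. And although only the hash leaves the host, the stream of hashes still reveals which files a user runs, which is why the design forwards the requests over an anonymous network.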
Our work is motivated by the need to explain why AV software drags down users' computers. In this paper, we have shown that the large signature file is not the only reason for the slowdown. The virtual emulation widely used in security products requires the AV scan engine to spend more time de-obfuscating polymorphic viruses than scanning unpacked files. In addition, low-level NTFS file operations and the recent changes in file system metadata also lengthen both on-demand and on-access scan times.