Andreas Marx and Maik Morgenstern presented their paper “Why in-the-cloud scanning is not a solution” at the recent Virus Bulletin 2009 conference. The paper provided a list of the shortcomings of cloud-based security. Over the past year or so there have been several discussions on this topic, but Marx and Morgenstern have done a good job articulating the issues. However, I’d like to counter their issues with some thoughts:
Issue #1: The implementations are not proactive, but reactive in nature, despite better response times to new threats.
Reality: Replacing hash signatures with intelligent static signatures can both defeat code obfuscation and detect polymorphic malware. Furthermore, it consumes far fewer resources than emulation-based behavior detection. Trend Micro’s intelligent pattern project, an automatic pattern generation system, shows that an intelligent static pattern can proactively detect hundreds of malware samples belonging to similar families at millisecond speeds without triggering false positives on more than 20 million benign samples.
Issue #2: While detection rates are maximized (which looks good in test results), the risk of false positives is increased.
Reality: A few years ago, Security Information Management (SIM) emerged as a solution to the overwhelming log volume produced by Intrusion Detection Systems (IDS). SIM includes a set of sensors which ensure that IDS events are collected, analyzed, and responded to in the shortest period of time possible. By centralizing this information, events from distributed IDS sensors can be correlated and categorized. The benefit of correlation is a sharp decrease in false positives.
The Trend Micro™ Smart Protection Network™ is similar to reputation-based SIM in that data centers aggregate URLs, emails, scripts, and files from heterogeneous data collectors. During the correlation process, Smart Protection Network measures the relationship of security events to determine the threat potential, keeping false positives at a very low and tolerable level.
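To make the correlation argument concrete, here is an added example (not Trend Micro code, and not the Smart Protection Network's actual logic) that groups alerts from several independent collectors and escalates a source only when more than one sensor agrees within a short window. The sensor names, events, weights and thresholds are constructed for the illustration.

```python
"""Cross-sensor correlation to suppress single-source noise (added example).

Constructed stand-in for the SIM-style correlation described above: events
from several sensors are grouped per source within a time window, and only
sources that independent sensors agree on are escalated.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since epoch (constructed)
    sensor: str   # which collector raised it
    src: str      # entity the event concerns (an IP here)
    kind: str     # what the sensor observed
    weight: int   # the sensor's own confidence, 1..5


# Constructed sample events: a noisy edge IDS fires twice on 10.0.0.5 alone,
# 10.0.0.7 trips one sensor once, and 10.0.0.9 trips three different sensors
# within twenty seconds.
SAMPLE_EVENTS = [
    Event(1000, "ids-edge",  "10.0.0.5", "port-scan",        1),
    Event(1005, "ids-edge",  "10.0.0.5", "port-scan",        1),
    Event(2000, "ids-edge",  "10.0.0.9", "exploit-attempt",  3),
    Event(2010, "mail-gw",   "10.0.0.9", "malicious-attach", 3),
    Event(2020, "web-proxy", "10.0.0.9", "c2-beacon",        4),
    Event(9000, "web-proxy", "10.0.0.7", "c2-beacon",        4),
]


def correlate(events, window=60, min_sensors=2, min_score=6):
    """Return {src: (score, [sensors])} for sources that should be escalated.

    A source is escalated only if, inside any `window`-second span, at least
    `min_sensors` distinct sensors reported it and their summed weight reaches
    `min_score`. The highest-scoring window per source is kept.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    incidents = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            sensors = {e.sensor for e in span}
            score = sum(e.weight for e in span)
            if len(sensors) >= min_sensors and score >= min_score:
                best = incidents.get(src)
                if best is None or score > best[0]:
                    incidents[src] = (score, sorted(sensors))
    return incidents


def alert_reduction(events, **kw):
    """(raw alert count, escalated incident count) for a batch of events."""
    return len(events), len(correlate(events, **kw))


if __name__ == "__main__":
    for src, (score, sensors) in correlate(SAMPLE_EVENTS).items():
        print(f"escalate {src}: score={score} sensors={sensors}")
    print("raw/escalated:", alert_reduction(SAMPLE_EVENTS))
```

The two parameters that matter are `min_sensors` and `window`: requiring agreement between collectors of different types (here an IDS, a mail gateway and a web proxy) is what turns six raw alerts into a single incident, while a single chatty sensor, however often it fires, never escalates on its own.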
Issue #3: The results of ‘in-the-cloud’ scanning can be based on much more input data of both good and malicious files but cause an additional performance impact on the client-, network- and server-side.
Reality: In order to maintain a balanced workload between the desktop and the cloud, the agent requires a lightweight and intelligent signature database that is smaller than traditional signature databases. When a suspicious file cannot be classified locally, the agent can send the file or its fingerprint to the local server for further verification, saving bandwidth by not sending too many packets into the cloud. Embedding the emulator in the desktop agent and the local server allows the agent to inspect the hidden payloads of obfuscated programs. Bandwidth is saved because the hash value of the dumped data, rather than the file itself, is sent to the cloud.
Issue #4: Due to the time required to answer a query, only on-demand scanners and files which are executed are checked, but not all accessed files (as a ‘traditional’ on-access guard would work).
Reality: In-the-cloud doesn’t mean moving all hash values into the cloud. An in-the-cloud architecture is normally divided into three parts: a lightweight cloud agent, a local server, and a data center. As previously mentioned, the cloud agent includes a lightweight and intelligent signature database, and each pattern in it can detect polymorphic malware belonging to the same family. The emulator can also be embedded in the desktop agent or the local server, and behavior patterns are used to scan the behavior information coming from the emulator. The local scan server always keeps the latest local pattern files from the data center. Therefore, an in-the-cloud design can still support an on-access scanning module.
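The three-tier flow argued for under Issues #1, #3 and #4 (family patterns on the agent, a fingerprint cache on the local server, a hash-keyed cloud query as the last resort) is illustrated below as an added example. It is not Trend Micro's code: the pattern set, the verdict tables, the `PACK` stand-in for a packer and the `emulate()` routine are all constructed to show the data flow, and the only point being made is which tier answers and how many bytes leave the host.

```python
"""Agent -> local server -> cloud lookup (added example, constructed stand-ins).

Tier 1 runs a small set of wildcard byte patterns over the payload the
emulator dumps, so one pattern covers many variants of a family. Tier 2 is a
local-server cache keyed by SHA-256. Tier 3 is a cloud verdict table keyed by
the same digest; only the 64-character digest, never the file, is sent there.
"""
import hashlib
import re

# Tier 1: the agent's intelligent pattern set (constructed). Two wildcard
# bytes between the markers mean variants with different filler still match.
AGENT_PATTERNS = {
    "Fam.Dropper": re.compile(rb"DROP\x00[\x00-\xff]{2}EXEC", re.DOTALL),
}

# Tier 2: local-server verdict cache, SHA-256 -> verdict (starts empty).
LOCAL_SERVER = {}

# Tier 3: cloud reputation table, SHA-256 -> verdict (constructed entries).
CLOUD = {
    hashlib.sha256(b"known-bad-sample").hexdigest(): "malicious",
    hashlib.sha256(b"known-good-tool").hexdigest(): "clean",
}


def pack(body: bytes, key: int) -> bytes:
    """Constructed toy packer used only to build samples: b'PACK' + key + XOR body."""
    return b"PACK" + bytes([key]) + bytes(b ^ key for b in body)


def emulate(sample: bytes) -> bytes:
    """Stand-in for the emulator: undo the toy packer and return the dumped
    payload; non-packed input is returned unchanged."""
    if sample.startswith(b"PACK") and len(sample) > 5:
        key = sample[4]
        return bytes(b ^ key for b in sample[5:])
    return sample


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(sample: bytes):
    """Classify one sample. Returns (verdict, answering tier, bytes sent to cloud)."""
    payload = emulate(sample)

    # Tier 1: static family patterns over the dumped payload, entirely on the host.
    for name, pat in AGENT_PATTERNS.items():
        if pat.search(payload):
            return f"malicious:{name}", "agent", 0

    # Tier 2: only the fingerprint of the dumped data leaves the host.
    digest = sha256(payload)
    if digest in LOCAL_SERVER:
        return LOCAL_SERVER[digest], "local-server", 0

    # Tier 3: cloud query costs len(digest) bytes whatever the file size;
    # definitive answers are cached on the local server for the next host.
    verdict = CLOUD.get(digest, "unknown")
    if verdict != "unknown":
        LOCAL_SERVER[digest] = verdict
    return verdict, "cloud", len(digest)


if __name__ == "__main__":
    for s in (pack(b"hdr DROP\x00\x01\x02EXEC tail", 0x5A),
              pack(b"DROP\x00\xff\xfeEXEC", 0x13),
              b"known-bad-sample", b"known-bad-sample", b"never-seen"):
        print(scan(s))
```

Two things the run shows: the two packed variants have different bytes and different hashes, yet both are stopped at the agent with nothing sent, because the pattern is applied to what the emulator dumps rather than to the on-disk file; and the first cloud answer for a hash is cached locally, so the second lookup of the same sample never leaves the local server. An on-access path can therefore answer from tier 1 or tier 2 without waiting on a network round trip, which is the point made under Issue #4.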