DOI: 10.1145/3374664.3375748
Research article (CODASPY Conference Proceedings)

TrustAV: Practical and Privacy Preserving Malware Analysis in the Cloud

Published: 16 March 2020

Abstract

While the number of connected devices is constantly growing, we observe an increasing rate of cyber attacks that target user data. Personal devices typically hold the most sensitive information about their users, so there is no doubt that they are a very valuable target for adversaries. Typical defense solutions that safeguard user devices and data are based on malware analysis mechanisms. To amortize the processing and maintenance overheads, outsourcing network inspection mechanisms to the cloud has recently become very popular. However, the majority of such cloud-based applications offer only limited privacy-preserving guarantees for data processing in third-party environments. In this work, we propose TrustAV, a practical cloud-based malware detection solution intended for a plethora of device types. TrustAV offloads the processing of malware analysis to a remote server, where it is executed entirely inside hardware-supported secure enclaves. By doing so, TrustAV is able to shield the transfer and processing of user data even in untrusted environments, with tolerable performance overheads, ensuring that private user data are never exposed to malicious entities or honest-but-curious providers. TrustAV also utilizes various techniques to overcome the performance overheads introduced by the Intel SGX technology and to reduce the required enclave memory (a limiting factor for malware analysis executed in secure enclave environments), offering up to 3x better performance.

Published In

CODASPY '20: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy
March 2020
392 pages
ISBN:9781450371070
DOI:10.1145/3374664
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. antivirus
  2. data processing
  3. intel sgx
  4. mobile
  5. privacy
  6. trusted execution environment

Qualifiers

  • Research-article

Conference

CODASPY '20

Acceptance Rates

Overall Acceptance Rate 149 of 789 submissions, 19%

Cited By

  • (2023) Intel Software Guard Extensions Applications: A Survey. ACM Computing Surveys 55(14s), 1-38. DOI: 10.1145/3593021. Online publication date: 17-Jul-2023
  • (2023) An Evaluation of Real-time Malware Detection in IoT Devices: Comparison of Machine Learning Algorithms with RapidMiner. 2023 IEEE International Conference on Electro Information Technology (eIT), 077-082. DOI: 10.1109/eIT57321.2023.10187265. Online publication date: 18-May-2023
  • (2023) Privacy-Preserving Content-Based Similarity Detection Over in-the-Cloud Middleboxes. IEEE Transactions on Cloud Computing 11(2), 1854-1870. DOI: 10.1109/TCC.2022.3169329. Online publication date: 1-Apr-2023
  • (2023) Intelligent Malware Detection System Based on Behavior Analysis in Cloud Computing Environment. 2023 International Conference on Circuit Power and Computing Technologies (ICCPCT), 109-113. DOI: 10.1109/ICCPCT58313.2023.10245065. Online publication date: 10-Aug-2023
  • (2023) Partial Outsourcing of Malware Dynamic Analysis Without Disclosing File Contents. 2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC), 717-722. DOI: 10.1109/COMPSAC57700.2023.00098. Online publication date: Jun-2023
  • (2022) A Step Towards On-Path Security Function Outsourcing. Proceedings of the 23rd International Conference on Distributed Computing and Networking, 175-187. DOI: 10.1145/3491003.3491007. Online publication date: 4-Jan-2022
  • (2022) Decision Trees to Detect Malware in a Cloud Computing Environment. 2022 International Conference on Electronic Systems and Intelligent Computing (ICESIC), 299-303. DOI: 10.1109/ICESIC53714.2022.9783547. Online publication date: 22-Apr-2022
  • (2022) AntiViruses under the microscope. Computers and Security 112(C). DOI: 10.1016/j.cose.2021.102500. Online publication date: 1-Jan-2022
  • (2021) A Survey on Encrypted Network Traffic Analysis Applications, Techniques, and Countermeasures. ACM Computing Surveys 54(6), 1-35. DOI: 10.1145/3457904. Online publication date: 13-Jul-2021
  • (2021) Intelligent Behavior-Based Malware Detection System on Cloud Computing Environment. IEEE Access 9, 83252-83271. DOI: 10.1109/ACCESS.2021.3087316. Online publication date: 2021