
In-Cloud Malware Analysis and Detection: State of the Art
Shahid Alam
University of Victoria
Victoria, BC, V8P5C2, Canada
[email protected]
Ibrahim Sogukpinar
Gebze Institute of Technology
41400, Gebze, Kocaeli, Turkey
Issa Traore
University of Victoria
Victoria, BC, V8P5C2, Canada
[email protected]
ABSTRACT
With the advent of the Internet of Things, we are facing another wave of malware attacks that encompass intelligent embedded devices. Because of their limited energy resources, running a complete malware detector on these devices is quite challenging. There is a need to devise new techniques to detect malware on these devices. Malware detection is one of the services that can be provided as an in-cloud service. This paper reviews current such systems, discusses their pros and cons, and recommends an improved in-cloud malware analysis and detection system. We introduce a new three-layered hybrid system with a lightweight antimalware engine. These features can provide a faster malware detection response time, shield the client from malware and reduce the bandwidth between the client and the cloud, compared to other such systems. The paper serves as a motivation for improving current techniques and developing new ones for in-cloud malware analysis and detection systems.
Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security and Protection—Invasive software; C.2.4 [Computer-Communication Networks]: Distributed Systems—Distributed applications
General Terms
Security, Malware
[email protected]
Yvonne Coady
University of Victoria
Victoria, BC, V8P5C2, Canada
[email protected]
Keywords
Cloud computing, In-cloud services, Malware analysis, Malware detection
1. INTRODUCTION
With the advent of the Internet of Things [23], we are facing another wave of malware attacks that encompass intelligent devices, such as smart phones, tablets, routers, switches, modern SCADA (supervisory control and data acquisition), PLC (programmable logic controllers), EPOS (electronic point of sale) and automotive systems, home devices (scanners, printers, toasters and refrigerators), medical devices, etc.
These devices are becoming more sophisticated, with more memory and CPU power. That means that, like other computers, these devices are also prone to more sophisticated malware (such as polymorphic and metamorphic) attacks. Because of their limited energy resources, there is currently a limit to growing the memory size and CPU power on these devices (although both are already enough to launch a sophisticated malware attack, such as Stuxnet [6]). Therefore, running a complete malware detector on these devices, if not impossible, is quite challenging. There is a need to devise other techniques to protect these devices and to detect malware on them. Such new techniques can take advantage of distributed malware detection in a cloud computing environment using multiple detection engines.
Recently, researchers in academia and industry have started studying and examining the use of the cloud for malware analysis and detection. This paper reviews current such systems, discusses their pros and cons, and recommends an improved in-cloud malware analysis and detection system. We introduce a new three-layered hybrid system with a lightweight antimalware engine. These features can provide a faster malware detection response time, shield the client from malware and reduce the bandwidth between the client and the cloud, compared to other such systems.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are not
made or distributed for profit or commercial advantage and that copies bear
this notice and the full citation on the first page. Copyrights for components
of this work owned by others than ACM must be honored. Abstracting with
credit is permitted. To copy otherwise, or republish, to post on servers or to
redistribute to lists, requires prior specific permission and/or a fee. Request
permissions from [email protected].
SIN’14, September 9 - 11, 2014, Glasgow, Scotland, UK
Copyright © 2014 ACM 978-1-4503-3033-6/14/09 ...$15.00.
http://dx.doi.org/10.1145/2659651.2659730
1.1 Cloud Computing
Cloud computing is an environment where a program or application runs on a number of computers connected through a communication network. Any user (client) who has permission to access the cloud can perform different tasks using the cloud, such as running applications and storing data. These tasks may run on one computer or on many connected computers at the same time. These computers can be physical or virtual. One physical server may be running multiple independent virtual servers, each appearing to the user as one physical device. These virtual servers are disassociated from the physical server, and hence can move around and scale up and down on the fly without affecting the client.
Some of the advantages of cloud computing are on-demand self service, broad network access, resource pooling, rapid elasticity and measured service [15]. Despite these advantages, there are some disadvantages, such as network connectivity and downtime, lack of security and privacy in the cloud, limited control and increased vulnerability. Giving all the information to a third party (the cloud host company) may put the data at risk. Large companies may be able to afford a private cloud, but smaller companies may have to rely on a third party cloud service provider. Such a company has to make sure the service provider is reliable and will keep its information secure.
Recently, CodeSpaces, a source code hosting platform that enables development and collaboration for software teams, was shut down because of a distributed denial-of-service (DDoS) attack on its servers hosted in the Amazon EC2 cloud [16]. In our opinion, for cloud computing to become ubiquitous, it needs to provide more security, trust and privacy to its clients [7, 24]. Security is still the top inhibitor for cloud computing, but the concern over security is declining year-over-year. In a 2013 survey of 855 respondents on the future of cloud computing, including business users, IT decision makers and cloud vendors, 46% listed security as their number one concern, compared to 55% the previous year [25].
The word in-cloud used in this paper refers to the services provided by a cloud to its users, such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) [15]. Malware analysis and detection is one of the services that can be provided as an in-cloud service. Companies like Panda Security [22] have already started providing such a service.
2. STATE OF THE ART
This section discusses previous research efforts on in-cloud malware analysis and detection, and compares them with the system proposed in this paper. We only discuss academic research efforts, because we were not able to find any public documents for the only commercial in-cloud malware analysis and detection system [22]. We also did not include patents filed for such systems [5]. Our focus is on complete in-cloud malware detection systems (client and cloud), so we do not cover research efforts that only investigate in-cloud services for malware detection. Interested readers are referred to [8, 13, 14, 21] for cloud-based malware detection, which may have the potential to be used in a complete in-cloud malware analysis and detection system.
Oberheide et al. [17, 18] make a case for, and propose an architecture for, using the cloud for malware analysis and detection. The proposed system combines multiple antimalware engines in a cloud and moves the malware detection from the clients to the cloud. The proposed system is called CloudAV and consists of three components. The first component is the client software, an agent on the client that sends new files to the cloud for analysis. The second component is the network service, which receives files, analyses them using multiple antimalware engines and sends the report back to the client. The third component is the archival and forensic service, a database of analysed files. CloudAV has also been extended to mobile devices [19], to reduce on-device resource consumption and software complexity. A mobile agent is developed to interface with the CloudAV network service. A mobile-specific behavioral engine is also added to detect malware. By migrating security services to a cloud-based malware analysis and detection service, CloudAV provides enhanced protection capabilities to the client. The system proposed in this paper, in addition to providing all the components of CloudAV, also adds a LWE (lightweight antimalware engine), which can further reduce the malware detection response time.
Martignoni et al. [12] propose a behavior-based malware analysis framework in the cloud that allows users to send a file to the cloud to be executed and analysed for malware detection. The file is executed on the client. The cloud simulates the execution by using the output produced by the file executed on the client. This way the cloud is able to fully (in an accurate way) simulate the execution of the file. Multiple execution instances of the cloud component, executing the same file, are run. Each of these instances uses a different execution environment, to see how each environment affects the behavior of the malware. The results of these analyses are correlated to produce the final result. The problem with this approach is the use of bandwidth resources. Part of the program will not be running locally but on the network, and depending on the number of calls made to the client, this can consume a considerable amount of the available bandwidth. Running a part of the malware on the client can expose the client to the malware, and will still require intelligent monitoring on the end host. The system proposed in this paper separates the execution of the file under detection (dynamic analysis) from the client, by running it either inside a LWE or inside the antimalware engines.
Portokalidis et al. [20] propose running a replica of the (Android) phone on a security server in a cloud. A tracer on the phone records all information needed to replay the application. This trace is sent to the cloud over an encrypted channel. A replayer on the cloud executes the application within an emulator. The trace transmission is synchronized using a loose model. That is, the synchronization is done only when the device is awake and connected to the internet, or when it is recharging. They use dynamic taint analysis (DTA) on the replica running on the cloud. DTA is very expensive and impractical for smartphones, hence the more powerful hardware of the cloud is used for DTA. The application needs to be run on the phone and then a complete trace is transmitted to the cloud; therefore it suffers the same problems of bandwidth and of exposing the client to malware mentioned above.
Liu et al. [10, 11] propose an approach to correlate retrospective malware detection results for the detection of malware attacks. The approach is implemented on Hadoop, an open source cloud computing platform, and is based on the PE (portable executable) file format. Each client has a monitoring agent that monitors the PE file created/written logs and sends them to a server in the cloud. These logs are used to build relationships among PE files, and these relations are then used to capture the changes. A file is represented by three attributes, its hash, name and size, called the file attribute vector. Changes in these attributes mean a change in the file. A change in the file can be suspicious, and can be used to detect the presence of malware. A user of this system can query it to find suspicious files. There are two different types of queries; one using file attributes and the other using file relations. This system only detects whether a file is suspicious or not; therefore the system itself cannot be used for malware detection, but it can be integrated with a complete malware detection system.
Jarabek et al. [9] propose a lightweight antimalware called ThinAV for Android that uses third party online (in-cloud) malware scanning services. ThinAV uses Kaspersky, VirusChief, VirusTotal, and ComDroid. All these services are freely available to the public. ThinAV uses their publicly available APIs to interface with them. The paper also discusses the performance of these four engines. ThinAV has two main components, the client and the server. The client submits applications for scanning and the server submits the received files to the third party scanning services. ThinAV is a good example of a client using free in-cloud malware analysis and detection services.
Zonouz et al. [27] propose a cloud-based framework for smartphone malware detection, named Secloud. The prototype framework is implemented for Android. A client agent resides on the smartphone and an emulator on the cloud. The client agent collects user and sensor input from the device and sends it to Secloud’s emulator. It also listens to the notifications from Secloud’s emulator and performs the requested actions. The emulator runs an emulated replica of the registered device and keeps it synchronized with the device. The emulation environment runs third party security solutions for malware detection. Once a misbehavior is detected, the emulator sends a notification to the client agent on the device to take the required actions. This approach is similar to [20]. In [20] replaying everything incurs high traffic overhead, whereas in Secloud only device input is logged, communicated and replayed in the replica. The application needs to be run on the phone before inputs are captured and sent to the cloud; therefore it suffers the same problems of bandwidth and of exposing the client to malware mentioned above.
Barakat et al. [4] use cloud computing to support and enhance the malware analysis process. They used Cuckoo Sandbox, a behavior analysis antimalware engine, for malware analysis, and CloudStack, an open source cloud-based environment written in Java, for providing the cloud service model. Cuckoo Sandbox was modified to work in the cloud. The paper is a good introduction to how to set up such an environment for malware analysis and detection. Two systems were implemented and compared, one with the cloud and the other without. The same settings were used on both systems. The cloud-based system was faster than the stand-alone system. Initially the stand-alone system was faster, but after 100 samples the cloud-based system performed better. The overall time saved, after 100 samples, was 22.93% on average. The timing results show that, despite using the cloud, the time for a dataset of 100 – 3000 malware samples ranges from 1985 – 62621 seconds. These timings can be improved by more efficient use of the cloud by the antimalware engine and also by using a LWE as proposed in this paper. That is where the Cuckoo Sandbox was lacking. It can be improved by running VM sessions in parallel, and by parallelizing other parts of the antimalware engine as done in [2].
Zhang et al. [26] propose a technique similar to CloudAV. The authors use the following multiple engines in the cloud to detect malware: ThreatExpert, CWSandbox, Anubis, Joe Sandbox and Cuckoo Sandbox. According to the results presented in the paper, the detection rate of each engine is very low. The authors claim that combining them will improve the detection rate, but the results for the combined detection rate are not presented in the paper.
3. DISCUSSION
It is difficult to detect the new generation of malware, such as polymorphic and metamorphic malware, in an in-cloud malware analysis and detection system. To detect such malware, antimalware software uses behavioral detection techniques that are closely tied to the system/environment (local running processes and threads, etc.) they are running on. It is difficult to provide such an environment inside a cloud.
A cloud can use virtual machines to replicate the client’s local system. To replicate a system fully, it needs to be replayed deterministically in the cloud. Concurrency and interprocess communication in an application can cause nondeterminism while replaying such an application. Access to threads needs to be serialised for deterministic replay, but this can miss some of the exceptions thrown when, in the original (non-serialised) application, two or more threads access an object at the same time. A malware may be hidden at this location (exception) in the application. In this case the replay will miss detecting this malware. Moreover, replicating each different system fully is not practical and may consume a lot of network bandwidth, client computing power and energy.
Cloud computing is still immature and there are no standard APIs used by the cloud vendors, so most cloud users have to re-write their applications when they switch cloud platforms. Therefore, in most cases, an antimalware engine will have to be re-written (the part that communicates with the cloud) if it is moved to another cloud. This problem will solve itself when cloud users start demanding standardization and interoperability.
Based on the discussion above and the review presented in Section 2, we list some of the pros and cons of state-of-the-art in-cloud malware analysis and detection systems.
3.1 Pros
1. The system decreases the complexity of the monitoring software on the client.
2. The system improves the detection rate by combining multiple antimalware engines.
3. The system is extensible. Other antimalware engines can be easily added.
4. The system is easy to deploy. Updating of the malware signatures is centralised. Instead of updating signatures on each client, a single signature update is required.
Figure 1: An overview of the hybrid in-cloud layered malware analysis and detection system. (a) Lightweight antimalware engine located in-cloud. (b) Lightweight antimalware engine located in-client.
[Figure: in both variants the Client runs a LWA (light weight agent) that checks a File against the Malware signatures s1, s2, s3 ... sk and forwards a Suspicious file; the LWE (light weight antimalware engine, with a Disassembler) sits in the Cloud in (a) and on the client in (b), and passes files it cannot clear to the in-cloud Antimalware engines e1, e2, e3 ... em, which return a Report and a new Signature.]
5. The system provides deep malware analysis, such as dynamic analysis, for resource-constrained devices.
6. The system provides correlation of information between antimalware engines, such as sharing the behavior of a malware file, which can enhance malware detection.
3.2 Cons
1. The system increases the false positive rate. More antimalware engines can produce more false positives.
2. The system’s malware detection response time can increase, compared to using a single antimalware engine on the client.
3. The system requires the development of an intelligent agent on the client that can monitor and filter different types of files and data.
4. Running a file on the client and then replicating it on the cloud can expose the client to possible malware.
5. Replicating each different client system fully on the cloud is not practical and may consume a lot of network bandwidth, client computing power and energy.
6. Without full replication of the client on the cloud, the system makes it difficult to detect the new generation of malware, such as polymorphic and metamorphic malware.
7. The system is highly dependent on the availability of the cloud and on network connectivity. If the cloud is not available, detection can be delayed.
8. The system is highly dependent on the trust and privacy provided by the cloud. Will the user trust the cloud that she/he is sending the file to, for analysis and detection using multiple antimalware engines? Moreover, the user may not trust some of the third party antimalware engines hosted on the cloud.
9. The system requires a license from each vendor of an antimalware engine.
4. PROPOSED SOLUTION
Cloud computing has the potential to be used for malware detection for intelligent devices that do not have the resources to run a sophisticated malware detector. We call such a system a distributed malware detection system. As discussed above, there are still a lot of challenges and impediments to using an in-cloud malware analysis and detection system. We need to mitigate these before such a system becomes a reality.
There are different possibilities and combinations for using a cloud for malware analysis and detection. Static analysis is more suitable for real-time malware detection than dynamic analysis. For a complete malware analysis and detection system, a combination of these two techniques is used, and this is called a hybrid system. This paper focuses more on a hybrid system, because it is more suitable for in-cloud malware analysis and detection.
We call an antimalware engine lightweight if it provides real-time malware analysis and detection on resource-constrained devices, such as notebooks, smart phones, tablets, and other high-end devices. Currently these devices have up to 2-core processors (except a few notebooks that have 4-core processors) and can have at least 2 GB of memory. Other devices, such as home devices and medical devices, with comparatively fewer resources, may not be able to run such a lightweight antimalware engine (LWE). The LWE normally employs simple, or some sophisticated, static analysis techniques. For some examples of such a LWE, readers are referred to [1, 2, 3].
Figure 1 gives an overview of the hybrid in-cloud layered malware analysis and detection system proposed in this paper. There are two new features that make this system different from other such systems: the use of three layers for malware analysis and detection, and the LWE as described above. The three layers are the lightweight agent (LWA), the LWE and the set of antimalware engines. The LWA is normally a file scanner but can also act as a lightweight detector based on simple signature-based techniques. The antimalware engines employ more sophisticated malware analysis and detection techniques (static, dynamic or hybrid), and hence require more resources than the LWE.
The client can run either a LWA or a LWE, depending on the resources available, which scans/detects files and sends only suspicious files to the cloud for further analysis and detection. The cloud can run multiple malware detection engines to analyse the file, shown as e1, e2, e3 ... em in Figure 1, where m is the number of antimalware engines currently available in the cloud. These antimalware engines can be developed in-house or licensed from antimalware vendors. If the file is malware, an appropriate action (quarantine, repair, erase) is taken and the device is informed. If the file is benign, an appropriate message is sent back to the device. After a new malware is found, its signature s is stored in the database of malware signatures, shown as s1, s2, s3 ... sk in Figure 1, where k is the current number of malware signatures in the database. This database of malware signatures is shared among the antimalware engines and the LWE.
It is difficult for a static analysis tool to support different platforms. A client will in general have a different platform than a cloud server, and this makes porting an in-cloud LWE to the client non-trivial. We use the techniques proposed in [1, 2] to make the LWE portable. Therefore, the LWE can be located in the cloud or on the client. This portability of the LWE makes the system optimizable for different devices. In the case of a client, e.g. a resource-constrained device, that cannot afford to run a LWE, the engine can be moved to the cloud. The LWE can be run as a proxy server inside the cloud, so that all the resource-constrained clients in a subnet share only one LWE. Most cloud-based systems have their own web proxies (providing content filtering, SSL inspection and malware protection, etc.) that can be used to host the LWE for such purposes.
The in-cloud antimalware engines are only used if the LWE fails to detect the file as malware, i.e. the file is still suspicious (either benign or malware). Successful use of the LWE (i.e. it detects the malware) can considerably reduce the malware detection response time. As technology improves, devices become more complex, with more memory and CPU power. To keep pace with this increase in resources, the LWE can be updated with a more sophisticated antimalware engine.
The LWE with the characteristics mentioned above has the potential to provide a faster malware detection response time for an in-cloud system, compared to the other such systems discussed in Section 2. Creating the layers LWA, LWE and antimalware engines separates the execution of the file under detection (dynamic analysis) from the client. In addition to shielding the client from the malware, this also helps in reducing the bandwidth required, compared to some of the other systems discussed in Section 2.
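The following Python simulation is an added illustration of the three-layer flow described in this section (LWA, then LWE, then the in-cloud engines e1..em, all sharing one signature database), not code from the paper. The sample files, the hash-based signatures, the LWE's static heuristic and the three engine verdicts are constructed stand-ins, and the majority-vote correlation is one simple way of combining engine results, not a method the paper specifies; what the simulation shows is which layer stops each file, how many file bytes leave the client under the in-client and in-cloud LWE placements, and how a signature added after an in-cloud detection lets the LWA stop the same file on the next scan with no upload at all.

```python
# Added example (not the paper's code): simulation of the LWA -> LWE -> engines
# pipeline of Section 4.  Files, signatures, the LWE heuristic and the engine
# verdicts are constructed stand-ins; only the control flow follows the paper.
import hashlib
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Verdict:
    label: str        # "malware" or "benign"
    layer: str        # layer that produced the final decision
    bytes_sent: int   # file bytes uploaded from the client to the cloud


def sig_of(data: bytes) -> str:
    """Hash-based signature; a stand-in for the real signatures s1..sk."""
    return hashlib.sha256(data).hexdigest()


class SignatureDB:
    """Malware signature database shared by the LWA, the LWE and the engines."""

    def __init__(self, known: List[bytes]):
        self.sigs = {sig_of(d) for d in known}

    def matches(self, data: bytes) -> bool:
        return sig_of(data) in self.sigs

    def add(self, data: bytes) -> None:
        self.sigs.add(sig_of(data))


def lwa_scan(data: bytes, db: SignatureDB) -> str:
    """Layer 1 (in-client LWA): a file scanner with a plain signature lookup."""
    return "malware" if db.matches(data) else "suspicious"


def lwe_scan(data: bytes, db: SignatureDB) -> str:
    """Layer 2 (LWE): static analysis only, the file is never executed.
    Constructed heuristic: a decryption loop that also writes code is treated
    as a packed/metamorphic unpacker stub."""
    if db.matches(data):
        return "malware"
    if b"DECRYPT_LOOP" in data and b"WRITE_CODE" in data:
        return "malware"
    return "suspicious"


Engine = Callable[[bytes], str]   # one in-cloud antimalware engine e_i


def correlate(votes: List[str]) -> str:
    """Combine e1..em by majority vote so that a single engine's false
    positive does not convict the file on its own."""
    return "malware" if votes.count("malware") > len(votes) // 2 else "benign"


def detect(data: bytes, db: SignatureDB, engines: List[Engine],
           lwe_in_client: bool = True) -> Verdict:
    """Run one file through LWA -> LWE -> engines, stopping at the first layer
    that decides it is malware.  Only still-suspicious files leave the client."""
    if lwa_scan(data, db) == "malware":
        return Verdict("malware", "LWA", 0)
    if lwe_in_client:
        if lwe_scan(data, db) == "malware":
            return Verdict("malware", "LWE(in-client)", 0)
        sent = len(data)                  # the upload happens only now
    else:
        sent = len(data)                  # LWE runs as a proxy inside the cloud
        if lwe_scan(data, db) == "malware":
            db.add(data)                  # new signature, shared with all layers
            return Verdict("malware", "LWE(in-cloud)", sent)
    verdict = correlate([e(data) for e in engines])
    if verdict == "malware":
        db.add(data)
    return Verdict(verdict, "engines", sent)


# Constructed sample files: token streams standing in for real executables.
KNOWN_WORM = b"EXEC KNOWN_WORM"
UNPACKER = b"EXEC DECRYPT_LOOP WRITE_CODE JUNK"
DROPPER = b"EXEC DROP_PAYLOAD KEYLOG"
BENIGN = b"EXEC PRINT HELLO"

# Constructed engines e1..e3, each keyed on a different indicator.
ENGINES: List[Engine] = [
    lambda d: "malware" if b"DROP_PAYLOAD" in d else "benign",
    lambda d: "malware" if b"KEYLOG" in d else "benign",
    lambda d: "malware" if b"DECRYPT_LOOP" in d else "benign",
]


def run_demo(lwe_in_client: bool = True) -> List[Verdict]:
    """Scan the four files, then rescan the dropper: once the engines convict
    it, the shared signature lets the LWA stop it with no upload."""
    db = SignatureDB([KNOWN_WORM])
    files = [KNOWN_WORM, UNPACKER, DROPPER, BENIGN, DROPPER]
    return [detect(f, db, ENGINES, lwe_in_client) for f in files]


if __name__ == "__main__":
    for v in run_demo():
        print(f"{v.label:8} decided by {v.layer:15} bytes uploaded: {v.bytes_sent}")
```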
4.1 Summary
The system proposed in this paper and presented in Figure 1 mitigates, to a certain extent, some of the problems (1 – 6) mentioned in Section 3.2.
The LWE in the proposed system mitigates the effect of problems 2, 3, 4 and 5 by providing a lightweight antimalware engine that can be located in-cloud or in-client, and hence provides a faster malware detection response time. This portability of the LWE also provides more accurate malware detection for polymorphic and metamorphic malware by running in-client real-time malware analysis [1, 2], and in some cases (where the in-client LWE detects the malware) eliminates the need for replicating the client system on the cloud, hence reducing the bandwidth required. To separate the execution from the client, the in-client LWE does not run the suspicious application for malware analysis and detection (i.e. malware detection in the in-client LWE is based on static analysis). This action (running the suspicious application, i.e. dynamic analysis) is only carried out by either the in-cloud LWE or the antimalware engines hosted in the cloud, and hence shields the client from the malware.
In addition to using the correlation of results from the antimalware engines to reduce false positives, the proposed system with the LWE helps mitigate to a certain extent (where the in-client or in-cloud LWE detects the malware) the effect of increased false positives (problem 1).
5. CONCLUSION
Malware detection is one of the services that can be provided as an in-cloud service. In this paper we have reviewed current such systems and discussed their pros and cons. The paper not only serves as a collection of recent references and information for easy comparison and analysis, but also as a motivation for improving current techniques and developing new ones for in-cloud malware analysis and detection systems. We have recommended an improved in-cloud malware analysis and detection system, by introducing a new three-layered hybrid system with a lightweight antimalware engine. These features can provide a faster malware detection response time, shield the client from malware and reduce the bandwidth between the client and the cloud.
Currently we are implementing the hybrid in-cloud layered malware analysis and detection system proposed in this paper. To take advantage of the distributed nature of a cloud, we are also planning to parallelize different components of the system. In the future we will carry out an empirical evaluation of the system, by measuring and comparing the performance of the system on a cloud with the performance of the system on a stand-alone server.
References
[1] Shahid Alam, R. Nigel Horspool, and Issa Traore. MAIL: Malware Analysis Intermediate Language - A Step Towards Automating and Optimizing Malware Detection. In Security of Information and Networks, SIN ’13, New York, NY, USA, November 2013. ACM SIGSAC.
[2] Shahid Alam, R. Nigel Horspool, and Issa Traore. MARD: A Framework for Metamorphic Malware Analysis and Real-Time Detection. In Advanced Information Networking and Applications, Research Track – Security and Privacy, AINA ’14, Washington, DC, USA, May 2014. IEEE Computer Society.
[3] Shahid Alam, Ibrahim Sogukpinar, R. Nigel Horspool, and Issa Traore. Sliding Window of Difference and Control Flow Weight for Metamorphic Malware Detection. Journal of Computer Virology and Hacking Techniques, in print, 2014.
[4] Osamah L. Barakat, Shaiful J. Hashim, Raja Syamsul Azmir B. Raja Abdullah, Abdul Rahman Ramli, Fazirulhisyam Hashim, Khairulmizam Samsudin, and Mahmud Ab Rahman. Malware analysis performance enhancement using cloud computing. Journal of Computer Virology and Hacking Techniques, 10(1):1–10, 2014.
[5] Igor Barash, Gary Guseinov, Achal S. Khetarpal, Bing Liu, and Serge Zilber. Systems and methods for operating an anti-malware network on a cloud computing platform, June 29 2010. US Patent App. 12/826,583.
[6] M. Edwards. An analysis of a cyberattack on a nuclear plant: The Stuxnet worm. Critical Infrastructure Protection, 116:59, 2014.
[7] Diogo A. B. Fernandes, Liliana F. B. Soares, João V. Gomes, Mário M. Freire, and Pedro R. M. Inácio. Security issues in cloud environments: a survey. International Journal of Information Security, 13(2):113–170, 2014.
[8] Keith Harrison, Behzad Bordbar, Syed T. T. Ali, Chris I. Dalton, and Andrew Norman. A framework for detecting malware in cloud by identifying symptoms. In Enterprise Distributed Object Computing Conference (EDOC), 2012 IEEE 16th International, pages 164–172. IEEE, 2012.
[9] Chris Jarabek, David Barrera, and John Aycock. ThinAV: truly lightweight mobile cloud-based anti-malware. In Proceedings of the 28th Annual Computer Security Applications Conference, pages 209–218. ACM, 2012.
[10] Shun-Te Liu and Yi-Ming Chen. Retrospective detection of malware attacks by cloud computing. In Proceedings of the 2010 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, CYBERC ’10, pages 510–517, Washington, DC, USA, 2010. IEEE Computer Society.
[11] Shun-Te Liu and Yi-Ming Chen. Retrospective detection of malware attacks by cloud computing. International Journal of Information Technology, Communications and Convergence, 1(3):280–296, 2011.
[12] Lorenzo Martignoni, Roberto Paleari, and Danilo Bruschi. A framework for behavior-based malware analysis in the cloud. In Information Systems Security, pages 178–192. Springer, 2009.
[13] C. A. Martinez, G. I. Echeverri, and A. G. C. Sanz. Malware detection based on cloud computing integrating intrusion ontology representation. In Communications (LATINCOM), 2010 IEEE Latin-American Conference on, pages 1–6, Sept 2010.
[14] Mohammad M. Masud, Tahseen M. Al-Khateeb, Kevin W. Hamlen, Jing Gao, Latifur Khan, Jiawei Han, and Bhavani Thuraisingham. Cloud-based malware detection for evolving data streams. ACM Transactions on Management Information Systems (TMIS), 2(3):16, 2011.
[15] Peter Mell and Timothy Grance. The NIST Definition of Cloud Computing. Special Publication 800-145, 2011.
[16] Stephanie Mlot. CodeSpaces.com closed its doors this week, following a 12-hour security breach that completely wiped its servers. http://www.pcmag.com/article2/0,2817,2459765,00.asp, June 2014.
[17] Jon Oberheide, Evan Cooke, and Farnam Jahanian. Rethinking antivirus: Executable analysis in the network cloud. In 2nd USENIX Workshop on Hot Topics in Security (HotSec 2007), 2007.
[18] Jon Oberheide, Evan Cooke, and Farnam Jahanian. CloudAV: N-Version Antivirus in the Network Cloud. In USENIX Security Symposium, pages 91–106, 2008.
[19] Jon Oberheide, Kaushik Veeraraghavan, Evan Cooke, Jason Flinn, and Farnam Jahanian. Virtualized in-cloud security services for mobile devices. In Proceedings of the First Workshop on Virtualization in Mobile Computing, pages 31–35. ACM, 2008.
[20] Georgios Portokalidis, Philip Homburg, Kostas Anagnostakis, and Herbert Bos. Paranoid Android: Versatile Protection for Smartphones. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC ’10, pages 347–356, New York, NY, USA, 2010. ACM.
[21] Matthias Schmidt, Lars Baumgartner, Pablo Graubner, David Bock, and Bernd Freisleben. Malware detection and kernel rootkit prevention in cloud computing environments. In Parallel, Distributed and Network-Based Processing (PDP), 2011 19th Euromicro International Conference on, pages 603–610. IEEE, 2011.
[22] Panda Security. From Traditional Antivirus to Collective Intelligence (2007). http://www.pandasecurity.com/usa/enterprise/downloads/docs/product/whitepapers/02dwn_wp_antivirus_evolution.pdf, Last accessed: August 4, 2014.
[23] Antonio Skarmeta and M. Victoria Moreno. Internet of Things. In Willem Jonker and Milan Petković, editors, Secure Data Management, pages 48–53. Springer International Publishing, 2014.
[24] Subashini Subashini and V. Kavitha. A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications, 34(1):1–11, 2011.
[25] North Bridge Venture Partners. 2013 Future of Cloud Computing 3rd Annual Survey Results. http://www.nbvp.com/2013-cloud-computing-survey, Last accessed: August 4, 2014.
[26] Zhenyu Zhang, Wujun Zhang, Jianfeng Wang, and Xiaofeng Chen. An Effective Cloud-Based Active Defense System against Malicious Codes. In Information and Communication Technology, pages 690–695. Springer, 2014.
[27] Saman Zonouz, Amir Houmansadr, Robin Berthier, Nikita Borisov, and William Sanders. Secloud: A cloud-based comprehensive and lightweight security solution for smartphones. Computers & Security, 37:215–227, 2013.