These days, when you scan Internet resources or take part in discussions, you inevitably come across materials and comments related to the use of cloud technology in antivirus protection.
The opinions are many, ranging from accusations against vendors that they are indulging in blatant PR campaigns in the complete absence of any benefits offered by the antivirus cloud, to assertions that these so-called clouds are a universal panacea. Both Internet users and security professionals are engaged in these discussions today, and no one can seem to agree.
The objective of this article is to make an attempt to really get to the bottom of the situation. We will address only the real-time collaboration of personal antivirus products installed on user computers with the vendor's cloud infrastructure. This article will not discuss SaaS/hosted services.
For the sake of simplicity, we will use the term “antivirus cloud” to refer to an antivirus company's system used to process information obtained from user computers to identify new, as yet undetected threats. Anticipating objections against using the word “cloud” in this way, we refer to the already standard practice of using the term in this context. Discussions of the appropriateness of the use of this name are beyond the scope of this article.
This article will provide an answer to the question: what is an antivirus cloud, really, and what are its pros and cons? This article is aimed primarily at readers who are interested in learning more about cloud-based antivirus protection, gaining an understanding of the general principles of how an antivirus cloud works, and what it offers in terms of protection.
Over the past 20 years, antivirus protection has primarily been based on signature analysis and heuristic analysis. This was quite sufficient to effectively counteract malicious content, since:
However, in 2003-2004, we saw the development of mass communication, a rapid growth in the number of Internet users, and the arrival of Internet business, which created attractive conditions for cybercriminals. At first malicious programs were created simply for the fun of it or to prove a virus writer’s skill. Later, as opportunities arose to make money from the virtual property of others, and to steal others' funds, cybercriminals started proactively developing malware in order to make money.
Increase in the number of unique malicious files detected by Kaspersky Lab
In addition to the increase in the number of new malicious files, we also saw an upswing in the number of different ways used to steal money: cybercriminals developed even more effective techniques for conducting attacks.
Antivirus developers continued to improve heuristic methods to detect malware and introduced automatic systems and/or automatic detection features in their products. The latter led to a marked increase in the volume of updates that approached a threshold where update downloads were becoming a major inconvenience for users.
Annual increase in the number of antivirus updates in MB (incl. 2010 forecasts)
The ongoing battle between cybercriminals and antivirus companies has grown more intense, and each side has proactively examined the enemy’s tools and methods. In 2008–2009, the speed at which new malicious programs appeared reached a new level and typical update systems were no longer sufficient to counteract the threats. According to a study conducted in the second quarter of 2010 by NSS Labs, antivirus companies required anywhere from 4.62 to 92.48 hours to block Internet threats. Improving response time to threats using typical antivirus updates was impossible, since the time required to detect threats, analyze them, and test antivirus updates had already reached a minimum.
It would seem that response time could be improved by using heuristic detection methods, which help block threats as soon as they appear without waiting for the release of antivirus database updates. However, heuristic methods detect, on average, just 50–70% of threats, which means that 30–50% of all emergent threats are left undetected by heuristic methods.
As a result, the main questions that the antivirus industry has had to consider recently are:
These questions have forced antivirus developers to devote more attention to the development of alternative methods of detecting and blocking today's threats. The use of antivirus cloud technologies is one such method.
As stated above, this article uses the term “antivirus cloud” to refer to the infrastructure that an antivirus company uses in order to process information obtained from the computers of those who use a specific personal product in order to identify new, as yet undetected threats, in addition to performing a number of other tasks. The technologies used to store and process user data remain in the background. The antivirus program sends a request to the cloud to see if there is any information available about a particular program, activity, link, or resource. The response will either be “yes, there is information,” or “no, there is no information.”
How does the cloud differ from antivirus updates?
Options for user communication with antivirus infrastructure
An update system assumes one-way interaction between the antivirus company and the user: from the AV vendor to the user. There is no feedback from the user, which is why it is not possible to promptly identify suspicious activity, or obtain information about a spreading threat or its sources. Often, antivirus companies face delays as they have to obtain this kind of data via additional data channels.
In contrast, the cloud approach is bilateral. A number of computers connected to the cloud via a central server inform the cloud of sources of infection and any suspicious activity that have been detected. After processing the information, it becomes accessible to other computers that are connected to the cloud. In fact, users are able to share information via the antivirus company’s infrastructure (not directly with one another!) about attacks launched against them and the sources of those attacks. The result is an integrated, distributed intellectual antivirus network which functions as a single whole.
The main difference between the cloud and existing antivirus technologies is the object being detected. While earlier generations of technologies (such as signatures, for example) worked with objects in the form of files, an antivirus cloud works with metadata. Consider this example to understand what metadata is: let us presume that we have a file — it is an object. Information about that file is metadata, which includes the file’s unique identifier (a hash of its contents), data about how the file came to be in the system, how it behaved, etc. New threats are identified in the cloud using metadata, even though the files themselves are not actually transmitted to the cloud for initial analysis. This approach facilitates real-time collection of data from tens of millions of voluntary participants in a distributed antivirus network in order to identify as yet undetected malware.
For example, if an antivirus user opts in to the Kaspersky Security Network (KSN), the product will start to send two different kinds of metadata to Kaspersky Lab:
It should be stressed that this information is only transferred with the user’s consent.
The expert system identifies threats and checks for decision making errors, then looks for the sources spreading the threat. The sources, once located, also undergo automatic checks, in order to rule out any false positives. The data obtained by the expert system about the newly emergent threats and their sources is then promptly made available to all product users.
Metadata about infections is used to train expert systems, which consequently respond quickly to the latest malware and cybercriminal techniques by automatically identifying active threats on users' computers. Information used by the system for self-learning includes verdicts received from signature and heuristic detection. It should be emphasized that the most effective user protection is achieved by using a combined approach meshing an antivirus cloud with other technologies already used to counteract threats.
By gathering and processing data about suspicious activity from each participant in the network, the cloud is, essentially, a powerful expert system designed to analyze cybercriminal activity. Data needed to block attacks is provided to all participants in the cloud network, which helps prevent subsequent infection.
The longest stage of the process is the analysis of the data obtained from user metadata in order to identify unknown malicious programs — however, even this process takes just a few minutes.
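To make the two-directional flow described above concrete (clients reporting metadata rather than files, the expert system waiting for corroboration from several independent machines, ruling out known-good files to avoid false positives, and blocking the spreading source as well as the file), here is an added toy model in Python. It is an illustration written for this article, not KSN's actual protocol; the behaviour names, the corroboration threshold and the Report fields are all assumptions.

```python
"""Toy model of an antivirus cloud's bilateral flow (added illustration,
not KSN's real protocol or thresholds). Clients submit metadata about a
file; the cloud aggregates it and pushes verdicts back to every client."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Behaviours an endpoint heuristic might flag (constructed sample set).
SUSPICIOUS = {"writes_autorun", "injects_process", "disables_av"}

@dataclass
class Report:
    client_id: str          # which participating machine sent this
    file_hash: str          # the file's identifier; the file itself stays local
    behaviours: frozenset   # what the file did on that machine
    source: str             # where the file came from (e.g. a download URL)

class Cloud:
    def __init__(self, min_reporters=3, known_good=()):
        self.min_reporters = min_reporters     # independent machines required
        self.known_good = set(known_good)      # vendor-verified clean hashes
        self.reports = defaultdict(dict)       # hash -> {client_id: Report}
        self.verdicts = {}                     # hash -> "malicious"
        self.blocked_sources = set()           # sources spreading the threat

    def submit(self, report):
        """Client -> cloud direction: the feedback that update-only systems lack."""
        # Keyed by client so one noisy machine cannot count as several.
        self.reports[report.file_hash][report.client_id] = report
        self._evaluate(report.file_hash)

    def _evaluate(self, h):
        flagged = [r for r in self.reports[h].values() if r.behaviours & SUSPICIOUS]
        # Require corroboration across machines, and never convict a known-good file.
        if len(flagged) < self.min_reporters or h in self.known_good:
            return
        self.verdicts[h] = "malicious"
        # Block the sources too, not only the file, so later downloads are stopped.
        self.blocked_sources.update(r.source for r in flagged)

    def lookup(self, h):
        """Cloud -> client direction: 'is there information about this hash?'"""
        return self.verdicts.get(h)

def file_hash(data: bytes) -> str:
    """Hash a file's contents; only this string is sent to the cloud."""
    return hashlib.sha256(data).hexdigest()
```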
As a result, the only real drawback that cannot currently be resolved is the dependency of user protection on the existence of a stable connection. Kaspersky Security Network will have resolved all of the other issues in the next version of its cloud protection.
There is yet another category of issues with cloud protection that is often discussed on the Internet and is viewed by those involved in the discussion as drawbacks. However, these points are not, in fact, flaws. We would like to address these issues and explain why they should not be seen as weak areas.
We have reviewed the circumstances that led to the creation of antivirus clouds, and addressed in brief how cloud protection works, and its pros and cons.
Where does the cloud fit within today’s antivirus industry? Is there any true benefit to using cloud technology, and does it offer anything fundamentally new?
The cloud approach is certainly no silver bullet against cybercriminals. But cloud protection has already proven itself to have a number of major advantages: it identifies and blocks new threats at a high speed, and it doesn’t only block threats — it also blocks the sources spreading them. This helps us envisage a new direction of development in the antivirus industry. Furthermore, all of these advantages can be automated using an expert system which offers a low rate of false positives.
The cloud is not just a fad — it is an effective user protection technology. As these technologies develop, their role and significance within the antivirus industry will continue to grow.
However, we should not see an antivirus cloud as merely a separate user protection technology. Without a doubt, cloud systems can function completely automatically, without using any of the rich experience the industry has accumulated in threat detection. However, the effectiveness of this kind of approach is far from ideal. Maximum protection can be achieved by combining the security technologies we have already mastered with antivirus cloud systems. The result of this combined approach is superior to using only one or the other: it offers the rapid response time of cloud systems to as yet unknown threats, while retaining a high level of detection and proactivity, a low margin of error, and offering complete threat data.
If you have any questions, send them to Yury.Mashevsky (at) Kaspersky (dot) com, and they will be addressed in future articles.
For questions in languages other than Russian or English, please send an email to your local Kaspersky Lab office, where we will translate your question before passing it on to the author. Thank you!
2010 Sep 30, 17:29
Great article! :)
2011 Nov 09, 09:03
Thanks for your article
Nice article Yuri, I'm following your articles
2011 Dec 15, 12:05
i like kaspersky
2011 Dec 30, 15:42
i like kaspersky
2012 Jan 01, 17:03
I trust and follow Kaspersky instructions
2012 Sep 19, 13:14
Thank you, I have chosen to use Kaspersky 2012.
2012 Nov 30, 15:45
Congratulations, a beautiful article. To tell the truth, this article even helped me, so I can only thank Kaspersky for giving me the chance to read it, and also praise you for your products, which I have been using since 2008. THANK YOU!!!
2013 Feb 14, 09:59
How to verify our GMX Motorbikes website?
We are using Kaspersky anti-virus and firewall for all our office computers.