SplitScreen: Enabling Efficient, Distributed Malware Detection

  • Cha, Sang-Kil (Electrical and Computer Engineering department, Carnegie Mellon University) ;
  • Moraru, Iulian (The Computer Science Department, Carnegie Mellon University) ;
  • Jang, Ji-Yong (Electrical and Computer Engineering department, Carnegie Mellon University) ;
  • Truelove, John (The Computer Science Department, Carnegie Mellon University) ;
  • Brumley, David (The Computer Science Department, Carnegie Mellon University) ;
  • Andersen, David G. (The Computer Science Department, Carnegie Mellon University)
  • Received : 2011.01.17
  • Published : 2011.04.30

Abstract

We present the design and implementation of a novel anti-malware system called SplitScreen. SplitScreen performs an additional screening step prior to the signature matching phase found in existing approaches. The screening step filters out most non-infected files (90%) and also identifies malware signatures that are not of interest (99%). The screening step significantly improves end-to-end performance because safe files are quickly identified and are not processed further, and malware files can subsequently be scanned using only the signatures that are necessary. Our approach naturally leads to a network-based anti-malware solution in which clients only receive the signatures they need, not every malware signature ever created as with current approaches. We have implemented SplitScreen as an extension to ClamAV, the most popular open source anti-malware software. For the current number of signatures, our implementation is 2× faster and requires 2× less memory than the original ClamAV. These gaps widen as the number of signatures grows.
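The two effects the abstract describes (discarding safe files early, and narrowing the signature set a suspicious file is scanned with) can be seen in a small two-stage scanner. The following is an added illustration, not SplitScreen's or ClamAV's code. It assumes the screen is a Bloom filter over fixed-length 8-byte signature prefixes and that signatures are plain byte strings; neither the filter design nor the prefix length is stated on this page, and the signatures and sample files are constructed for the example.

```python
import hashlib
from typing import Dict, List

# Assumed prefix length for the screen; the page does not give SplitScreen's value.
FRAG_LEN = 8


class BloomFilter:
    """Minimal Bloom filter using double hashing (two 64-bit halves of one SHA-256)."""

    def __init__(self, n_bits: int = 1 << 16, n_hashes: int = 4) -> None:
        self.n_bits = n_bits
        self.n_hashes = n_hashes
        self.bits = bytearray((n_bits + 7) // 8)

    def _positions(self, item: bytes):
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "little")
        h2 = int.from_bytes(digest[8:16], "little") | 1  # odd, so never zero
        for i in range(self.n_hashes):
            yield (h1 + i * h2) % self.n_bits

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class Screener:
    """Stage 1: Bloom screen over signature prefixes. Stage 2: exact match on the survivors only."""

    def __init__(self, signatures: Dict[str, bytes]) -> None:
        self.signatures = signatures
        self.bloom = BloomFilter()
        # Exact prefix index: maps a prefix back to the signatures that start with it.
        # It resolves Bloom false positives and selects the signature subset to ship/scan.
        self.frag_index: Dict[bytes, List[str]] = {}
        for name, sig in signatures.items():
            if len(sig) < FRAG_LEN:
                raise ValueError(f"signature {name} shorter than FRAG_LEN")
            frag = sig[:FRAG_LEN]
            self.bloom.add(frag)
            self.frag_index.setdefault(frag, []).append(name)

    def screen(self, data: bytes) -> List[str]:
        """Return the names of signatures that could match `data`.

        An empty list means the file is cleared by the screen alone and needs no
        further scanning; a non-empty list is the only signature set worth fetching.
        """
        candidates = set()
        for i in range(len(data) - FRAG_LEN + 1):
            window = data[i:i + FRAG_LEN]
            if window in self.bloom:  # "maybe present": confirm against the exact index
                candidates.update(self.frag_index.get(window, ()))
        return sorted(candidates)

    def scan(self, data: bytes) -> List[str]:
        """Full scan, but only with the signatures the screen selected."""
        return [name for name in self.screen(data) if self.signatures[name] in data]


# Constructed sample signature set (not real ClamAV signatures).
SAMPLE_SIGNATURES = {
    "Test.Alpha": b"MALWARE_MARKER_ALPHA_001",
    "Test.Beta": b"evil-loader\x00\x01\x02",
}

if __name__ == "__main__":
    s = Screener(SAMPLE_SIGNATURES)
    clean = b"this is a clean text file with nothing suspicious in it"
    infected = b"header" + SAMPLE_SIGNATURES["Test.Alpha"] + b"trailer"
    print("clean   ->", s.screen(clean))      # [] : cleared without a full scan
    print("infected->", s.screen(infected))   # ['Test.Alpha'] : only this signature is needed
    print("matches ->", s.scan(infected))     # ['Test.Alpha']
```

The `screen` result is what a client would request from the signature server in the network-based deployment the abstract describes: a file that never hits the prefix filter is never scanned, and a file that does hit it is scanned against only the handful of signatures that share a prefix with it, rather than the whole database.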
