Rave replicated antivirus engine

Abstract

Os antivírus são uma presença fulcral nas infra-estruturas informáticas nos dias de hoje. Desde estações de trabalho aos mais poderosos servidores, de cada computador pessoal até ao mais avançado centro de dados, na sua grande maioria, existe uma solução de antivírus. Desde que os utilizadores das redes informáticas começaram a partilhar ficheiros e a usar serviços de rede, vírus, worms e outros conteúdos maliciosos tornaram-se uma presença crescente nos computadores. O crescimento exponencial da utilização da Internet acrescido do facto de que as larguras de banda são cada vez maiores levaram-nos a situações onde os vírus (e outras formas de conteúdo malicioso) tiveram constantes aparições infectando milhões de computadores em todo o mundo. Os serviços de correio electrónico (vulgo email) foram o principal método para a propagação deste tipo de conteúdos maliciosos, com variadíssimas situações registadas e confirmadas. Para combater estas novas ameaças, novas soluções de segurança foram desenvolvidas sob o chavão de produtos de anti-malware. Estes incluíam vários motores de detecção para identificar estas ameaças, ou seja, vírus, worms, trojans, spam, phishing, spyware, adware. Esta evolução nas soluções de segurança levou ao aparecimento de questões importantes. Uma das delas estás relacionada com o facto de que com o aumento da complexidade das soluções também aumenta a probabilidade de aparecimento de vulnerabilidades, ou seja, à medida que a complexidade aumenta também aumenta o número de possíveis vulnerabilidades nas soluções que mais tardam poderão ser exploradas. Outra situação tem a ver com o tempo necessário para que a solução de segurança seja executada na sua totalidade o que poderá levar a problemas de desempenho e disponibilidade em aplicações interactivas. Esta tese descreve a arquitectura, concretização e avaliação de resultados do RAVE, um motor replicado de antivírus para proteger as infra-estruturas de email. Baseada em conceitos de tolerância a faltas/intrusões, esta sistema permite o aumento da capacidade de detecção das soluções de anti-malware para infra-estruturas de email ao disponibilizar motores de detecção diferentes que, ao executarem em paralelo, permitem que um número pré-definido de réplicas possam ter faltas arbitrárias mas mantendo-se o sistema “bem comportado” e de acordo com o especificado pelos algoritmos. Ao termos um sistema replicado com várias réplicas, com cada uma a executar um motor de detecção de vírus diferente (e, se possível, executando-se em “cima” de sistemas operativos diferentes), conseguimos obter um sistema com a capacidade de oferecer uma eficiência de detecção muito elevada sem, virtualmente, qualquer quebra de serviço (mesmo durante as actualizações dos anti-vírus) mesmo na presença de falhas arbitrárias num número pré-definido de réplicas, mesmo que estas falhas possam estar a ser provocadas por um intruso com intenções maliciosas. Antivirus is a fundamental presence in every computer infrastructure nowadays. From workstations to powerful servers, from each personal computer to the most advanced datacenter, in the vast majority of all, one or more antivirus solutions are present. Ever since people started to share files and using network services, viruses, worms and other malicious contents have become a growing presence in computers. The exponential growth of Internet usage with increasing higher bandwidth led to situations were virus (as well as worms and other type of malicious content) had constant outbreaks with impressive amounts of infected computers across the entire world. Email was the preferred choice for several of these malicious content outbreaks, with various reported situations. To address the new threats new security solutions were developed under the “umbrella” of antimalware products. These included several detection engines to identify the discussed threats, i.e., virus, worms, trojans, spam, phishing, spyware, adware. This evolution in security solutions led to some important issues. One is related to the fact that solutions complexity is bound to the number of vulnerabilities, i.e., as complexity grows so does the number of possible vulnerabilities that can be later explored. Another issue is the time needed for the solution to execute all stages which can originate performance and availability problems in interactive applications. This thesis describes the design, implementation, and evaluation of RAVE, a Replicated AntiVirus Engine for email infrastructures. Based on fault/intrusion tolerance concepts, this system allows to increase the detection capability of anti-malware (e.g., virus, spam, spyware, phishing, adware) solutions for email infrastructures by having different engines working in parallel, allowing arbitrary faults in a predefined number of replicas and still maintaining a“well behaved” system. By having a replicated system that holds several replicas, each running a different antivirus engine (and, if possible, a different operating system), we obtain a system that offers a very high detection efficiency with virtually no downtime (even during antivirus’ updates) while allowing the arbitrary failure of a predefined number of replicas, even if these failures are provoked by a malicious intruder.

Antivirus is a fundamental presence in every computer infrastructure nowadays. From workstations to powerful servers, from each personal computer to the most advanced datacenter, in the vast majority of all, one or more antivirus solutions are present. Ever since people started to share files and using network services, viruses, worms and other malicious contents have become a growing presence in computers. The exponential growth of Internet usage with increasing higher bandwidth led to situations were virus (as well as worms and other type of malicious content) had constant outbreaks with impressive amounts of infected computers across the entire world. Email was the preferred choice for several of these malicious content outbreaks, with various reported situations. To address the new threats new security solutions were developed under the “umbrella” of antimalware products. These included several detection engines to identify the discussed threats, i.e., virus, worms, trojans, spam, phishing, spyware, adware. This evolution in security solutions led to some important issues. One is related to the fact that solutions complexity is bound to the number of vulnerabilities, i.e., as complexity grows so does the number of possible vulnerabilities that can be later explored. Another issue is the time needed for the solution to execute all stages which can originate performance and availability problems in interactive applications. This thesis describes the design, implementation, and evaluation of RAVE, a Replicated AntiVirus Engine for email infrastructures. Based on fault/intrusion tolerance concepts, this system allows to increase the detection capability of anti-malware (e.g., virus, spam, spyware, phishing, adware) solutions for email infrastructures by having different engines working in parallel, allowing arbitrary faults in a predefined number of replicas and still maintaining a“well behaved” system. By having a replicated system that holds several replicas, each running a different antivirus engine (and, if possible, a different operating system), we obtain a system that offers a very high detection efficiency with virtually no downtime (even during antivirus’ updates) while allowing the arbitrary failure of a predefined number of replicas, even if these failures are provoked by a malicious intruder.