Recently, more and more information technology companies have been looking into “cloud computing” to meet their web hosting, data storage and data processing needs. Cloud computing means data processing in which the required computing capacity is provided as an Internet service. Cloud computing clients therefore do not need to maintain an infrastructure of their own; the service provider does this for them. On the one hand, this is a very convenient tool for ordinary users, who do not have to deal with complex software and hardware interfaces; on the other hand, those responsibilities are transferred to the provider.
Cloud data processing means distributed processing of various types of data at various levels. In one case, it may mean providing hardware and system software for use (Infrastructure as a Service). In other cases, an entire platform for developing, testing and supporting applications is provided (Platform as a Service). Currently, one of the most familiar options is the provision of software as a service (Software as a Service). Other ways of providing hardware and software as an abstract, scalable service are also being developed. For simplicity, cloud data processing will hereinafter be called a “cloud service”.
Currently, there are many different cloud computing options. For example, Google Apps allows various types of documents to be edited online using only an Internet browser, while the data is stored on Google servers. One of the latest Google developments, the Chrome operating system (OS), also gives the browser the key role of a tool for accessing other resources, which reduces the load on the client computer (such as a netbook) and provides good reliability and simplicity of operation, since the entire infrastructure is located on the server. Another good example of cloud computing is the OnLive platform, which offers real-time play of the latest computer games even on computers with very limited hardware capabilities (the same netbooks, or tablets) by processing all the game data on the server and transmitting it to the client as a multimedia stream. Microsoft is currently developing its Azure platform for creating distributed web applications. The platform's operating principles solve the scaling and resource access issues in exchange for a subscription fee for the resources used.
FIG. 1 illustrates a high-level schematic diagram of the cloud services described above. A cloud service 120 is shown as software and hardware resources 110, which may be requested by users of personal computers (PC) 100. This model is currently being actively developed and, as noted earlier, it places significant responsibilities on the provider of the cloud service 120 for issues such as the safety and security of user data, as well as convenient scalability of the provided software and hardware resources 110.
Considering the advantages of cloud computing, it is no wonder that it attracted the interest of antivirus software companies, which have lately seen the number of threats grow beyond all conceivable limits. Hereinafter, threats will mean various kinds of malicious software such as Trojans, network worms and viruses, other undesirable software, links to web pages hosting malicious or other undesirable software, vulnerabilities in licensed software, etc. Undesirable software may include crimeware, spyware and software that blocks access to data or to the computer itself (ransomware). FIG. 2 illustrates the quantitative growth of new unique malware files intercepted and analyzed by ZAO Kaspersky Laboratory. The growth is clearly exponential, and it has a number of recently emerged causes. At the same time, the capabilities of antivirus companies, both the hardware for processing new threats and the personnel (virus analysts), are fairly limited and cannot be increased at the same pace as the volume of threats. One of the reasons for the increase in the volume of new unique malware is the massive development of telecommunications, including the Internet, and the corresponding fast growth in the number of users. This, in turn, stimulates the development of various web-based online services: Internet banking, virtual money (such as WebMoney), live journals and blogging, and the migration of much software to the web (the already mentioned Google Apps is a good example). Correspondingly, the current generation of cybercriminals is actively using its own developments, in the form of malware, for web attacks designed to steal and extort money. Lately their activities have affected not only banking (so-called banking Trojans) but have spread to hijacking accounts in popular online games, as well as extortion using Trojan-Ransom type software. A number of factors enable their success and the corresponding increase in malware shown in FIG. 2: insufficient security of many online services, shortcomings or the complete absence of Internet crime laws in a number of countries, and sometimes just basic illiteracy of computer users regarding computer security.
It must be admitted that the existing methods of malware protection, usually represented by signature and heuristic detection, have practically exhausted their potential. Heuristic analysis is based on searching for specific features peculiar to malware (code fragments, certain registry keys, file or process names), but debugging each heuristic scan scenario takes a lot of time, and the risk of errors (false positive detections) is always present. The efficiency of heuristic detection methods has currently stalled at 60-70%, which appears to be the maximum achievable level.
Traditional signature analysis still allows malware to be identified quickly and precisely, but only if the malware is already known. The signatures are constantly updated (as of now, on an hourly basis), which has an evident drawback: protection of this kind, by its nature, gives malware time to spread, as shown in FIG. 3. Hours or even days may pass from the moment a piece of malware is released until an antivirus company obtains a sample of it (usually an executable file), analyzes it, confirms its malicious behavior, adds it to the signature database and tests the database before the update is released to the antivirus servers. The entire process may take hours and sometimes days, and the situation is constantly exacerbated by the fact that it is not always possible to automate every step of the malware detection procedure.
Currently, other detection methods based on different principles are being actively developed by the antivirus industry. Symantec's technique is based on the so-called Wisdom of the Crowd, using a reputation for an unknown executable file. The reputation is created by users, who manually determine the degree of danger the file represents. This is not a new idea: James Surowiecki's book “The Wisdom of Crowds” presents a theory, based on interesting facts, that a large group of non-experts may make better decisions than the experts. Therefore, the more users “vote” the file malicious, the more “malicious” a reputation is assigned to it. On the one hand, this allows relying on the majority opinion, but at the same time that very factor generates errors, because the majority of users are not computer security experts and may therefore make wrong decisions, which may result in blocking non-malicious software. Moreover, the vast majority of malware belongs to the Trojan class, i.e. programs which “imitate” safe and useful programs, which causes inexperienced users to trust them easily. If common software, such as a calculator (calc.exe), is infected with a virus, an ordinary user without a sufficient level of expertise will not be able to come to the correct conclusion.
Another technology, McAfee's Artemis, offers to analyze fingerprints of unknown executable files. The sequence starts with the user's antivirus application detecting a suspicious file, for example one that is encrypted or packed. Hereinafter, a packed file shall mean an executable file which has been specially compressed and contains additional unpacking routines; UPX is a classic example of a program for compressing executable files. After detecting a suspicious file which is not found in the local (i.e. user-side) ‘whitelist’ and ‘blacklist’ software databases, the antivirus application transmits a fingerprint of the executable file (its hash sum) to the server, where the fingerprint is checked against known malware hash sums. This eliminates the problem of FIG. 3 associated with the delay in updating users' databases. But this approach is also not free of drawbacks, since the antivirus company must already possess the fingerprint (hash sum) of the particular file (‘clean’ or malware), which in turn leads to the problem of the antivirus company obtaining that file in time. Since huge quantities of executable files are generated every minute, it is very difficult to obtain such files promptly.
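To make the sequence concrete, the following Python script is an added illustration (not McAfee's code, and not part of the original text) of a client-side flow of the kind described: a byte-entropy heuristic flags a file as possibly packed or encrypted, the file's SHA-256 fingerprint is checked against local ‘whitelist’ and ‘blacklist’ databases, and only the fingerprint is sent to a (here simulated) server. The entropy threshold, the in-memory databases and the sample byte strings are all constructed for the example; the third packed sample shows the drawback noted above, a file whose hash the server does not yet possess.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Hypothetical cutoff: compressed or encrypted bodies have entropy close to 8,
# ordinary code and text far less.
ENTROPY_THRESHOLD = 7.0


def looks_packed(data: bytes) -> bool:
    """Heuristic stand-in for 'suspicious: encrypted or packed'."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def fingerprint(data: bytes) -> str:
    """The 'imprint' (hash sum) that is all the client sends to the server."""
    return hashlib.sha256(data).hexdigest()


def _high_entropy_blob(seed: int, size: int = 2000) -> bytes:
    """Constructed stand-in for a packed body: cycles evenly through all 256 byte values."""
    return b"MZ" + bytes((i * 7919 + seed) % 256 for i in range(size))


# Constructed samples; none is a real executable.
PLAIN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 40
PACKED_KNOWN_GOOD = _high_entropy_blob(13)   # e.g. a UPX-compressed legitimate tool
PACKED_KNOWN_BAD = _high_entropy_blob(99)    # malware the vendor has already seen
PACKED_NEW = _high_entropy_blob(200)         # just released; nobody has its hash yet

# User-side databases of known hashes (constructed).
LOCAL_WHITELIST = {fingerprint(PACKED_KNOWN_GOOD)}
LOCAL_BLACKLIST: set = set()

# Simulated vendor server: it knows only files whose samples it has obtained.
CLOUD_MALWARE_HASHES = {fingerprint(PACKED_KNOWN_BAD)}


def cloud_lookup(digest: str) -> str:
    """Simulated round trip; a real client would send the digest over the network."""
    return "malicious" if digest in CLOUD_MALWARE_HASHES else "unknown"


def classify(data: bytes) -> tuple:
    """Return (verdict, source) following the Artemis-style sequence in the text:
    suspicious? -> local whitelist/blacklist -> hash sent to the server."""
    if not looks_packed(data):
        return ("not suspicious", "local heuristic")
    digest = fingerprint(data)
    if digest in LOCAL_WHITELIST:
        return ("clean", "local whitelist")
    if digest in LOCAL_BLACKLIST:
        return ("malicious", "local blacklist")
    return (cloud_lookup(digest), "cloud")


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("known good", PACKED_KNOWN_GOOD),
                         ("known bad", PACKED_KNOWN_BAD), ("new", PACKED_NEW)):
        print(f"{name:>10}: entropy={shannon_entropy(sample):.2f} -> {classify(sample)}")
```

The last sample is the case the text warns about: it is suspicious and absent from both local databases, so the client asks the server, but the server can only answer “unknown” because no sample of that file has reached the antivirus company yet.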
But the latest successful developments in cloud computing have also led to a range of related problems. One of them arises because, when a large number of users are working with a cloud service, each user at any moment in time is most commonly treated as a unit with the same rights and capabilities as every other. Commercial cloud services use various business models to differentiate user capabilities; for example, Azure charges different fees for using different volumes of resources. But if the users themselves directly participate in the operation of the cloud service, it becomes necessary to split them into groups according to some set of criteria, which makes it possible to organize the service better and, in particular, to detect threats faster and more precisely. This applies, for one, to the “Wisdom of the Crowd” technique.
The present invention is concerned with solving the task of using the expertise of many users in malware detection by creating user classes and subdividing users according to their roles.
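As an added example (not the patent's method, and not Symantec's code), the following Python script contrasts the plain majority-vote reputation described above with a vote weighted by user class, which is one way the user classes mentioned above could be applied to the Wisdom of the Crowd technique. The class names, the per-class weights, the decision threshold and the two voting scenarios are hypothetical and constructed for the illustration: in the first, a Trojan posing as a common program is trusted by most inexperienced users; in the second, a harmless program is voted malicious by inexperienced users.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    user_class: str  # hypothetical roles: "novice", "advanced", "expert"
    verdict: str     # "malicious" or "clean"


# Hypothetical per-class weights; the text gives no such numbers.
CLASS_WEIGHT = {"novice": 1.0, "advanced": 3.0, "expert": 10.0}
THRESHOLD = 0.5  # a reputation above this is treated as malicious


def majority_reputation(votes):
    """Plain Wisdom of the Crowd: each user is a unit with equal weight.
    Returns the fraction of votes calling the file malicious."""
    tally = Counter(v.verdict for v in votes)
    total = sum(tally.values())
    return tally["malicious"] / total if total else 0.0


def weighted_reputation(votes):
    """Same tally, but each vote carries the weight of its user's class."""
    tally = Counter()
    for v in votes:
        tally[v.verdict] += CLASS_WEIGHT[v.user_class]
    total = sum(tally.values())
    return tally["malicious"] / total if total else 0.0


def decide(score):
    return "malicious" if score > THRESHOLD else "clean"


# Scenario 1 (constructed): a Trojan imitating calc.exe. Nine novices trust
# it; two experts who actually analysed it call it malicious.
TROJAN_VOTES = [Vote("novice", "clean")] * 9 + [Vote("expert", "malicious")] * 2

# Scenario 2 (constructed): a harmless packer-compressed tool. Six novices
# vote it malicious on suspicion; one advanced user and one expert vote clean.
BENIGN_VOTES = ([Vote("novice", "malicious")] * 6
                + [Vote("advanced", "clean"), Vote("expert", "clean")])


def compare(votes):
    """Return (majority verdict, class-weighted verdict) for one set of votes."""
    return decide(majority_reputation(votes)), decide(weighted_reputation(votes))


if __name__ == "__main__":
    for name, votes in (("trojan", TROJAN_VOTES), ("benign", BENIGN_VOTES)):
        maj, wgt = compare(votes)
        print(f"{name}: majority says {maj}, class-weighted says {wgt}")
```

With equal weights the crowd gets both scenarios wrong (the Trojan is trusted, the harmless tool is blocked); once votes are weighted by class, the few expert votes outweigh the many inexperienced ones and both verdicts flip. Whether such weights are warranted depends entirely on how reliably users are assigned to classes, which is the problem the invention sets out to address.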