PriMal: Cloud-Based Privacy-Preserving Malware Detection

  • Hao Sun
  • Jinshu Su
  • Xiaofeng Wang
  • Rongmao Chen
  • Yujing Liu
  • Qiaolin Hu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10343)


The ongoing threat of malware has raised significant security and privacy concerns. Motivated by these issues, cloud-based detection systems are of increasing interest for large-scale malware detection, since they relieve the client of the scanning burden and improve detection efficiency. However, most existing cloud-based detection systems overlook data privacy during malware detection: the client's scanned data is exposed to the cloud, or the cloud's signature set is exposed to the client. In this paper, we propose a cloud-based anti-malware system named PriMal, which protects the data privacy of both the cloud server and the client while still achieving usable detection performance. PriMal uses a newly designed private malware signature set intersection (PMSSI) protocol that lets the cloud server and the client confirm malware matches without either party revealing its private data, in the semi-honest model. Moreover, we propose a relevant signature engine to reduce the detection range and overhead. Experimental results show that PriMal offers a practical approach to achieving both usable malware detection and strong data privacy preservation.
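To make the privacy contract in the abstract concrete, the following is an added example, not code from the paper and not PriMal's PMSSI protocol (which is OT-based and is not reproduced here). It uses the classic Diffie-Hellman-style private set intersection in the semi-honest model as a stand-in: the client blinds the hashes of its file fingerprints with a secret exponent, the cloud server blinds its signature set with its own exponent, and commutativity of exponentiation lets the client, and only the client, see which of its fingerprints are in the server's set. The server learns nothing beyond how many fingerprints were queried. The class and function names, the `run_psi` driver and the signature strings are constructed for illustration; the modulus is the 1024-bit RFC 2409 group 2 safe prime, and `group_is_safe_prime()` is the one-time parameter check a practitioner should run before trusting it.

```python
"""Semi-honest private set intersection (PSI) over malware signature hashes.

Added illustrative example, NOT the PriMal PMSSI protocol: classic
Diffie-Hellman-style PSI via commutative exponentiation in a prime-order group.
"""
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2), a safe prime P = 2Q + 1.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; used to validate the group parameters."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def group_is_safe_prime():
    """Run once before trusting the modulus: both P and Q must be prime."""
    return is_probable_prime(P) and is_probable_prime(Q)

def hash_to_group(signature):
    """Map a signature into the order-Q subgroup: square SHA-256(sig) mod P."""
    h = int.from_bytes(hashlib.sha256(signature).digest(), "big") % P
    return pow(h or 1, 2, P)  # h == 0 has negligible probability; avoid it anyway

class Client:
    """Holds fingerprints of local files; learns only which ones the cloud flags."""

    def __init__(self, fingerprints):
        self.fingerprints = list(fingerprints)
        self.a = secrets.randbelow(Q - 1) + 1  # secret exponent in [1, Q-1]

    def round1(self):
        """Message 1: blinded fingerprints H(x)^a; random a hides x from the server."""
        return [pow(hash_to_group(x), self.a, P) for x in self.fingerprints]

    def round3(self, doubly_blinded, blinded_db):
        """Local finish: x is in the database iff H(x)^(ab) == (H(y)^b)^a for some y."""
        db = {pow(t, self.a, P) for t in blinded_db}
        return {x for x, v in zip(self.fingerprints, doubly_blinded) if v in db}

class CloudServer:
    """Holds the signature set; never sees plaintext fingerprints or which ones match."""

    def __init__(self, signatures):
        self.signatures = list(signatures)
        self.b = secrets.randbelow(Q - 1) + 1

    def round2(self, client_blinded):
        """Message 2: (H(x)^a)^b per client element, plus H(y)^b for every signature.
        Sorting hides the database's internal order; the client still learns |Y|."""
        doubly = [pow(v, self.b, P) for v in client_blinded]
        blinded_db = sorted(pow(hash_to_group(y), self.b, P) for y in self.signatures)
        return doubly, blinded_db

def run_psi(client_fingerprints, server_signatures):
    """One session; returns the set of client fingerprints found in the database."""
    client, server = Client(client_fingerprints), CloudServer(server_signatures)
    doubly, blinded_db = server.round2(client.round1())
    return client.round3(doubly, blinded_db)

# Constructed sample inputs (arbitrary bytes standing in for hash-style
# signatures; not real malware indicators).
MALWARE_DB = [b"sig:eicar-test-file", b"sig:sample-dropper-0001", b"sig:sample-worm-0002"]
CLIENT_FILES = [b"sig:eicar-test-file", b"sig:notepad.exe",
                b"sig:sample-worm-0002", b"sig:report.pdf"]

def demo():
    """Expected: [b'sig:eicar-test-file', b'sig:sample-worm-0002']."""
    return sorted(run_psi(CLIENT_FILES, MALWARE_DB))

if __name__ == "__main__":
    assert group_is_safe_prime(), "modulus is not a safe prime"
    print("flagged:", demo())
```

Two caveats matter in practice. Security holds only against semi-honest parties: a malicious client can run the protocol repeatedly with chosen fingerprints and enumerate the signature set, so a deployment needs rate limiting or a stronger protocol. And the server exponentiates every signature for every session, which is linear in the size of its database; that cost is why reducing the candidate range, as the abstract's relevant signature engine aims to do, matters at scale.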


Keywords: Privacy preservation, Oblivious transfer, Cloud-based, Malware detection



This research is supported in part by the project of Guangxi cooperative innovation center of cloud computing and big data No. YD16505. The authors gratefully thank the anonymous reviewers for their helpful comments.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Hao Sun (1)
  • Jinshu Su (1, 2)
  • Xiaofeng Wang (1)
  • Rongmao Chen (1)
  • Yujing Liu (1)
  • Qiaolin Hu (3)

  1. College of Computer, National University of Defense Technology, Changsha, China
  2. Science and Technology on Parallel and Distributed Laboratory, National University of Defense Technology, Changsha, China
  3. Air Force Early Warning Academy, Wuhan, China
