A Cloud-Based Real-Time Mechanism to Protect End Hosts against Malware
Round 1
Reviewer 1 Report
The authors present a mechanism called "Skywalker" that makes every program be verified by VirusTotal before being executed on the host. This removes the need for a complete host system analysis and guarantees an up-to-date antivirus check every time the program is executed. The first time a program is scanned it can take significant time, but subsequent executions are much faster (below half a second). I find the proposed solution very interesting, provided we can guarantee optimal access to the Internet. However, the paper focuses on a service that is already provided by VirusTotal Enterprise.
In paragraphs 67-75 the authors state some benefits of the use of Skywalker, like the lack of a complete system scan and the avoidance of antivirus vulnerabilities; however, the delay in the execution of a program is much higher than having it analysed by an installed antivirus, and Skywalker itself may have vulnerabilities that could also be exploited, and it also needs maintenance. Moreover, VirusTotal may also have vulnerabilities and maintenance schedules. So, all four major goals described in paragraphs 76-83 are, to some extent, compromised.
The two tips presented in paragraphs 174-183 are important to save time and bandwidth and show the care the authors took with system performance.
In paragraphs 259-271 the authors identified a threshold of 1/3 of the number of antivirus engines VirusTotal uses to detect an infection. Why did the authors use this value? How did the authors obtain this value? Should I be confident that there is no problem if fewer than 1/3 of the antivirus engines report a problem?
As the authors state in their section 4.5 Limitations, using Skywalker makes the program take a very long time to start, which is a huge limitation of this solution. The authors should have implemented some of the proposed solutions they discuss in this section and based this paper on them. This way it would be a more mature paper and closer to something that could eventually be used in real life. As it is now, it is rather useless in practice.
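The pre-execution check Reviewer 1 describes (hash the program, reuse a cached verdict when one exists, otherwise scan it, then apply the paper's threshold of 1/3 of the engines flagging it), as an added Python example that is not the paper's Skywalker code; the scanner function, the cache and the per-file verdict counts are constructed stand-ins for the cloud service, and the borderline case shows what the threshold lets through.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ScanReport:
    """Aggregated verdicts for one file: how many engines scanned it and how many flagged it."""
    engines_total: int
    positives: int

    def is_malicious(self) -> bool:
        # Threshold from the reviewed paper: block when positives / engines_total >= 1/3.
        # Written in integer form so no float rounding affects the boundary.
        return self.engines_total > 0 and 3 * self.positives >= self.engines_total


class VerdictCache:
    """Keyed by file digest, so an unchanged binary re-executed later skips the slow remote scan."""

    def __init__(self):
        self._verdicts = {}

    def lookup(self, digest):
        return self._verdicts.get(digest)

    def store(self, digest, report):
        self._verdicts[digest] = report


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def should_allow(data: bytes, cache: VerdictCache, scanner):
    """Decide whether a program may start. Returns (allowed, served_from_cache).
    `scanner` is a hypothetical callable standing in for the multi-engine cloud scan."""
    digest = sha256_of(data)
    report = cache.lookup(digest)
    from_cache = report is not None
    if report is None:
        report = scanner(digest)          # slow path: first execution of this file
        cache.store(digest, report)       # later executions hit the cache
    return (not report.is_malicious(), from_cache)


# Constructed sample verdicts: every file was scanned by 60 engines.
SAMPLE_VERDICTS = {
    sha256_of(b"benign-tool"): ScanReport(60, 2),     # 2/60 flagged  -> allowed
    sha256_of(b"known-malware"): ScanReport(60, 20),  # 20/60 = 1/3   -> blocked
    sha256_of(b"borderline"): ScanReport(60, 19),     # 19/60 < 1/3   -> allowed (reviewer's concern)
}


def fake_scanner(digest: str) -> ScanReport:
    # Simulated cloud scan; unknown digests get a clean report in this constructed setup.
    return SAMPLE_VERDICTS.get(digest, ScanReport(60, 0))
```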
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Reviewer 2 Report
The authors developed a cloud-based real-time defense mechanism named Skywalker to allow users to safely utilize antivirus without the above problems. The approach runs an app in the cloud after verifying it for malicious content with antivirus; the runtime performance shows limited delay.
As a new runtime approach, the idea is original and novel. The approach suffers from some potential issues, though. For example, if no internet connection is available, this approach will not work at all. Secondly, the capability of antivirus is limited in terms of signatures, so if a program is malicious and no signature is available yet, then it will run and the mechanism fails. The authors should discuss some strategies to overcome these limitations to make their approach more practical.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf