Diversity for Security: A Study with Off-the-Shelf AntiVirus Engines

We have previously reported [1] the results of an exploratory analysis of the potential gains in detection capability from using diverse AntiVirus products. The analysis was based on 1599 malware samples collected from a distributed honey pot deployment over a period of 178 days. The malware samples were sent to the signature engines of 32 different AntiVirus products hosted by the Virus Total service. The analysis suggested significant gains in detection capability from using more than one AntiVirus product in a one-out-of-two intrusion-tolerant setup. In this paper we present new analysis of this dataset to explore the detection gains that can be achieved from using more diversity (i.e. more than two AntiVirus products), how diversity may help to reduce the "at risk time" of a system and a preliminary model-fitting using the hyper-exponential distribution.

[1]  Lorenzo Strigini,et al.  Protective Wrapping of Off-the-Shelf Components , 2005, ICCBSS.

[2]  Bev Littlewood,et al.  Validation of ultrahigh dependability for software-based systems , 1993, CACM.

[3]  U. Bayer,et al.  TTAnalyze: A Tool for Analyzing Malware , 2006 .

[4]  Olivier Thonnard,et al.  An Experimental Study of Diversity with Off-the-Shelf AntiVirus Engines , 2009, 2009 Eighth IEEE International Symposium on Network Computing and Applications.

[5]  Farnam Jahanian,et al.  CloudAV: N-Version Antivirus in the Network Cloud , 2008, USENIX Security Symposium.

[6]  Marc Dacier,et al.  SGNET: Implementation insights , 2008, NOMS 2008 - 2008 IEEE Network Operations and Management Symposium.

[7]  Lorenzo Strigini,et al.  Fault Tolerance Against Design Faults , 2005 .

[8]  Karl N. Levitt,et al.  The design and implementation of an intrusion tolerant system , 2002, Proceedings International Conference on Dependable Systems and Networks.

[9]  Corrado Leita SGNET : automated protocol learning for the observation of malicious threats , 2008 .

[10]  H. S. Kim,et al.  Commercial Antivirus Software Effectiveness: An Empirical Study , 2011, Computer.

[11]  Christopher Krügel,et al.  Dynamic Analysis of Malicious Code , 2006, Journal in Computer Virology.

[12]  Julio Canto,et al.  Large scale malware collection : lessons learned , 2008 .