Investigating the detection capabilities of antiviruses under concurrent attacks

Cyber security is a major concern for computing systems. Different security controls have been developed to mitigate or prevent cyber attacks, including cryptography, firewalls, intrusion detection systems, access controls, and strong authentication. These controls mainly protect the security properties of a system: confidentiality, integrity, and availability. Antivirus software (AV) is considered the last line of defense against a variety of security threats. The AV maintains a database of virus signatures against which it checks data; when a match occurs, the AV reacts to the threat. Given the importance of the AV, different attack techniques have been developed to evade AV detection and render it useless. In this paper, we examine how the AV behaves under pressure: we make the AV extremely busy in order to bypass its detection. We test several commercial AVs against three scenarios: when data flow from the hard drive (HD) into main memory (reading), when data flow from main memory into the HD (writing), and when data flow through the network (sending and receiving). This paper shows that when the AV is overloaded, some malware samples can evade detection (in the reading scenario) and persist on the HD for much longer (in the writing scenario). Finally, we show that the AVs (or at least the ones we tested in this paper) do not inspect network data as long as the data are not written to or read from the HD.
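The measurement the abstract describes, written out as an added example (editor-added code, not the paper's own harness): load threads keep the on-access scanner busy with the reading or writing scenario while a sample file is dropped, and the harness polls how long the sample survives before the AV removes or quarantines it. The sample content here is an inert placeholder; substituting the EICAR test string to provoke a real detection is an assumption left to the operator, as are the pool size, file size and worker count. The network scenario is not covered by this example.

```python
"""Harness for timing on-access AV reaction under concurrent disk I/O load.

Added example, not code from the paper. Run the 'baseline' scenario first to
get the unloaded reaction time, then 'read', 'write' and 'readwrite'.
"""
import os
import tempfile
import threading
import time

# Inert stand-in for the sample; replace with the EICAR test string for a
# real run (assumption: the AV under test reacts to that string on access).
INERT_PAYLOAD = b"placeholder, not a detection signature\n"


def populate(directory, n_files, size):
    """Create the pool of n_files random files that the load threads churn."""
    for i in range(n_files):
        with open(os.path.join(directory, "load-%d.bin" % i), "wb") as f:
            f.write(os.urandom(size))


def write_load(directory, n_files, size, stop, counter):
    """Writing scenario: rewrite the pool with fresh random bytes until `stop`
    is set. Each rewrite re-dirties a file, so an on-write scanner must rescan it."""
    i = 0
    while not stop.is_set():
        path = os.path.join(directory, "load-%d.bin" % (i % n_files))
        with open(path, "wb") as f:
            f.write(os.urandom(size))
        i += 1
    counter.append(i)


def read_load(directory, stop, counter):
    """Reading scenario: open and read every file in the pool (the dropped
    sample included) until `stop` is set, so every open triggers an on-access scan."""
    i = 0
    while not stop.is_set():
        for name in os.listdir(directory):
            try:
                with open(os.path.join(directory, name), "rb") as f:
                    f.read()
                i += 1
            except OSError:
                pass  # removed by the writer thread or the AV in between
    counter.append(i)


def time_to_removal(path, payload, timeout, poll=0.05):
    """Drop `payload` at `path`, then poll until it disappears (deleted or
    quarantined). Returns seconds until removal, or None if it survives `timeout`."""
    with open(path, "wb") as f:
        f.write(payload)
    start = time.monotonic()
    while True:
        elapsed = time.monotonic() - start
        if not os.path.exists(path):
            return elapsed
        if elapsed >= timeout:
            return None
        time.sleep(poll)


def run_scenario(scenario, payload=INERT_PAYLOAD, n_files=64, size=64 * 1024,
                 timeout=2.0, workers=4):
    """Run one scenario ('baseline', 'read', 'write' or 'readwrite') and report
    how long the sample survived while load ran, plus the number of load operations."""
    if scenario not in ("baseline", "read", "write", "readwrite"):
        raise ValueError("unknown scenario: %r" % scenario)
    with tempfile.TemporaryDirectory() as pool:
        populate(pool, n_files, size)  # the read scenario needs an existing pool
        stop, counts, threads = threading.Event(), [], []
        for _ in range(workers):
            if "write" in scenario:
                threads.append(threading.Thread(
                    target=write_load, args=(pool, n_files, size, stop, counts)))
            if "read" in scenario:
                threads.append(threading.Thread(
                    target=read_load, args=(pool, stop, counts)))
        for t in threads:
            t.start()
        try:
            removed_after = time_to_removal(
                os.path.join(pool, "sample.bin"), payload, timeout)
        finally:
            stop.set()
            for t in threads:
                t.join()
    return {"scenario": scenario, "removed_after": removed_after,
            "load_ops": sum(counts)}


if __name__ == "__main__":
    for name in ("baseline", "read", "write", "readwrite"):
        print(run_scenario(name))
```

Compare the loaded scenarios against the baseline: a reaction time that grows with load, or a None under load where the baseline returned a number, is the persistence effect the abstract reports for the writing scenario. Differences smaller than a few polling intervals are noise, and a result of None with the inert payload only means nothing reacted, as expected.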
