A study of the relationship between antivirus regressions and label changes

AntiVirus (AV) products use multiple components to detect malware. A component found in virtually all AVs is the signature-based detection engine: this component assigns a particular signature label to each malware sample that the AV detects. In previous analysis [1-3], we observed cases of regressions in several different AVs, i.e. cases where on a particular date a given AV detects a given malware sample but on a later date the same AV fails to detect the same sample. We studied this aspect further by analyzing the only externally observable behaviors of these AVs, namely whether an AV engine detects a sample and which label it assigns to the detected sample. In this paper we present the results of our analysis of the relationship between changes in the labels under which AV vendors recognize malware and AV regressions.
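As an added illustration of the kind of measurement described above (example code written for this page, not the paper's own tooling or data), the following Python derives regressions and label changes from a constructed log of per-date AV verdicts and then splits the regressions by whether detection resumed under a different label:

```python
from collections import defaultdict
# Constructed scan log (not data from the paper): one record per scan of a
# sample by an engine; label None means the engine did not detect the sample.
SCANS = [
    ("2013-01-01", "AV-A", "s1", "Trojan.Gen"),
    ("2013-01-08", "AV-A", "s1", "Trojan.Gen"),
    ("2013-01-15", "AV-A", "s1", None),            # regression: detection lost
    ("2013-01-22", "AV-A", "s1", "Trojan.Agent"),  # re-detected under a new label
    ("2013-01-01", "AV-A", "s2", "Worm.X"),
    ("2013-01-08", "AV-A", "s2", None),            # regression
    ("2013-01-15", "AV-A", "s2", "Worm.X"),        # re-detected, same label
    ("2013-01-01", "AV-B", "s1", "Gen:Variant.1"),
    ("2013-01-08", "AV-B", "s1", "Gen:Variant.2"), # relabelled without any regression
]
def timelines(scans):
    """Group records into per-(engine, sample) timelines sorted by date."""
    t = defaultdict(list)
    for date, av, sample, label in scans:
        t[(av, sample)].append((date, label))
    return {k: sorted(v) for k, v in t.items()}

def find_regressions(scans):
    """A regression is a detection followed by a miss at a later scan date.
    Maps (engine, sample, miss_date) to the labels before and after it."""
    out = {}
    for (av, sample), tl in timelines(scans).items():
        for i in range(1, len(tl)):
            prev_label, label = tl[i - 1][1], tl[i][1]
            if prev_label is not None and label is None:
                # first label under which the sample is detected again, if ever
                after = next((l for _, l in tl[i + 1:] if l is not None), None)
                out[(av, sample, tl[i][0])] = {"before": prev_label, "after": after}
    return out

def find_label_changes(scans):
    """Consecutive detections of a sample by one engine under different labels."""
    out = []
    for (av, sample), tl in timelines(scans).items():
        hits = [(d, l) for d, l in tl if l is not None]
        for (d0, l0), (d1, l1) in zip(hits, hits[1:]):
            if l0 != l1:
                out.append((av, sample, d0, d1, l0, l1))
    return out

def regression_label_summary(scans):
    """Split regressions by whether detection resumed under a different label."""
    regs = find_regressions(scans).values()
    changed = sum(r["after"] not in (None, r["before"]) for r in regs)
    never = sum(r["after"] is None for r in regs)
    return {"regressions": len(regs), "relabelled": changed,
            "same_label": len(regs) - changed - never, "never_redetected": never}
```

A regression that is never followed by a new detection is reported separately, since no post-regression label exists to compare against.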

[1] H. S. Kim, et al. Commercial Antivirus Software Effectiveness: An Empirical Study, 2011, Computer.

[2] Glenford J. Myers, et al. Art of Software Testing, 1979.

[3] Van-Hau Pham, et al. On the Advantages of Deploying a Large Scale Distributed Honeypot Platform, 2005.

[4] Marc Dacier, et al. SGNET: Implementation Insights, 2008, NOMS 2008 - 2008 IEEE Network Operations and Management Symposium.

[5] Michael Vrable, et al. Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm, 2005, SOSP '05.

[6] Robin Berthier, et al. Profiling Attacker Behavior Following SSH Compromises, 2007, 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07).

[7] Ilir Gashi, et al. Does Malware Detection Improve with Diverse AntiVirus Products? An Empirical Study, 2013, SAFECOMP.

[8] Olivier Thonnard, et al. An Experimental Study of Diversity with Off-the-Shelf AntiVirus Engines, 2009, 2009 Eighth IEEE International Symposium on Network Computing and Applications.

[9] Peter G. Bishop, et al. Diversity for Security: A Study with Off-the-Shelf AntiVirus Engines, 2011, 2011 IEEE 22nd International Symposium on Software Reliability Engineering.

[10] Marc Dacier, et al. SGNET: A Worldwide Deployable Framework to Support the Analysis of Malware Threat Models, 2008, 2008 Seventh European Dependable Computing Conference.

[11] Evangelos P. Markatos, et al. Comprehensive Shellcode Detection Using Runtime Heuristics, 2010, ACSAC '10.

[12] Farnam Jahanian, et al. CloudAV: N-Version Antivirus in the Network Cloud, 2008, USENIX Security Symposium.

[13] L. Spitzner, et al. Honeypots: Tracking Hackers, 2002.