Evaluating detection and treatment effectiveness of commercial anti-malware programs

Commercial anti-malware programs consist of two main components: detection and treatment. Detection accuracy is often used to rank the effectiveness of commercial anti-malware programs, with less emphasis on the equally important treatment component. Effectiveness measures of commercial anti-malware programs should give equal weight to detection and treatment, which can be achieved by standardized measurements of both components. This paper presents a novel approach to evaluating the effectiveness of a commercial anti-malware program's detection and treatment components against malicious objects by partitioning true positives to incorporate both detection and treatment. This new measurement is used to evaluate the effectiveness of four commercial anti-malware programs in three tests. The results show that several anti-malware programs produced numerous incorrectly treated or untreated true positives, as well as false negatives, leaving many infected objects unresolved and therefore still active threats in the system. These results further demonstrate that our approach evaluates the detection and treatment components of commercial anti-malware programs more effectively and realistically than currently accepted measurements, which focus primarily on detection accuracy.
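As an added illustration of the partitioning the abstract describes (example code written for this page, not the paper's own metric, tooling or data), the scorer below splits true positives into correctly treated, incorrectly treated and untreated, and counts every object that remains infected after the product has run. The outcome labels, the "resolution rate" and the constructed scan results are assumptions, not values from the paper.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    """One object from a test set, with ground truth and the product's behaviour."""
    obj: str
    malicious: bool   # ground truth: is the object actually infected/malicious?
    detected: bool    # did the product flag the object?
    treatment: str    # post-treatment ground truth: "correct", "incorrect" or "none"


def classify(r: ScanResult) -> str:
    """Map one object to a partitioned confusion-matrix cell (labels are assumed)."""
    if r.malicious:
        if not r.detected:
            return "FN"                      # missed entirely
        return {"correct": "TP_treated",     # detected and cleanly removed/repaired
                "incorrect": "TP_mistreated",  # detected, but treatment left it infected
                "none": "TP_untreated"}[r.treatment]  # detected, no treatment applied
    return "FP" if r.detected else "TN"


def evaluate(results: list[ScanResult]) -> dict:
    """Compute detection-only and treatment-aware effectiveness measures."""
    counts = Counter(classify(r) for r in results)
    malicious = sum(1 for r in results if r.malicious)
    detected_tp = counts["TP_treated"] + counts["TP_mistreated"] + counts["TP_untreated"]
    # Detection rate: what accuracy-only rankings report.
    detection_rate = detected_tp / malicious if malicious else 0.0
    # Resolution rate (assumed name): only correctly treated true positives count.
    resolution_rate = counts["TP_treated"] / malicious if malicious else 0.0
    # Objects still infected after the run: mistreated, untreated and missed.
    unresolved = counts["TP_mistreated"] + counts["TP_untreated"] + counts["FN"]
    return {"counts": dict(counts), "detection_rate": detection_rate,
            "resolution_rate": resolution_rate, "unresolved": unresolved}


# Constructed sample: 8 malicious and 2 benign objects with made-up outcomes.
SAMPLE = [
    ScanResult("m1", True, True, "correct"), ScanResult("m2", True, True, "correct"),
    ScanResult("m3", True, True, "correct"), ScanResult("m4", True, True, "correct"),
    ScanResult("m5", True, True, "correct"), ScanResult("m6", True, True, "incorrect"),
    ScanResult("m7", True, True, "none"),    ScanResult("m8", True, False, "none"),
    ScanResult("b1", False, True, "none"),   ScanResult("b2", False, False, "none"),
]

if __name__ == "__main__":
    report = evaluate(SAMPLE)
    print(report)  # detection_rate 0.875 but resolution_rate 0.625, 3 objects unresolved
```

Ranking on `detection_rate` alone hides the three objects that remain infected; the partitioned counts make the treatment gap visible.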
