Antivirus performance characterisation: system‐wide view

Al-Saleh, Mohammed I.; Espinoza, Antonio M.; Crandall, Jedediah R.

doi:10.1049/iet-ifs.2012.0192

Cited by 17 publications

(8 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Al-Saleh et al [84] analyze the intrusiveness of two AV solutions (Symantec and Sophos) using a Windows event logger in an attempt to evaluate the impact on system performance. Their results show that the presence of an AV engine noticeably impacts on regular program execution, not only in terms of CPU usage, but also in IO operations and paging issues.…”

Section: Av Performance and Alternativesmentioning

confidence: 99%

Machine Learning-Based Routing and Wavelength Assignment in Software-Defined Optical Networks

Martín

Troia

Hernández

et al. 2019

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

Lately, Artificial Intelligence and Machine Learning (ML) have become game-changing technologies due to their ability to generalize from data and infer algorithmic behaviors that consider larger casuistic that humans are able to. In short, these technologies pursue the installation of human-like intelligence to computer tasks so they can overtake different functions. Despite, their implantation and development in many fields is still too early stage, not to mention the requirements and needs they entail.Therefore, the aim of this thesis is to advance in the application of these technologies and for that we will consider an specific field: The Internet Infrastructure. To this aim, contributions focus on two main specific areas, namely cybersecurity and optical WDM networks.On the security side, we propose a new approach for malware detection and application quality assessment that relies in application meta-information, that is, the data describing the application (such as description, category, permissions...) instead of application code. This approach is detailed and validated in two specific applications: ML-based detection of malware and scalable repackaging detection through meta-data semantic clustering.The first application consists on the usage of meta-data as Machine Learning features with a labeled collection of malware applications to detect whether they are malware or not. Resulting algorithms are capable of detecting malware to a good extent in certain conditions, reaching F-score values of nearly 0.9.Arising from the observations from Machine Learning analysis, Antivirus (AV) engines coming from multi-scanner tools are inspected using data analytics and AI technologies aiming at the understanding of their lack of consensus at the detection and categorization levels. The main aim for this study is twofold: advancing on the understanding of AV detection patterns and policies and the improvement multiengine detection by proposing different aggregation and cleaning tools.Initially, AV engine detections are inspected, showing that most engines disagree when detecting malware to the extent of not completely agreeing in the detection of a single application. Moreover, different detection patterns are observed, namely leader, follower and eccentric engines. At the end, an estimation of the risk of malware per application based on Structural Equation models is proposed.On the family side, we propose a lightweight categorization scheme that achieves comparable scores to other alternatives in the literature at a smaller train cost: Sig-natureMiner. Using such system, we normalize and categorize AV signatures into 41 distinct families and three broader categories, namely adware, harmful and unknown. Then, an ML classifier to assign and specific category to unknown malware is proposed with high performance.Another application explored for meta-data is that of repackaging detection. Using similarity clustering, a large collection of unlabeled applications from Google xiv Play are inspected and compared to detect p...

show abstract

Section: Av Performance and Alternativesmentioning

confidence: 99%

Machine Learning-Based Routing and Wavelength Assignment in Software-Defined Optical Networks

Martín

Troia

Hernández

et al. 2019

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

show abstract

“…Furthermore, AV performance is analyzed in [8], where the authors quantify how devices' performance is affected by AV execution, and [9], a characterization and evaluation of AV overhead. In addition, the authors in [10] compare the design of 30 top AV solutions focusing on their detection and prevention capabilities.…”

Section: Previous Workmentioning

confidence: 99%

Machine-Learning based analysis and classification of Android malware signatures

Martín

Hernández

Santos

2019

Future Generation Computer Systems

View full text Add to dashboard Cite

“…Ramilli et al (2011) showed that the detection of Avs can be avoided by splitting it into parts that are distributed over several processes. Finally, performance studies on AVs to find their bottlenecks or improve scanning times have also been conducted (Vasiliadis and Ioannidis, 2010;Miretskiy et al, 2004;Lin et al, 2011;Al-Saleh et al, 2013).…”

Section: Related Workmentioning

confidence: 99%

On Improving Antivirus Scanning Engines: Memory On-Access Scanner

Al-Saleh¹,

Al-Huthaifi²

2017

Journal of Computer Science

View full text Add to dashboard Cite

Abstract:The Antivirus (AV) products are utilized by home user's community to attain protection. To some extent, the AV meets users' expectations by detecting previously known malware samples. In this study, we question the set of events which should trigger the AV to scan data. Scanning every single piece of data as it moves from one location into another could be a demanding and performance-killing task. The AV faces a design challenge when deciding what kind of data to scan and when to do so. Typically, the on-access scanner component of the AV scans data upon moving from/to hard drives. Other occurrences of data movements are of equal importance. For example, data moves between different memory locations or between memory and network. In this study, we are motivated to explore what it needs to be done by the AV upon various data movements. We design and implement a system that has a capability of scanning memory when necessary. We recognize and intercept the most effective API calls that involve memory. Afterwards, we extract involved data and scan it if it has not been scanned before. We test our system against 15 real malware and find out that our system is capable of detecting all malware samples. Furthermore, we provide a thorough performance study to present the overhead of our system.

show abstract

Antivirus performance characterisation: system‐wide view

Cited by 17 publications

References 7 publications

Machine Learning-Based Routing and Wavelength Assignment in Software-Defined Optical Networks

Machine Learning-Based Routing and Wavelength Assignment in Software-Defined Optical Networks

Machine-Learning based analysis and classification of Android malware signatures

On Improving Antivirus Scanning Engines: Memory On-Access Scanner

Contact Info

Product

Resources

About