AntiViruses under the microscope: A hands-on perspective

Botacin, Marcus; Domingues, Felipe Duarte; Ceschin, Fabrício; Machnicki, Raphael; Alves, Marco A. Z.; Geus, Paulo Lício de; Grégio, André

doi:10.1016/j.cose.2021.102500

Cited by 15 publications

(6 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To avoid committing pitfalls, I conducted an analysis of real AV's operations to develop the foundations for future developments. The findings were published in a paper [Botacin et al 2021c] and the results published on it highlight: (i) the performance overhead imposed by monitoring solutions, which motivates the research about more efficient AVs; and (ii) the still significant use of signatures by AV solutions, which motivates my choice for their use in some of the published papers, as following presented.…”

Section: Real Av Operationmentioning

confidence: 94%

On the Malware Detection Problem: Challenges & Novel Approaches

Botacin¹,

Geus²,

Grégio³

2022

Anais Estendidos Do XXII Simpósio Brasileiro De Segurança Da Informação E De Sistemas Computacionais (SBSeg Estendido 2022)

Self Cite

View full text Add to dashboard Cite

Many solutions to detect malware have been proposed over time, but effective and efficient malware detection still remains an open problem. In this work, I take a look at some malware detection challenges and pitfalls to contribute towards increasing system’s malware detection capabilities. I propose a new approach to tackle malware research in a practical but still scientific manner and leverage this approach to investigate four issues: (i) the need for understanding context to allow proper detection of localized threats; (ii) the need for developing better metrics for AntiVirus (AV) evaluation; (iii) the feasibility of leveraging hardware-software collaboration for efficient AV implementation, and (iv) the need for predicting future threats to allow faster incident responses.

show abstract

Section: Real Av Operationmentioning

confidence: 94%

On the Malware Detection Problem: Challenges & Novel Approaches

Botacin¹,

Geus²,

Grégio³

2022

Anais Estendidos Do XXII Simpósio Brasileiro De Segurança Da Informação E De Sistemas Computacionais (SBSeg Estendido 2022)

Self Cite

View full text Add to dashboard Cite

show abstract

“…We selected five popular AV products for our detectability analysis: Windows Defender, Avast, AVG, Kaspersky, and Avira. These products qualify as modern EDR solutions and cover state-of-the-art detection techniques [5]. For instance, they monitor system calls using user-space and kernel-space hooks; they use both signature-based and real-time behavioral detection; and they implement self-and system-protection techniques.…”

Section: Methodsmentioning

confidence: 99%

“…The choice of antivirus solutions can be a limitation of our evaluation. We focused on antivirus solutions that represent those commonly used in real-world scenarios [5], considering the ones that aligned better with the typical deployment context of adversary emulation.…”

Section: Threats To Validitymentioning

confidence: 99%

Laccolith: Hypervisor-Based Adversary Emulation with Anti-Detection

Orbinato,

Feliciano,

Cotroneo

et al. 2024

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) represent the most threatening form of attack nowadays since they can stay undetected for a long time. Adversary emulation is a proactive approach for preparing against these attacks. However, adversary emulation tools lack the anti-detection abilities of APTs. We introduce Laccolith, a hypervisor-based solution for adversary emulation with anti-detection to fill this gap. We also present an experimental study to compare Laccolith with MITRE CALDERA, a state-of-the-art solution for adversary emulation, against five popular anti-virus products. We found that CALDERA cannot evade detection, limiting the realism of emulated attacks, even when combined with a state-of-the-art anti-detection framework. Our experiments show that Laccolith can hide its activities from all the tested anti-virus products, thus making it suitable for realistic emulations.

show abstract

“…As suggested by Botacin et al ( Botacin et al, 2021 ), it is appropriate that the design phase of a security solution consists of reasoning about its design aspects, such as the definition of a threat model, assumptions, target platform, and so on. A threat model specifies which, why and how resources will be protected ( Botacin et al, 2022 ). The ultimate goal of our research work is to design an ontology and then produce a knowledge base for digital extortion-based onslaughts.…”

Section: Design Of Digital Extortion Ontologymentioning

confidence: 99%

“…These systems operate by running malware instances in controlled environments and capturing their behavioral patterns. Current antiviruses utilize various detection methods and operate based on multiple engines that are activated according to the type of scan and the requested context ( Botacin et al, 2022 ). A comprehensive longitudinal analysis of these security solutions is presented in ( Botacin et al, 2020 ), which evaluates them based on six metrics proposed by the authors from different aspects.…”

Section: Introductionmentioning

confidence: 99%