Diversity for Security: A Study with Off-the-Shelf AntiVirus Engines

Bishop, Peter; Bloomfield, Robin; Gashi, Ilir; Stanković, Vladimir

doi:10.1109/issre.2011.15

Cited by 27 publications

(46 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…And just as experimentation in the natural sciences is supported by laboratories, experimentation for a science of cybersecurity will require test beds where controlled experiments can be run." In this paper we present results of an empirical study about possible benefits of diversity with currently spreading malware and compare our findings with those reported in [6][7][8]. The main aim of our study is to verify the extent to which the findings previously reported are relevant with more recent malware.…”

Section: Introductionmentioning

confidence: 61%

“…The results presented in [6][7][8] are intriguing. However, they concern a specific snapshot in the detection capabilities of AVs against malware threats prevalent in that time period: 1599 malware samples collected from a distributed honeypot deployment over a period of 178 days from February to August 2008.…”

Section: Introductionmentioning

confidence: 90%

“…Two of the authors of this paper have previously reported [6][7][8] results from a study on the detection capabilities of different AVs and potential improvements in detection that can be observed from using diverse AVs. In those studies we reported that some AVs achieved high detection rates, but none detected all the malware samples.…”

Section: Introductionmentioning

confidence: 99%

“…In the security field the threat landscape changes rapidly and it is not clear to what extent these findings can be generalized to currently spreading malware. It is also not clear whether the diversity benefits reported in [6][7][8] are specific to that specific collection environment and time period, or whether they are consistent with other environments and time periods.…”

Section: Introductionmentioning

confidence: 99%

“…The rest of the paper is organized as follows: Section 2 summarizes related work; Section 3 describes the data collection infrastructure; Section 4 presents the results of our study; Section 5 compares the results reported in this paper with the ones in [6][7][8]; Section 6 discusses the implications of our results on the decision making about security protection systems, and presents conclusions and possible further work.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Does Malware Detection Improve with Diverse AntiVirus Products? An Empirical Study

Gashi

Sobesto

Stanković

et al. 2013

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. We present results of an empirical study to evaluate the detection capability of diverse AntiVirus products (AVs). We used malware samples collected in a geographically distributed honeypot deployment in several different countries and organizations. The malware was collected in August 2012: the results are relevant to recent and current threats observed in the internet. We sent these malware to 42 AVs available from the VirusTotal service to evaluate the benefits in detection from using more than one AV. We then compare these findings with similar ones performed in the past to evaluate diversity with AVs. In general we found that the new findings are consistent with previous ones, despite some differences. This study provides additional evidence that detection capabilities are improved by diversity with AVs.

show abstract

Section: Introductionmentioning

confidence: 61%

Section: Introductionmentioning

confidence: 90%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Does Malware Detection Improve with Diverse AntiVirus Products? An Empirical Study

Gashi

Sobesto

Stanković

et al. 2013

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

Antivirus security: naked during updates

Min

Varadharajan

Tupakula

et al. 2013

Softw. Pract. Exper.

View full text Add to dashboard Cite

SUMMARYThe security of modern computer systems heavily depends on security tools, especially on antivirus software solutions. In the anti‐malware research community, development of techniques for evading detection by antivirus software is an active research area. This has led to malware that can bypass or subvert antivirus software. The common strategies deployed include the use of obfuscated code and staged malware whose first instance (usually installer such as dropper and downloader) is not detected by the antivirus software. Increasingly, most of the modern malware are staged ones in order for them to be not detected by antivirus solutions at the early stage of intrusion. The installers then determine the method for further intrusion including antivirus bypassing techniques. Some malware target boot and/or shutdown time when antivirus software may be inactive so that they can perform their malicious activities. However, there can be another time frame where antivirus solutions may be inactive, namely, during the time of update. All antivirus software share a unique characteristic that they must be updated at a very high frequency to provide up‐to‐date protection of their system. In this paper, we suggest a novel attack vector that targets antivirus updates and show practical examples of how a system and antivirus software itself can be compromised during the update of antivirus software. Local privilege escalation using this vulnerability is also described. We have investigated this design vulnerability with several of the major antivirus software products such as Avira, AVG, McAfee, Microsoft, and Symantec and found that they are vulnerable to this new attack vector. The paper also discusses possible solutions that can be used to mitigate the attack in the existing versions of the antivirus software as well as in the future ones. Copyright © 2013 John Wiley & Sons, Ltd.

show abstract