Does Malware Detection Improve with Diverse AntiVirus Products? An Empirical Study

Gashi, Ilir; Sobesto, Bertrand; Stanković, Vladimir; Cukier, Michel

doi:10.1007/978-3-642-40793-2_9

Cited by 10 publications

(4 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The authors also explore if the combination of several AVT can improve protection and showed that AVT diversity and a combination of AVTs indeed improve detection without being able to reach 100% though. Similar empirical analysis using honeypot data [6] brought the same conclusions that diversity improves protection.…”

Section: Related Workmentioning

confidence: 62%

See 1 more Smart Citation

Anti-Virus Tools Analysis Using Deep Web Malwares

Mishkovski¹,

Sanja²,

Mirchev³

et al. 2018

Computer Science &Amp; Information Technology (CS &Amp; IT)

View full text Add to dashboard Cite

Knowledge about the strength of the anti-virus engines (i.e. tools) to detect malware files on the Deep web is important for people and companies to devise proper security polices and to choose the proper tool in order to be more secure. In this study, using malware file set crawled from the Deep web we detect similarities and possible groupings between plethora of anti-virus tools (AVTs) that exist on the market. Moreover, using graph theory, data science and visualization we find which of the existing AVTs has greater advantage in detecting malware over the other AVTs, in a sense that the AVT detects many unique. Finally, we propose a solution, for the given malware set, what is the best strategy for a company to defend against malwares if it uses a multi-scanning approach.

show abstract

Section: Related Workmentioning

confidence: 62%

“…In recent studies [6,7,13,14] it is shown that the results have also temporal scale, i.e. AV regression exists, in a way that a given AVT can declare one file as a malware in a given instance of time, but later fail to recognize the file as a malware.…”

Section: Related Workmentioning

confidence: 99%

Anti-Virus Tools Analysis Using Deep Web Malwares

Mishkovski¹,

Sanja²,

Mirchev³

et al. 2018

Computer Science &Amp; Information Technology (CS &Amp; IT)

View full text Add to dashboard Cite

show abstract

“…In future work, when we test against more sophisticated attacker data, all of these novel research approaches can be integrated into the SPICE framework as additional layers to test. Studies of using multiple antivirus security products as defense in depth have been conducted such as [21] [22] all showing benefit from combining multiple antivirus engines. These studies are limited to only one layer of defense in depth where with SPICE we expand beyond just antivirus to analyze security products across different layers.…”

Section: Related Workmentioning

confidence: 99%

Measuring Drive-by Download Defense in Depth

Boggs

Stolfo

2014

Research in Attacks, Intrusions and Defenses

View full text Add to dashboard Cite

Defense in depth is vital as no single security product detects all of today's attacks. To design defense in depth organizations rely on best practices and isolated product reviews with no way to determine the marginal benefit of additional security products. We propose empirically testing security products' detection rates by linking multiple pieces of data such as network traffic, executable files, and an email to the attack that generated all the data. This allows us to directly compare diverse security products and to compute the increase in total detection rate gained by adding a security product to a defense in depth strategy not just its stand alone detection rate. This approach provides an automated means of evaluating risks and the security posture of alternative security architectures. We perform an experiment implementing this approach for real drive-by download attacks found in a real time email spam feed and compare over 40 security products and human click-through rates by linking email, URL, network content, and executable file attack data.

show abstract

“…For this reason, the vast majority of works use the aggregated results from a collection of antivirus engines as a source of scalable labeling [26]. For example, a common approach to malware detection is antivirus thresholding, in which some minimum number of antivirus engines in a collection must detect a file as malicious in order for it to be considered malware [5,8]. Likewise, plurality and majority voting amongst antivirus engines are popular strategies for performing malware family classification [17,2].…”

Section: Introductionmentioning

confidence: 99%

Rank-1 Similarity Matrix Decomposition For Modeling Changes in Antivirus Consensus Through Time

Joyce¹,

Raff²,

Nicholas³

2022

Preprint

View full text Add to dashboard Cite

Although groups of strongly correlated antivirus engines are known to exist, at present there is limited understanding of how or why these correlations came to be. Using a corpus of 25 million VirusTotal reports representing over a decade of antivirus scan data, we challenge prevailing wisdom that these correlations primarily originate from "first-order" interactions such as antivirus vendors copying the labels of leading vendors. We introduce the Temporal Rank-1 Similarity Matrix decomposition (R1SM-T) in order to investigate the origins of these correlations and to model how consensus amongst antivirus engines changes over time. We reveal that first-order interactions do not explain as much behavior in antivirus correlation as previously thought, and that the relationships between antivirus engines are highly volatile. We make recommendations on items in need of future study and consideration based on our findings.

show abstract

Does Malware Detection Improve with Diverse AntiVirus Products? An Empirical Study

Cited by 10 publications

References 5 publications

Anti-Virus Tools Analysis Using Deep Web Malwares

Anti-Virus Tools Analysis Using Deep Web Malwares

Measuring Drive-by Download Defense in Depth

Rank-1 Similarity Matrix Decomposition For Modeling Changes in Antivirus Consensus Through Time

Contact Info

Product

Resources

About