Finding Non-trivial Malware Naming Inconsistencies

Maggi, Federico; Bellini, Andrea; Salvaneschi, Guido; Zanero, Stefano

doi:10.1007/978-3-642-25560-1_10

Cited by 36 publications

(28 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hence, we do not attempt to cover the full range of information that could be quantied from the output of AV scans. In addition, our analysis of antivirus reports has exposed a global lack of consensus that has been previously highlighted by other authors for other computing platforms [2,4,13,33]. Our work cannot be used to solve the challenge of naming inconsistencies directly.…”

Section: Limitations and Future Workmentioning

confidence: 85%

On the Lack of Consensus in Anti-Virus Decisions: Metrics and Insights on Building Ground Truths of Android Malware

Hurier

Allix

Bissyandé

et al. 2016

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract. There is generally a lack of consensus in Antivirus (AV) engines' decisions on a given sample. This challenges the building of authoritative ground-truth datasets. Instead, researchers and practitioners may rely on unvalidated approaches to build their ground truth, e.g., by considering decisions from a selected set of Antivirus vendors or by setting up a threshold number of positive detections before classifying a sample.Both approaches are biased as they implicitly either decide on ranking AV products, or they consider that all AV decisions have equal weights.In this paper, we extensively investigate the lack of agreement among AV engines. To that end, we propose a set of metrics that quantitatively describe the dierent dimensions of this lack of consensus. We show how our metrics can bring important insights by using the detection results of 66 AV products on 2 million Android apps as a case study. Our analysis focuses not only on AV binary decision but also on the notoriously hard problem of labels that AVs associate with suspicious les, and allows to highlight biases hidden in the collection of a malware ground trutha foundation stone of any malware detection approach.

show abstract

Section: Limitations and Future Workmentioning

confidence: 85%

On the Lack of Consensus in Anti-Virus Decisions: Metrics and Insights on Building Ground Truths of Android Malware

Hurier

Allix

Bissyandé

et al. 2016

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

show abstract

“…The issues of malware naming discrepancies have been debated in security research communities for decades [1,5,12,14,20]. Bailey et al [1] measured such inconsistency in terms of the capability of AV systems to identify similar or identical malware in the same way and found that consistency is never a design goal of most AV systems, e.g., they assign the same name to identically behaved malware only from 31% to 61% of the time.…”

Section: Related Workmentioning

confidence: 98%

“…Bailey et al [1] measured such inconsistency in terms of the capability of AV systems to identify similar or identical malware in the same way and found that consistency is never a design goal of most AV systems, e.g., they assign the same name to identically behaved malware only from 31% to 61% of the time. Recently Maggi et al [20] quantitatively showed that high degrees of inconsistency in terms of naming distance and scatter score exist across different AV systems. Many factors may account for the malware naming discrepancies.…”

Section: Related Workmentioning

confidence: 99%

Rebuilding the Tower of Babel

Wang

Meng

Gao

et al. 2014

Proceedings of the 23rd ACM International Conference on Conference on Information and Knowledge Management

View full text Add to dashboard Cite

Anti-virus systems developed by different vendors often demonstrate strong discrepancies in how they name malware, which signficantly hinders malware information sharing. While existing work has proposed a plethora of malware naming standards, most antivirus vendors were reluctant to change their own naming conventions. In this paper we explore a new, more pragmatic alternative. We propose to exploit the correlation between malware naming of different anti-virus systems to create their consensus classification, through which these systems can share malware information without modifying their naming conventions. Specifically we present Latin, a novel classification integration framework leveraging the correspondence between participating anti-virus systems as reflected in heterogeneous information sources at instanceinstance, instance-name, and name-name levels. We provide results from extensive experimental studies using real malware datasets and concrete use cases to verify the efficacy of Latin in supporting cross-system malware information sharing.

show abstract

“…In this Section, we aim to quantify the "inconsistency" typical of multiple AV labels that has been qualitatively discussed in previous work [2,15,18], and analyzed more in details in [1,13]. Our main goal is to suggest that (semi-) manually creating a mapping between malware family labels and correct the inconsistent (or erroneous) labels, which was required in previous work to perform malware cluster validity analysis (e.g., in [2]), is in fact a fairly difficult task.…”

Section: Measuring Inconsistency In Av Labelsmentioning

confidence: 99%

Vamo

Perdisci

ManChon

2012

Proceedings of the 28th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Malware clustering is commonly applied by malware analysts to cope with the increasingly growing number of distinct malware variants collected every day from the Internet. While malware clustering systems can be useful for a variety of applications, assessing the quality of their results is intrinsically hard. In fact, clustering can be viewed as an unsupervised learning process over a dataset for which the complete ground truth is usually not available. Previous studies propose to evaluate malware clustering results by leveraging the labels assigned to the malware samples by multiple anti-virus scanners (AVs). However, the methods proposed thus far require a (semi-)manual adjustment and mapping between labels generated by different AVs, and are limited to selecting a reference sub-set of samples for which an agreement regarding their labels can be reached across a majority of AVs. This approach may bias the reference set towards "easy to cluster" malware samples, thus potentially resulting in an overoptimistic estimate of the accuracy of the malware clustering results.In this paper we propose VAMO, a system that provides a fully automated quantitative analysis of the validity of malware clustering results. Unlike previous work, VAMO does not seek a majority voting-based consensus across different AV labels, and does not discard the malware samples for which such a consensus cannot be reached. Rather, VAMO explicitly deals with the inconsistencies typical of multiple AV labels to build a more representative reference set, compared to majority voting-based approaches. Furthermore, VAMO avoids the need of a (semi-)manual mapping between AV labels from different scanners that was required in previous work. Through an extensive evaluation in a controlled setting and a real-world application, we show that VAMO outperforms majority voting-based approaches, and provides a better way for malware analysts to automatically assess the quality of their malware clustering results.

show abstract

Finding Non-trivial Malware Naming Inconsistencies

Cited by 36 publications

References 4 publications

On the Lack of Consensus in Anti-Virus Decisions: Metrics and Insights on Building Ground Truths of Android Malware

On the Lack of Consensus in Anti-Virus Decisions: Metrics and Insights on Building Ground Truths of Android Malware

Rebuilding the Tower of Babel

Vamo

Contact Info

Product

Resources

About