Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing Malware Detection Efficiency with Multiple Anti-Malware Programs Dr. Jose A. Morales – Software Engineering Institute, Carnegie Mellon University.

Published byBelen Ecton Modified over 9 years ago

Similar presentations

Presentation on theme: "Analyzing Malware Detection Efficiency with Multiple Anti-Malware Programs Dr. Jose A. Morales – Software Engineering Institute, Carnegie Mellon University."— Presentation transcript:

1 Analyzing Malware Detection Efficiency with Multiple Anti-Malware Programs Dr. Jose A. Morales – Software Engineering Institute, Carnegie Mellon University Dr. Shouhuai Xu – Department of Computer Science, University of Texas at San Antonio Dr. Ravi Sandhu – Institute for Cyber Security, University of Texas at San Antonio

2 Introduction Is 1 anti-malware enough? If NO how many are needed for sufficient detection? Qualitatively test detection with multiple anti- malware COTS in a VM Test for competence: achieved when an anti- malware detects and removes all malware from a machine Discovered 3 COTS not enough to fully eradicate all malware on a machine Conjecture more than 7 COTS may be needed to achieve competence

3 Contributions Qualitatively show 1 anti-malware program insufficient to protect against all malware threats Define the notion of an anti-malware being competent Show 3 anti-malware engines not enough to disinfected a compromised system Conclude the number of needed anti-malware programs too large to be practical

4 Anti-Malware Competence An anti-malware is competent when: – Detects & cleans all malware present on a system Consumer trust of anti-malware capability based on inherent competence Incompetence leads to – system compromise – Fundamental detection flaws in anti-malware

5 Testing for Competence Tested 2 sets of 3 anti-malware products in sequence – 2 environments Clean start state Infected start state Methodology:

6 DT & SDT Anti-malware program C State of a system S DT(C i (S i-1 )) = True iff – C i detects an object in S i-1 as malware – DT() tests C’s detection capability SDT(C i (S i )) = True iff – C i removes all detected malware in S i – SDT() tests C’s treatment effectiveness Turnover Rate: SDT/DT=X% – Shows treatment effectiveness of detected malicious objects

7 Achieving Competence An anti-malware program C1 is competent, denoted by SDT(C 1 (S))=T, if for every input S it holds that: This can be extended to any number of C 1 …C n Achieves complete detection and treatment thus is competent

8 Experiments Attempt to establish competence to show: – If 1 anti-malware is sufficient protection – If not 1, then test how many anti-malware programs are needed to achieve sufficient protection against a diverse set of known malware This measure facilitates confidence in consumers when buying these products.

9 Experiments Tested two sets of 3 anti-malware programs each: (C 1 (),C 2 (),C 3 ()) as follows: – 1 st set ESET,AVG,Zonealarm – 2 nd set Kaspersky,G-data,Bitdefender Tested all permutations of each set, 3!=6 cases per set Two experiments – carried out in Vmware – running Windows 7 OS freshly installed to assure malware free enviroment Diverse 500 malware samples – worms, rootkints, bots, backdoors, password stealers, malware downloaders – GFI sandbox repository 2010

10 Experiments

11

12

13

14

15 Experiment Observations Competence easily achieved with the anti-malware running in clean state Combined detection power of multiple engines increases competence Some cases where 3 engines not enough to achieve competence Infected system facilitates anti-malware program instability Anti-malware program installed in infected system may have higher false negatives Tested anti-malware programs seem to lack a self- defense facilitating malware to compromise it Malware running in a system may block access to resources needed by anti-malware facilitating a crash on execution

16 How Many Anti-Malware programs to deploy? Based on experiment result: – 2 minimum for low protection – 3 for medium protection – 4-5 or more for high protection Given current anti-malware technologies, achieving competence may be impractical – Insufficient protection – Facilitation of malware

17 Conclusions Using multiple anti-malware programs does not seeming provide competence with diverse malware Current anti-malware programs provide insufficient protection and are susceptible to malware compromise Combining multiple anti-malware detection engines under one program may increase protection Future work: rerun tests with larger sets of anti- malware programs seeking to achieve competence.

18 Questions? ¿Preguntas? 質問 ВопросыВопросы Sawaal Domande Soru ΕρωτήσειςΕρωτήσεις 問題

Download ppt "Analyzing Malware Detection Efficiency with Multiple Anti-Malware Programs Dr. Jose A. Morales – Software Engineering Institute, Carnegie Mellon University."

Similar presentations

Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.

Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.
Analyzing DNS Activities of Bot Processes Dr. Jose Andre Morales Areej Al-Bataineh Dr. Shouhuai Xu Dr.Ravi Sandhu 4th International Conference on Malicious.

Analyzing DNS Activities of Bot Processes Dr. Jose Andre Morales Areej Al-Bataineh Dr. Shouhuai Xu Dr.Ravi Sandhu 4th International Conference on Malicious.
Symptoms-Based Detection of Bot Processes Jose Andre MoralesErhan Kartaltepe Shouhuai XuRavi Sandhu MMM-ACNS – St Petersburg, Russia 2010 ©2010 Institute.

Symptoms-Based Detection of Bot Processes Jose Andre MoralesErhan Kartaltepe Shouhuai XuRavi Sandhu MMM-ACNS – St Petersburg, Russia 2010 ©2010 Institute.
UNCLASSIFIED © 2011 Carnegie Mellon University Building Malware Infection Trees Jose Andre Morales 1, Michael Main 2, Weilang Luo 3, Shouhuai Xu 2,3, Ravi.

UNCLASSIFIED © 2011 Carnegie Mellon University Building Malware Infection Trees Jose Andre Morales 1, Michael Main 2, Weilang Luo 3, Shouhuai Xu 2,3, Ravi.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Cyber Security Quiz By: Alex Alberg. Q. A good password is: A. 8 characters or more B. Contains upper and lower case letters C. Contains special characters.

Cyber Security Quiz By: Alex Alberg. Q. A good password is: A. 8 characters or more B. Contains upper and lower case letters C. Contains special characters.
1. Intro What is PremiumAV? Antivirus engine Features of PremiumAV. Classification of PremiumAV. PremiumAV LAB Re-Branding or Private Label Why Re- Branding.

1. Intro What is PremiumAV? Antivirus engine Features of PremiumAV. Classification of PremiumAV. PremiumAV LAB Re-Branding or Private Label Why Re- Branding.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Shouhuai Xu UTSA Ravi Sandhu UTSA Jose A. Morales CMU.

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Shouhuai Xu UTSA Ravi Sandhu UTSA Jose A. Morales CMU.
Computer Viruses Theory and Experiments By Dr. Frederick B. Cohen Presented by Jose Andre Morales.

Computer Viruses Theory and Experiments By Dr. Frederick B. Cohen Presented by Jose Andre Morales.
New Direction for Software Protection in Embedded Systems Department of EECS University of Michigan Feb 22, 2007 Kang G. Shin.

New Direction for Software Protection in Embedded Systems Department of EECS University of Michigan Feb 22, 2007 Kang G. Shin.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
Presented by Justin Bode CS 450 – Computer Security February 17, 2010.

Presented by Justin Bode CS 450 – Computer Security February 17, 2010.
By Joshua T. I. Towers. 13.3 $13.3 billion was the direct cost of malware for business in 2006 “direct costs are defined as labor costs to analyze, repair.

By Joshua T. I. Towers $13.3 billion was the direct cost of malware for business in 2006 “direct costs are defined as labor costs to analyze, repair.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.

An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.
Viruses, Hacking, and AntiVirus. What is a Virus? A type of Malware – Malware is short for malicious software A virus – a computer program – Can replicate.

Viruses, Hacking, and AntiVirus. What is a Virus? A type of Malware – Malware is short for malicious software A virus – a computer program – Can replicate.
Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.

Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.
To run the program: To run the program: You need the OS: You need the OS:

To run the program: To run the program: You need the OS: You need the OS:
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.

Similar presentations

Ads by Google