Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evaluating Detection & Treatment Effectiveness of Commercial Anti-Malware Programs Jose Andre Morales, Ravi Sandhu, Shouhuai Xu Institute for Cyber Security.

Published byAlvin Scott Modified over 8 years ago

Similar presentations

Presentation on theme: "Evaluating Detection & Treatment Effectiveness of Commercial Anti-Malware Programs Jose Andre Morales, Ravi Sandhu, Shouhuai Xu Institute for Cyber Security."— Presentation transcript:

1 Evaluating Detection & Treatment Effectiveness of Commercial Anti-Malware Programs Jose Andre Morales, Ravi Sandhu, Shouhuai Xu Institute for Cyber Security University of Texas at San Antonio ©2010 Institute for Cyber Security 1 World-Leading Research with Real-World Impact!

2 Introduction Evaluate CAmp’s detection and treatment effectiveness against malicious objects Redefine true positives (TP) to include treatment effectiveness Evaluate 4 current CAmp’s in three tests reflecting realistic scenarios Results suggest our approach is a more realistic evaluation of CAmp effectiveness than current trends. ©2010 Institute for Cyber Security 2 World-Leading Research with Real-World Impact!

3 Current Evaluation Trends In ranking CAmp’s for users to purchase – Detection accuracy is king – Treatment not rigorously tested More realistic approach is to evaluate both detection and treatment – Treatment just as important as detection and must be equally measured – Detection alone does not give the full picture of a CAmp’s effectiveness ©2010 Institute for Cyber Security 3 World-Leading Research with Real-World Impact!

4 Desired Characteristics Camp Should: – Automatically detect and treat malware – Correctly inform the user of system status – Not leave active threats on a system – Minimize treatment choices left up to the user From a user perspective, these are desirable characteristics making their life easier! ©2010 Institute for Cyber Security 4 World-Leading Research with Real-World Impact!

5 CAmp Components CAmp A(S) where S is any input accepted by A for detection and treatment of malicious objects. A( ) consists of two sub-components – Detection A D ( ) – Treatment A T ( ) – Assumption: a malicious objects is always detected first then treated ©2010 Institute for Cyber Security 5 World-Leading Research with Real-World Impact!

6 Detection A D ( ) Classic measure of detection accuracy A D (S)  (TP,TN,FP,FN) – true positives (TP) – true negatives (TN) – false positives (FP) – false negatives (FN) – S can be a single object (file, process) or many objects (directory, or system in infected state) ©2010 Institute for Cyber Security 6 World-Leading Research with Real-World Impact!

7 Treatment A T ( ) Measures treatment effectiveness Input comes from output of A D (S) A T (TP,FP)  (TP A,TP O,TP N,FP) – TP A :TP with automatic treatment – TP O :TP with treatment chosen via user option – TP N :TP which did not receive treatment Redefining TP incorporates treatment outcomes in a standardized form ©2010 Institute for Cyber Security 7 World-Leading Research with Real-World Impact!

8 Evaluating A(S) A(S)  (FN,FP,TN,TP A,TP O,TP N ) Evaluates both detection and treatment effectiveness of a CAmp Only interested in malicious objects – We set FP=0, TN=0 thus S = TP + FN – Tests designed to guarantee as much as possible Effective detection  high TP & low FN Effective detection + treatment  high TP A & low FN ©2010 Institute for Cyber Security 8 World-Leading Research with Real-World Impact!

9 Evaluation Tests 4 CAmps (trial versions): Kaspersky, ESET, BitDefender, ZoneAlarm. Set of 974 malware samples CWSandbox 27 October 2009 upload 3 tests emulating realistic scenarios a user may face when dealing with malware VMWare running Windows XP-SP2 Snapshot scanned and assured malware free prior to testing ©2010 Institute for Cyber Security 9 World-Leading Research with Real-World Impact!

10 Calculating TP A, TP O, TP N CAmp log file labels used to calculate results All labels in TP A verified to do what label suggests All labels in TP N verified as leaving malware active Misleading labels leave active malware on system TP O calculated by counting number of malware samples a user is asked to choose treatmen ©2010 Institute for Cyber Security World-Leading Research with Real-World Impact! 10

11 Test 1 A static file scan on a folder of 974 known malware samples, FN = 974 – TP TP rates higher than TP A meaning detection + treatment less effective then detection alone ©2010 Institute for Cyber Security 11 World-Leading Research with Real-World Impact!

12 Malware used in Tests 2 & 3 Used 3 sets of 4 malware samples, each set executes together harmoniously Active at time of testing ©2010 Institute for Cyber Security 12 World-Leading Research with Real-World Impact!

13 Test 2 Install a CAmp in a clean state, infect the system with malware for 3 minutes and perform detection and treatment, FN=TP-4 Almost every case malware detected when attempting to execute, TP=TP A One case TP=12, a detected malware seems to have executed before treatment, newly infected objects not detected ©2010 Institute for Cyber Security 13 World-Leading Research with Real-World Impact!

14 Test 2 ©2010 Institute for Cyber Security 14 World-Leading Research with Real-World Impact!

15 Test 3 Execute malware for 3 minutes, then install a CAmp and perform detection and treatment in the infected state Most difficult for CAmps to handle, broad range of TP, TP A and FN rates FN calculated using Anubis and CWSandbox – Compared log files to Analysis reports –.EXE files in report and not in log file marked FN ©2010 Institute for Cyber Security 15 World-Leading Research with Real-World Impact!

16 Test 3 ©2010 Institute for Cyber Security 16 World-Leading Research with Real-World Impact!

17 Discussion Many cases TP A lower than TP, implying detection + treatment not as effective as detection alone Infected state (Test 3) most difficult case FN, TP O in all 3 tests, TP N in only 2 tests Many malware left active on system, either not detected or detected & not treated ©2010 Institute for Cyber Security 17 World-Leading Research with Real-World Impact!

18 One More Thing… CAmps G-Data, AVG results not included – AVG did not install, improperly ran, BSOD – G-Data only produced FN & TP O & no TP A Very high detection rate Automatic treatment disabled in trial version? ©2010 Institute for Cyber Security 18 World-Leading Research with Real-World Impact!

19 New Results 5000 samples – CWSandbox: Drew samples from 5 random dates 2009: Nov 4, Dec 8; 2010: Jan 28, Jun 29, Aug 25 ©2010 Institute for Cyber Security 19 World-Leading Research with Real-World Impact!

20 Conclusions - 1 New approach to evaluate detection & treatment effectiveness of a CAmp with standardized output Redefined TP to include treatment results Tests show detection & treatment less effective than detection alone Misleading labels, malware left active Users unaware of system’s real security status ©2010 Institute for Cyber Security 20 World-Leading Research with Real-World Impact!

21 Conclusions - 2 CAmps need to improve detection & treatment Should minimize TP O & TP N Maximize TP A CAmps need to be tested rigorously and incorporate treatment resulting in a more realistic evaluation than current trends. ©2010 Institute for Cyber Security 21 World-Leading Research with Real-World Impact!

22 Camp processes can be disabled and terminated with simple commands Poor self defense Leaves system vulnerable Not able to perform static or behavior based malware scans Gives malware the upper hand. ©2010 Institute for Cyber Security 22 World-Leading Research with Real-World Impact! Self-Defense Mechanisms

23 THANK YOU! QUESTIONS? ©2010 Institute for Cyber Security 23 World-Leading Research with Real-World Impact!

Download ppt "Evaluating Detection & Treatment Effectiveness of Commercial Anti-Malware Programs Jose Andre Morales, Ravi Sandhu, Shouhuai Xu Institute for Cyber Security."

Similar presentations

Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.

Intel® RPIER 3.1 User Training Joe Schwendt Steve Mancini 7/31/2006.
Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.

Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.
Analyzing DNS Activities of Bot Processes Dr. Jose Andre Morales Areej Al-Bataineh Dr. Shouhuai Xu Dr.Ravi Sandhu 4th International Conference on Malicious.

Analyzing DNS Activities of Bot Processes Dr. Jose Andre Morales Areej Al-Bataineh Dr. Shouhuai Xu Dr.Ravi Sandhu 4th International Conference on Malicious.
Symptoms-Based Detection of Bot Processes Jose Andre MoralesErhan Kartaltepe Shouhuai XuRavi Sandhu MMM-ACNS – St Petersburg, Russia 2010 ©2010 Institute.

Symptoms-Based Detection of Bot Processes Jose Andre MoralesErhan Kartaltepe Shouhuai XuRavi Sandhu MMM-ACNS – St Petersburg, Russia 2010 ©2010 Institute.
Reuel A. Morales (Sr. Security Analyst, APAC-RTL) 04.29.2008 APAC RTL Clean Tool v5.0 Solution.

Reuel A. Morales (Sr. Security Analyst, APAC-RTL) APAC RTL Clean Tool v5.0 Solution.
UNCLASSIFIED © 2011 Carnegie Mellon University Building Malware Infection Trees Jose Andre Morales 1, Michael Main 2, Weilang Luo 3, Shouhuai Xu 2,3, Ravi.

UNCLASSIFIED © 2011 Carnegie Mellon University Building Malware Infection Trees Jose Andre Morales 1, Michael Main 2, Weilang Luo 3, Shouhuai Xu 2,3, Ravi.
Line Item Accounting Eaglesoft 16.

Line Item Accounting Eaglesoft 16.
Evaluation of segmentation. Example Reference standard & segmentation.

Evaluation of segmentation. Example Reference standard & segmentation.
Analyzing Malware Detection Efficiency with Multiple Anti-Malware Programs Dr. Jose A. Morales – Software Engineering Institute, Carnegie Mellon University.

Analyzing Malware Detection Efficiency with Multiple Anti-Malware Programs Dr. Jose A. Morales – Software Engineering Institute, Carnegie Mellon University.
A Metric for Evaluating Static Analysis Tools Katrina Tsipenyuk, Fortify Software Brian Chess, Fortify Software.

A Metric for Evaluating Static Analysis Tools Katrina Tsipenyuk, Fortify Software Brian Chess, Fortify Software.
Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Shouhuai Xu UTSA Ravi Sandhu UTSA Jose A. Morales CMU.

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Shouhuai Xu UTSA Ravi Sandhu UTSA Jose A. Morales CMU.
COURSE: JUST 3900 INTRODUCTORY STATISTICS FOR CRIMINAL JUSTICE Instructor: Dr. John J. Kerbs, Associate Professor Joint Ph.D. in Social Work and Sociology.

COURSE: JUST 3900 INTRODUCTORY STATISTICS FOR CRIMINAL JUSTICE Instructor: Dr. John J. Kerbs, Associate Professor Joint Ph.D. in Social Work and Sociology.
Improving Static Analysis Results Accuracy Chris Wysopal CTO & Co-founder, Veracode SATE Summit October 1, 2010.

Improving Static Analysis Results Accuracy Chris Wysopal CTO & Co-founder, Veracode SATE Summit October 1, 2010.
By Joshua T. I. Towers. 13.3 $13.3 billion was the direct cost of malware for business in 2006 “direct costs are defined as labor costs to analyze, repair.

By Joshua T. I. Towers $13.3 billion was the direct cost of malware for business in 2006 “direct costs are defined as labor costs to analyze, repair.
Cbio course, spring 2005, Hebrew University (Alignment) Score Statistics.

Cbio course, spring 2005, Hebrew University (Alignment) Score Statistics.
1 Validation and Verification of Simulation Models.

1 Validation and Verification of Simulation Models.
A Local Facility Location Algorithm Supervisor: Assaf Schuster Denis Krivitski Technion – Israel Institute of Technology.

A Local Facility Location Algorithm Supervisor: Assaf Schuster Denis Krivitski Technion – Israel Institute of Technology.
What Is Malwarebytes? Malwarebytes is a free anti- malware program. Anti-malware programs are specifically designed to find and remove malware on your.

What Is Malwarebytes? Malwarebytes is a free anti- malware program. Anti-malware programs are specifically designed to find and remove malware on your.
Free Software Alternatives: Avast! Anti-virus

Free Software Alternatives: Avast! Anti-virus
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)

Similar presentations

Ads by Google