Analyzing Malware Detection Efficiency with Multiple Anti-Malware Programs Dr. Jose A. Morales – Software Engineering Institute, Carnegie Mellon University.

Presentation transcript:

Analyzing Malware Detection Efficiency with Multiple Anti-Malware Programs
Dr. Jose A. Morales – Software Engineering Institute, Carnegie Mellon University
Dr. Shouhuai Xu – Department of Computer Science, University of Texas at San Antonio
Dr. Ravi Sandhu – Institute for Cyber Security, University of Texas at San Antonio

Introduction
- Is 1 anti-malware enough? If NO, how many are needed for sufficient detection?
- Qualitatively test detection with multiple anti-malware COTS in a VM
- Test for competence: achieved when an anti-malware detects and removes all malware from a machine
- Discovered 3 COTS not enough to fully eradicate all malware on a machine
- Conjecture more than 7 COTS may be needed to achieve competence

Contributions
- Qualitatively show 1 anti-malware program insufficient to protect against all malware threats
- Define the notion of an anti-malware being competent
- Show 3 anti-malware engines not enough to disinfect a compromised system
- Conclude the number of needed anti-malware programs too large to be practical

Anti-Malware Competence
- An anti-malware is competent when:
  – Detects & cleans all malware present on a system
- Consumer trust of anti-malware capability based on inherent competence
- Incompetence leads to
  – system compromise
  – Fundamental detection flaws in anti-malware

Testing for Competence
- Tested 2 sets of 3 anti-malware products in sequence
  – 2 environments: Clean start state; Infected start state
- Methodology:

DT & SDT
- Anti-malware program $C$; state of a system $S$
- $DT(C_i(S_{i-1})) = \text{True}$ iff
  – $C_i$ detects an object in $S_{i-1}$ as malware
  – $DT()$ tests $C$'s detection capability
- $SDT(C_i(S_i)) = \text{True}$ iff
  – $C_i$ removes all detected malware in $S_i$
  – $SDT()$ tests $C$'s treatment effectiveness
- Turnover Rate: $SDT/DT = X\%$
  – Shows treatment effectiveness of detected malicious objects

Achieving Competence
- An anti-malware program $C_1$ is competent, denoted by $SDT(C_1(S)) = T$, if for every input $S$ it holds that:
- This can be extended to any number of $C_1 \ldots C_n$
- Achieves complete detection and treatment, thus is competent

Experiments
- Attempt to establish competence to show:
  – If 1 anti-malware is sufficient protection
  – If not 1, then test how many anti-malware programs are needed to achieve sufficient protection against a diverse set of known malware
- This measure facilitates confidence in consumers when buying these products.

Experiments
- Tested two sets of 3 anti-malware programs each, $(C_1(), C_2(), C_3())$, as follows:
  – 1st set: ESET, AVG, ZoneAlarm
  – 2nd set: Kaspersky, G Data, Bitdefender
- Tested all permutations of each set, $3! = 6$ cases per set
- Two experiments
  – carried out in VMware
  – running a freshly installed Windows 7 OS to assure a malware-free environment
- Diverse 500 malware samples
  – worms, rootkits, bots, backdoors, password stealers, malware downloaders
  – GFI Sandbox repository, 2010
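A small executable model of the DT/SDT predicates, the turnover rate and the sequential permutation test described in the DT & SDT, Achieving Competence and Experiments slides above, added here as an illustration (not the authors' code or data); the engines E1..E3, their detection/removal sets and the malware ids m1..m6 are constructed for the example.

```python
# Added example, not from the presentation: a toy model of the DT/SDT
# predicates, the turnover rate and the sequential permutation test.
from itertools import permutations

# Constructed data: hypothetical engines E1..E3 with the malware ids they
# detect and, of those, the ones they can actually remove (treatment).
ENGINES = {
    "E1": {"detects": {"m1", "m2", "m3"}, "removes": {"m1", "m2"}},
    "E2": {"detects": {"m3", "m4"},       "removes": {"m3", "m4"}},
    "E3": {"detects": {"m2", "m5", "m6"}, "removes": {"m5"}},
}
# S_0 for the "infected start state" environment (constructed).
INFECTED_STATE = frozenset({"m1", "m2", "m3", "m4", "m5", "m6"})

def run_engine(name, state):
    """Apply C_i to S_{i-1}; return (S_i, DT, SDT, turnover)."""
    eng = ENGINES[name]
    detected = eng["detects"] & state      # objects C_i flags as malware in S_{i-1}
    removed = eng["removes"] & detected    # detected objects C_i actually cleans
    dt = bool(detected)                    # DT(C_i(S_{i-1})): something detected
    # SDT(C_i(S_i)): all detected malware removed; assumed False if nothing detected
    sdt = dt and removed == detected
    # Turnover rate SDT/DT as the fraction of detected objects that were treated
    turnover = len(removed) / len(detected) if detected else None
    return state - removed, dt, sdt, turnover

def run_sequence(order, state=INFECTED_STATE):
    """Run engines in order; competent iff no malware remains in the final state."""
    steps = []
    for name in order:
        state, dt, sdt, turnover = run_engine(name, state)
        steps.append((name, dt, sdt, turnover, state))
    return {"order": tuple(order), "steps": steps, "competent": not state}

def test_all_permutations(state=INFECTED_STATE):
    """Mirror the slides' 3! = 6 cases per set: which orderings achieve competence."""
    return {order: run_sequence(order, state)["competent"]
            for order in permutations(ENGINES)}

if __name__ == "__main__":
    for order, ok in test_all_permutations().items():
        print(" -> ".join(order), "competent" if ok else "residual malware left")
```

With the constructed data, m6 is detected but never removed, so none of the six orderings reaches competence, which is the kind of outcome the slides report for three engines on an infected start state.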

Experiments

Experiment Observations
- Competence easily achieved with the anti-malware running in clean state
- Combined detection power of multiple engines increases competence
- Some cases where 3 engines not enough to achieve competence
- Infected system facilitates anti-malware program instability
- Anti-malware program installed in infected system may have higher false negatives
- Tested anti-malware programs seem to lack self-defense, allowing malware to compromise them
- Malware running in a system may block access to resources needed by anti-malware, causing a crash on execution

How Many Anti-Malware programs to deploy?
- Based on experiment result:
  – 2 minimum for low protection
  – 3 for medium protection
  – 4-5 or more for high protection
- Given current anti-malware technologies, achieving competence may be impractical
  – Insufficient protection
  – Facilitation of malware

Conclusions
- Using multiple anti-malware programs does not seem to provide competence with diverse malware
- Current anti-malware programs provide insufficient protection and are susceptible to malware compromise
- Combining multiple anti-malware detection engines under one program may increase protection
- Future work: rerun tests with larger sets of anti-malware programs seeking to achieve competence.

Questions? ¿Preguntas? 質問 Вопросы Sawaal Domande Soru Ερωτήσεις 問題