TY - GEN
T1 - Resilience of anti-malware programs to naïve modifications of malicious binaries
AU - Guri, Mordechai
AU - Kedma, Gabi
AU - Kachlon, Assaf
AU - Elovici, Yuval
N1 - Publisher Copyright: © 2014 IEEE.
PY - 2014/12/4
Y1 - 2014/12/4
N2 - The massive amounts of malware variants which are released each day demand fast in-lab analysis, along with fast in-field detection. Traditional malware detection methodology depends on either static or dynamic in-lab analysis to identify a suspicious file as malicious. When a file is identified as malware, the analyst extracts a structural signature, which is dispatched to subscriber machines. The signature should enable fast scanning, and should also be flexible enough to detect simple variants. In this paper we discuss 'naïve' variants which can be produced by a modestly skilled individual with publicly accessible tools and know-how which, if needed, can be found on the Internet. Furthermore, those variants can be derived directly from the malicious binary file, allowing anyone who has access to the binary file to modify it at will. Modification can be automated, to produce large amounts of variants in a short time. We describe several naïve modifications. We also put them to the test against multiple antivirus products, resulting in a significant decline of the average detection rate, compared to the original (unmodified) detection rate. Since the aforementioned decline may be related, at least in some cases, to avoidance of probable false positives, we also discuss the acceptable rate of false positives in the context of malware detection.
AB - The massive amounts of malware variants which are released each day demand fast in-lab analysis, along with fast in-field detection. Traditional malware detection methodology depends on either static or dynamic in-lab analysis to identify a suspicious file as malicious. When a file is identified as malware, the analyst extracts a structural signature, which is dispatched to subscriber machines. The signature should enable fast scanning, and should also be flexible enough to detect simple variants. In this paper we discuss 'naïve' variants which can be produced by a modestly skilled individual with publicly accessible tools and know-how which, if needed, can be found on the Internet. Furthermore, those variants can be derived directly from the malicious binary file, allowing anyone who has access to the binary file to modify it at will. Modification can be automated, to produce large amounts of variants in a short time. We describe several naïve modifications. We also put them to the test against multiple antivirus products, resulting in a significant decline of the average detection rate, compared to the original (unmodified) detection rate. Since the aforementioned decline may be related, at least in some cases, to avoidance of probable false positives, we also discuss the acceptable rate of false positives in the context of malware detection.
KW - crafty malware
KW - false positive
KW - malware analysis
KW - malware detection
KW - malware variants
UR - http://www.scopus.com/inward/record.url?scp=84920271541&partnerID=8YFLogxK
U2 - https://doi.org/10.1109/JISIC.2014.31
DO - https://doi.org/10.1109/JISIC.2014.31
M3 - Conference contribution
T3 - Proceedings - 2014 IEEE Joint Intelligence and Security Informatics Conference, JISIC 2014
SP - 152
EP - 159
BT - Proceedings - 2014 IEEE Joint Intelligence and Security Informatics Conference, JISIC 2014
T2 - 2014 IEEE Joint Intelligence and Security Informatics Conference, JISIC 2014
Y2 - 24 September 2014 through 26 September 2014
ER -