AV-Meter: An Evaluation of Antivirus Scans and Labels Omar Alrawi - - PowerPoint PPT Presentation

av meter an evaluation of antivirus scans and labels
SMART_READER_LITE
LIVE PREVIEW

AV-Meter: An Evaluation of Antivirus Scans and Labels Omar Alrawi - - PowerPoint PPT Presentation

Dec 15, 2022 412 likes •655 views

AV-Meter: An Evaluation of Antivirus Scans and Labels Omar Alrawi (Qatar Computing Research Institute) Joint with Aziz Mohaisen (VeriSign Labs) Overview Introduction to problem Evaluation metrics Dataset gathering and use

slide-1
SLIDE 1

AV-Meter: An Evaluation of Antivirus Scans and Labels

Omar Alrawi (Qatar Computing Research Institute) Joint with Aziz Mohaisen (VeriSign Labs)

slide-2
SLIDE 2

2

Overview

  • Introduction to problem
  • Evaluation metrics
  • Dataset gathering and use
  • Measurements and findings
  • Implications
  • Conclusion and questions
slide-3
SLIDE 3

4

Example of labels

  • ZeroAccess known labels by vendors and community:
  • ­‑ Zeroaccess, Zaccess, 0access, Sirefef, Reon
slide-4
SLIDE 4

5

Applications

  • Anti-virus (AV) independent labeling and inconsistency
  • ­‑ Heuristics, generic labels, etc.
  • Machine learning (ground truth learning set and verification for

classification)

  • Incident response, mitigation strategies
  • “Elephant in the room”
  • ­‑ Symantec finally admits it!
slide-5
SLIDE 5

6

Approach

  • Contribution
  • ­‑ Provide metrics for evaluating AV detection and labeling systems
  • ­‑ Use of highly-accurate and manually-vetted dataset for evaluation
  • ­‑ Provide several directions to address the problem
  • Limitations
  • ­‑ Cannot be used to benchmark AV engines
  • ­‑ Cannot be generalized for a given malware family
slide-6
SLIDE 6

7

Metrics (4Cs)

  • Completeness (detection rate)
  • Correctness (correct label)
  • Consistency (agreement among other Avs)
  • Coverage
slide-7
SLIDE 7

8

Completeness (detection rate)

  • Given a set of malware, how many are detected by a given AV

engine

  • Normalized by the dataset size; value in [0-1]

Malware ¡Set ¡ Detected ¡Set ¡

slide-8
SLIDE 8

9

Correctness

  • Score based on correct label returned by a given AV engine;

normalized by the set size

Malware ¡Set ¡ Detected ¡Set ¡ Correct ¡Label ¡Set ¡

slide-9
SLIDE 9

10

Consistency

  • Agreement of labels (detections) among vendors
  • ­‑ Completeness consistency
  • ­‑ Correctness consistency
  • ­‑ (S’^S’’)/(S’vS’’) for both measures
  • Normalized by the size of the union of S’ and S’’

S’ ¡ ¡S’’ ¡

S’^S’’

slide-10
SLIDE 10

11

Coverage

  • Minimal number of AV engines required to detect a given

complete set of malware

  • Normalized by the size of set; value in [0-1]

¡ ¡ ¡ ¡ ¡ Malware ¡Set ¡

AV1 ¡ AV2 ¡ AV3 ¡ AV4 ¡ AV6 ¡ AV5 ¡

slide-11
SLIDE 11

12

Data

  • Eleven malware families
  • ­‑ Zeus, ZeroAccess, Getkys, Lurid, DNSCalc, ShadyRat, N0ise,

JKDDos, Ddoser, Darkness, Avzhan

  • ­‑ Total of about 12k pieces of malware
  • Three types of malware
  • ­‑ Trojans
  • ­‑ DDoS
  • ­‑ Targeted
slide-12
SLIDE 12

13

Data Vetting

  • Operational environment
  • ­‑ Incident response
  • ­‑ Collected over 1.5 years (2011-2013)
  • Malware labels
  • ­‑ industry, community, and malware author given labels (Zbot, Zaccess,

cosmu, etc.)

  • Virus scans
  • ­‑ VirusTotal
  • ­‑ Multiple occurrence of vendors, use best results
slide-13
SLIDE 13

15

Experiment - Completeness

  • More than half of AV engines detect our pool of samples (positive outcome!)
  • These samples contribute to the high detection rates seen across AV engines

zeus zaccess lurid n0ise

  • ldcarp

jkddos dnscalc ddoser darkness bfox avzhan 10 20 30 40 Number of scanners

slide-14
SLIDE 14

16

Experiment - Completeness

  • Completeness score for each AV for all 12k samples
  • Maximum completeness provided is 99.7%
  • Average completeness provided is 59.1%
  • eTrust.Vet

eSafe NANO Malwarebytes Agnitum MicroWorld NOD32 VirusBuster Antiy.AVL Kingsoft Rising ClamAV TotalDefense SAntiSpyware ViRobot CAT.QuickHeal PCTools F.Prot Commtouch TheHacker ESET.NOD32 Jiangmin VBA32 nProtect Symantec AhnLab.V3 TrendMicro K7AntiVirus Emsisoft TrendMicro.1 Comodo Sophos Fortinet DrWeb Norman Panda VIPRE Microsoft Avast McAfee.GWE AVG Ikarus F.Secure AntiVir McAfee BitDefender Kaspersky GData 0.0 0.2 0.4 0.6 0.8 1.0 Completeness

slide-15
SLIDE 15

17

Experiment - Completeness

  • Completeness versus number of labels
  • ­‑ On average each scanner has 139 unique label per family and

median of 69 labels

  • Completeness versus largest label
  • ­‑ We see an average largest label is 20%
  • Example: if largest label 100, then average AV has 20 labels per family
  • ­‑ AV with smaller labels can be deceiving regarding correctness
  • Example: Norman has generic label (ServStart) for Avzhan family covering 96.7%
  • f the sample set
slide-16
SLIDE 16

18

Experiment - Correctness

  • Highest correct label is Jkddos (labeled jackydos or jukbot) by:
  • ­‑ Symantec (86.8%), Microsoft (85.3%), PCTools (80.3%), with

completeness close to 98%

  • Others
  • ­‑ Blackenergy (64%,)
  • ­‑ Zaccess (38.6%)
  • ­‑ Zbot (73.9%)
slide-17
SLIDE 17

19

Experiment - Correctness

  • Correctness - Zeus and JKDDoS
  • ­‑ Static scan labels - green
  • ­‑ Behavior labels (Trojan, generic, etc.) - blue
  • ­‑ Incorrect labels (unique label) - red

Correctness 0.0 0.2 0.4 0.6 0.8 1.0 eTrust.Vet eSafe NANO Malwarebytes Agnitum MicroWorld NOD32 VirusBuster Antiy.AVL Kingsoft Rising ClamAV TotalDefense SA.Spyware ViRobot CAT.QuickHeal PCTools F.Prot Commtouch TheHacker ESET.NOD32 Jiangmin VBA32 nProtect Symantec AhnLab.V3 TrendMicro K7AntiVirus Emsisoft TrendMicro.HC Comodo Sophos Fortinet DrWeb Norman Panda VIPRE Microsoft Avast McAfee.GWE AVG Ikarus F.Secure AntiVir McAfee BitDefender Kaspersky GData Correctness 0.0 0.2 0.4 0.6 0.8 1.0

slide-18
SLIDE 18

20 1 2 3 4 5 6 7 8 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 0.0 0.2 0.4 0.6 0.8 1.0 Antivirus Scanner Consistency

Experiment – Consistency

  • Consistency of detection
  • ­‑ Pairwise comparison for sample detection across two vendors
  • On average 50% agreement
  • 24 vendors have, almost, perfect consistency
  • ­‑ AV sharing information is a potential explanation;
  • ­‑ AV vendor 1 depends on vendor 2 detection (piggybacking)
  • Example of one family (Zeus)
slide-19
SLIDE 19

21

Experiment - Coverage

  • JKDDoS and Zeus
  • Coverage for
  • Completeness (3-10 AV

engines) depending on family

  • Correctness (Never reached

with all 48 engines)

  • Highest score observed for

correctness is 97.6% 0.7 0.75 0.8 0.85 0.9 0.95 1 5 10 15 20 25 Coverage Number of Antivirus Scanners Completeness - Zeus Correctness - Zeus Completeness - JKDDoS Correctness - JKDDoS

slide-20
SLIDE 20

22

Implications

  • Relying on AV labels to evaluate proposed approaches seems

problematic at best;

  • ­‑ Machine learning, classification and clustering
  • Rapid incident response based on AV labels
  • ­‑ Applying wrong remediation for incident based on incorrect label may

cause long-lasting harm.

  • Tracking and attribution of malicious code (Law enforcement)
  • ­‑ Tracking inaccurate indictors due to incorrect label
slide-21
SLIDE 21

23

Conclusion

  • Proposed remedies
  • ­‑ Data/indicator sharing
  • ­‑ Label unification
  • ­‑ Existing label consolidation
  • ­‑ Defining a label, by behavior, class, purpose, etc.
  • Future work
  • ­‑ Methods and techniques to tolerate inconsistencies and

incompleteness of labels/detection

  • Full paper
  • ­‑ http://goo.gl/1xFv93
slide-22
SLIDE 22

Omar Alrawi

  • alrawi@qf.org.qa

+974 4544 2955