Abstract
Cyber security is a major concern of computing systems. Different security controls are developed to mitigate or prevent cyber attacks. Such controls include cryptography, firewalls, intrusion detection systems, access controls, and strong authentication. These controls mainly protect the secure-system properties: confidentiality, integrity, and availability. The Antivirus software (AV) is considered the last line of defense against variety of security threats. The AV maintains a database of virus signatures against which it checks data. Had a match occurred, the AV would have reacted to the threat. Given the importance of the AV, different attacking techniques have been developed to evade the AV detection and render it useless. In this paper, we want to check how the AV behaves under pressure. We make the AV extremely busy in order to bypass its detection. We test several commercial AVs against three scenarios: when data flow from the hard drive (HD) into the main memory (reading), when data flow from the main memory into the HD (writing), and when data flow through the network (sending and receiving). This paper shows that when the AV is overloaded, some malwares can evade detection (in the reading scenario) and enjoy the existence for much more time on the HD (in the writing scenario). Finally, we show that the AVs (or at least the ones we tested in this paper) do not check network data as long as they are not written to or read from the HD.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
Throughout this paper, we mean the OS definition for the word process.
References
Al-Saleh, M., Espinoza, A., Crandall, J : Antivirus performance characterisation: system-wide view. Inf. Secur. IET 7(2), 126–133 (2013)
Al-Saleh, M.I.: The impact of the antivirus on the digital evidence. Int. J. Electron. Secur. Digit. Forensic 5(3/4), 229–240 (2013)
Al-Saleh, M.I., Crandall, J.R.: Application-level reconnaissance: timing channel attacks against antivirus software. In: Proceedings of the 4th USENIX Conference on Large-Scale Exploits and Emergent Threats. LEET’11, pp. 9–9. USENIX Association, Berkeley (2011)
Bishop, M.: Computer Security: Art and Science. Addison-Wesley, Boston (2003)
Bishop, P., Bloomfield, R., Gashi, I., Stankovic, V: Diversity for security: a study with off-the-shelf antivirus engines. In: Software Reliability Engineering (ISSRE), 2011 IEEE 22nd International Symposium on, pp. 11–19. IEEE (2011)
Christiansen, M. : Bypassing Malware Defenses? SANS Institute InfoSec Reading Room, pp. 3–4 (2010)
Christodorescu, M., Jha, S.: Testing malware detectors. SIGSOFT Softw. Eng. Notes 29(4), 34–44 (2004)
Daryabar, F., Dehghantanha, A., Broujerdi, H.G.: Investigation of malware defence and detection techniques. Int. J. Digit. Inf. Wirel. Commun. (IJDIWC) 1(3), 645–650 (2012)
Eisner, J.: Understanding Heuristics: Symantecs Bloodhound Technology. Symantec White Paper Series Volume XXXIV (1997)
Josse, S.: How to assess the effectiveness of your anti-virus? J. Comput. Virol. 2(1), 51–65 (2006)
Kojm, T.: Clamav (2004). http://www.clamav.net
Lagadec, P.: Opendocument and open xml security (openoffice. org and ms office 2007). J. Comput. Virol. 4(2), 115–125 (2008)
Lin, P.-C., Lin, Y.-D., Lai, Y.-C.: A hybrid algorithm of backward hashing and automaton tracking for virus scanning. IEEE Trans. Comput. 60, 594–601 (2011)
Meert, D., Teirlinckx, N.: Malware, from theory to practice (2012). http://ems2.be/Portals/6/Users/043/43/43/Paper_Final.pdf
Miretskiy, Y., Das, A., Wright, C.P., Zadok, E.: Avfs: an on-access anti-virus file system. In: Proceedings of the 13th USENIX Security Symposium Security 2004, pp. 73–88. USENIX Association (2004)
Paul, N.R.: Disk-level behavioral malware detection. Doctoral dissertation, University of Virginia (2008)
Rad, B.B., Masrom, M., Ibrahim, S.: Evolution of computer virus concealment and anti-virus techniques: a short survey (2011). arXiv:1104.1070
Ramilli, M., Bishop, M.: Multi-stage delivery of malware. In: 2010 5th International Conference on Malicious and Unwanted Software (MALWARE), pp. 91–97. IEEE (2010)
Ramilli, M., Bishop, M., Sun, S.: Multiprocess malware. In: 2011 6th International Conference on Malicious and Unwanted Software (MALWARE), pp. 8–13. IEEE (2011)
Silberstein, M.: Designing a cam-based coprocessor for boosting performance of antivirus software. Technion technique report (2004)
Szor, P.: The Art of Computer Virus Research and Defense. Addison-Wesley Professional, Boston (2005)
Uluski, D., Moffie, M., Kaeli, D.: Characterizing antivirus workload execution. SIGARCH Comput. Archit. News 33, 90–98 (2005)
Vasiliadis, G., Ioannidis, S.: Gravity: a massively parallel antivirus engine. In: Proceedings of the 13th International Conference on Recent Advances in Intrusion Detection, RAID’10, pp. 79–96. Springer, Berlin, Heidelberg (2010)
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Al-Saleh, M.I., AbuHjeela, F.M. & Al-Sharif, Z.A. Investigating the detection capabilities of antiviruses under concurrent attacks. Int. J. Inf. Secur. 14, 387–396 (2015). https://doi.org/10.1007/s10207-014-0261-x
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-014-0261-x