
Investigating the detection capabilities of antiviruses under concurrent attacks

  • Regular Contribution

International Journal of Information Security

Abstract

Cyber security is a major concern for computing systems. Different security controls have been developed to mitigate or prevent cyber attacks. Such controls include cryptography, firewalls, intrusion detection systems, access controls, and strong authentication. These controls mainly protect the properties of a secure system: confidentiality, integrity, and availability. Antivirus software (AV) is considered the last line of defense against a variety of security threats. The AV maintains a database of virus signatures against which it checks data; if a match occurs, the AV reacts to the threat. Given the importance of the AV, different attack techniques have been developed to evade AV detection and render it useless. In this paper, we want to check how the AV behaves under pressure. We make the AV extremely busy in order to bypass its detection. We test several commercial AVs against three scenarios: when data flow from the hard drive (HD) into the main memory (reading), when data flow from the main memory into the HD (writing), and when data flow through the network (sending and receiving). This paper shows that when the AV is overloaded, some malware can evade detection (in the reading scenario) and persist for much longer on the HD (in the writing scenario). Finally, we show that the AVs (or at least the ones we tested in this paper) do not check network data as long as they are not written to or read from the HD.



Notes

  1. Throughout this paper, we mean the OS definition for the word process.



Corresponding author: Mohammed I. Al-Saleh.


Cite this article

Al-Saleh, M.I., AbuHjeela, F.M. & Al-Sharif, Z.A. Investigating the detection capabilities of antiviruses under concurrent attacks. Int. J. Inf. Secur. 14, 387–396 (2015). https://doi.org/10.1007/s10207-014-0261-x
