2019
DOI: 10.3390/e21050513
Mimicking Anti-Viruses with Machine Learning and Entropy Profiles

Abstract: The quality of anti-virus software relies on simple patterns extracted from binary files. Although these patterns have proven to work on detecting the specifics of software, they are extremely sensitive to concealment strategies, such as polymorphism or metamorphism. These limitations also make anti-virus software predictable, creating a security breach. Any black hat with enough information about the anti-virus behaviour can make its own copy of the software, without any access to the original implementation …

Cited by 13 publications (10 citation statements)
References 59 publications
“…An interesting application of VirusTotal is AVClass, a tool whose aim is to identify the ground truth on the malware family classification problem by averaging the opinion of the different engines of VirusTotal [28]. There are also tools like MimickAV [29] that prove the predictability of VirusTotal and auditing studies that show how obfuscation changes the outcome of anti-viruses [30]. Nevertheless, from our current knowledge, no author has used it to study the malware arms race coevolution.…”
Section: Related Work (citation type: mentioning; confidence: 99%)
“…There are multiple contributions to the analysis of malware based on using binary, static and/or dynamic features to feed machine learning to detect malware. Some examples are already mentioned, such as structural entropy [97] and its extensions to metamorphic malware detection [11], time-series features [71], and mimicking antivirus behaviours [70]. Other good examples, more classical, are the work of Schultz et al. [92], who used n-gram features to feed different machine learning approaches for Windows malware detection; Kolter and Maloof [52], who also included the information gain metric and byte-level analysis in the n-gram features; Stolfo et al. [98], who applied a similar methodology to PDF malware detection; Tabish et al. [101], who combined the n-grams with histograms to extract different metrics from information theory; and Santos et al. [89], who used n-gram features but reduced the labelling process by using semi-supervised methods.…”
Section: Learning-based Detection (citation type: mentioning; confidence: 99%)
“…It is also important to consider that some anti-viruses will be predictable. MimickAV [70] will allow determining which anti-viruses are more predictable and therefore vulnerable to potential evasion attacks based on the transferability of evasive samples [28].…”
Section: Tools (citation type: mentioning; confidence: 99%)
“…For instance, Calleja et al. [45] applied adversarial machine learning to cheat malware family classification based on static analysis. These ideas have also been extended to audit antiviruses by measuring the way they can be mimicked [46].…”
Section: Related Work (citation type: mentioning; confidence: 99%)