{"title":"恶意软件作者测试挑战","authors":"Tarun Moni, Sameer Salahudeen, Anil Somayaji","doi":"10.1109/WATER.2014.7015755","DOIUrl":null,"url":null,"abstract":"Attackers regularly evaluate anti-malware software to see whether or not their malware will be detected. This attacker-driven anti-malware testing is something defenders would ideally want to limit. Given that anti-malware products must be widely distributed to be commercially viable, it is not feasible to prevent attackers from running them. Here we examine whether it may be possible to instead limit the effectiveness of attacker tests. Specifically, we present a game-theoretic model of anti-malware testing where detection timeliness and coverage are parameters that can be adjusted by anti-malware providers. The less coverage and the slower the response, the harder it is for attackers to determine whether their malware will be detected-and the less protection the software provides to hosts running the anti-malware software. While our results are preliminary, they suggest that it is clearly non-optimal for anti-malware vendors to simply maximize coverage and detection time. As we explain, this result has significant implications for product design and (non-malicious) anti-malware testing methodologies.","PeriodicalId":430865,"journal":{"name":"2014 Second Workshop on Anti-malware Testing Research (WATeR)","volume":"5 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"The malware author testing challenge\",\"authors\":\"Tarun Moni, Sameer Salahudeen, Anil Somayaji\",\"doi\":\"10.1109/WATER.2014.7015755\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Attackers regularly evaluate anti-malware software to see whether or not their malware will be detected. This attacker-driven anti-malware testing is something defenders would ideally want to limit. Given that anti-malware products must be widely distributed to be commercially viable, it is not feasible to prevent attackers from running them. Here we examine whether it may be possible to instead limit the effectiveness of attacker tests. Specifically, we present a game-theoretic model of anti-malware testing where detection timeliness and coverage are parameters that can be adjusted by anti-malware providers. The less coverage and the slower the response, the harder it is for attackers to determine whether their malware will be detected-and the less protection the software provides to hosts running the anti-malware software. While our results are preliminary, they suggest that it is clearly non-optimal for anti-malware vendors to simply maximize coverage and detection time. As we explain, this result has significant implications for product design and (non-malicious) anti-malware testing methodologies.\",\"PeriodicalId\":430865,\"journal\":{\"name\":\"2014 Second Workshop on Anti-malware Testing Research (WATeR)\",\"volume\":\"5 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2014-10-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2014 Second Workshop on Anti-malware Testing Research (WATeR)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/WATER.2014.7015755\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 Second Workshop on Anti-malware Testing Research (WATeR)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/WATER.2014.7015755","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Attackers regularly evaluate anti-malware software to see whether or not their malware will be detected. This attacker-driven anti-malware testing is something defenders would ideally want to limit. Given that anti-malware products must be widely distributed to be commercially viable, it is not feasible to prevent attackers from running them. Here we examine whether it may be possible to instead limit the effectiveness of attacker tests. Specifically, we present a game-theoretic model of anti-malware testing where detection timeliness and coverage are parameters that can be adjusted by anti-malware providers. The less coverage and the slower the response, the harder it is for attackers to determine whether their malware will be detected-and the less protection the software provides to hosts running the anti-malware software. While our results are preliminary, they suggest that it is clearly non-optimal for anti-malware vendors to simply maximize coverage and detection time. As we explain, this result has significant implications for product design and (non-malicious) anti-malware testing methodologies.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
