Diversity for Security: A Study with Off-the-Shelf AntiVirus Engines

Author

Bishop, Peter ; Bloomfield, Robin ; Gashi, Ilir ; Stankovic, Valdimir

Author_Institution

Centre for Software Reliability, City Univ. London, London, UK

fYear

2011

fDate

Nov. 29 2011-Dec. 2 2011

Firstpage

11

Lastpage

19

Abstract

We have previously reported [1] the results of an exploratory analysis of the potential gains in detection capability from using diverse AntiVirus products. The analysis was based on 1599 malware samples collected from a distributed honey pot deployment over a period of 178 days. The malware samples were sent to the signature engines of 32 different AntiVirus products hosted by the Virus Total service. The analysis suggested significant gains in detection capability from using more than one AntiVirus product in a one-out-of-two intrusion-tolerant setup. In this paper we present new analysis of this dataset to explore the detection gains that can be achieved from using more diversity (i.e. more than two AntiVirus products), how diversity may help to reduce the "at risk time" of a system and a preliminary model-fitting using the hyper-exponential distribution.

Keywords

computer network security; computer viruses; digital signatures; exponential distribution; VirusTotal service; detection capability; distributed honeypot deployment; diverse antivirus products; hyper-exponential distribution; malware; model-fitting; off-the-shelf antivirus engines; one-out-of-two intrusion-tolerant setup; security assessment; signature engines; Software reliability; anti-virus engines; empirical assessment; malware; security assessment;

fLanguage

English

Publisher

ieee

Conference_Titel

Software Reliability Engineering (ISSRE), 2011 IEEE 22nd International Symposium on

Conference_Location

Hiroshima

ISSN

1071-9458

Print_ISBN

978-1-4577-2060-4

Type

conf

DOI

10.1109/ISSRE.2011.15

Filename

6132949