Exploiting an antivirus interface

Kevin W. Hamlen; Vishwath Mohan; Mohammad M. Masud; Latifur Khan; Bhavani Thuraisingham

doi:10.1016/j.csi.2009.04.004

Exploiting an antivirus interface

Kevin W. Hamlen, Vishwath Mohan, Mohammad M. Masud, Latifur Khan, Bhavani Thuraisingham

Research output: Contribution to journal › Article › peer-review

25 Citations (Scopus)

Abstract

We propose a technique for defeating signature-based malware detectors by exploiting information disclosed by antivirus interfaces. This information is leveraged to reverse engineer relevant details of the detector's underlying signature database, revealing binary obfuscations that suffice to conceal malware from the detector. Experiments with real malware and antivirus interfaces on Windows operating systems justify the effectiveness of our approach.

Original language	English
Pages (from-to)	1182-1189
Number of pages	8
Journal	Computer Standards and Interfaces
Volume	31
Issue number	6
DOIs	https://doi.org/10.1016/j.csi.2009.04.004
Publication status	Published - Nov 2009
Externally published	Yes

Keywords

Binary obfuscation
Data mining
Security
Signature-based malware detection

ASJC Scopus subject areas

Software
Hardware and Architecture
Law

Access to Document

10.1016/j.csi.2009.04.004

Cite this

@article{2fda0cf01b8b43caa7059f688bbe2ad5,

title = "Exploiting an antivirus interface",

abstract = "We propose a technique for defeating signature-based malware detectors by exploiting information disclosed by antivirus interfaces. This information is leveraged to reverse engineer relevant details of the detector's underlying signature database, revealing binary obfuscations that suffice to conceal malware from the detector. Experiments with real malware and antivirus interfaces on Windows operating systems justify the effectiveness of our approach.",

keywords = "Binary obfuscation, Data mining, Security, Signature-based malware detection",

author = "Hamlen, {Kevin W.} and Vishwath Mohan and Masud, {Mohammad M.} and Latifur Khan and Bhavani Thuraisingham",

year = "2009",

month = nov,

doi = "10.1016/j.csi.2009.04.004",

language = "English",

volume = "31",

pages = "1182--1189",

journal = "Computer Standards and Interfaces",

issn = "0920-5489",

publisher = "Elsevier",

number = "6",

}

TY - JOUR

T1 - Exploiting an antivirus interface

AU - Hamlen, Kevin W.

AU - Mohan, Vishwath

AU - Masud, Mohammad M.

AU - Khan, Latifur

AU - Thuraisingham, Bhavani

PY - 2009/11

Y1 - 2009/11

N2 - We propose a technique for defeating signature-based malware detectors by exploiting information disclosed by antivirus interfaces. This information is leveraged to reverse engineer relevant details of the detector's underlying signature database, revealing binary obfuscations that suffice to conceal malware from the detector. Experiments with real malware and antivirus interfaces on Windows operating systems justify the effectiveness of our approach.

AB - We propose a technique for defeating signature-based malware detectors by exploiting information disclosed by antivirus interfaces. This information is leveraged to reverse engineer relevant details of the detector's underlying signature database, revealing binary obfuscations that suffice to conceal malware from the detector. Experiments with real malware and antivirus interfaces on Windows operating systems justify the effectiveness of our approach.

KW - Binary obfuscation

KW - Data mining

KW - Security

KW - Signature-based malware detection

UR - http://www.scopus.com/inward/record.url?scp=68849090525&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=68849090525&partnerID=8YFLogxK

U2 - 10.1016/j.csi.2009.04.004

DO - 10.1016/j.csi.2009.04.004

M3 - Article

AN - SCOPUS:68849090525

SN - 0920-5489

VL - 31

SP - 1182

EP - 1189

JO - Computer Standards and Interfaces

JF - Computer Standards and Interfaces

IS - 6

ER -

Exploiting an antivirus interface

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this