Abstract
While several works have tested the resilience of antiviruses (AVs) to obfuscation techniques, no work has studied AVs by looking at the big picture, that is, including their modern components (e.g., emulators, heuristics). As a matter of fact, it is still unclear how AVs work internally. In this paper, we investigate the current state of AVs by proposing a methodology to explore AV capabilities in a black-box fashion. First, we craft samples that trigger specific components in an AV engine, and then we leverage their detection outcome and label as a side channel to infer how such components work. To do this, we developed a framework, crAVe, to automatically test and explore the capabilities of generic AV engines. Finally, we tested and explored commercial AVs and obtained interesting insights into how they leverage their internal components.
| Original language | English |
|---|---|
| Title of host publication | Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings |
| Editors | Cristiano Giuffrida, Sebastien Bardin, Gregory Blanc |
| Publisher | Springer |
| Pages | 393-403 |
| Number of pages | 11 |
| ISBN (Print) | 9783319934105 |
| DOIs | |
| Publication status | Published - 1 Jan 2018 |
| Externally published | Yes |
| Event | 15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018 - Saclay, France |
| Duration | 28 Jun 2018 → 29 Jun 2018 |
| Conference number | 15 |
Publication series
| Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
|---|---|
| Volume | 10885 LNCS |
| ISSN (Print) | 0302-9743 |
| ISSN (Electronic) | 1611-3349 |
Conference
| Conference | 15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018 |
|---|---|
| Abbreviated title | DIMVA 2018 |
| Country/Territory | France |
| City | Saclay |
| Period | 28/06/18 → 29/06/18 |