Testing malware detectors Export

@article{citeulike:5998617, abstract = {In today's interconnected world, malware, such as worms and viruses, can cause havoc. A malware detector (commonly known as virus scanner) attempts to identify malware. In spite of the importance of malware detectors, there is a dearth of testing techniques for evaluating them. We present a technique based on program obfuscation for generating tests for malware detectors. Our technique is geared towards evaluating the resilience of malware detectors to various obfuscation transformations commonly used by hackers to disguise malware. We also demonstrate that a hacker can leverage a malware detector's weakness in handling obfuscation transformations and can extract the signature used by a detector for a specific malware. We evaluate three widely-used commercial virus scanners using our techniques and discover that the resilience of these scanners to various obfuscations is very poor.}, address = {New York, NY, USA}, author = {Christodorescu, Mihai and Jha, Somesh}, citeulike-article-id = {5998617}, citeulike-linkout-0 = {http://portal.acm.org/citation.cfm?id=1007518}, citeulike-linkout-1 = {http://dx.doi.org/10.1145/1013886.1007518}, citeulike-linkout-2 = {http://www.cs.wisc.edu/wisa/papers/issta04/issta.pdf}, doi = {10.1145/1013886.1007518}, issn = {0163-5948}, journal = {SIGSOFT Softw. Eng. Notes}, keywords = {adequacy, malware, malware-detection, testing}, number = {4}, pages = {34--44}, posted-at = {2009-10-23 22:33:08}, priority = {0}, publisher = {ACM}, title = {Testing malware detectors}, url = {http://dx.doi.org/10.1145/1013886.1007518}, volume = {29}, year = {2004} }

TY - JOUR ID - citeulike:5998617 L3 - citeulike-article-id:5998617 N2 - In today's interconnected world, malware, such as worms and viruses, can cause havoc. A malware detector (commonly known as virus scanner) attempts to identify malware. In spite of the importance of malware detectors, there is a dearth of testing techniques for evaluating them. We present a technique based on program obfuscation for generating tests for malware detectors. Our technique is geared towards evaluating the resilience of malware detectors to various obfuscation transformations commonly used by hackers to disguise malware. We also demonstrate that a hacker can leverage a malware detector's weakness in handling obfuscation transformations and can extract the signature used by a detector for a specific malware. We evaluate three widely-used commercial virus scanners using our techniques and discover that the resilience of these scanners to various obfuscations is very poor. IS - 4 JF - SIGSOFT Softw. Eng. Notes SN - 0163-5948 AD - New York, NY, USA EP - 44 TI - Testing malware detectors PB - ACM VL - 29 SP - 34 KW - adequacy KW - malware KW - malware-detection KW - testing AU - Christodorescu, Mihai AU - Jha, Somesh PY - 2004/// UR - http://dx.doi.org/10.1145/1013886.1007518 ER -