KUBO: a framework for automated efficacy testing of anti-virus behavioral detection with procedure-based malware emulation


Bibliographic Details
Main Authors: Pružinec, Jakub; Nguyen, Quynh Anh; Baldwin, Adrian; Griffin, Jonathan; Liu, Yang
Other Authors: School of Computer Science and Engineering
Format: Conference Paper
Language: English
Published: November 2022 (repository record dated 2023-11-07)
Subjects: Engineering::Computer science and engineering; Malware; Anti-Virus Testing
Online Access:https://hdl.handle.net/10356/171747
Description

Traditional testing of Anti-Virus (AV) products is usually performed on a curated set of malware samples. While this approach can evaluate an AV's overall performance on known threats, it fails to provide details on the coverage of exact attack techniques used by adversaries and malware. Such coverage information is crucial in helping users understand potential attack paths formed using new code and combinations of known attack techniques. This paper describes KUBO, a framework for systematic large-scale testing of behavioral coverage of AV software. KUBO uses a novel malware behavior emulation method to generate a large number of attacks from combinations of adversarial procedures and runs them against a set of AVs. Contrary to other emulators, our attacks are coordinated by the adversarial procedures themselves, rendering the emulated malware independent of agents and semantically coherent. We perform an evaluation of KUBO on 7 major commercial AVs utilizing tens of distinct attack procedures and thousands of their combinations. The results demonstrate that our approach is feasible, leads to automatic large-scale evaluation, and is able to unveil a multitude of open attack paths. We show how the results can be used to assess general behavioral efficacy and efficacy with respect to individual adversarial procedures.
Institution: Nanyang Technological University
Venue: 13th International Workshop on Automating Test Case Design, Selection and Evaluation (A-TEST 2022), November 2022, pages 37-44
Research Centre: HP-NTU Digital Manufacturing Corporate Lab
Citation: Pružinec, J., Nguyen, Q. A., Baldwin, A., Griffin, J. & Liu, Y. (2022). KUBO: a framework for automated efficacy testing of anti-virus behavioral detection with procedure-based malware emulation. 13th International Workshop on Automating Test Case Design, Selection and Evaluation (A-TEST 2022), November 2022, 37-44. https://dx.doi.org/10.1145/3548659.3561307
DOI: 10.1145/3548659.3561307
ISBN: 9781450394529
Scopus ID: 2-s2.0-85142925646
Funding: This study is supported under the RIE2020 Industry Alignment Fund – Industry Collaboration Projects (IAF-ICP) Funding Initiative, as well as cash and in-kind contribution from the industry partner, HP Inc., through the HP-NTU Digital Manufacturing Corporate Lab.
Rights: © 2022 Copyright held by the owner/author(s). Publication rights licensed to ACM. All rights reserved.
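The abstract above describes KUBO's approach only at a high level: compose chains of adversarial procedures, run every chain against a set of AVs, then report efficacy overall and per procedure, with chains that nothing catches being the open attack paths. The Python sketch below is an added example of that workflow, not KUBO's code and not derived from anything beyond the abstract: the six procedure names, the rule-based detection oracle that stands in for a real AV, the two "AV" rule sets and the per-procedure metric are all constructed assumptions for illustration.

```python
from itertools import combinations
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

# Constructed catalogue of adversarial procedures (hypothetical identifiers;
# the paper's actual procedure set is not reproduced on this page).
PROCEDURES: Tuple[str, ...] = (
    "drop_payload",        # write an executable to a user-writable directory
    "registry_run_key",    # persist through a Run key
    "scheduled_task",      # persist through a scheduled task
    "process_inject",      # inject code into another process
    "shadow_copy_delete",  # destroy recovery points
    "exfil_http",          # send collected data to a remote host
)

Chain = Tuple[str, ...]           # one emulated sample = a combination of procedures
Detector = Callable[[Chain], bool]


def generate_chains(procedures: Iterable[str], max_len: int) -> List[Chain]:
    """Every combination of 1..max_len procedures, in catalogue order.

    The sample count grows combinatorially, which is how tens of procedures
    become thousands of samples; 6 procedures with max_len=3 give 41.
    """
    procs = tuple(procedures)
    chains: List[Chain] = []
    for k in range(1, max_len + 1):
        chains.extend(combinations(procs, k))
    return chains


def make_detector(rules: Iterable[FrozenSet[str]]) -> Detector:
    """Constructed stand-in for an AV behavioral engine: a rule fires when
    every procedure it names occurs in the chain."""
    rule_set = [frozenset(r) for r in rules]

    def detect(chain: Chain) -> bool:
        present = frozenset(chain)
        return any(rule <= present for rule in rule_set)

    return detect


# Constructed rule sets for two hypothetical AVs (not real products).
AV_DETECTORS: Dict[str, Detector] = {
    "AV-A": make_detector([
        frozenset({"process_inject"}),
        frozenset({"drop_payload", "registry_run_key"}),
    ]),
    "AV-B": make_detector([
        frozenset({"shadow_copy_delete"}),
        frozenset({"drop_payload", "scheduled_task"}),
        frozenset({"exfil_http", "process_inject"}),
    ]),
}


def run_campaign(chains: List[Chain],
                 detectors: Dict[str, Detector]) -> Dict[str, Dict[Chain, bool]]:
    """Run every chain against every AV; True means that AV flagged it."""
    return {name: {c: det(c) for c in chains} for name, det in detectors.items()}


def overall_efficacy(results: Dict[Chain, bool]) -> float:
    """Fraction of all chains one AV detected (general behavioral efficacy)."""
    return sum(results.values()) / len(results)


def per_procedure_efficacy(results: Dict[Chain, bool]) -> Dict[str, Tuple[int, int]]:
    """(detected, total) over the chains that contain each procedure.

    One plausible per-procedure metric (assumption; the paper's own definition
    is not on this page). A low ratio means many attack paths through that
    procedure stay open against this AV.
    """
    tally: Dict[str, List[int]] = {}
    for chain, hit in results.items():
        for proc in chain:
            counts = tally.setdefault(proc, [0, 0])
            counts[0] += int(hit)
            counts[1] += 1
    return {proc: (hits, total) for proc, (hits, total) in tally.items()}


def open_paths(campaign: Dict[str, Dict[Chain, bool]]) -> List[Chain]:
    """Chains that no AV in the campaign detected: the open attack paths."""
    names = list(campaign)
    return [c for c in campaign[names[0]] if not any(campaign[n][c] for n in names)]


if __name__ == "__main__":
    chains = generate_chains(PROCEDURES, max_len=3)
    campaign = run_campaign(chains, AV_DETECTORS)
    for av, res in campaign.items():
        print(f"{av}: overall {overall_efficacy(res):.2f}")
        for proc, (hits, total) in per_procedure_efficacy(res).items():
            print(f"  {proc:<20} {hits}/{total}")
    print("chains open against every AV:", len(open_paths(campaign)))
```

In a real campaign the detector would be the AV's verdict on an actually emulated sample rather than a rule lookup, and the per-procedure table is the part that tells you which procedures an engine never keys on (here AV-A scores 16/16 on chains containing process_inject but only 6/16 on chains containing exfil_http); the chains no AV flags are the open attack paths the abstract refers to.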