Towards a Methodical Evaluation of Antivirus Scans and Labels
2014; Springer Science+Business Media; Language: English
10.1007/978-3-319-05149-9_15
ISSN 1611-3349
Authors: Aziz Mohaisen, Omar Alrawi, Matthew D. Larson, Danny McPherson
Topic(s): Spam and Phishing Detection
Abstract: In recent years, researchers have relied heavily on labels provided by antivirus companies in establishing ground truth for applications and algorithms of malware detection, classification, and clustering. Furthermore, companies use those labels for guiding their mitigation and disinfection efforts. However, ironically, there is no prior systematic work that validates the performance of antivirus vendors, the reliability of those labels (or even detections), or how they affect the said applications. Equipped with malware samples of several malware families that are manually inspected and labeled, we pose the following questions: How do different antivirus scans perform relatively? How correct are the labels given by those scans? How consistent are AV scans among each other? Our answers to these questions reveal alarming results about the correctness, completeness, coverage, and consistency of the labels utilized by much existing research. We invite the research community to challenge the assumption of relying on antivirus scans and labels as a ground truth for evaluating malware analysis and classification techniques.