International Journal of Information Security

, Volume 14, Issue 4, pp 387–396 | Cite as

Investigating the detection capabilities of antiviruses under concurrent attacks

  • Mohammed I. Al-Saleh
  • Fatima M. AbuHjeela
  • Ziad A. Al-Sharif
Regular Contribution


Cyber security is a major concern of computing systems. Different security controls are developed to mitigate or prevent cyber attacks. Such controls include cryptography, firewalls, intrusion detection systems, access controls, and strong authentication. These controls mainly protect the secure-system properties: confidentiality, integrity, and availability. The Antivirus software (AV) is considered the last line of defense against variety of security threats. The AV maintains a database of virus signatures against which it checks data. Had a match occurred, the AV would have reacted to the threat. Given the importance of the AV, different attacking techniques have been developed to evade the AV detection and render it useless. In this paper, we want to check how the AV behaves under pressure. We make the AV extremely busy in order to bypass its detection. We test several commercial AVs against three scenarios: when data flow from the hard drive (HD) into the main memory (reading), when data flow from the main memory into the HD (writing), and when data flow through the network (sending and receiving). This paper shows that when the AV is overloaded, some malwares can evade detection (in the reading scenario) and enjoy the existence for much more time on the HD (in the writing scenario). Finally, we show that the AVs (or at least the ones we tested in this paper) do not check network data as long as they are not written to or read from the HD.


AV Concurrent attack Malware detection 


  1. 1.
    Al-Saleh, M., Espinoza, A., Crandall, J : Antivirus performance characterisation: system-wide view. Inf. Secur. IET 7(2), 126–133 (2013)Google Scholar
  2. 2.
    Al-Saleh, M.I.: The impact of the antivirus on the digital evidence. Int. J. Electron. Secur. Digit. Forensic 5(3/4), 229–240 (2013)CrossRefGoogle Scholar
  3. 3.
    Al-Saleh, M.I., Crandall, J.R.: Application-level reconnaissance: timing channel attacks against antivirus software. In: Proceedings of the 4th USENIX Conference on Large-Scale Exploits and Emergent Threats. LEET’11, pp. 9–9. USENIX Association, Berkeley (2011)Google Scholar
  4. 4.
    Bishop, M.: Computer Security: Art and Science. Addison-Wesley, Boston (2003)Google Scholar
  5. 5.
    Bishop, P., Bloomfield, R., Gashi, I., Stankovic, V: Diversity for security: a study with off-the-shelf antivirus engines. In: Software Reliability Engineering (ISSRE), 2011 IEEE 22nd International Symposium on, pp. 11–19. IEEE (2011)Google Scholar
  6. 6.
    Christiansen, M. : Bypassing Malware Defenses? SANS Institute InfoSec Reading Room, pp. 3–4 (2010)Google Scholar
  7. 7.
    Christodorescu, M., Jha, S.: Testing malware detectors. SIGSOFT Softw. Eng. Notes 29(4), 34–44 (2004)CrossRefGoogle Scholar
  8. 8.
    Daryabar, F., Dehghantanha, A., Broujerdi, H.G.: Investigation of malware defence and detection techniques. Int. J. Digit. Inf. Wirel. Commun. (IJDIWC) 1(3), 645–650 (2012)Google Scholar
  9. 9.
    Eisner, J.: Understanding Heuristics: Symantecs Bloodhound Technology. Symantec White Paper Series Volume XXXIV (1997)Google Scholar
  10. 10.
    Josse, S.: How to assess the effectiveness of your anti-virus? J. Comput. Virol. 2(1), 51–65 (2006)Google Scholar
  11. 11.
    Kojm, T.: Clamav (2004).
  12. 12.
    Lagadec, P.: Opendocument and open xml security (openoffice. org and ms office 2007). J. Comput. Virol. 4(2), 115–125 (2008)CrossRefGoogle Scholar
  13. 13.
    Lin, P.-C., Lin, Y.-D., Lai, Y.-C.: A hybrid algorithm of backward hashing and automaton tracking for virus scanning. IEEE Trans. Comput. 60, 594–601 (2011)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Meert, D., Teirlinckx, N.: Malware, from theory to practice (2012).
  15. 15.
    Miretskiy, Y., Das, A., Wright, C.P., Zadok, E.: Avfs: an on-access anti-virus file system. In: Proceedings of the 13th USENIX Security Symposium Security 2004, pp. 73–88. USENIX Association (2004)Google Scholar
  16. 16.
    Paul, N.R.: Disk-level behavioral malware detection. Doctoral dissertation, University of Virginia (2008)Google Scholar
  17. 17.
    Rad, B.B., Masrom, M., Ibrahim, S.: Evolution of computer virus concealment and anti-virus techniques: a short survey (2011). arXiv:1104.1070
  18. 18.
    Ramilli, M., Bishop, M.: Multi-stage delivery of malware. In: 2010 5th International Conference on Malicious and Unwanted Software (MALWARE), pp. 91–97. IEEE (2010)Google Scholar
  19. 19.
    Ramilli, M., Bishop, M., Sun, S.: Multiprocess malware. In: 2011 6th International Conference on Malicious and Unwanted Software (MALWARE), pp. 8–13. IEEE (2011)Google Scholar
  20. 20.
    Silberstein, M.: Designing a cam-based coprocessor for boosting performance of antivirus software. Technion technique report (2004)Google Scholar
  21. 21.
    Szor, P.: The Art of Computer Virus Research and Defense. Addison-Wesley Professional, Boston (2005)Google Scholar
  22. 22.
    Uluski, D., Moffie, M., Kaeli, D.: Characterizing antivirus workload execution. SIGARCH Comput. Archit. News 33, 90–98 (2005)CrossRefGoogle Scholar
  23. 23.
    Vasiliadis, G., Ioannidis, S.: Gravity: a massively parallel antivirus engine. In: Proceedings of the 13th International Conference on Recent Advances in Intrusion Detection, RAID’10, pp. 79–96. Springer, Berlin, Heidelberg (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Mohammed I. Al-Saleh
    • 1
  • Fatima M. AbuHjeela
    • 1
  • Ziad A. Al-Sharif
    • 2
  1. 1.Computer Science DepartmentJordan University of Science and TechnologyIrbidJordan
  2. 2.Software Engineering DepartmentJordan University of Science and TechnologyIrbidJordan

Personalised recommendations