On the Lack of Consensus in Anti-Virus Decisions: Metrics and Insights on Building Ground Truths of Android Malware
English
Hurier, Médéric[University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) >]
Allix, Kevin[University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC) >]
Klein, Jacques[University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC) >]
Le Traon, Yves[University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >]
2016
Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference
Springer
Lecture Notes in Computer Science; 9721
142--162
Yes
International
978-3-319-40666-4
13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
July 7-8, 2016
San Sebastian
Spain
[en] Android ; malware ; ground-truth
[en] There is generally a lack of consensus in Antivirus (AV) engines' decisions on a given sample. This challenges the building of authoritative ground-truth datasets. Instead, researchers and practitioners may rely on unvalidated approaches to build their ground truth, e.g., by considering decisions from a selected set of Antivirus vendors or by setting up a threshold number of positive detections before classifying a sample. Both approaches are biased, as they either implicitly rank AV products or implicitly consider that all AV decisions have equal weight. In this paper, we extensively investigate the lack of agreement among AV engines. To that end, we propose a set of metrics that quantitatively describe the different dimensions of this lack of consensus. We show how our metrics can bring important insights by using the detection results of 66 AV products on 2 million Android apps as a case study. Our analysis focuses not only on AV binary decisions but also on the notoriously hard problem of the labels that AVs associate with suspicious files, and allows us to highlight biases hidden in the collection of a malware ground truth, a foundation stone of any machine learning-based malware detection approach.
University of Luxembourg: Interdisciplinary Centre for Security, Reliability and Trust - SNT
FnR ; FNR5921289 > Jacques Klein > AndroMap > Static Analysis For Android Security: Building the Map of Android Inter-Application Communication > 01/04/2014 > 31/03/2017 > 2013