Date of Award
3-2024
Document Type
Thesis
Degree Name
Master of Science in Cyber Operations
Department
Department of Electrical and Computer Engineering
First Advisor
Scott R. Graham, PhD
Abstract
The early detection of malware across DoD networks is paramount when considering which AV engine to employ. This study explores malware detection latency across various AV providers over a 30-day period using VirusTotal’s platform. The analysis reveals an initial surge in detections, reaching approximately 60% within 24 hours. From days 3 to 20, detections steadily increase by 1-3 instances per day, peaking at 74% on the 20th day, followed by a slight decline. The research also highlights a significant difference in false positive rates between packed and non-packed non-malicious samples, emphasizing the impact of packing on AV engine scans. While obfuscation methods show limited impact on detection rates, they reveal distinct variations in false positives among different protection techniques. Examination of individual AV engines suggests potential file signature sharing, hinting at collaborative detection behaviors among certain providers. Overall, this research underscores detection timelines, false positives in packed non-malicious files, and nuanced behaviors of AV engines.
AFIT Designator
AFIT-ENG-MS-24-M-021
DTIC Accession Number
AD1318969
Recommended Citation
Morath, Aaron J., "Malware Detection and Signature Propagation: A Study on Anti-Virus Platforms" (2024). Theses and Dissertations. 7684.
https://scholar.afit.edu/etd/7684
Comments
A 12-month embargo was observed for posting this work on AFIT Scholar.
Distribution Statement A, Approved for Public Release. PA case number on file.