The malware author testing challenge

Anti-malware Testing Research (2014)

Abstract
Attackers regularly evaluate anti-malware software to see whether or not their malware will be detected. This attacker-driven anti-malware testing is something defenders would ideally want to limit. Given that anti-malware products must be widely distributed to be commercially viable, it is not feasible to prevent attackers from running them. Here we examine whether it may be possible to instead limit the effectiveness of attacker tests. Specifically, we present a game-theoretic model of anti-malware testing where detection timeliness and coverage are parameters that can be adjusted by anti-malware providers. The less coverage and the slower the response, the harder it is for attackers to determine whether their malware will be detected, and the less protection the software provides to hosts running the anti-malware software. While our results are preliminary, they suggest that it is clearly non-optimal for anti-malware vendors to simply maximize coverage and detection time. As we explain, this result has significant implications for product design and (non-malicious) anti-malware testing methodologies.
Keywords
invasive software, product design, antimalware products, antimalware software, attacker-driven antimalware testing, detection coverage, detection timeliness, game-theoretic model, malware author testing challenge, game theory, testing, games, malware