Rank-1 Similarity Matrix Decomposition For Modeling Changes in Antivirus Consensus Through Time
Date
2021-12-28
Rights
This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Attribution 4.0 International (CC BY 4.0)
Abstract
Although groups of strongly correlated antivirus engines are known to exist, at present there is limited understanding of how or why these correlations came to be. Using a corpus of 25 million VirusTotal reports representing over a decade of antivirus scan data, we challenge prevailing wisdom that these correlations primarily originate from "first-order" interactions such as antivirus vendors copying the labels of leading vendors. We introduce the Temporal Rank-1 Similarity Matrix decomposition (R1SM-T) in order to investigate the origins of these correlations and to model how consensus amongst antivirus engines changes over time. We reveal that first-order interactions do not explain as much behavior in antivirus correlation as previously thought, and that the relationships between antivirus engines are highly volatile. We make recommendations on items in need of future study and consideration based on our findings.