Rank-1 Similarity Matrix Decomposition For Modeling Changes in Antivirus Consensus Through Time

TL;DR

This paper introduces a new method, R1SM-T, to analyze how antivirus engine consensus evolves over time, revealing that correlations are more volatile and less driven by direct copying than previously believed.

Contribution

The paper presents the R1SM-T model, a novel approach to understanding the origins and dynamics of antivirus engine correlations over a decade.

Findings

First-order interactions explain less correlation behavior than assumed.

Antivirus engine relationships are highly volatile over time.

Recommendations for future research on antivirus consensus dynamics.

Abstract

Although groups of strongly correlated antivirus engines are known to exist, at present there is limited understanding of how or why these correlations came to be. Using a corpus of 25 million VirusTotal reports representing over a decade of antivirus scan data, we challenge prevailing wisdom that these correlations primarily originate from "first-order" interactions such as antivirus vendors copying the labels of leading vendors. We introduce the Temporal Rank-1 Similarity Matrix decomposition (R1SM-T) in order to investigate the origins of these correlations and to model how consensus amongst antivirus engines changes over time. We reveal that first-order interactions do not explain as much behavior in antivirus correlation as previously thought, and that the relationships between antivirus engines are highly volatile. We make recommendations on items in need of future study and consideration based on our findings.