Measuring and Detecting Malware Downloads in Live Network Traffic

Vadrevu, Phani; Rahbarinia, Babak; Perdisci, Roberto; Li, Kang; Antonakakis, Manos

doi:10.1007/978-3-642-40203-6_31

Cited by 33 publications

(22 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Other papers extract network-related inputs by monitoring the network and analysing incoming and outgoing traffic [66,24,41]. A complementary approach consists in analysing download patterns of network users in a monitored network [22]. It does not require sample execution and focuses on network features related to the download of a sample, such as the website from which the file has been downloaded.…”

Section: Portable Executable Featuresmentioning

confidence: 99%

Survey of machine learning techniques for malware analysis

Ucci

Aniello

Baldoni

2019

Computers & Security

397

189

View full text Add to dashboard Cite

Coping with malware is getting more and more challenging, given their relentless growth in complexity and volume. One of the most common approaches in literature is using machine learning techniques, to automatically learn models and patterns behind such complexity, and to develop technologies to keep pace with malware evolution. This survey aims at providing an overview on the way machine learning has been used so far in the context of malware analysis in Windows environments, i.e. for the analysis of Portable Executables. We systematize surveyed papers according to their objectives (i.e., the expected output), what information about malware they specifically use (i.e., the features), and what machine learning techniques they employ (i.e., what algorithm is used to process the input and produce the output). We also outline a number of issues and challenges, including those concerning the used datasets, and identify the main current topical trends and how to possibly advance them. In particular, we introduce the novel concept of malware analysis economics, regarding the study of existing trade-offs among key metrics, such as analysis accuracy and economical costs.

show abstract

Section: Portable Executable Featuresmentioning

confidence: 99%

Survey of machine learning techniques for malware analysis

Ucci

Aniello

Baldoni

2019

Computers & Security

397

189

View full text Add to dashboard Cite

show abstract

“…Protecting Systems and Networks. Numerous alternatives to blacklists and anti-viruses were proposed to help protect networked systems (e.g., [32,33,40,56,57,62,63,67,82,83,91]). For instance, Gu et al proposed techniques to detect bots within networks [32,33].…”

Section: Related Workmentioning

confidence: 99%

Predicting Impending Exposure to Malicious Content from User Behavior

Sharif

Urakawa

Christin

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Many computer-security defenses are reactive-they operate only when security incidents take place, or immediately thereafter. Recent efforts have attempted to predict security incidents before they occur, to enable defenders to proactively protect their devices and networks. These efforts have primarily focused on long-term predictions. We propose a system that enables proactive defenses at the level of a single browsing session. By observing user behavior, it can predict whether they will be exposed to malicious content on the web seconds before the moment of exposure, thus opening a window of opportunity for proactive defenses. We evaluate our system using three months' worth of HTTP traffic generated by 20,645 users of a large cellular provider in 2017 and show that it can be helpful, even when only very low false positive rates are acceptable, and despite the difficulty of making "on-the-fly" predictions. We also engage directly with the users through surveys asking them demographic and security-related questions, to evaluate the utility of self-reported data for predicting exposure to malicious content. We find that self-reported data can help forecast exposure risk over long periods of time. However, even on the long-term, self-reported data is not as crucial as behavioral measurements to accurately predict exposure. CCS CONCEPTS• Security and privacy → Network security; Human and societal aspects of security and privacy; • Computing methodologies → Neural networks; KEYWORDS Exposure prediction; network security; proactive security ACM Reference Format:

show abstract

“…This is in contrast with previous works, which attempt to detect malware downloads based primarily on features derived from network traffic [12,19,22] or that only consider the "relationships" between machines and files [8]. In addition, unlike [19], our system is not limited to detecting browser-initiated malware downloads (e.g., via drive-by and social engineering attacks), and instead aims to detect any malware download, including malware updates, second-stage malware drops, pay-perinstall malware downloads, etc.…”

Section: Introductionmentioning

confidence: 72%

“…AMICO [22] and Google's CAMP [19] distinguish between benign and malicious files by reasoning on the download behavior of client machines. However, we identify several fundamental differences with our work.…”

Section: Related Workmentioning

confidence: 99%

Real-Time Detection of Malware Downloads via Large-Scale URL->File->Machine Graph Mining

Rahbarinia

Balduzzi²,

Perdisci

2016

Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

In this paper we propose Mastino, a novel defense system to detect malware download events. A download event is a 3-tuple that identifies the action of downloading a file from a URL that was triggered by a client (machine). Mastino utilizes global situation awareness and continuously monitors various network-and system-level events of the clients' machines across the Internet and provides real time classification of both files and URLs to the clients upon submission of a new, unknown file or URL to the system. To enable detection of the download events, Mastino builds a large download graph that captures the subtle relationships among the entities of download events, i.e. files, URLs, and machines. We implemented a prototype version of Mastino and evaluated it in a large-scale real-world deployment. Our experimental evaluation shows that Mastino can accurately classify malware download events with an average of 95.5% true positive (TP), while incurring less than 0.5% false positives (FP). In addition, we show the Mastino can classify a new download event as either benign or malware in just a fraction of a second, and is therefore suitable as a real time defense system.

show abstract

Measuring and Detecting Malware Downloads in Live Network Traffic

Cited by 33 publications

References 7 publications

Survey of machine learning techniques for malware analysis

Survey of machine learning techniques for malware analysis

Predicting Impending Exposure to Malicious Content from User Behavior

Real-Time Detection of Malware Downloads via Large-Scale URL->File->Machine Graph Mining

Contact Info

Product

Resources

About