Difference between revisions of "Measuring and detecting malware downloads in live network traffic"
(Created page with "{{Publication |Year=2013 |Author=Manos Antonakakis, Phani Vadrevu, Babak Rahbarinia, Roberto Perdisci, Kang Li, |Type=Scientific paper |Abstract=In this paper, we present AMIC...") |
|||
| Line 1: | Line 1: | ||
{{Publication | {{Publication | ||
|Year=2013 | |Year=2013 | ||
|Editor=ESORICS | |||
|Link=http://www.perdisci.com/publications/publication-files/amico.pdf | |||
|Author=Manos Antonakakis, Phani Vadrevu, Babak Rahbarinia, Roberto Perdisci, Kang Li, | |Author=Manos Antonakakis, Phani Vadrevu, Babak Rahbarinia, Roberto Perdisci, Kang Li, | ||
|Type=Scientific paper | |Type=Scientific paper | ||
|Abstract=In this paper, we present AMICO, a novel system for measuring and detecting malware downloads in live web traffic. AMICO | |Abstract=In this paper, we present AMICO, a novel system for measuring and detecting malware downloads in live web traffic. AMICO learns to distinguish between malware and benign file downloads from the download behavior of the network users themselves. Given a labeled dataset of past benign and malware file downloads, AMICO learns a provenance classifier that can accurately detect future malware downloads based on information about where the downloads originated from. The main intuition is that to avoid current countermeasures, malware campaigns need to use an “agile” distribution infrastructure, e.g., frequently changing the domains and/or IPs of the malware download servers. We engineer a number of statistical features that aim to capture these fundamental characteristics of malware distribution campaigns. | ||
learns to distinguish between malware and benign file downloads from the download behavior of the network users themselves. Given a labeled dataset of past benign and malware file downloads, AMICO learns a provenance classifier that can accurately detect future malware downloads based on information about where the downloads originated from. The main intuition is that to avoid current countermeasures, malware campaigns need to use an “agile” distribution infrastructure, e.g., frequently changing the domains and/or IPs of the malware download servers. We engineer a number of statistical features that aim to capture these fundamental characteristics of malware distribution campaigns. We have deployed AMICO at the edge of a large academic network for almost nine months, where we continuously witness hundreds of new malware downloads per week, including many zero-days. We show that AMICO is able to accurately detect malware downloads with up to 90% true positives at a false positives rate of 0.1% and can detect zero-day malware downloads, thus providing an effective way to complement current malware detection tools. | |||
We have deployed AMICO at the edge of a large academic network for almost nine months, where we continuously witness hundreds of new malware downloads per week, including many zero-days. We show that AMICO is able to accurately detect malware downloads with up to 90% true positives at a false positives rate of 0.1% and can detect zero-day malware downloads, thus providing an effective way to complement current malware detection tools. | |||
}} | }} | ||
Latest revision as of 00:12, 20 February 2015
(Publication) Google search: [1]
| Measuring and detecting malware downloads in live network traffic | |
|---|---|
| Botnet | |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2013 / |
| Editor/Conference | ESORICS |
| Link | http://www.perdisci.com/publications/publication-files/amico.pdf (Archive copy) |
| Author | Manos Antonakakis, Phani Vadrevu, Babak Rahbarinia, Roberto Perdisci, Kang Li |
| Type | Scientific paper |
Abstract
“ In this paper, we present AMICO, a novel system for measuring and detecting malware downloads in live web traffic. AMICO learns to distinguish between malware and benign file downloads from the download behavior of the network users themselves. Given a labeled dataset of past benign and malware file downloads, AMICO learns a provenance classifier that can accurately detect future malware downloads based on information about where the downloads originated from. The main intuition is that to avoid current countermeasures, malware campaigns need to use an “agile” distribution infrastructure, e.g., frequently changing the domains and/or IPs of the malware download servers. We engineer a number of statistical features that aim to capture these fundamental characteristics of malware distribution campaigns.
We have deployed AMICO at the edge of a large academic network for almost nine months, where we continuously witness hundreds of new malware downloads per week, including many zero-days. We show that AMICO is able to accurately detect malware downloads with up to 90% true positives at a false positives rate of 0.1% and can detect zero-day malware downloads, thus providing an effective way to complement current malware detection tools.
Bibtex
@article{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2013BFR1534,
editor = {ESORICS},
author = {Manos Antonakakis, Phani Vadrevu, Babak Rahbarinia, Roberto Perdisci, Kang Li},
title = {Measuring and detecting malware downloads in live network traffic},
date = {18},
month = May,
year = {2013},
howpublished = {\url{http://www.perdisci.com/publications/publication-files/amico.pdf}},
}