Measuring and detecting malware downloads in live network traffic

(Publication) Google search: [1]

Abstract

“ In this paper, we present AMICO, a novel system for measuring and detecting malware downloads in live web traffic. AMICO

learns to distinguish between malware and benign file downloads from the download behavior of the network users themselves. Given a labeled dataset of past benign and malware file downloads, AMICO learns a provenance classifier that can accurately detect future malware downloads based on information about where the downloads originated from. The main intuition is that to avoid current countermeasures, malware campaigns need to use an “agile” distribution infrastructure, e.g., frequently changing the domains and/or IPs of the malware download servers. We engineer a number of statistical features that aim to capture these fundamental characteristics of malware distribution campaigns. We have deployed AMICO at the edge of a large academic network for almost nine months, where we continuously witness hundreds of new malware downloads per week, including many zero-days. We show that AMICO is able to accurately detect malware downloads with up to 90% true positives at a false positives rate of 0.1% and can detect zero-day malware downloads, thus providing an effective way to complement current malware detection tools.

Bibtex

 @article{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2013BFR1534,
   editor = {},
   author = {Manos Antonakakis, Phani Vadrevu, Babak Rahbarinia, Roberto Perdisci, Kang Li},
   title = {Measuring and detecting malware downloads in live network traffic},
   date = {18},
   month = May,
   year = {2013},
   howpublished = {\url{}},
 }