Real-Time Detection of Malware Downloads via Large-Scale URL->File->Machine Graph Mining

Title: Real-Time Detection of Malware Downloads via Large-Scale URL->File->Machine Graph Mining
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Rahbarinia, Babak; Balduzzi, Marco; Perdisci, Roberto
Conference Name: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4233-9
Keywords: composability, cyber physical systems, False Data Detection, graph mining, Human Behavior, machine learning, malware detection, pubcrawl, Resiliency

In this paper we propose Mastino, a novel defense system to detect malware download events. A download event is a 3-tuple that identifies the action of downloading a file from a URL, triggered by a client (machine). Mastino utilizes global situation awareness: it continuously monitors various network- and system-level events on clients' machines across the Internet and provides real-time classification of both files and URLs to the clients upon submission of a new, unknown file or URL to the system. To enable detection of download events, Mastino builds a large download graph that captures the subtle relationships among the entities of download events, i.e., files, URLs, and machines. We implemented a prototype version of Mastino and evaluated it in a large-scale real-world deployment. Our experimental evaluation shows that Mastino can accurately classify malware download events with an average of 95.5% true positives (TP), while incurring less than 0.5% false positives (FP). In addition, we show that Mastino can classify a new download event as either benign or malware in just a fraction of a second, and is therefore suitable as a real-time defense system.

Citation Key: rahbarinia_real-time_2016