Content-Agnostic Malware Detection in Heterogeneous Malicious Distribution Graph

Ibrahim Alabdulmohsin, Yufei Han, Yun Shen, Xiangliang Zhang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

8 Scopus citations

Abstract

Malware detection has been widely studied by analysing either file dropping relationships or characteristics of the file distribution network. This paper, for the first time, studies a global heterogeneous malware delivery graph that fuses file dropping relationships with the topology of the file distribution network. The integration offers a unique ability to structure the end-to-end distribution relationship. However, it yields large heterogeneous graphs to analyse. In our study, an average daily generated graph has more than 4 million edges and 2.7 million nodes that differ in type, such as IPs, URLs, and files. We propose a novel Bayesian label propagation model to unify the multi-source information, including content-agnostic features of different node types and topological information of the heterogeneous network. Our approach does not need to examine source code or inspect the dynamic behaviour of a binary. Instead, it estimates the maliciousness of a given file through a semi-supervised label propagation procedure, which has linear time complexity w.r.t. the number of nodes and edges. The evaluation on 567 million real-world download events validates that our proposed approach efficiently detects malware with high accuracy. © 2016 Copyright held by the owner/author(s).
Original language: English (US)
Title of host publication: Proceedings of the 25th ACM International on Conference on Information and Knowledge Management - CIKM '16
Publisher: Association for Computing Machinery (ACM)
Pages: 2395-2400
Number of pages: 6
ISBN (Print): 9781450340731
State: Published - Oct 26 2016
