Research article. DOI: 10.1145/2413296.2413302 (NSPW conference proceedings)

Beyond the blacklist: modeling malware spread and the effect of interventions

Published: 18 September 2012

Abstract

Malware spread among websites and between websites and clients is an increasing problem. Search engines play an important role in directing users to websites and are a natural control point for intervening using mechanisms such as blacklisting. The paper presents a simple Markov model of malware spread through large populations of websites and studies the effect of two interventions that might be deployed by a search provider: blacklisting infected web pages by removing them from search results entirely and a generalization of blacklisting, called depreferencing, in which a website's ranking is decreased by a fixed percentage each time period the site remains infected. We analyze and study the trade-offs between infection exposure and traffic loss due to false positives (the cost to a website that is incorrectly blacklisted) for different interventions. As expected, we find that interventions are most effective when websites are slow to remove infections. Surprisingly, we also find that low infection or recovery rates can increase traffic loss due to false positives. Our analysis also shows that heavy-tailed distributions of website popularity, as documented in many studies, lead to high sample variance of all measured outcomes. This result implies that it will be difficult to determine empirically whether certain website interventions are effective, and it suggests that theoretical models such as the one described in this paper have an important role to play in improving web security.
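The model the abstract describes (sites that become infected and recover at fixed per-period rates, a search provider that either blacklists or depreferences flagged sites, and outcomes measured as infection exposure against traffic lost to false positives) can be sketched as a small discrete-time simulation. The Python below is an added illustration written for this page, not the paper's model or code. The parameter values, the detector abstraction (a fixed true-positive and false-positive rate per period), Pareto-distributed popularity with the tail index shown, and the rule that a depreferenced site regains its full ranking as soon as it stops being flagged are all assumptions made for the example.

```python
"""Toy discrete-time model of search-engine interventions against infected sites.

Added illustration only: this is not the paper's model or code, and every
parameter value below is an assumption chosen for the example.
"""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Params:
    n_sites: int = 200
    periods: int = 100
    p_infect: float = 0.02    # per-period chance a clean site gets infected
    p_recover: float = 0.10   # per-period chance an infected site is cleaned
    tpr: float = 0.90         # detector flags an infected site with this prob.
    fpr: float = 0.01         # detector flags a clean site with this prob.
    alpha: float = 1.2        # Pareto tail index of site popularity (assumed)
    seed: int = 1


def pareto_popularity(n, alpha, rng):
    """Heavy-tailed traffic shares: Pareto samples normalised to sum to 1."""
    raw = [rng.paretovariate(alpha) for _ in range(n)]
    total = sum(raw)
    return [x / total for x in raw]


def simulate_trajectory(p, rng):
    """Per-period (infected, flagged) lists for every site.

    Drawn once, independently of any intervention, so that the policies
    below are compared on identical infection and detection histories.
    """
    infected = [False] * p.n_sites
    traj = []
    for _ in range(p.periods):
        for i in range(p.n_sites):
            if infected[i]:
                if rng.random() < p.p_recover:
                    infected[i] = False
            elif rng.random() < p.p_infect:
                infected[i] = True
        flagged = [rng.random() < (p.tpr if inf else p.fpr) for inf in infected]
        traj.append((list(infected), flagged))
    return traj


def sample(p):
    """One (popularity, trajectory) draw, fully determined by p.seed."""
    rng = random.Random(p.seed)
    return pareto_popularity(p.n_sites, p.alpha, rng), simulate_trajectory(p, rng)


def evaluate(traj, popularity, policy, depref=0.5):
    """Return (exposure, fp_loss) for one policy on a fixed trajectory.

    exposure: traffic share sent to infected sites, summed over periods.
    fp_loss:  traffic share withheld from clean sites, summed over periods.
    policy:   'none', 'blacklist' (a flagged site gets no search traffic) or
              'depreference' (traffic cut by the fraction `depref` for each
              consecutive period the flag persists; assumed to recover fully
              once the flag clears).
    """
    n = len(popularity)
    weight = [1.0] * n          # fraction of normal traffic still delivered
    exposure = fp_loss = 0.0
    for infected, flagged in traj:
        for i in range(n):
            if policy == 'none':
                weight[i] = 1.0
            elif policy == 'blacklist':
                weight[i] = 0.0 if flagged[i] else 1.0
            elif policy == 'depreference':
                weight[i] = weight[i] * (1.0 - depref) if flagged[i] else 1.0
            else:
                raise ValueError(f'unknown policy {policy!r}')
            served = popularity[i] * weight[i]
            if infected[i]:
                exposure += served
            else:
                fp_loss += popularity[i] - served
    return exposure, fp_loss


def run(p=Params(), trials=20, depref=0.5):
    """Mean and sample standard deviation of each outcome per policy.

    Each trial redraws both the popularity vector and the trajectory, so the
    spread across trials includes the effect of the heavy-tailed popularity.
    """
    policies = ('none', 'blacklist', 'depreference')
    outcomes = {pol: [] for pol in policies}
    for t in range(trials):
        pop, traj = sample(replace(p, seed=p.seed + t))
        for pol in policies:
            outcomes[pol].append(evaluate(traj, pop, pol, depref))
    summary = {}
    for pol, runs in outcomes.items():
        for k, name in enumerate(('exposure', 'fp_loss')):
            xs = [r[k] for r in runs]
            mean = sum(xs) / len(xs)
            var = sum((x - mean) ** 2 for x in xs) / max(len(xs) - 1, 1)
            summary[(pol, name)] = (mean, var ** 0.5)
    return summary


if __name__ == '__main__':
    for (pol, name), (mean, sd) in sorted(run().items()):
        print(f'{pol:13s} {name:9s} mean={mean:8.3f}  sd={sd:7.3f}')
```

Running the script prints, for each policy, the mean and sample standard deviation over 20 trials of both outcomes. Because the trajectory is drawn before any policy is applied, the three policies are scored on the same infection and detection history, which is what makes the comparison fair: blacklisting drives exposure to zero only when detection is perfect, and any false positive shows up directly as traffic withheld from a clean site. To see how much of the spread across trials comes from the heavy tail alone, swap pareto_popularity for a uniform vector and rerun.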




Published In

NSPW '12: Proceedings of the 2012 New Security Paradigms Workshop
September 2012
162 pages
ISBN:9781450317948
DOI:10.1145/2413296
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • ACSA: Applied Computing Security Assoc


Publisher

Association for Computing Machinery

New York, NY, United States



Author Tags

  1. drive-by-downloads
  2. graduated response
  3. malware
  4. modeling
  5. search
  6. web security

Qualifiers

  • Research-article

Conference

NSPW '12
Sponsor:
  • ACSA
NSPW '12: The New Security Paradigms Workshop
September 18 - 21, 2012
Bertinoro, Italy

Acceptance Rates

Overall Acceptance Rate 98 of 265 submissions, 37%

Article Metrics

  • Downloads (Last 12 months)12
  • Downloads (Last 6 weeks)0
Reflects downloads up to 16 Feb 2025


Cited By

  • (2022) Detecting Malware Activity Using Public Search Data. 2022 IEEE International Conference on Big Data (Big Data), pp. 2997-3006. DOI 10.1109/BigData55660.2022.10020883. Published 17 Dec 2022.
  • (2017) Abuse Reporting and the Fight Against Cybercrime. ACM Computing Surveys 49(4):1-27. DOI 10.1145/3003147. Published 2 Jan 2017.
  • (2017) Mixing Coins of Different Quality: A Game-Theoretic Approach. Financial Cryptography and Data Security, pp. 280-297. DOI 10.1007/978-3-319-70278-0_18. Published 19 Nov 2017.
  • (2016) Hype and heavy tails: A closer look at data breaches. Journal of Cybersecurity 2(1):3-14. DOI 10.1093/cybsec/tyw003. Published 27 Dec 2016.
  • (2015) Analyzing and Modeling Longitudinal Security Data. Proceedings of the 31st Annual Computer Security Applications Conference, pp. 391-400. DOI 10.1145/2818000.2818010. Published 7 Dec 2015.
  • (2015) Scripting the crime commission process in the illicit online prescription drug trade. Journal of Cybersecurity, article tyv006. DOI 10.1093/cybsec/tyv006. Published 10 Nov 2015.
  • (2013) A mathematical exploitation of simulated uniform scanning botnet propagation dynamics for early stage detection and management. Journal of Computer Virology and Hacking Techniques 10(1):29-51. DOI 10.1007/s11416-013-0190-7. Published 27 Aug 2013.
