Technological and Human Factors of Malware Attacks: A Computer Security Clinical Trial Approach

Published: 12 July 2018

Abstract

The success (or failure) of malware attacks depends upon both technological and human factors. The most security-conscious users are susceptible to unknown vulnerabilities, and even the best security mechanisms can be circumvented as a result of user actions. Although there has been significant research on the technical aspects of malware attacks and defence, there has been much less research on how users interact with both malware and current malware defences.
This article describes a field study designed to examine the interactions between users, antivirus (AV) software, and malware as they occur on deployed systems. In a fashion similar to medical studies that evaluate the efficacy of a particular treatment, our experiment aimed to assess the performance of AV software and the human risk factors of malware attacks. The 4-month study involved 50 home users who agreed to use laptops that were instrumented to monitor for possible malware attacks and gather data on user behaviour. This study provided some very interesting, non-intuitive insights into the efficacy of AV software and human risk factors. AV performance was found to be lower under real-life conditions compared to tests conducted in controlled conditions. Moreover, computer expertise, volume of network usage, and peer-to-peer activity were found to be significant correlates of malware attacks. We assert that this work shows the viability and the merits of evaluating security products, techniques, and strategies to protect systems through long-term field studies with greater ecological validity than can be achieved through other means.

Published In

ACM Transactions on Privacy and Security, Volume 21, Issue 4
November 2018
142 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3232648
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Accepted: 01 April 2018
Received: 01 October 2017
Published in TOPS Volume 21, Issue 4

Author Tags

  1. Computer security
  2. antivirus
  3. clinical trial
  4. malware
  5. risk factors

Qualifiers

  • Research-article
  • Research
  • Refereed

Cited By

  • (2025) Conceptual inconsistencies in variable definitions and measurement items within ISP non-/compliance research: A systematic literature review. Computers & Security 152, 104365. DOI: 10.1016/j.cose.2025.104365. Online publication date: May 2025.
  • (2024) A Case-Control Study to Measure Behavioral Risks of Malware Encounters in Organizations. IEEE Transactions on Information Forensics and Security 19, 9419-9432. DOI: 10.1109/TIFS.2024.3456960. Online publication date: 1 Jan 2024.
  • (2024) The Practical Requirements of a Malware Training Platform Tailored to Industry and Education. 2024 11th International Conference on Future Internet of Things and Cloud (FiCloud), 27-31. DOI: 10.1109/FiCloud62933.2024.00013. Online publication date: 19 Aug 2024.
  • (2024) Position: The Explainability Paradox - Challenges for XAI in Malware Detection and Analysis. 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 554-561. DOI: 10.1109/EuroSPW61312.2024.00067. Online publication date: 8 Jul 2024.
  • (2024) Is cyber hygiene a remedy to IPTV infringement? A study of online streaming behaviours and cyber security practices. International Journal of Information Security 23, 3, 1913-1926. DOI: 10.1007/s10207-024-00824-0. Online publication date: 1 Jun 2024.
  • (2023) Malware victimisation and organisational survival: A multi-method exploration of emerging market. Journal of Governance and Regulation 12, 3 (special issue), 377-388. DOI: 10.22495/jgrv12i3siart19. Online publication date: 28 Sep 2023.
  • (2023) Detection of Fraudulent Entities in Ethereum Cryptocurrency: A Boosting-based Machine Learning Approach. GLOBECOM 2023 - 2023 IEEE Global Communications Conference, 6444-6449. DOI: 10.1109/GLOBECOM54140.2023.10437184. Online publication date: 4 Dec 2023.
  • (2023) Explaining cybercrime victimization using a longitudinal population-based survey experiment. Are personal characteristics, online routine activities, and actual self-protective online behavior related to future cybercrime victimization? Journal of Crime and Justice, 1-20. DOI: 10.1080/0735648X.2023.2222719. Online publication date: 13 Jun 2023.
  • (2023) Maaker: A framework for detecting and defeating evasion techniques in Android malware. Journal of Information Security and Applications 78, 103617. DOI: 10.1016/j.jisa.2023.103617. Online publication date: Nov 2023.
  • (2023) Indicators of employee phishing email behaviours: Intuition, elaboration, attention, and email typology. International Journal of Human-Computer Studies 172, 102996. DOI: 10.1016/j.ijhcs.2023.102996. Online publication date: Apr 2023.
