Marmite: Spreading malicious file reputation through download graphs

Gianluca Stringhini; Yun Shen; Yufei Han; Xiangliang Zhang

doi:10.1145/3134600.3134604

Marmite: Spreading malicious file reputation through download graphs

Gianluca Stringhini, Yun Shen, Yufei Han, Xiangliang Zhang

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

23 Scopus citations

Abstract

Effective malware detection approaches need not only high accuracy, but also need to be robust to changes in the modus operandi of criminals. In this paper, we propose Marmite, a feature-Agnostic system that aims at propagating known malicious reputation of certain files to unknown ones with the goal of detecting malware. Marmite does this by looking at a graph that encapsulates a comprehensive view of how files are downloaded (by which hosts and from which servers) on a global scale. The reputation of files is then propagated across the graph using semi-supervised label propagation with Bayesian confidence. We show that Marmite is able to reach high accuracy (0.94 G-mean on average) over a 10-day dataset of 200 million download events. We also demonstrate that Marmite's detection capabilities do not significantly degrade over time, by testing our system on a 30-day dataset of 660 million download events collected six months after the system was tuned and validated. Marmite still maintains a similar accuracy after this period of time.

Original language	English (US)
Title of host publication	Proceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017
Publisher	Association for Computing Machinery (ACM)
Pages	91-102
Number of pages	12
ISBN (Electronic)	9781450353458
DOIs	https://doi.org/10.1145/3134600.3134604
State	Published - Dec 4 2017
Event	33rd Annual Computer Security Applications Conference, ACSAC 2017 - Orlando, United States Duration: Dec 4 2017 → Dec 8 2017

Publication series

Name	ACM International Conference Proceeding Series
Volume	Part F132521

Conference

Conference	33rd Annual Computer Security Applications Conference, ACSAC 2017
Country/Territory	United States
City	Orlando
Period	12/4/17 → 12/8/17

Bibliographical note

KAUST Repository Item: Exported on 2020-10-01
Acknowledgements: We would like to thank the anonymous reviewers for their feedback, and our shepherd Christian Rossow for his help in improving the final version of this paper. This work was supported by UCL through a BEAMS Future Leaders in Engineering and Physical Sciences Award and by the EPSRC under grant EP/N008448/1.

ASJC Scopus subject areas

Software
Human-Computer Interaction
Computer Vision and Pattern Recognition
Computer Networks and Communications

Access to Document

10.1145/3134600.3134604

Cite this

Stringhini, G., Shen, Y., Han, Y., & Zhang, X. (2017). Marmite: Spreading malicious file reputation through download graphs. In Proceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017 (pp. 91-102). (ACM International Conference Proceeding Series; Vol. Part F132521). Association for Computing Machinery (ACM). https://doi.org/10.1145/3134600.3134604

@inproceedings{2fcc4f0ee54d4f4ba10d61f8a7a2f5c0,

title = "Marmite: Spreading malicious file reputation through download graphs",

abstract = "Effective malware detection approaches need not only high accuracy, but also need to be robust to changes in the modus operandi of criminals. In this paper, we propose Marmite, a feature-Agnostic system that aims at propagating known malicious reputation of certain files to unknown ones with the goal of detecting malware. Marmite does this by looking at a graph that encapsulates a comprehensive view of how files are downloaded (by which hosts and from which servers) on a global scale. The reputation of files is then propagated across the graph using semi-supervised label propagation with Bayesian confidence. We show that Marmite is able to reach high accuracy (0.94 G-mean on average) over a 10-day dataset of 200 million download events. We also demonstrate that Marmite's detection capabilities do not significantly degrade over time, by testing our system on a 30-day dataset of 660 million download events collected six months after the system was tuned and validated. Marmite still maintains a similar accuracy after this period of time.",

author = "Gianluca Stringhini and Yun Shen and Yufei Han and Xiangliang Zhang",

note = "KAUST Repository Item: Exported on 2020-10-01 Acknowledgements: We would like to thank the anonymous reviewers for their feedback, and our shepherd Christian Rossow for his help in improving the final version of this paper. This work was supported by UCL through a BEAMS Future Leaders in Engineering and Physical Sciences Award and by the EPSRC under grant EP/N008448/1.; 33rd Annual Computer Security Applications Conference, ACSAC 2017 ; Conference date: 04-12-2017 Through 08-12-2017",

year = "2017",

month = dec,

day = "4",

doi = "10.1145/3134600.3134604",

language = "English (US)",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery (ACM)",

pages = "91--102",

booktitle = "Proceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017",

address = "United States",

}

Stringhini, G, Shen, Y, Han, Y & Zhang, X 2017, Marmite: Spreading malicious file reputation through download graphs. in Proceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017. ACM International Conference Proceeding Series, vol. Part F132521, Association for Computing Machinery (ACM), pp. 91-102, 33rd Annual Computer Security Applications Conference, ACSAC 2017, Orlando, United States, 12/4/17. https://doi.org/10.1145/3134600.3134604

Marmite: Spreading malicious file reputation through download graphs. / Stringhini, Gianluca; Shen, Yun; Han, Yufei et al.
Proceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017. Association for Computing Machinery (ACM), 2017. p. 91-102 (ACM International Conference Proceeding Series; Vol. Part F132521).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Marmite

T2 - 33rd Annual Computer Security Applications Conference, ACSAC 2017

AU - Stringhini, Gianluca

AU - Shen, Yun

AU - Han, Yufei

AU - Zhang, Xiangliang

N1 - KAUST Repository Item: Exported on 2020-10-01 Acknowledgements: We would like to thank the anonymous reviewers for their feedback, and our shepherd Christian Rossow for his help in improving the final version of this paper. This work was supported by UCL through a BEAMS Future Leaders in Engineering and Physical Sciences Award and by the EPSRC under grant EP/N008448/1.

PY - 2017/12/4

Y1 - 2017/12/4

N2 - Effective malware detection approaches need not only high accuracy, but also need to be robust to changes in the modus operandi of criminals. In this paper, we propose Marmite, a feature-Agnostic system that aims at propagating known malicious reputation of certain files to unknown ones with the goal of detecting malware. Marmite does this by looking at a graph that encapsulates a comprehensive view of how files are downloaded (by which hosts and from which servers) on a global scale. The reputation of files is then propagated across the graph using semi-supervised label propagation with Bayesian confidence. We show that Marmite is able to reach high accuracy (0.94 G-mean on average) over a 10-day dataset of 200 million download events. We also demonstrate that Marmite's detection capabilities do not significantly degrade over time, by testing our system on a 30-day dataset of 660 million download events collected six months after the system was tuned and validated. Marmite still maintains a similar accuracy after this period of time.

AB - Effective malware detection approaches need not only high accuracy, but also need to be robust to changes in the modus operandi of criminals. In this paper, we propose Marmite, a feature-Agnostic system that aims at propagating known malicious reputation of certain files to unknown ones with the goal of detecting malware. Marmite does this by looking at a graph that encapsulates a comprehensive view of how files are downloaded (by which hosts and from which servers) on a global scale. The reputation of files is then propagated across the graph using semi-supervised label propagation with Bayesian confidence. We show that Marmite is able to reach high accuracy (0.94 G-mean on average) over a 10-day dataset of 200 million download events. We also demonstrate that Marmite's detection capabilities do not significantly degrade over time, by testing our system on a 30-day dataset of 660 million download events collected six months after the system was tuned and validated. Marmite still maintains a similar accuracy after this period of time.

UR - http://www.scopus.com/inward/record.url?scp=85038936852&partnerID=8YFLogxK

U2 - 10.1145/3134600.3134604

DO - 10.1145/3134600.3134604

M3 - Conference contribution

AN - SCOPUS:85038936852

T3 - ACM International Conference Proceeding Series

SP - 91

EP - 102

BT - Proceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017

PB - Association for Computing Machinery (ACM)

Y2 - 4 December 2017 through 8 December 2017

ER -

Marmite: Spreading malicious file reputation through download graphs

Abstract

Publication series

Conference

Bibliographical note

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this