Detection of malicious webmail attachments based on propagation patterns

Email remains one of the key media used by cybercriminals for distributing malware. Based on a large data set consisting of antivirus telemetry reports, we conduct the first comprehensive study of the properties of malicious webmail attachments. We show that they are distinct among the general web-b...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Knowledge-based systems 2018-02, Vol.141, p.67-79
Hauptverfasser: Cohen, Yehonatan, Hendler, Danny, Rubin, Amir
Format: Artikel
Sprache:eng
Schlagworte:
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Email remains one of the key media used by cybercriminals for distributing malware. Based on a large data set consisting of antivirus telemetry reports, we conduct the first comprehensive study of the properties of malicious webmail attachments. We show that they are distinct among the general web-borne malware population in terms of the malware reach (the number of machines to which the malware is downloaded), malware type and family. Furthermore, we show that malicious webmail attachments are unique in the manner in which they propagate through the network. We leverage these findings for defining novel features of malware propagation patterns. These features are derived from a time-series representation of malware download rates and from the community structure of graphs that model the network paths through which malware propagates. Based on these features, we implement a detector that provides high-quality detection of malicious webmail attachments.
ISSN:0950-7051
1872-7409
DOI:10.1016/j.knosys.2017.11.011