Liang Shi, Jialan Que, Zhenyu Zhong, Brett Meyer, Patrick Crenshaw, Yuanchen He
Title: A Scalable Implementation of Malware Detection Based on Network Connection Behaviors
Venue: 2013 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery
Published: 2013-10-10
DOI: 10.1109/CyberC.2013.19 (https://doi.org/10.1109/CyberC.2013.19)
Open access: no
Citations: 4
Indexed by: Semantic Scholar
Abstract
When hundreds of thousands of applications must be analyzed within a short period of time, existing static and dynamic malware detection methods may become less desirable because they can quickly exhaust system and human resources. Additionally, many behavioral malware detection methods may not be practical because they require the collection of applications' system-level and network-level activities, which are not always available. In this paper, we propose a malware behavioral clustering approach that detects malware variants from applications' simple network connection data, which can be easily collected by anti-virus (AV) products. This approach is highly scalable and has been applied to huge volumes of real-world data. Our experiments demonstrate that, at a false positive rate below 0.001%, the proposed method achieves a detection rate above 80% for spambots and an average detection rate above 50% across three popular malware families. In addition, the method was deployed in a real environment, where it detected malware instances more than one week earlier on average than two other leading AV products.
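The abstract does not specify which connection features, similarity measure or clustering algorithm the paper uses, so the following is an added toy illustration of the general idea rather than the paper's own code or data: applications are represented by the set of (destination, port) pairs they connect to, single-linkage clustering joins applications whose Jaccard similarity reaches a threshold, unlabeled applications that land in a cluster with known malware (and no known-benign application) are flagged, and a threshold sweep shows the detection-rate versus false-positive-rate trade-off. All sample records, host names and application ids are constructed for this example.

```python
"""
Toy behavioral clustering of applications by outbound connection sets.
Added example, not code or data from the paper; the features, similarity
measure, clustering rule and sample telemetry are assumptions made here.
"""
from itertools import combinations

# Constructed telemetry: one record per application (invented ids), each a
# set of (destination host, port) pairs as an AV client might report them.
CONNECTIONS = {
    # known spambot samples: fan out to many mail exchangers plus a C2 host
    "bot-a1": {("mx1.example-mail.net", 25), ("mx2.example-mail.net", 25),
               ("mx3.example-mail.net", 25), ("c2.badhost.example", 8080)},
    "bot-a2": {("mx1.example-mail.net", 25), ("mx2.example-mail.net", 25),
               ("mx4.example-mail.net", 25), ("c2.badhost.example", 8080)},
    # unlabeled samples to be classified
    "unk-x1": {("mx2.example-mail.net", 25), ("mx3.example-mail.net", 25),
               ("mx5.example-mail.net", 25), ("c2.badhost.example", 8080)},  # new variant
    "unk-x2": {("cdn.example-app.com", 443), ("api.example-app.com", 443)},  # benign
    "unk-x3": {("mx1.example-mail.net", 25)},                                # benign relay tool
    "unk-x4": {("mx9.example-mail.net", 25), ("c2.badhost.example", 8080)},  # variant, little overlap
    # known benign applications
    "good-b1": {("cdn.example-app.com", 443), ("api.example-app.com", 443),
                ("telemetry.example-app.com", 443)},
    "good-b2": {("update.example-vendor.com", 443)},
    "good-mail": {("mail.example-isp.net", 587), ("mail.example-isp.net", 993)},
}
KNOWN_MALICIOUS = {"bot-a1", "bot-a2"}
KNOWN_BENIGN = {"good-b1", "good-b2", "good-mail"}
# Constructed ground truth for the unlabeled samples, used only for scoring.
UNKNOWN_TRUTH = {"unk-x1": True, "unk-x2": False, "unk-x3": False, "unk-x4": True}


def jaccard(a, b):
    """Jaccard similarity of two connection sets (0.0 when both are empty)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster(connections, threshold):
    """Single-linkage clustering: link two apps when their Jaccard similarity
    reaches the threshold, then return the connected components (union-find)."""
    parent = {app: app for app in connections}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(connections, 2):
        if jaccard(connections[a], connections[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for app in connections:
        groups.setdefault(find(app), set()).add(app)
    return list(groups.values())


def detect(connections, known_malicious, known_benign, threshold=0.5):
    """Flag unlabeled apps that share a cluster with known malware. A cluster
    that also contains a known-benign app is left alone: that is the guard
    that keeps the false-positive rate down at the cost of some recall."""
    flagged = set()
    for members in cluster(connections, threshold):
        if members & known_malicious and not members & known_benign:
            flagged |= members - known_malicious
    return flagged


def evaluate(flagged, unknown_truth):
    """(detection rate, false-positive rate) over the unlabeled samples."""
    malicious = {a for a, m in unknown_truth.items() if m}
    benign = {a for a, m in unknown_truth.items() if not m}
    tp = len(flagged & malicious)
    fp = len(flagged & benign)
    return tp / len(malicious), fp / len(benign)


def threshold_sweep(thresholds=(0.2, 0.5)):
    """Map each similarity threshold to its (detection rate, FPR)."""
    return {t: evaluate(detect(CONNECTIONS, KNOWN_MALICIOUS, KNOWN_BENIGN, t),
                        UNKNOWN_TRUTH) for t in thresholds}


if __name__ == "__main__":
    for t, (dr, fpr) in threshold_sweep().items():
        print(f"threshold={t:.2f}  detection_rate={dr:.2f}  fpr={fpr:.2f}")
```

At the stricter threshold (0.5) only the close variant unk-x1 is flagged, so the false-positive rate is zero but the dissimilar variant unk-x4 is missed; loosening the threshold to 0.2 catches unk-x4 but also pulls in the benign relay tool unk-x3, which shares a mail exchanger with the bots. A real deployment would choose the threshold on labeled data to hold the false-positive rate at the target, which is the trade-off the reported 0.001% figure reflects.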