Empirical analysis of factors affecting malware URL detection

Marie Vasek, T. Moore
DOI: 10.1109/ECRS.2013.6805776 (https://doi.org/10.1109/ECRS.2013.6805776)
Published in: 2013 APWG eCrime Researchers Summit, September 2013
Citation count: 6

Abstract

Many organizations, from antivirus companies to motivated volunteers, maintain blacklists of URLs suspected of distributing malware in order to protect users. Detection rates can vary widely, but it is not known why. We posit that much of the variation can be explained by differences in the type of malware and differences in the blacklists themselves. To that end, we conducted an empirical analysis of 722 malware URLs submitted to the Malware Domain List (MDL) over 6 months in 2012-2013. We ran each URL through VirusTotal, a tool that allowed us to check each URL against 38 different malware URL blacklists, within an hour of when they were first blacklisted by the MDL. We followed up on each URL for the following two weeks. We then ran logistic regressions and Cox proportional hazard models to identify factors affecting blacklist accuracy and speed. We find that URLs belonging to known exploit kits such as Blackhole and Styx were more likely to be blacklisted and were blacklisted more quickly. We also found that blacklists that are used to actively block URLs are more effective than those that are not, and furthermore that paid services are more effective than free ones.