Tzu-Hsien Chuang, Shin-Ying Huang, Ching-Hao Mao, Albert B. Jeng, Hahn-Ming Lee
Title: Ziffersystem: A novel malware distribution detection system
Authors: Tzu-Hsien Chuang, Shin-Ying Huang, Ching-Hao Mao, Albert B. Jeng, Hahn-Ming Lee
DOI: 10.1109/DESEC.2017.8073834 (https://doi.org/10.1109/DESEC.2017.8073834)
Venue: DASC-PICom-DataCom-CyberSciTech 2017 : 2017 IEEE 15th International Conference on Dependable, Autonomic and Secure Computing ; 2017 IEEE 15th International Conference on Pervasive Intelligence and Computing ; 2017 IEEE 3rd International...
Volume: 105 1
Pages: 509-515
Publication date: 2017-08-01
Publication type: Journal Article
Citation count: 2
Open access: no
Indexing platform: Semanticscholar
Ziffersystem: A novel malware distribution detection system
Cyber-criminals use various malware technologies to bypass antivirus software. For example, drive-by downloads happen without a person's knowledge when visiting a website, viewing an email message, or clicking on a deceptive pop-up window. One way to understand drive-by download attacks is to study the connections between different drive-by download behaviors during the installation phase. However, current solutions need a large number of browsing records from ISPs to build up a model. Insufficient historical browsing data may prevent this approach from working. In this study, we propose Ziffersystem, a system that identifies the suspicious connections in a targeted enterprise. We develop a graph-based model of malicious orchestrated behaviors. Ziffersystem does not need large-scale network data (e.g., IPS traffic) to model malicious activity, and therefore the system is useful for an enterprise with few in-house blacklists and highly sensitive data. We apply the proposed system to the analysis of blacklists from public and private sources, and we show its effectiveness for visualizing malicious download behavior that cannot be identified through piecewise event logs.