TY - GEN
T1 - Marmite
T2 - 33rd Annual Computer Security Applications Conference, ACSAC 2017
AU - Stringhini, Gianluca
AU - Shen, Yun
AU - Han, Yufei
AU - Zhang, Xiangliang
N1 - KAUST Repository Item: Exported on 2020-10-01
Acknowledgements: We would like to thank the anonymous reviewers for their feedback, and our shepherd Christian Rossow for his help in improving the final version of this paper. This work was supported by UCL through a BEAMS Future Leaders in Engineering and Physical Sciences Award and by the EPSRC under grant EP/N008448/1.
PY - 2017/12/4
Y1 - 2017/12/4
N2 - Effective malware detection approaches need not only high accuracy, but also need to be robust to changes in the modus operandi of criminals. In this paper, we propose Marmite, a feature-agnostic system that aims at propagating known malicious reputation of certain files to unknown ones with the goal of detecting malware. Marmite does this by looking at a graph that encapsulates a comprehensive view of how files are downloaded (by which hosts and from which servers) on a global scale. The reputation of files is then propagated across the graph using semi-supervised label propagation with Bayesian confidence. We show that Marmite is able to reach high accuracy (0.94 G-mean on average) over a 10-day dataset of 200 million download events. We also demonstrate that Marmite's detection capabilities do not significantly degrade over time, by testing our system on a 30-day dataset of 660 million download events collected six months after the system was tuned and validated. Marmite still maintains a similar accuracy after this period of time.
AB - Effective malware detection approaches need not only high accuracy, but also need to be robust to changes in the modus operandi of criminals. In this paper, we propose Marmite, a feature-agnostic system that aims at propagating known malicious reputation of certain files to unknown ones with the goal of detecting malware. Marmite does this by looking at a graph that encapsulates a comprehensive view of how files are downloaded (by which hosts and from which servers) on a global scale. The reputation of files is then propagated across the graph using semi-supervised label propagation with Bayesian confidence. We show that Marmite is able to reach high accuracy (0.94 G-mean on average) over a 10-day dataset of 200 million download events. We also demonstrate that Marmite's detection capabilities do not significantly degrade over time, by testing our system on a 30-day dataset of 660 million download events collected six months after the system was tuned and validated. Marmite still maintains a similar accuracy after this period of time.
UR - http://www.scopus.com/inward/record.url?scp=85038936852&partnerID=8YFLogxK
U2 - 10.1145/3134600.3134604
DO - 10.1145/3134600.3134604
M3 - Conference contribution
AN - SCOPUS:85038936852
T3 - ACM International Conference Proceeding Series
SP - 91
EP - 102
BT - Proceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017
PB - Association for Computing Machinery (ACM)
Y2 - 4 December 2017 through 8 December 2017
ER -