DOI: 10.1145/2746194.2746202
Research article (Open Access)

An empirical study of global malware encounters

Published: 21 April 2015

ABSTRACT

The number of trojans, worms, and viruses that computers encounter varies greatly across countries. Empirically identifying the factors behind this variation can provide a scientific, evidence-based foundation for policy actions that aim to reduce malware encounters in the most affected countries. However, our current understanding of these factors rests mainly on expert opinion rather than on empirical evidence.

In this paper, we empirically test alternative hypotheses about factors behind international variation in the number of trojan, worm, and virus encounters. We use the Symantec Anti-Virus (AV) telemetry data collected from more than 10 million Symantec customer computers worldwide that we accessed through the Symantec Worldwide Intelligence Environment (WINE) platform. We use regression analysis to test for the effect of computing and monetary resources, web browsing behavior, computer piracy, cyber security expertise, and international relations on international variation in malware encounters.

We find that trojans, worms, and viruses are most prevalent in Sub-Saharan African countries. Many Asian countries also encounter substantial quantities of malware. Our regression analysis reveals that the main factor explaining the high malware exposure of these countries is widespread computer piracy, especially when combined with poverty. Our regression analysis also reveals that, surprisingly, web browsing behavior, cyber security expertise, and international relations have no significant effect.


Published in: HotSoS '15: Proceedings of the 2015 Symposium and Bootcamp on the Science of Security (ACM Other Conferences), April 2015, 170 pages. ISBN: 9781450333764. DOI: 10.1145/2746194. General Chair: David Nicol.

      Copyright © 2015 Owner/Author

      Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: HotSoS '15 paper acceptance rate 13 of 22 submissions (59%); overall acceptance rate 34 of 60 submissions (57%).
