Real-Time Detection Of Malware Downloads Via Large-Scale Url -> File -> Machine Graph Mining

ASIA CCS '16: ACM Asia Conference on Computer and Communications Security, Xi'an, China, May 2016 (2016)

Citations: 30 | Views: 80
Abstract
In this paper we propose MASTINO, a novel defense system to detect malware download events. A download event is a 3-tuple that identifies the action of downloading a file from a URL, triggered by a client (machine). MASTINO utilizes global situation awareness: it continuously monitors various network- and system-level events on clients' machines across the Internet and provides real-time classification of both files and URLs to the clients upon submission of a new, unknown file or URL to the system. To enable detection of download events, MASTINO builds a large download graph that captures the subtle relationships among the entities of download events, i.e., files, URLs, and machines. We implemented a prototype version of MASTINO and evaluated it in a large-scale real-world deployment. Our experimental evaluation shows that MASTINO can accurately classify malware download events with an average of 95.5% true positives (TP), while incurring less than 0.5% false positives (FP). In addition, we show that MASTINO can classify a new download event as either benign or malware in just a fraction of a second, and is therefore suitable as a real-time defense system.
Keywords
Graph Mining, Malware Detection, Machine Learning