Beyond the blacklist

Modeling malware spread and the effect of interventions

Benjamin Edwards, Tyler Moore, George Stelle, Steven Hofmeyr, Stephanie Forrest

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

7 Citations (Scopus)

Abstract

Malware spread among websites and between websites and clients is an increasing problem. Search engines play an important role in directing users to websites and are a natural control point for intervening using mechanisms such as blacklisting. The paper presents a simple Markov model of malware spread through large populations of websites and studies the effect of two interventions that might be deployed by a search provider: blacklisting infected web pages by removing them from search results entirely, and a generalization of blacklisting, called depreferencing, in which a website's ranking is decreased by a fixed percentage each time period the site remains infected. We analyze and study the trade-offs between infection exposure and traffic loss due to false positives (the cost to a website that is incorrectly blacklisted) for different interventions. As expected, we find that interventions are most effective when websites are slow to remove infections. Surprisingly, we also find that low infection or recovery rates can increase traffic loss due to false positives. Our analysis also shows that heavy-tailed distributions of website popularity, as documented in many studies, lead to high sample variance of all measured outcomes. This result implies that it will be difficult to determine empirically whether certain website interventions are effective, and it suggests that theoretical models such as the one described in this paper have an important role to play in improving web security.

Original language: English (US)
Title of host publication: NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop
Pages: 53-65
Number of pages: 13
State: Published - Dec 1 2012
Externally published: Yes
Event: 2012 21st New Security Paradigms Workshop, NSPW 2012 - Bertinoro, Italy
Duration: Sep 18 2012 to Sep 21 2012

Other

Other: 2012 21st New Security Paradigms Workshop, NSPW 2012
Country: Italy
City: Bertinoro
Period: 9/18/12 to 9/21/12

Fingerprint

Websites
Computer simulation
Malware
Search engines
Recovery

Keywords

  • Blacklist
  • Drive-by-Downloads
  • Graduated Response
  • Malware
  • Modeling
  • Search
  • Web Security

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture
  • Software
  • Information Systems

Cite this

Edwards, B., Moore, T., Stelle, G., Hofmeyr, S., & Forrest, S. (2012). Beyond the blacklist: Modeling malware spread and the effect of interventions. In NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop (pp. 53-65)

Beyond the blacklist: Modeling malware spread and the effect of interventions. / Edwards, Benjamin; Moore, Tyler; Stelle, George; Hofmeyr, Steven; Forrest, Stephanie.

NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop. 2012. pp. 53-65.


Edwards, B, Moore, T, Stelle, G, Hofmeyr, S & Forrest, S 2012, Beyond the blacklist: Modeling malware spread and the effect of interventions. in NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop. pp. 53-65, 2012 21st New Security Paradigms Workshop, NSPW 2012, Bertinoro, Italy, 9/18/12.
Edwards B, Moore T, Stelle G, Hofmeyr S, Forrest S. Beyond the blacklist: Modeling malware spread and the effect of interventions. In NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop. 2012. p. 53-65
Edwards, Benjamin; Moore, Tyler; Stelle, George; Hofmeyr, Steven; Forrest, Stephanie. / Beyond the blacklist: Modeling malware spread and the effect of interventions. NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop. 2012. pp. 53-65.
@inproceedings{ca14f277245d4a8b9a897f35dcfb3ea5,
title = "Beyond the blacklist: Modeling malware spread and the effect of interventions",
abstract = "Malware spread among websites and between websites and clients is an increasing problem. Search engines play an important role in directing users to websites and are a natural control point for intervening using mechanisms such as blacklisting. The paper presents a simple Markov model of malware spread through large populations of websites and studies the effect of two interventions that might be deployed by a search provider: blacklisting infected web pages by removing them from search results entirely and a generalization of blacklisting, called depreferencing, in which a website's ranking is decreased by a fixed percentage each time period the site remains infected. We analyze and study the trade-offs between infection exposure and traffic loss due to false positives (the cost to a website that is incorrectly blacklisted) for different interventions. As expected, we find that interventions are most effective when websites are slow to remove infections. Surprisingly, we also find that low infection or recovery rates can increase traffic loss due to false positives. Our analysis also shows that heavy-tailed distributions of website popularity, as documented in many studies, leads to high sample variance of all measured outcomes. This result implies that it will be difficult to determine empirically whether certain website interventions are effective, and it suggests that theoretical models such as the one described in this paper have an important role to play in improving web security.",
keywords = "Blacklist, Drive-by-Downloads, Graduated Response, Malware, Modeling, Search, Web Security",
author = "Benjamin Edwards and Tyler Moore and George Stelle and Steven Hofmeyr and Stephanie Forrest",
year = "2012",
month = "12",
day = "1",
language = "English (US)",
isbn = "9781450317948",
pages = "53--65",
booktitle = "NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop",
}

TY - GEN

T1 - Beyond the blacklist

T2 - Modeling malware spread and the effect of interventions

AU - Edwards, Benjamin

AU - Moore, Tyler

AU - Stelle, George

AU - Hofmeyr, Steven

AU - Forrest, Stephanie

PY - 2012/12/1

Y1 - 2012/12/1

N2 - Malware spread among websites and between websites and clients is an increasing problem. Search engines play an important role in directing users to websites and are a natural control point for intervening using mechanisms such as blacklisting. The paper presents a simple Markov model of malware spread through large populations of websites and studies the effect of two interventions that might be deployed by a search provider: blacklisting infected web pages by removing them from search results entirely and a generalization of blacklisting, called depreferencing, in which a website's ranking is decreased by a fixed percentage each time period the site remains infected. We analyze and study the trade-offs between infection exposure and traffic loss due to false positives (the cost to a website that is incorrectly blacklisted) for different interventions. As expected, we find that interventions are most effective when websites are slow to remove infections. Surprisingly, we also find that low infection or recovery rates can increase traffic loss due to false positives. Our analysis also shows that heavy-tailed distributions of website popularity, as documented in many studies, leads to high sample variance of all measured outcomes. This result implies that it will be difficult to determine empirically whether certain website interventions are effective, and it suggests that theoretical models such as the one described in this paper have an important role to play in improving web security.

AB - Malware spread among websites and between websites and clients is an increasing problem. Search engines play an important role in directing users to websites and are a natural control point for intervening using mechanisms such as blacklisting. The paper presents a simple Markov model of malware spread through large populations of websites and studies the effect of two interventions that might be deployed by a search provider: blacklisting infected web pages by removing them from search results entirely and a generalization of blacklisting, called depreferencing, in which a website's ranking is decreased by a fixed percentage each time period the site remains infected. We analyze and study the trade-offs between infection exposure and traffic loss due to false positives (the cost to a website that is incorrectly blacklisted) for different interventions. As expected, we find that interventions are most effective when websites are slow to remove infections. Surprisingly, we also find that low infection or recovery rates can increase traffic loss due to false positives. Our analysis also shows that heavy-tailed distributions of website popularity, as documented in many studies, leads to high sample variance of all measured outcomes. This result implies that it will be difficult to determine empirically whether certain website interventions are effective, and it suggests that theoretical models such as the one described in this paper have an important role to play in improving web security.

KW - Blacklist

KW - Drive-by-Downloads

KW - Graduated Response

KW - Malware

KW - Modeling

KW - Search

KW - Web Security

UR - http://www.scopus.com/inward/record.url?scp=84871944135&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84871944135&partnerID=8YFLogxK

M3 - Conference contribution

SN - 9781450317948

SP - 53

EP - 65

BT - NSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop

ER -