DOI: 10.1145/2746194.2746202
research-article
Open access

An empirical study of global malware encounters

Published: 21 April 2015

Abstract

The number of trojans, worms, and viruses that computers encounter varies greatly across countries. Identifying the factors behind this variation can provide an empirical basis for policy actions to reduce malware encounters in the most affected countries. However, our understanding of these factors is currently based mainly on expert opinion, not empirical evidence.
In this paper, we empirically test alternative hypotheses about factors behind international variation in the number of trojan, worm, and virus encounters. We use the Symantec Anti-Virus (AV) telemetry data collected from more than 10 million Symantec customer computers worldwide that we accessed through the Symantec Worldwide Intelligence Environment (WINE) platform. We use regression analysis to test for the effect of computing and monetary resources, web browsing behavior, computer piracy, cyber security expertise, and international relations on international variation in malware encounters.
We find that trojans, worms, and viruses are most prevalent in Sub-Saharan African countries. Many Asian countries also encounter substantial quantities of malware. Our regression analysis reveals that the main factor explaining the high malware exposure of these countries is widespread computer piracy, especially when combined with poverty. It also reveals that, surprisingly, web browsing behavior, cyber security expertise, and international relations have no significant effect.


    Published In

    HotSoS '15: Proceedings of the 2015 Symposium and Bootcamp on the Science of Security
    April 2015
    170 pages
    ISBN:9781450333764
    DOI:10.1145/2746194
    • General Chair: David Nicol
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Sponsors

    • US Army Research Office
    • NSF: National Science Foundation
    • University of Illinois at Urbana-Champaign
    • National Security Agency

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. international factors
    2. science of security
    3. social factors

    Qualifiers

    • Research-article

    Conference

    HotSoS '15
    Sponsor:
    • US Army Research Office
    • NSF
    • National Security Agency

    Acceptance Rates

    HotSoS '15 Paper Acceptance Rate 13 of 22 submissions, 59%;
    Overall Acceptance Rate 34 of 60 submissions, 57%

    Cited By

    • (2025) Forecasting Cyber Threats and Pertinent Mitigation Technologies. Technological Forecasting and Social Change 210 (123836). DOI: 10.1016/j.techfore.2024.123836. Online publication date: Jan-2025
    • (2024) A Case-Control Study to Measure Behavioral Risks of Malware Encounters in Organizations. IEEE Transactions on Information Forensics and Security 19 (9419-9432). DOI: 10.1109/TIFS.2024.3456960. Online publication date: 2024
    • (2024) Unveiling the Connection Between Malware and Pirated Software in Southeast Asian Countries: A Case Study. IEEE Open Journal of the Computer Society 5 (62-72). DOI: 10.1109/OJCS.2024.3364576. Online publication date: 2024
    • (2023) One size does not fit all. Proceedings of the 32nd USENIX Conference on Security Symposium (5683-5700). DOI: 10.5555/3620237.3620555. Online publication date: 9-Aug-2023
    • (2022) Investigating Installers of Security Software in 20 Countries: Individual- and Country-Level Differences. Human Behavior and Emerging Technologies 2022 (1-12). DOI: 10.1155/2022/1230344. Online publication date: 1-Jun-2022
    • (2022) A Survey of Binary Code Fingerprinting Approaches: Taxonomy, Methodologies, and Features. ACM Computing Surveys 55:1 (1-41). DOI: 10.1145/3486860. Online publication date: 17-Jan-2022
    • (2022) How education level influences internet security knowledge, behaviour, and attitude: a comparison among undergraduates, postgraduates and working graduates. International Journal of Information Security 22:2 (305-317). DOI: 10.1007/s10207-022-00637-z. Online publication date: 24-Nov-2022
    • (2020) Deep Generative Model for Malware Detection. 2020 Chinese Control And Decision Conference (CCDC) (2072-2077). DOI: 10.1109/CCDC49329.2020.9164231. Online publication date: Aug-2020
    • (2020) Increasing Engagement in a Cyber-Awareness Training Game. Augmented Cognition. Human Cognition and Behavior (147-158). DOI: 10.1007/978-3-030-50439-7_10. Online publication date: 10-Jul-2020
    • (2019) Predicting Probing Rate Severity by Leveraging Twitter Sentiments. 2019 15th International Wireless Communications & Mobile Computing Conference (IWCMC) (883-888). DOI: 10.1109/IWCMC.2019.8766669. Online publication date: Jun-2019
