Malware distributions and graph structure of the Web

TL;DR

This study analyzes the Web's graph structure to distinguish between clean and malicious websites, revealing differences in local and global properties and assessing their predictive power for malware detection.

Contribution

It is the first large-scale analysis comparing the structural properties of malicious and clean Web pages, bridging Web science and cybersecurity.

Findings

Different distributions explain local and network properties.

Structural differences help classify malware websites.

Results can improve malware detection algorithms.

Abstract

Knowledge about the graph structure of the Web is important for understanding this complex socio-technical system and for devising proper policies supporting its future development. Knowledge about the differences between clean and malicious parts of the Web is important for understanding potential treats to its users and for devising protection mechanisms. In this study, we conduct data science methods on a large crawl of surface and deep Web pages with the aim to increase such knowledge. To accomplish this, we answer the following questions. Which theoretical distributions explain important local characteristics and network properties of websites? How are these characteristics and properties different between clean and malicious (malware-affected) websites? What is the prediction power of local characteristics and network properties to classify malware websites? To the best of our knowledge, this is the first large-scale study describing the differences in global properties between malicious and clean parts of the Web. In other words, our work is building on and bridging the gap between \textit{Web science} that tackles large-scale graph representations and \textit{Web cyber security} that is concerned with malicious activities on the Web. The results presented herein can also help antivirus vendors in devising approaches to improve their detection algorithms.