
Technological and Human Factors of Malware Attacks: A Computer Security Clinical Trial Approach

Published: 12 July 2018

Abstract

The success (or failure) of malware attacks depends upon both technological and human factors. The most security-conscious users are susceptible to unknown vulnerabilities, and even the best security mechanisms can be circumvented as a result of user actions. Although there has been significant research on the technical aspects of malware attacks and defence, there has been much less research on how users interact with both malware and current malware defences.

This article describes a field study designed to examine the interactions between users, antivirus (AV) software, and malware as they occur on deployed systems. In a fashion similar to medical studies that evaluate the efficacy of a particular treatment, our experiment aimed to assess the performance of AV software and the human risk factors of malware attacks. The 4-month study involved 50 home users who agreed to use laptops that were instrumented to monitor for possible malware attacks and gather data on user behaviour. This study provided some very interesting, non-intuitive insights into the efficacy of AV software and human risk factors. AV performance was found to be lower under real-life conditions compared to tests conducted in controlled conditions. Moreover, computer expertise, volume of network usage, and peer-to-peer activity were found to be significant correlates of malware attacks. We assert that this work shows the viability and the merits of evaluating security products, techniques, and strategies to protect systems through long-term field studies with greater ecological validity than can be achieved through other means.

Published in

ACM Transactions on Privacy and Security, Volume 21, Issue 4
November 2018
142 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3232648

Copyright © 2018 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 12 July 2018
• Accepted: 1 April 2018
• Received: 1 October 2017

Qualifiers

• research-article
• Research
• Refereed
