Pheromone model based visualization of malware distribution networks

This article is free to access.

Abstract

We present a novel computational pheromone model for describing dynamic network behaviors in terms of transition, persistency, and hosting. The model consists of a three-dimensional force-directed graph with bi-directional pheromone deposit and decay paths. A data compression algorithm is developed to optimize computational performance. We applied the model for visual analysis of a Malware Distribution Network (MDN), a connected set of maliciously compromised domains used to disseminate malicious software to victimize computers and users. The MDN graphs are extracted from datasets from Google Safe Browsing (GSB) reports with malware attributions from VirusTotal. Our research shows that this novel approach reveals patterns of topological changes of the network over time, including the existence of persistent sub-networks and individual top-level domains critical to the successful operation of MDNs, as well as the dynamics of the topological changes on a daily basis. From the visualization, we observed notable clustering effects, and also noticed life span patterns for high-edge-count malware distribution clusters.

Citation (APA)

Cai, Y., Morales, J. A., Wang, S., Pimentel, P., Casey, W., & Volkmann, A. (2018). Pheromone model based visualization of malware distribution networks. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10860 LNCS, pp. 55–68). Springer Verlag. https://doi.org/10.1007/978-3-319-93698-7_5
