Pheromone Model Based Visualization of Malware Distribution Networks

  • Yang Cai
  • Jose Andre Morales
  • Sihan Wang
  • Pedro Pimentel
  • William Casey
  • Aaron Volkmann
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10860)


We present a novel computational pheromone model for describing dynamic network behaviors in terms of transition, persistency, and hosting. The model consists of a three-dimensional force-directed graph with bi-directional pheromone deposit and decay paths. A data compression algorithm is developed to optimize computational performance. We applied the model for visual analysis of a Malware Distribution Network (MDN), a connected set of maliciously compromised domains used to disseminate malicious software to victimize computers and users. The MDN graphs are extracted from datasets from Google Safe Browsing (GSB) reports with malware attributions from VirusTotal. Our research shows that this novel approach reveals patterns of topological changes of the network over time, including the existence of persistent sub-networks and individual top-level domains critical to the successful operation of MDNs, as well as the dynamics of the topological changes on a daily basis. From the visualization, we observed notable clustering effects, and also noticed life span patterns for high-edge-count malware distribution clusters.


Pheromone Visualization  Malware Malware distribution network Force-directed graph Biologically-inspired computing Security Dynamics 3D graph Graph 



The authors would like to thank VIS research assistants Sebastian Peryt for initial 3D model prototyping and data processing. This project is in part funded by Cyber-Security University Consortium of Northrop Grumman Corporation. The authors are grateful to the discussions with Drs. Neta Ezer, Robert Pike, Paul Conoval, and Donald Steiner. This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. References herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. Carnegie Mellon® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University DM-0004676.


  1. 1.
    Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 17th USENIX Security Symposium Security 2008 (2008)Google Scholar
  2. 2.
    Gu, G., Zhang, J., Lee, W.: BotSniffer: Detecting botnet command and control channels in network traffic. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS 2008), February 2008Google Scholar
  3. 3.
    McCoy, D., Pitsillidis, A., Jordan, G., Weaver, N., Kreibich, C., Krebs, B., Voelker, G.M., Savage, S., Levchenko, K.: PharmaLeaks: understanding the business of online pharmaceutical affiliate programs. In: Proceedings of the 21st USENIX Conference on Security Symposium, Series Security 2012, Berkeley, CA, USA. USENIX Association, pp. 1 (2012)Google Scholar
  4. 4.
    Karami, M., Damon, M.: Understanding the emerging threat of DDOS-as-a-Service. In: Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats (2013)Google Scholar
  5. 5.
  6. 6.
    Zhang, J., Seifert, C., Stokes, J.W., Lee, W.: Arrow: generating signatures to detect drive-by downloads. In: Srinivasan, S., Ramamritham, K., Kumar, A., Ravindra, M.P., Bertino, E., Kumar, R. (eds.) Proceedings of the 20th International Conference on World Wide Web, WWW 2011, Hyderabad, India, 28 March–1 April 2011. ACM (2011)Google Scholar
  7. 7.
    Rossow, C., Dietrich, C., Bos, H.: Large-scale analysis of malware downloaders. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 42–61. Springer, Heidelberg (2013). Scholar
  8. 8.
    Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring pay-per-install: the commoditization of malware distribution. In: Proceedings of the 20th USENIX Conference on Security, Series SEC 2011, Berkeley, CA, USA. USENIX Association (2011)Google Scholar
  9. 9.
    Goncharov, M.: Traffic direction systems as malware distribution tool. Trend Micro, Technical report (2011)Google Scholar
  10. 10.
    Behfarshad, Z.: Survey of malware distribution networks, Electrical and Computer Engineering, University of British Columbia, Technical report (2012)Google Scholar
  11. 11.
    Provos, N., McNamee, D., Mavrommatis, P., Wang, K., Modadugu, N.: The ghost in the browser analysis of web-based malware. In: Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets, Series HotBots 2007, Berkeley, CA, USA. USENIX Association (2007)Google Scholar
  12. 12.
    Provos, N., Mavrommatis, P., Rajab, M.A., Monrose, F.: All your iframes point to us. In: Proceedings of the 17th conference on Security symposium, Series SS 2008, Berkeley, CA, USA. USENIX Association (2008)Google Scholar
  13. 13.
  14. 14.
  15. 15.
  16. 16.
    Wigglesworth, V.B.: Insect Hormones, pp. 134–141. W.H. Freeman and Company, Stuttgart (1970)Google Scholar
  17. 17.
    Cai, Y.: Instinctive Computing. Springer, London (2016). Scholar
  18. 18.
    Bonabeau, E., Dorigo, M., Theraulaz, G.: Sawrm Intelligence: From Nature to Artificial Systems. Oxford University Press, Oxford (1999)zbMATHGoogle Scholar
  19. 19.
    Cai, Y.: Ambient Diagnostics. CRC Press, Boca Raton (2014)Google Scholar
  20. 20.
    Jacobi, J.A., Benson, E.A., Linden, G.D.: Personalized recommendations of items represented within a database. US Patent. US 7113917 B2Google Scholar
  21. 21.
    Peryt, S., Morales, J.A., Casey, W., Volkmann, A., Cai, Y.: Visualizing malware distribution network. In: IEEE Conference on Visualization for Security, Baltimore, October 2016Google Scholar
  22. 22.
    Rossi, R.A., Gallagher, B., Neville, J., Henderson, K.: Modeling dynamic behavior in large evolving graphs. In: Proceedings of the Sixth ACM International Conference on Web Search and Data Mining (WSDM 2013), pp. 667–676. ACM, New York.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Yang Cai
    • 1
  • Jose Andre Morales
    • 1
  • Sihan Wang
    • 1
  • Pedro Pimentel
    • 1
  • William Casey
    • 1
  • Aaron Volkmann
    • 1
  1. 1.Carnegie Mellon UniversityPittsburghUSA

Personalised recommendations