CAMP: Content-Agnostic Malware Protection

In spite of recent advances, the world wide web remains
an important vector for malware installation. Approaches
to evaluating potentially malicious code before execution in a
browser, such as blacklisting or content-based detection are
hindered by an attacker’s ability to easily change hosting domains
or mutate malware binaries. On the other hand, whitelistbased
approaches are challenged by the large, dynamic, and
heterogeneous space of benign binaries that they must track. In
practice these approaches continue to provide value for popular
binaries at either extreme of maliciousness (e.g., the current large
outbreak of malware, the benign binaries shipped with an OS),
but bridging the gap between whitelist and blacklist detection
for web malware remains a significant challenge.
This paper presents CAMP, a content-agnostic malware protection
system based on binary reputation that is designed to
address these shortcomings. CAMP is built into the browser and
determines the reputation of most downloads locally, relying on
server-side reputation data only when a local decision cannot be
made. This paper gives a detailed overview of CAMP and its
architecture and provides an evaluation of the system through
a six-month deployment in which 200 million users of Google
Chrome requested between eight to ten million reputation requests
a day. Our evaluation shows that CAMP exhibits accuracy
close to 99% relative to proprietary VM-based dynamic analysis,
is able to process requests in less than 130 ms on average, and
was able to detect approximately five million intentional malware
downloads per month that were not detected by existing solutions.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s