CAMP: Content-Agnostic Malware Protection

Year: 2013 | Citations: 65 | References: 22 | Venue: unknown | Closed access
Abstract. In spite of recent advances, the world wide web remains an important vector for malware installation. Approaches that evaluate potentially malicious code before it executes in a browser, such as blacklisting or content-based detection, are hindered by an attacker's ability to easily change hosting domains or mutate malware binaries. On the other hand, whitelist-based approaches are challenged by the large, dynamic, and heterogeneous space of benign binaries that they must track. In practice these approaches continue to provide value for popular binaries at either extreme of maliciousness (e.g., the current large outbreak of malware, the benign binaries shipped with an OS), but bridging the gap between whitelist and blacklist detection for web malware remains a significant challenge. This paper presents CAMP, a content-agnostic malware protection system based on binary reputation that is designed to address these shortcomings. CAMP is built into the browser and determines the reputation of most downloads locally, relying on server-side reputation data only when a local decision cannot be made. This paper gives a detailed overview of CAMP and its architecture and provides an evaluation of the system through a six-month deployment in which 200 million users of Google Chrome issued between eight and ten million reputation requests a day. Our evaluation shows that CAMP exhibits accuracy close to 99% relative to proprietary VM-based dynamic analysis, is able to process requests in less than 130 ms on average, and was able to detect approximately five million intentional malware downloads per month that were not detected by existing solutions.
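The two-tier decision the abstract describes (decide locally when a local allow-list or block-list settles the question, otherwise consult server-side reputation keyed on content-agnostic features) can be sketched as follows. This is an added illustration, not code from the CAMP paper or from Chrome: the feature set (hostname, code-signing subject, SHA-256), the local lists, the server-side reputation table, the evidence threshold and the allow/block ratios are all assumptions made here. It also shows why the approach is called content-agnostic: mutating the binary changes its hash but not the signer or host, so the verdict is unchanged, whereas a pure hash block-list would miss the mutated copy.

```python
"""Toy two-tier, content-agnostic download reputation check.

Added example; not the CAMP paper's or Chrome's implementation. Every list,
table and threshold below is a constructed assumption for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Download:
    url: str
    signer: Optional[str]  # subject of the code-signing certificate, None if unsigned
    content: bytes


# --- Local, in-browser data (constructed) -------------------------------------
LOCAL_TRUSTED_SIGNERS = {"Example Software Inc."}
LOCAL_BLOCKED_HOSTS = {"bad.example.net"}
LOCAL_BLOCKED_SHA256 = {
    # SHA-256 of the constructed string b"known-bad-sample"
    hashlib.sha256(b"known-bad-sample").hexdigest(),
}

# --- Server-side reputation table (constructed) --------------------------------
# Per feature value: (benign_count, malicious_count) observed so far.
SERVER_REPUTATION: Dict[Tuple[str, Optional[str]], Tuple[int, int]] = {
    ("signer", "Example Software Inc."): (10000, 0),
    ("signer", "Shady Tools LLC"): (3, 400),
    ("host", "dl.example.org"): (5000, 2),
    ("host", "new-host-1.example"): (0, 0),
}
MIN_EVIDENCE = 20    # assumed: below this many observations the server stays silent
BLOCK_RATIO = 0.5    # assumed: malicious share at or above which we block
ALLOW_RATIO = 0.01   # assumed: malicious share at or below which we allow


def features(d: Download) -> Dict[str, Optional[str]]:
    """Extract content-agnostic features plus the hash (hash only feeds the local block-list)."""
    host = d.url.split("//", 1)[-1].split("/", 1)[0].lower()
    return {
        "host": host,
        "signer": d.signer,
        "sha256": hashlib.sha256(d.content).hexdigest(),
    }


def local_decision(f: Dict[str, Optional[str]]) -> Optional[str]:
    """Return 'allow' or 'block' if the browser can decide alone, else None."""
    if f["sha256"] in LOCAL_BLOCKED_SHA256 or f["host"] in LOCAL_BLOCKED_HOSTS:
        return "block"
    if f["signer"] in LOCAL_TRUSTED_SIGNERS:
        return "allow"
    return None  # no local evidence: ask the server


def server_reputation(f: Dict[str, Optional[str]]) -> str:
    """Aggregate per-feature counts; features the server has never seen add nothing."""
    benign = malicious = 0
    for key in ("signer", "host"):
        b, m = SERVER_REPUTATION.get((key, f[key]), (0, 0))
        benign += b
        malicious += m
    total = benign + malicious
    if total < MIN_EVIDENCE:
        return "unknown"  # too little evidence either way; caller should warn
    ratio = malicious / total
    if ratio >= BLOCK_RATIO:
        return "block"
    if ratio <= ALLOW_RATIO:
        return "allow"
    return "unknown"


def verdict(d: Download) -> Tuple[str, str]:
    """Return (decision, tier): tier is 'local' or 'server'."""
    f = features(d)
    local = local_decision(f)
    if local is not None:
        return local, "local"
    return server_reputation(f), "server"


if __name__ == "__main__":
    sample = Download("https://new-host-1.example/tool.exe", "Shady Tools LLC", b"payload-v1")
    mutated = Download(sample.url, sample.signer, sample.content + b"\x00")
    print("original:", verdict(sample), features(sample)["sha256"][:12])
    print("mutated: ", verdict(mutated), features(mutated)["sha256"][:12])
```

The point to take from the mutated sample is the one the abstract makes: an attacker can cheaply change the hash or the hosting domain, so a verdict that rests on the signer and host reputation survives those changes, while the local hash block-list only catches the exact bytes it already knows. In a real deployment the "unknown" outcome is where the browser would warn the user rather than silently allow.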