Scalable Detection of Server-Side Polymorphic Malware

We cluster the files population based on their locality-sensitive hash (LSH) values and analyze the resulting LSH clusters. Using ground truth labels, we identify benign and malicious clusters and analyse the differences between them in terms of the distributions of cluster-size, file download numbers and activity period, and in terms of their web domain utilization patterns. The results of this analysis are then leveraged for devising SPADE - a scalable Server-side Polymorphic mAlware DEtector that provides high-quality detection of both malicious files and malicious web domains.