Large Scale Malware Analysis

Seminar, 2 SWS / 4 ECTS
Organizers: Bojan Kolosnjaji, Mohammad Reza Norouzian, and George Webster
Start: 2017-04-12

The lecture is given in English.


  • The presentation from the first seminar meeting is published.
  • The presentation schedule is published. Note that the first meeting is on 12.04.2016.
  • The list of topics is updated with information about current availability.
  • The division of topics has started. Every participant should pick two papers, one of which is for presentation, and a single report should be written covering both papers. The paper for presentation must be unique, and papers are assigned on a "first come, first served" basis. Preferences should be sent to Bojan Kolosnjaji.
  • Papers are published below. Division of topics starts on 22.02.2016.
  • Slides from the kick-off meeting can be found here. If you could not attend the meeting, no problem. You can also apply by sending your short CV to Bojan Kolosnjaji (kolosnjaji@sec.in.tum.de) and choosing the course on the matching system.


Security companies are reporting an exponential growth in the number and variety of malicious executables and domains that need to be analyzed on a daily basis. In order to properly detect and analyze millions of samples, engineers need to make use of technologies stemming from areas like Big Data and Machine Learning/Data Mining. These technologies are potentially helpful in automating reverse engineering and analyzing malware on a large scale, enabling malware analysts to focus their efforts properly and design countermeasures in appropriate time.
There is an increasing number of papers from academia and industry in this direction and we will be studying them in this seminar. The topic of the seminar is very useful both for future security experts and data scientists/engineers.

Our papers are classified into 4 subareas:
1) Windows Malware Detection and Analysis
2) Android Malware Detection and Analysis
3) Malicious Web Pages and Domains
4) Botnets

The list of papers will be published soon...


  • Students should show up at the first kick-off meeting on 21.01.2016 at 5pm in 01.08.033 (as indicated on TUMOnline).
  • After the kick-off meeting, the application should be sent by e-mail to Bojan Kolosnjaji. An application consists of a short CV indicating your knowledge and/or work experience related to the course (IT Security, Machine Learning, Data Mining, Math...). CVs are to be sent by 10.02.2016! After that we start with the selection.
  • Students do not need to register on TUMonline personally; this will be done by our chair. However, students must apply for the course through the matching system.


Must have: Basic IT Security

Nice to have: Machine Learning/Data Mining

Tasks for students:

Each student will be assigned two research papers. After studying the papers, each student is required to write a short report about the chosen papers and give a 20-minute presentation followed by a discussion. The report is 14 pages in LNCS format in total, and the deadline for submission is 17.07.15.

Presentations are given at the seminar meetings.

Paper List:

I Windows Malware Detection and Analysis

1) Polonium: Tera-Scale Graph Mining and Inference for Malware Detection

2) Scalable, Behavior-Based Malware Clustering (taken)
4) Bitshred: feature hashing malware for scalable triage and semantic analysis
5) Leveraging String Kernels for Malware Detection

II Android Malware Detection and Analysis

1) DroidMiner: Automated Mining and Characterization of Fine-grained Malicious Behaviors in Android Applications
2) “Andromaly”: a behavioral malware detection framework for android devices
3) Fast, Scalable Detection of “Piggybacked” Mobile Applications
4) DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket

III Malicious Web Pages and Domains

1) Detecting Malicious Domains via Graph Inference (taken)
http://link.springer.com/chapter/10.1007%2F978-3-319-11203-9_1
2) Prophiler: A Fast Filter for the Large-Scale Detection of Malicious Web Pages (taken)
3) EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis (taken)
4) Building a Dynamic Reputation System for DNS (taken)

V Botnets

1) BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection (taken)
2) BotGrep: Finding P2P Bots with Structured Graph Analysis (taken)
3) BotFinder: finding bots in network traffic without deep packet inspection (taken)
http://www.sba-research.org/wp-content/uploads/publications/conext12_botfinder.pdf
4) DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis
5) BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation

Presentation Guidelines

Each student gives a presentation about the assigned paper. The time given for the presentation is 30 minutes, including discussion. We recommend taking 20 minutes for the actual presentation and leaving around 10 minutes for discussion. Presentations should be in the style of conference/workshop talks. A good presentation will:

  • give correct and accurately displayed information about the paper,
  • present all the important points of the paper,
  • contain an explanation that your fellow students can understand, especially of the method used and the results of the paper,
  • initiate a good discussion.