A post-mortem empirical investigation of the popularity and distribution of malware files in the contemporary web-facing internet

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Scientific, peer-review


  • Jukka Ruohonen
  • Sanja Scepanovic
  • Sami Hyrynsalmi
  • Igor Mishkovski
  • Tuomas Aura
  • Ville Leppanen

Research units

  • University of Turku
  • SS Cyril and Methodius University in Skopje


This short empirical paper investigates a snapshot of about two million files from a continuously updated big data collection maintained by F-Secure for security intelligence purposes. By further augmenting the snapshot with open data covering about half a million files, the paper examines two questions: (a) what is the shape of a probability distribution characterizing the relative share of malware files to all files distributed from web-facing Internet domains, and (b) what is the distribution shaping the popularity of malware files? A bimodal distribution is proposed as an answer to the former question, while a graph theoretical definition for the popularity concept indicates a long-tailed, extreme value distribution. With these two questions, and the answers thereto, the paper contributes to the attempts to understand large-scale characteristics of malware at the grand population level, at the level of the whole Internet.


Original language: English
Title of host publication: Proceedings - 2016 European Intelligence and Security Informatics Conference, EISIC 2016
Publication status: Published - 2 Mar 2017
MoE publication type: A4 Article in a conference publication
Event: European Intelligence and Security Informatics Conference - Uppsala, Sweden
Duration: 17 Aug 2016 to 19 Aug 2016
Conference number: 7


Conference: European Intelligence and Security Informatics Conference
Abbreviated title: EISIC

Research areas

  • Malware, Security intelligence, Web crawling

ID: 13633316