A Downloader Graph-based Early Detection System for Malware
BumJun Kwon - MC2
Friday, May 8, 2015, 11:00 am-12:00 pm Calendar
Abstract
The increased volume and sophistication of malware has led recent research to focus on content-agnostic malware detection techniques. Existing work using such techniques relies largely on understanding how malicious software is distributed to client machines.
In this paper, we present a complementary study that analyzes the download activity of software once it has been dropped on client machines, and shows how these behavioral features can be used to distinguish malicious activity from benign behavior.
We introduce a novel graph-based abstraction, the download activity graph, to describe the download activities on host machines. We also introduce the notion of an influence graph, defined for each piece of software, that characterizes the download activity caused by that software.
We use real data from one of the largest security firms to construct influence graphs and apply data-driven techniques to uncover unique and explainable insights, e.g.: (1) the influence graphs of trojans and PPI (pay-per-install) malware tend to have a high clustering coefficient, whereas benign downloaders show low clustering; (2) adware has a low clustering coefficient, but its influence graphs vary far less across machines than benign influence graphs do; (3) about 50% of trojans have download cycles in their influence graphs; (4) the influence graphs of PPI malware vary more across machines than those of trojans and adware; (5) PPI malware has a much longer download life cycle than trojans and adware; and many more.
Finally, we use these features to train a classifier that separates malware from benign software. Our classifier demonstrates high accuracy and a low false positive rate. Our techniques also outperform a competitive baseline based on VirusTotal in the early detection of previously unknown malicious software.
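As an added illustration (not code from the talk or the underlying paper), the following Python sketch builds a per-machine download activity graph from constructed download events, extracts the influence graph of one piece of software (everything it transitively caused to be downloaded), and computes two of the features the abstract names: the clustering coefficient and the presence of a download cycle. The event format, the machine and file identifiers, and the exact definitions of "download activity graph" and "influence graph" are assumptions made for this example; the talk's own definitions may differ.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed download events for illustration: (machine, downloader, downloaded file).
# Identifiers are made up; they are not data from the talk.
# On m1 a dropper fetches two bundles that download each other and one of them
# re-downloads the dropper (a download cycle). On m2 a benign updater fetches
# two patches that never interact.
EVENTS: List[Tuple[str, str, str]] = [
    ("m1", "browser", "installer_a"),
    ("m1", "installer_a", "bundle_b"),
    ("m1", "installer_a", "bundle_c"),
    ("m1", "bundle_b", "bundle_c"),      # siblings downloading each other -> clustering
    ("m1", "bundle_c", "installer_a"),   # cycle back to the dropper
    ("m2", "browser", "updater"),
    ("m2", "updater", "patch_1"),
    ("m2", "updater", "patch_2"),
]

Graph = Dict[str, Set[str]]  # directed adjacency: downloader -> files it downloaded


def build_graphs(events: List[Tuple[str, str, str]]) -> Dict[str, Graph]:
    """One download activity graph per machine (assumed definition: a directed
    graph whose edge u->v records that u downloaded v on that machine)."""
    graphs: Dict[str, Graph] = defaultdict(lambda: defaultdict(set))
    for machine, src, dst in events:
        graphs[machine][src].add(dst)
        graphs[machine].setdefault(dst, set())
    return graphs


def influence_graph(graph: Graph, root: str) -> Graph:
    """Assumed definition: the subgraph induced by every node reachable from root."""
    seen = {root}
    stack = [root]
    while stack:
        n = stack.pop()
        for m in graph.get(n, ()):
            if m not in seen:
                seen.add(m)
                stack.append(m)
    return {n: {m for m in graph.get(n, ()) if m in seen} for n in seen}


def clustering_coefficient(sub: Graph) -> float:
    """Average local clustering coefficient over the undirected version of sub."""
    und: Dict[str, Set[str]] = defaultdict(set)
    for n, outs in sub.items():
        for m in outs:
            if m != n:
                und[n].add(m)
                und[m].add(n)
    total = 0.0
    for n in sub:
        nb = und[n]
        k = len(nb)
        if k < 2:
            continue  # local coefficient is defined as 0 for degree < 2
        links = sum(1 for a in nb for b in nb if a < b and b in und[a])
        total += 2.0 * links / (k * (k - 1))
    return total / len(sub) if sub else 0.0


def has_cycle(sub: Graph) -> bool:
    """Directed cycle check by DFS colouring (white/grey/black)."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {n: WHITE for n in sub}

    def dfs(n: str) -> bool:
        color[n] = GREY
        for m in sub[n]:
            if color[m] == GREY or (color[m] == WHITE and dfs(m)):
                return True
        color[n] = BLACK
        return False

    return any(color[n] == WHITE and dfs(n) for n in sub)


def dropper_features(events, software: str) -> Dict[str, dict]:
    """Per-machine features of `software`'s influence graph, for every machine
    on which it appears. Comparing these across machines is how variation
    (insights 2 and 4 above) would be measured."""
    out = {}
    for machine, g in build_graphs(events).items():
        if software not in g:
            continue
        ig = influence_graph(g, software)
        out[machine] = {
            "reach": len(ig) - 1,               # files transitively caused by it
            "clustering": clustering_coefficient(ig),
            "cycle": has_cycle(ig),
        }
    return out


if __name__ == "__main__":
    for name in ("installer_a", "updater"):
        print(name, dropper_features(EVENTS, name))
```

On the constructed data the dropper's influence graph is a fully connected triangle with a back edge, so it scores a clustering coefficient of 1.0 and contains a cycle; the updater's star-shaped graph scores 0.0 and is acyclic, matching the direction of the insights the abstract reports.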
This talk is organized by Yupeng Zhang