Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks Sumayah Alrwais, Xiaojing Liao, Xianghang.

Presentation transcript:

Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks Sumayah Alrwais, Xiaojing Liao, Xianghang Mi, Peng Wang, XiaoFeng Wang, Feng Qian, Raheem Beyah and Damon McCoy Presented by: Jay Lakhupota

Highlights
Study of the new trend in Bulletproof Hosting services (BPH).
Identifying the new features that uniquely characterize BPH on sub-allocations.
Training classifiers to detect malicious sub-allocated network blocks.
Study of the detected malicious network blocks and the magnitude of this problem.

Motivation
Bulletproof Hosting is a stable base of operation for attackers to conduct illicit operations such as hosting botnet command and control, launching DDoS attacks, phishing, etc. To protect ourselves from such malicious activities, it is important to understand the platform on which they are conducted.

Background
What is a Bulletproof Hosting Service? Bulletproof hosting operations are similar to regular web hosting, but these companies are a lot more lenient about what can be hosted on their servers. They have something of a "don't ask, don't tell" philosophy. (Source: Norton)

Problem
BPH services establish reseller relationships with lower-end hosting service providers.
The parent providers have a better reputation, and as a result host a mix of both legitimate and BPH resellers.
This quickly enables the client to move to another IP when detected.
Blacklisting the lower-end service provider would cause major collateral damage, so it is not feasible.

Problem (cont.)
Figure 1: BPH Ecosystem

Solution
The processing workflow is as follows:

Data Collection
The two main data sets are:
WHOIS: keeps the logs and records all the information about a network block.
PDNS (passive DNS): has the information about the sub-allocations and their corresponding IP addresses.
Other sources of information are:
Blacklist: three types of list, namely CleanMX, SpamHaus EDROP and BL-A.
Ground Truth: two methods were used to generate the labelled sets: finding clean sub-allocations and finding malicious sub-allocations.

Data Processing
There were basically four stages of data processing:
Finding sub-allocations: used the WHOIS data to generate a hierarchical network tree for each network block.
Identifying sub-allocation owners: take the owner object from the WHOIS data and compare it with the owner object of each of its parent objects.
Filtering sub-allocations: select the sub-allocations that host more than 10 TLD+3 names and utilize more than 25% of the network block.
Feature selection and extraction: use PDNS, WHOIS and AS data to extract the information for training the classifier.
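The first three processing stages above (building a block hierarchy from WHOIS, comparing each block's owner against its parents, and filtering by hosted TLD+3 names and utilization) can be sketched in a few dozen lines. The following is an added example, not code from the paper or the presenter: the WHOIS records and passive-DNS rows are constructed (RFC 5737 documentation space), "TLD+3" is approximated as the last four DNS labels with no public suffix list, and a block counts as a distinct sub-allocation when its owner handle differs from every enclosing block's owner, which is one reading of the slide's owner comparison.

```python
"""Toy reconstruction of the sub-allocation processing stages.

Added example; all records below are constructed, not real WHOIS/PDNS data.
"""
import ipaddress
from collections import defaultdict

# Constructed WHOIS-style records: (inetnum in CIDR form, owner handle).
WHOIS_RECORDS = [
    ("203.0.113.0/24", "ORG-PARENT"),
    ("203.0.113.0/26", "ORG-PARENT"),        # same owner as parent: not a sub-allocation
    ("203.0.113.64/26", "ORG-RESELLER-A"),   # distinct owner: sub-allocation
    ("203.0.113.128/25", "ORG-RESELLER-B"),  # distinct owner: sub-allocation
    ("203.0.113.192/27", "ORG-RESELLER-B"),  # nested, same owner as its parent
]

# Constructed passive-DNS rows: (hostname, resolved IP).
# Reseller A's /26 gets 20 hosts on 20 distinct addresses (31% of 64),
# reseller B's /25 gets only 5 hosts on 5 addresses (4% of 128).
PDNS_ROWS = (
    [(f"h{i}.sub-a.example.test", f"203.0.113.{64 + i}") for i in range(20)]
    + [(f"h{i}.sub-b.example.test", f"203.0.113.{128 + i}") for i in range(5)]
)


def build_hierarchy(records):
    """Return (owners, parents): owner handle per block, and each block's
    smallest enclosing block (None for a top-level block)."""
    owners = {ipaddress.ip_network(cidr): owner for cidr, owner in records}
    parents = {}
    for net in owners:
        enclosing = [o for o in owners if o != net and net.subnet_of(o)]
        parents[net] = max(enclosing, key=lambda o: o.prefixlen) if enclosing else None
    return owners, parents


def ancestors(net, parents):
    """Yield every enclosing block, nearest first."""
    p = parents[net]
    while p is not None:
        yield p
        p = parents[p]


def find_sub_allocations(records):
    """Blocks whose owner differs from the owner of every parent block."""
    owners, parents = build_hierarchy(records)
    subs = []
    for net, owner in owners.items():
        if parents[net] is None:
            continue  # top-level allocation, nothing to compare against
        if all(owners[a] != owner for a in ancestors(net, parents)):
            subs.append(net)
    return sorted(subs)


def tld_plus_n(hostname, n=3):
    """Approximate TLD+n as the last n+1 labels (assumption: no public suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-(n + 1):])


def filter_sub_allocations(subs, pdns_rows, min_hosts=10, min_util=0.25):
    """Keep blocks hosting more than min_hosts TLD+3 names and with more than
    min_util of their addresses seen in passive DNS (the slide's thresholds)."""
    seen = defaultdict(lambda: {"names": set(), "ips": set()})
    for hostname, ip in pdns_rows:
        addr = ipaddress.ip_address(ip)
        for net in subs:            # nested blocks both receive the address
            if addr in net:
                seen[net]["names"].add(tld_plus_n(hostname))
                seen[net]["ips"].add(addr)
    kept = []
    for net in subs:
        names, ips = seen[net]["names"], seen[net]["ips"]
        utilization = len(ips) / net.num_addresses
        if len(names) > min_hosts and utilization > min_util:
            kept.append(net)
    return kept


if __name__ == "__main__":
    subs = find_sub_allocations(WHOIS_RECORDS)
    print("sub-allocations:", [str(n) for n in subs])
    print("after filtering:", [str(n) for n in filter_sub_allocations(subs, PDNS_ROWS)])
```

On the constructed input, the /26 owned by the parent organisation and the /27 nested under reseller B are dropped by the owner comparison, and reseller B's /25 is then dropped by the utilization filter, leaving only reseller A's /26 as a candidate for feature extraction. Real WHOIS hierarchies are deeper and owner handles are noisier than this, which is where the paper's later feature engineering takes over.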

Evaluation
To evaluate, they used two types of labelled set:
a highly conservative set,
a noisier set,
and a larger unlabelled set.
Training classifiers: to train the classifiers they used two labelled sets, Set A and Set B, each containing both clean and malicious samples.
Evaluation on labelled data sets: 5-fold cross-validation on each set with two classifiers, Support Vector Machine (SVM) and Random Forest (RF). They were unable to obtain an accurate result due to the noise present in these large data sets.

Evaluation (cont.)
Evaluation on the unlabelled set: run the two trained models (Set A and Set B) on the larger unlabelled set of sub-allocations. The trained models detected 40k (20%) and 20k (10%) sub-allocations respectively.
Manual sampling: sample the detected sub-allocations and investigate them case by case, looking for evidence of false positives.

Exploring the BPH Ecosystem
Running the detector flagged 39k sub-allocations in total, averaging 20k (10%) per processed snapshot. This high percentage of sub-allocations shows that BPH services use WHOIS de-listing, removing their records from WHOIS, to avoid detection. Using this information, they studied the roles of service providers and sub-allocation owners in evading AS-based detection methods.

Limitations
Ground truth: it was unclear which sub-allocations are run by BPH services and how much malicious activity is actually happening on these sub-allocations.
Scope of detection: they were unable to describe the overall infrastructure of BPH services.
Robustness of detection: because the processing time for detection was long, they would not be able to find service providers that are actively colluding.
Apart from that, I think some of the results they obtained were not totally accurate. They had to use these results as estimates of performance.

Future Work
As the authors said, this was just a starting point for classifying and analysing BPH services. It would be better to build a system with reduced processing time that can detect malicious networks even when the service provider is colluding with the BPH service.

Any Questions? Thank you