Presentation is loading. Please wait.

Presentation is loading. Please wait.

Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks Sumayah Alrwais, Xiaojing Liao, Xianghang.

Published byCory Taylor Modified over 7 years ago

Similar presentations

Presentation on theme: "Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks Sumayah Alrwais, Xiaojing Liao, Xianghang."— Presentation transcript:

1 Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks Sumayah Alrwais, Xiaojing Liao, Xianghang Mi, Peng Wang, XiaoFeng Wang, Feng Qian, Raheem Beyah and Damon McCoy Presented by: Jay Lakhupota

2 Highlights Study of the new trend of Bulletproof Hosting services (BPH). Identifying the new features that uniquely characterizes the BPH on sub- allocations. Training the classifiers to detect the malicious sub-allocated network blocks. Study of the detected malicious network blocks and the magnitude of this problem.

3 Motivation Bulletproof Hosting is a stable base of operation for attackers to conduct the illicit operations such as hosting botnet command and control, launching DDoS attacks and phishing etc. To prevent ourselves from such malicious activities, it is important to know the platform on which these activities are conducted.

4 Background What is Bulletproof Hosting Service?
Bulletproof hosting operations are similar to regular web hosting, however these companies are a lot more lenient about what can be hosted on their servers. It has somewhat of a “don’t ask, don’t tell” philosophy.  (Source: Norton)

5 Problem Establishment of reseller relationship with lower end hosting service providers. Better reputation of parent providers, as a result gives a mix of both legitimate and BPH resellers. Quickly enables the client to move to another IP when detected. Blacklisting lower end service provider would cause a major damage which is not feasible.

6 Problem(conti….) Figure 1: BPH Ecosystem

7 Solution The processing of the work flow is as follows:

8 Data Collection Other source of information are:
The main two data sets of information are: WHOIS: Keeps the logs and record all the information of network block. PDNS (Passive Domain Name Server): Has the information regarding the sub- allocations and their corresponding IP addresses. Other source of information are: Blacklist: has three types of list which are CleanMX, SpamHaus Edrop and BL-A. Ground Truth: two ways used in generating the labelled sets those are: Finding clean sub-allocations, finding malicious sub-allocations.

9 Data Processing There were basically four stages for data processing:
Finding sub-allocations: Used the WHOIS data to generate hierarchy network tree for each network block. Identifying sub-allocations owners: Considering the owner object from WHOIS data and comparing it with the owner object of all of its parent object. Filtering sub-allocations: Selecting the sub-allocations that hosts more than 10 TLD+3 and are utilizing more than 25% of the network block. Feature selection and extraction: Uses PDNS, WHOIS and AS to extract the information for training the classifier.

10 Evaluation To evaluate they used two types of label sets:
Highly conservative set Noisier set And a larger unlabelled set Training classifiers: To train classifiers they used two labelled sets Set A and Set B which contains both clean and malicious samples. Evaluation on Labelled Datasets: Uses 5-fold cross validation to evaluate the set with the help of two classifiers i.e. Support Vector Mechanism(SVM) and Random Forest(RF). They were unable to obtain an accurate result due to noise present in those large data set.

11 Evaluation(conti…) Evaluation on Unlabelled Set: Run the two trained models Set A and Set B on larger unlabelled set of sub-allocations. As a result they detected 40k(20%) and 20k(10%) sub-allocations from the trained models. Manual Sampling: sample the sub-allocations and investigate them case by case looking for evidence of False Positive.

12 Exploring the BPH Ecosystem
Upon running the detector they detected 39k sub-allocations in total, averaging 20k(10%) per processed snapshot. This high percentage of sub-allocations shows that the operation of BPH services uses WHOIS de-listing method to avoid the detection by de-listing from WHOIS record. Using this information they studied the role of service providers and the sub-allocations owners to avoid the AS based detection method.

13 Limitations Ground truth: It was unclear as to which sub-allocations are run by BPH services and how much malicious activities are actually happening on these sub-allocations. Scope of detection: They were unable to tell the overall infrastructure of BPH services. Robustness of Detection: As the processing time for detection was long so they will not be able to find the service providers which are colluding actively. Apart from that I think the some results that they obtained were not totally accurate. They had to use these result as estimates of performance.

14 Future Work As the authors said that this was just a start point for classifying and analysing these BPH services. So it would be better to create a system where the processing time is reduced and can detect the malicious network such that when the service provider is colluding with these BPH services.

15 Any Questions? Thank you

Download ppt "Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks Sumayah Alrwais, Xiaojing Liao, Xianghang."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
1 Network-Level Spam Detection Nick Feamster Georgia Tech.

1 Network-Level Spam Detection Nick Feamster Georgia Tech.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.

RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.
Early Detection of Outgoing Spammers in Large-Scale Service Provider Networks Yehonatan Cohen Daniel Gordon Danny Hendler Ben-Gurion University Yehonatan.

Early Detection of Outgoing Spammers in Large-Scale Service Provider Networks Yehonatan Cohen Daniel Gordon Danny Hendler Ben-Gurion University Yehonatan.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
SESSION ID: #RSAC Chaz Lever Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa,

SESSION ID: #RSAC Chaz Lever Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa,
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Supervised classification performance (prediction) assessment Dr. Huiru Zheng Dr. Franscisco Azuaje School of Computing and Mathematics Faculty of Engineering.

Supervised classification performance (prediction) assessment Dr. Huiru Zheng Dr. Franscisco Azuaje School of Computing and Mathematics Faculty of Engineering.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
Authors: Thomas Ristenpart, et at.

Authors: Thomas Ristenpart, et at.
Mapping Out Cyber Crime Infrastructure A Law Enforcement Approach Jon Flaherty UK National Cyber Crime Unit 13 th May 2015 RIPE 70 - Amsterdam.

Mapping Out Cyber Crime Infrastructure A Law Enforcement Approach Jon Flaherty UK National Cyber Crime Unit 13 th May 2015 RIPE 70 - Amsterdam.
SocialFilter: Introducing Social Trust to Collaborative Spam Mitigation Michael Sirivianos Telefonica Research Telefonica Research Joint work with Kyungbaek.

SocialFilter: Introducing Social Trust to Collaborative Spam Mitigation Michael Sirivianos Telefonica Research Telefonica Research Joint work with Kyungbaek.
Test Review. What is the main advantage to using shadow copies?

Test Review. What is the main advantage to using shadow copies?
Combining Supervised and Unsupervised Learning for Zero-Day Malware Detection © 2013 Narus, Inc. Prakash Comar 1 Lei Liu 1 Sabyasachi (Saby) Saha 2 Pang-Ning.

Combining Supervised and Unsupervised Learning for Zero-Day Malware Detection © 2013 Narus, Inc. Prakash Comar 1 Lei Liu 1 Sabyasachi (Saby) Saha 2 Pang-Ning.
Company Confidential Registration Management Committee 1 AS9104/1 Certification Structures - Client and CB Agreement July 17, 2014 Tim Lee Chair - IAQG.

Company Confidential Registration Management Committee 1 AS9104/1 Certification Structures - Client and CB Agreement July 17, 2014 Tim Lee Chair - IAQG.
PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University.

PhishNet: Predictive Blacklisting to Detect Phishing Attacks Pawan Prakash Manish Kumar Ramana Rao Kompella Minaxi Gupta Purdue University, Indiana University.
SURF:SURF: Detecting and Measuring Search Poisoning Long Lu, Roberto Perdisci, and Wenke Lee Georgia Tech and University of Georgia.

SURF:SURF: Detecting and Measuring Search Poisoning Long Lu, Roberto Perdisci, and Wenke Lee Georgia Tech and University of Georgia.

Similar presentations

Ads by Google