1,013 research outputs found
Controlled Data Sharing for Collaborative Predictive Blacklisting
Although sharing data across organizations is often advocated as a promising
way to enhance cybersecurity, collaborative initiatives are rarely put into
practice owing to confidentiality, trust, and liability challenges. In this
paper, we investigate whether collaborative threat mitigation can be realized
via a controlled data sharing approach, whereby organizations make informed
decisions as to whether or not, and how much, to share. Using appropriate
cryptographic tools, entities can estimate the benefits of collaboration and
agree on what to share in a privacy-preserving way, without having to disclose
their datasets. We focus on collaborative predictive blacklisting, i.e.,
forecasting attack sources based on one's logs and those contributed by other
organizations. We study the impact of different sharing strategies by
experimenting on a real-world dataset of two billion suspicious IP addresses
collected from Dshield over two months. We find that controlled data sharing
yields up to 105% accuracy improvement on average, while also reducing the
false positive rate.Comment: A preliminary version of this paper appears in DIMVA 2015. This is
the full version. arXiv admin note: substantial text overlap with
arXiv:1403.212
What If? A Look at Integrity Pacts
This note examines the Integrity Pact (IP) methodology proposed by Transparency International to confront the problem of corruption in public procurement. The examination draws from a decision model for participants developed elsewhere, in which the critical elements are shown to be the vulnerability of the conditions under which the tender is conducted and the risk of bribing. The IP methodology intends to interfere with the central elements in individual tender instantiations by a process of discussion leading to mutual trust; participants and public officials sign a pledge of honesty. Disputes are to be resolved by private arbitration and allegedly enforcement is attained by force of a private contract between participants. Preferably, a civil society organization stimulates and monitors the process and acts as fiducial guarantor. Publicising proceedings stimulates discus-sion and enhances transparency. All this is held to favourably affect the process, leading to better results. This, in turn, is held to affect the overall environment over time. In order to accommodate for the ethical dimension introduced by IPs, the present analysis incorporates an “ethical” factor operating over the conditions under which tenders are conducted. Ascertaining the operation of this hypothetical factor is an empirical question. The examination of IP premises, together with evidence collected from instantiations of the meth-odology, plus the absence of comparative empirical data on bribery, leads to the conclusion that IPs do not heighten the risk of bribing for participants. Contrary to the methodology’s claim, en-forcement, be it from arbitration or otherwise, is shown to be dependent on each particular envi-ronment. Conditions under which particular tenders are conducted might be bettered, but not un-conditionally, as the institutional framework perforce dominates private agreements. The influence of the “ethical” factor cannot be assessed for lack of empirical evidence, and the honesty pledge IPs rely on is argued to be devoid of significance. Although for lack of data the economic effi-ciency of the methodology cannot be ascertained, there is no reason to suppose that IPs do not bet-ter the outcomes piecewise. The methodology fails to address the problem of cartelisation that af-fects public markets, and – perhaps due to the low frequency of its application – does not discuss measures to counterbalance the action of cartels. Interpreting the premises behind the IP idea, it is argued that they stem from a perspective on cor-ruption rooted on morality rather than on the mechanisms that propitiate bribery. Thus, tackling individual instantiations is favoured over confronting systemic factors. IP guidelines stipulate that the absence of allegations of bribery in a tender authorises the sponsor-ing NGO to announce that the tender was “clean”. It is argued that such manifestations of overcon-fidence are hazardous for the reputation of NGOs that adopt the methodology. It is also argued that the continuous involvement of NGOs with IPs raises questions about their entitlement to it, more-over because NGOs are not bound by oversight and accountability constraints that formally charac- terise State organisms. It is contended that for both governments and NGOs, promoting and par-ticipating in IPs is a strategic decision that should be balanced with their effectiveness towards the aim of changing the institutional environment.Control, corruption, integrity pact, public procurement, regulation, Transparency International
Automatic Detection of Malware-Generated Domains with Recurrent Neural Models
Modern malware families often rely on domain-generation algorithms (DGAs) to
determine rendezvous points to their command-and-control server. Traditional
defence strategies (such as blacklisting domains or IP addresses) are
inadequate against such techniques due to the large and continuously changing
list of domains produced by these algorithms. This paper demonstrates that a
machine learning approach based on recurrent neural networks is able to detect
domain names generated by DGAs with high precision. The neural models are
estimated on a large training set of domains generated by various malwares.
Experimental results show that this data-driven approach can detect
malware-generated domain names with a F_1 score of 0.971. To put it
differently, the model can automatically detect 93 % of malware-generated
domain names for a false positive rate of 1:100.Comment: Submitted to NISK 201
On Modeling the Costs of Censorship
We argue that the evaluation of censorship evasion tools should depend upon
economic models of censorship. We illustrate our position with a simple model
of the costs of censorship. We show how this model makes suggestions for how to
evade censorship. In particular, from it, we develop evaluation criteria. We
examine how our criteria compare to the traditional methods of evaluation
employed in prior works
The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire
The vulnerability of the Internet has been demonstrated by prominent IP
prefix hijacking events. Major outages such as the China Telecom incident in
2010 stimulate speculations about malicious intentions behind such anomalies.
Surprisingly, almost all discussions in the current literature assume that
hijacking incidents are enabled by the lack of security mechanisms in the
inter-domain routing protocol BGP. In this paper, we discuss an attacker model
that accounts for the hijacking of network ownership information stored in
Regional Internet Registry (RIR) databases. We show that such threats emerge
from abandoned Internet resources (e.g., IP address blocks, AS numbers). When
DNS names expire, attackers gain the opportunity to take resource ownership by
re-registering domain names that are referenced by corresponding RIR database
objects. We argue that this kind of attack is more attractive than conventional
hijacking, since the attacker can act in full anonymity on behalf of a victim.
Despite corresponding incidents have been observed in the past, current
detection techniques are not qualified to deal with these attacks. We show that
they are feasible with very little effort, and analyze the risk potential of
abandoned Internet resources for the European service region: our findings
reveal that currently 73 /24 IP prefixes and 7 ASes are vulnerable to be
stealthily abused. We discuss countermeasures and outline research directions
towards preventive solutions.Comment: Final version for TMA 201
Evaluating IP Blacklists Effectiveness
IP blacklists are widely used to increase network security by preventing
communications with peers that have been marked as malicious. There are several
commercial offerings as well as several free-of-charge blacklists maintained by
volunteers on the web. Despite their wide adoption, the effectiveness of the
different IP blacklists in real-world scenarios is still not clear. In this
paper, we conduct a large-scale network monitoring study which provides
insightful findings regarding the effectiveness of blacklists. The results
collected over several hundred thousand IP hosts belonging to three distinct
large production networks highlight that blacklists are often tuned for
precision, with the result that many malicious activities, such as scanning,
are completely undetected. The proposed instrumentation approach to detect IP
scanning and suspicious activities is implemented with home-grown and
open-source software. Our tools enable the creation of blacklists without the
security risks posed by the deployment of honeypots
A first look at the misuse and abuse of the IPv4 Transfer Market
The depletion of the unallocated address space in combination with the slow pace of IPv6 deployment have given rise to the IPv4 transfer market, namely the trading of allocated IPv4 prefixes between ASes. While RIRs have established detailed policies in an effort to regulate the IPv4 transfer market for malicious networks such as spammers and bulletproof ASes, IPv4 transfers pose an opportunity to bypass reputational penalties of abusive behaviour since they can obtain "clean" address space or offload blacklisted address space. Additionally, IP transfers create a window of uncertainty about legitimate ownership of prefixes, which adversaries to hijack parts of the transferred address space. In this paper, we provide the first detailed study of how transferred IPv4 prefixes are misused in the wild by synthesizing an array of longitudinal IP blacklists and lists of prefix hijacking incidents. Our findings yield evidence that the transferred network blocks are used by malicious networks to address botnets and fraudulent sites in much higher rates compared to non-transferred addresses, while the timing of the attacks indicates efforts to evade filtering mechanisms
- …