The Impact of IMSI Catcher Deployments on Cellular Network Security: Challenges and Countermeasures in 4G and 5G Networks

IMSI (International Mobile Subscriber Identity) catchers, also known as "Stingrays" or "cell site simulators," are rogue devices that pose a significant threat to cellular network security [1]. IMSI catchers can intercept and manipulate cellular communications, compromising the privacy and security of mobile devices and their users. With the advent of 4G and 5G networks, IMSI catchers have become more sophisticated and pose new challenges to cellular network security [2]. This paper provides an overview of the impact of IMSI catcher deployments on cellular network security in the context of 4G and 5G networks. It discusses the challenges posed by IMSI catchers, including the unauthorized collection of IMSI numbers, interception of communications, and potential misuse of subscriber information. It also highlights the potential consequences of IMSI catcher deployments, including the compromise of user privacy, financial fraud, and unauthorized surveillance. The paper further reviews the countermeasures that can be employed to mitigate the risks posed by IMSI catchers. These countermeasures include network-based solutions such as signal analysis, encryption, and authentication mechanisms, as well as user-based solutions such as mobile applications and device settings. The paper also discusses the limitations and effectiveness of these countermeasures in the context of 4G and 5G networks. Finally, the paper identifies research gaps and future directions for enhancing cellular network security against IMSI catchers in the era of 4G and 5G networks. This includes the need for improved encryption algorithms, authentication mechanisms, and detection techniques to effectively detect and prevent IMSI catcher deployments. The paper also emphasizes the importance of regulatory and policy measures to govern the deployment and use of IMSI catchers to protect user privacy and security

Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse

Domain squatting is a common adversarial practice where attackers register domain names that are purposefully similar to popular domains. In this work, we study a specific type of domain squatting called "combosquatting," in which attackers register domains that combine a popular trademark with one or more phrases (e.g., betterfacebook[.]com, youtube-live[.]com). We perform the first large-scale, empirical study of combosquatting by analyzing more than 468 billion DNS records---collected from passive and active DNS data sources over almost six years. We find that almost 60% of abusive combosquatting domains live for more than 1,000 days, and even worse, we observe increased activity associated with combosquatting year over year. Moreover, we show that combosquatting is used to perform a spectrum of different types of abuse including phishing, social engineering, affiliate abuse, trademark abuse, and even advanced persistent threats. Our results suggest that combosquatting is a real problem that requires increased scrutiny by the security community.Comment: ACM CCS 1

A Survey on Malware Detection with Graph Representation Learning

Malware detection has become a major concern due to the increasing number and complexity of malware. Traditional detection methods based on signatures and heuristics are used for malware detection, but unfortunately, they suffer from poor generalization to unknown attacks and can be easily circumvented using obfuscation techniques. In recent years, Machine Learning (ML) and notably Deep Learning (DL) achieved impressive results in malware detection by learning useful representations from data and have become a solution preferred over traditional methods. More recently, the application of such techniques on graph-structured data has achieved state-of-the-art performance in various domains and demonstrates promising results in learning more robust representations from malware. Yet, no literature review focusing on graph-based deep learning for malware detection exists. In this survey, we provide an in-depth literature review to summarize and unify existing works under the common approaches and architectures. We notably demonstrate that Graph Neural Networks (GNNs) reach competitive results in learning robust embeddings from malware represented as expressive graph structures, leading to an efficient detection by downstream classifiers. This paper also reviews adversarial attacks that are utilized to fool graph-based detection methods. Challenges and future research directions are discussed at the end of the paper.Comment: Preprint, submitted to ACM Computing Surveys on March 2023. For any suggestions or improvements, please contact me directly by e-mai

Identifying Authorship Style in Malicious Binaries: Techniques, Challenges & Datasets

Attributing a piece of malware to its creator typically requires threat intelligence. Binary attribution increases the level of difficulty as it mostly relies upon the ability to disassemble binaries to identify authorship style. Our survey explores malicious author style and the adversarial techniques used by them to remain anonymous. We examine the adversarial impact on the state-of-the-art methods. We identify key findings and explore the open research challenges. To mitigate the lack of ground truth datasets in this domain, we publish alongside this survey the largest and most diverse meta-information dataset of 15,660 malware labeled to 164 threat actor groups

Endpoints and Interdependencies in Internet of Things Residual Artifacts: Measurements, Analyses, and Insights into Defenses

The usage of Internet of Things (IoT) devices is growing fast. Moreover, the lack of security measures among the IoT devices and their persistent online connection give adversaries an opportunity to exploit them for multiple types of attacks, such as distributed denial-of-service (DDoS). To understand the risks of IoT devices, we analyze IoT malware from an endpoint standpoint. We investigate the relationship between endpoints infected and attacked by IoT malware, and gain insights into the underlying dynamics in the malware ecosystem. We observe the affinities and different patterns among endpoints. Towards this, we reverse-engineer 2,423 IoT malware samples and extract IP addresses from them. We further gather information about these endpoints from Internet-wide scans. For masked IP addresses, we examine their network distribution, with networks accumulating more than 100 million endpoints. Moreover, we conduct a network penetration analysis, leveraging information such as active ports, vulnerabilities, and organizations. We discover the possibility of ports being an entry point of attack and observe the low presence of vulnerable services in dropzones. Our analysis shows the tolerance of organizations towards endpoints with malicious intent. To understand the dependencies among malware, we highlight dropzone characteristics including spatial, network, and organizational affinities. Towards the analysis of dropzones\u27 interdependencies and dynamics, we identify dropzones chains. In particular, we identify 56 unique chains, which unveil coordination among different malware families. Our further analysis of chains suggests a centrality-based defense and monitoring mechanism to limit malware propagation. Finally, we propose a defense based on the observed measures, such as the blocked/blacklisted IP addresses or ports. In particular, we investigate network-level and country-level defenses, by blocking a list of ports that are not commonly used by benign applications, and study the underlying issues and possible solutions of such a defense

Backup To The Rescue: Automated Forensic Techniques For Advanced Website-Targeting Cyber Attacks

The last decade has seen a significant rise in non-technical users gaining a web presence, often via the easy-to-use functionalities of Content Management Systems (CMS). In fact, over 60% of the world’s websites run on CMSs. Unfortunately, this huge user population has made CMS-based websites a high-profile target for hackers. Worse still, the vast majority of the website hosting industry has shifted to a “backup and restore” model of security, which relies on error-prone AV scanners to prompt non-technical users to roll back to a pre-infection nightly snapshot. My cyber forensics research directly addresses this emergent problem by developing next-generation techniques for the investigation of advanced cyber crimes. Driven by economic incentives, attackers abuse the trust in this economy: selling malware on legitimate marketplaces, pirating popular website plugins, and infecting websites post-deployment. Furthermore, attackers are exploiting these websites at scale by carelessly dropping thousands of obfuscated and packed malicious files on the webserver. This is counter-intuitive since attackers are assumed to be stealthy. Despite the rise in web attacks, efficiently locating and accurately analyzing the malware dropped on compromised webservers has remained an open research challenge. This dissertation posits that the already collected webserver nightly backup snapshots contain all required information to enable automated and scalable detection of website compromises. This dissertation presents a web attack forensics framework that leverages program analysis to automatically understand the webserver’s nightly backup snapshots. This will enable the recovery of temporal phases of a webserver compromise and its origin within the website supply chain.Ph.D

A Survey of Subscription Privacy on the 5G Radio Interface - The Past, Present and Future

End-user privacy in mobile telephony systems is nowadays of great interest because of the envisaged hyper-connectivity and the potential of the unprecedented services (virtual reality, machine-type communication, vehicle-to-everything, IoT, etc.) being offered by the new 5G system. This paper reviews the state of subscription privacy in 5G systems. As the work on 5G Release 15 -- the first full set of 5G standards -- has recently been completed, this seems to be an appropriate occasion for such a review. The scope of the privacy study undertaken is limited to the wireless part of the 5G system which occurs between the service provider\u27s base station and the subscriber\u27s mobile phone. Although 5G offers better privacy guarantees than its predecessors, this work highlights that there still remain significant issues which need rectifying. We undertook an endeavor to (i) compile the privacy vulnerabilities that already existed in the previous mobile telephony generations. Thereafter, (ii) the privacy improvements offered by the recently finalized 5G standard were aggregated. Consequently, (iii) we were able to highlight privacy issues from previous generations that remain unresolved in 5G Release 15. For completeness, (iv) we also explore new privacy attacks which surfaced after the publication of the 5G standard. To address the identified privacy gaps, we also present future research directions in the form of proposed improvements