132 research outputs found
Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse
Domain squatting is a common adversarial practice where attackers register
domain names that are purposefully similar to popular domains. In this work, we
study a specific type of domain squatting called "combosquatting," in which
attackers register domains that combine a popular trademark with one or more
phrases (e.g., betterfacebook[.]com, youtube-live[.]com). We perform the first
large-scale, empirical study of combosquatting by analyzing more than 468
billion DNS records---collected from passive and active DNS data sources over
almost six years. We find that almost 60% of abusive combosquatting domains
live for more than 1,000 days, and even worse, we observe increased activity
associated with combosquatting year over year. Moreover, we show that
combosquatting is used to perform a spectrum of different types of abuse
including phishing, social engineering, affiliate abuse, trademark abuse, and
even advanced persistent threats. Our results suggest that combosquatting is a
real problem that requires increased scrutiny by the security community.Comment: ACM CCS 1
Measuring CDNs susceptible to Domain Fronting
Domain fronting is a network communication technique that involves leveraging
(or abusing) content delivery networks (CDNs) to disguise the final destination
of network packets by presenting them as if they were intended for a different
domain than their actual endpoint. This technique can be used for both benign
and malicious purposes, such as circumventing censorship or hiding
malware-related communications from network security systems. Since domain
fronting has been known for a few years, some popular CDN providers have
implemented traffic filtering approaches to curb its use at their CDN
infrastructure. However, it remains unclear to what extent domain fronting has
been mitigated.
To better understand whether domain fronting can still be effectively used,
we propose a systematic approach to discover CDNs that are still prone to
domain fronting. To this end, we leverage passive and active DNS traffic
analysis to pinpoint domain names served by CDNs and build an automated tool
that can be used to discover CDNs that allow domain fronting in their
infrastructure. Our results reveal that domain fronting is feasible in 22 out
of 30 CDNs that we tested, including some major CDN providers like Akamai and
Fastly. This indicates that domain fronting remains widely available and can be
easily abused for malicious purposes
Practical Attacks Against Graph-based Clustering
Graph modeling allows numerous security problems to be tackled in a general
way, however, little work has been done to understand their ability to
withstand adversarial attacks. We design and evaluate two novel graph attacks
against a state-of-the-art network-level, graph-based detection system. Our
work highlights areas in adversarial machine learning that have not yet been
addressed, specifically: graph-based clustering techniques, and a global
feature space where realistic attackers without perfect knowledge must be
accounted for (by the defenders) in order to be practical. Even though less
informed attackers can evade graph clustering with low cost, we show that some
practical defenses are possible.Comment: ACM CCS 201
Detection of DNS Traffic Anomalies in Large Networks
Almost every Internet communication is preceded by a translation of a DNS name to an IP address. Therefore monitoring of DNS traffic can effectively extend capabilities of current methods for network traffic anomaly detection. In order to effectively monitor this traffic, we propose a new flow metering algorithm that saves resources of a flow exporter. Next, to show benefits of the DNS traffic monitoring for anomaly detection, we introduce novel detection methods using DNS extended flows. The evaluation of these methods shows that our approach not only reveals DNS anomalies but also scales well in a campus network.Téměř každá síťová komunikace je předcházena překladem doménového jména na IP adresu. Měření a následná analýza DNS provozu může účinně rozšířit schopnosti současných metod pro detekci anomálií v celkovém síťovém provozu. Aby bylo možné tento provoz efektivně sledovat, navrhujeme v článku nový algoritmus pro sběr a export síťových toků šetřicí zdroje exportéru. Dále, abychom ukázali výhody monitorování DNS provozu pro detekci anomálií, představujeme nové detekční metody využívající síťové toky rozšířené o informace z DNS paketů. Z vyhodnocení těchto metod vyplývá, že navržený přístup umožňuje úspěšně detekovat anomálie v DNS provozu a to dokonce i v rozsáhlých, univerzitních sítích
Understanding Malvertising Through Ad-Injecting Browser Extensions
Malvertising is a malicious activity that leverages advertising to distribute various forms of malware. Because advertising is the key revenue generator for numerous Internet companies, large ad networks, such as Google, Yahoo and Microsoft, invest a lot of effort to mitigate malicious ads from their ad networks. This drives adversaries to look for alternative methods to deploy malvertising. In this paper, we show that browser extensions that use ads as their monetization strategy often facilitate the deployment of malver-tising. Moreover, while some extensions simply serve ads from ad networks that support malvertising, other extensions maliciously alter the content of visited webpages to force users into installing malware. To measure the extent of these behaviors we developed Expector, a system that automatically inspects and identifies browser extensions that inject ads, and then classifies these ads as malicious or benign based on their landing pages. Using Expector, we auto-matically inspected over 18,000 Chrome browser extensions. We found 292 extensions that inject ads, and detected 56 extensions that participate in malvertising using 16 different ad networks and with a total user base of 602,417
Clust-IT:Clustering-Based Intrusion Detection in IoT Environments
Low-powered and resource-constrained devices are forming a greater part of our smart networks. For this reason, they have recently been the target of various cyber-attacks. However, these devices often cannot implement traditional intrusion detection systems (IDS), or they can not produce or store the audit trails needed for inspection. Therefore, it is often necessary to adapt existing IDS systems and malware detection approaches to cope with these constraints. We explore the application of unsupervised learning techniques, specifically clustering, to develop a novel IDS for networks composed of low-powered devices. We describe our solution, called Clust-IT (Clustering of IoT), to manage heterogeneous data collected from cooperative and distributed networks of connected devices and searching these data for indicators of compromise while remaining protocol agnostic. We outline a novel application of OPTICS to various available IoT datasets, composed of both packet and flow captures, to demonstrate the capabilities of the proposed techniques and evaluate their feasibility in developing an IoT IDS
The arms race: adversarial search defeats entropy used to detect malware
Malware creators have been getting their way for too long now. String-based similarity measures can leverage ground truth in a scalable way and can operate at a level of abstraction that is difficult to combat from the code level. At the string level, information theory and, specifically, entropy play an important role related to detecting patterns altered by concealment strategies, such as polymorphism or encryption. Controlling the entropy levels in different parts of a disk resident executable allows an analyst to detect malware or a black hat to evade the detection. This paper shows these two perspectives into two scalable entropy-based tools: EnTS and EEE. EnTS, the detection tool, shows the effectiveness of detecting entropy patterns, achieving 100% precision with 82% accuracy. It outperforms VirusTotal for accuracy on combined Kaggle and VirusShare malware. EEE, the evasion tool, shows the effectiveness of entropy as a concealment strategy, attacking binary-based state of the art detectors. It learns their detection patterns in up to 8 generations of its search process, and increments their false negative rate from range 0–9%, up to the range 90–98.7%
- …