CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers - PowerPoint PPT Presentation



SLIDE 1

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers

  • A. Nappa, Z. Xu, M.Z. Rafique, J. Caballero, G. Gu

IMDEA Software Institute; SUCCESS Lab, Texas A&M University

SLIDE 2

Cybercriminals use geographically distributed servers to run their malicious operations

  • Exploit servers -> Malware distribution
  • Payment servers -> Monetization
  • Redirectors -> Anonymity
  • C&C servers -> Control botnets
  • P2P bots (server functionality)

SLIDE 3

What is CyberProbe

[Figure: Paunch's operation, with its servers labelled MALICIOUS and BENIGN]

SLIDE 4

Existing detection techniques: Passive

  • Honeypots
  • Spamtraps

LIMITATIONS
  • Slow
  • Incomplete (i.e., limited view)

SLIDE 5

Existing detection techniques: Active

  • Run malware samples
  • Honeyclient farms (e.g., Google Safebrowsing)

LIMITATIONS
  • Expensive
  • Incomplete (e.g., Safebrowsing focuses on exploit servers)

SLIDE 6

Contributions

  • Novel active probing approach for Internet-scale detection of malicious servers
  • Novel adversarial fingerprint generation technique
  • Implement approach into CyberProbe
  • Use CyberProbe for 24 localized and Internet-wide scans
  • Identifies 151 malicious servers
  • 75% of the servers unknown to databases of malicious activity (e.g., VirusTotal, UrlQuery)
  • Identifies provider locality property

SLIDE 7

CyberProbe in a nutshell

[Figure: pipeline. Adversarial Fingerprint Generation takes network traces, benign traffic and seed servers and produces fingerprints; Scanning takes the fingerprints, a port and target ranges and outputs malicious servers]

SLIDE 8

Fingerprints

  • A fingerprint for each operation & server type
  • A fingerprint comprises:
  • A probe construction function -> Packet
  • A classification function -> Snort signature

Example fingerprint: Clickpayz1

Probe: GET /td?aid=e9xmkgg5h6&said=26427
Signature: content:"302"; http_stat_code; content:"\r\n\r\nLoading…"

SLIDE 9

Adversarial Fingerprint Generation: Goals

  • Minimize traffic
  • Generate inconspicuous probes

SLIDE 10

Adversarial Fingerprint Generation: Architecture

[Figure: pipeline. Seeds -> Replay through VPN -> RRP extraction -> RRPs -> Clustering RRPs -> EDPs -> FP signature generation (using a benign traffic cluster) -> Fingerprints]

SLIDE 11

Generation details

  • Replay
  • VPN for: anonymity, IP diversity and for new states
  • Check result against random resource from the server

GET /td?aid=e9xmkgg5h6&said=26427  vs.  GET /asdfgh.html  ->  Compare
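A worked version of the Clickpayz1 fingerprint from slide 8 combined with the random-resource comparison from this slide, added here as an example and not the CyberProbe authors' code. It assumes the Snort rule's "Loading…" is the literal string "Loading...", and it replaces the network with an in-memory stand-in (`fake_send_factory`, hypothetical) built on constructed responses so it runs offline.

```python
"""Fingerprint = probe construction function + classification function,
plus the random-resource check: a server only counts as a match when the
probe response matches the signature and a random path does not, which
filters servers that answer every request the same way."""
import re
import secrets
import string

PROBE_PATH = "/td?aid=e9xmkgg5h6&said=26427"   # probe from the Clickpayz1 slide

def build_probe(path: str, host: str = "example.invalid") -> bytes:
    """Probe construction function: one plain HTTP/1.1 GET (host is a placeholder)."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()

def classify(response: bytes) -> bool:
    # Mirrors the Snort rule: content:"302"; http_stat_code; content:"\r\n\r\nLoading..."
    m = re.match(rb"HTTP/1\.[01] (\d{3})", response)
    if not m or m.group(1) != b"302":
        return False
    return b"\r\n\r\nLoading..." in response

def random_path() -> str:
    """Random resource that a real server should not answer like the probe path."""
    return "/" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(8)) + ".html"

def fingerprint_matches(send, host: str) -> bool:
    """Compare step: probe must fire and the random resource must not.
    `send` is a hypothetical transport: send(host, request_bytes) -> response_bytes."""
    probe_hit = classify(send(host, build_probe(PROBE_PATH, host)))
    random_hit = classify(send(host, build_probe(random_path(), host)))
    return probe_hit and not random_hit

# Constructed sample responses (not captured traffic).
C2_STYLE = (b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n"
            b"Content-Length: 10\r\n\r\nLoading...")
NOT_FOUND = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"

def fake_send_factory(behaviour: dict):
    """Offline stand-in for the network: host -> (response to the probe path, response to anything else)."""
    def send(host: str, request: bytes) -> bytes:
        path = request.split(b" ", 2)[1].decode()
        probe_response, default_response = behaviour[host]
        return probe_response if path == PROBE_PATH else default_response
    return send

SEND = fake_send_factory({
    "seed-a.invalid": (C2_STYLE, NOT_FOUND),    # answers the probe like a Clickpayz server
    "catch-all.invalid": (C2_STYLE, C2_STYLE),  # answers every path the same way: not a match
    "benign.invalid": (NOT_FOUND, NOT_FOUND),
})
```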

SLIDE 12

Scanning

  • 3 scanners:
    • Horizontal -> SYN scan
    • AppTCP scanner (sends app-level probe)
    • UDP scanner
  • 3 scan ranges:
    • Localized-reduced
    • Localized-extended
    • Internet-wide
  • Signature matching uses Snort

SLIDE 13

AppTCP and UDP scanners

[Figure: CyberProbe sends probes across the Internet to servers of malicious family A and to a benign server]

SLIDE 14

Scanning summary

TCP

  • TCP horizontal scanner (fast, polite)
  • TCP sniffer (reliable way to get responses to our probes)
  • AppTCP scanner (Asynchronous + Snort)

UDP

  • UDP scanner (fast, polite) + Snort

SLIDE 15

Ethical Considerations

To scan as politely as possible we:
  • Rate-limit scanners
  • Set up forward and backward DNS entries for scanners
  • Set up a webpage in the scanners to explain our experiment
  • Remove from scans (whitelist) the ranges of providers that request so
  • Manually check fingerprints

SLIDE 16

Adversarial fingerprint generation results

| Type        | Source     | Families | Pcaps | RRPs   | RRPs Replayed | Seeds | Fingerprints |
|-------------|------------|----------|-------|--------|---------------|-------|--------------|
| Malware     | VirusShare | 152      | 918   | 1,639  | 193           | 19    | 18           |
| Malware     | MALICIA    | 9        | 1,059 | 764    | 602           | 2     | 2            |
| Honeyclient | MALICIA    | 6        | 1,400 | 42,160 | 9,497         | 5     | 2            |
| Honeyclient | UrlQuery   | 1        | 4     | 11     | 11            | 1     | 1            |

SLIDE 17

AppTCP Scan Results

  • 151 total servers found with the scans
  • VirusTotal knew only about 25% of the servers
  • UrlQuery 15%
  • MalwareDomainList and VxVault 1%

4x Better Coverage

SLIDE 18

Servers and Operations

| Operation    | Fingerprints | Seeds | Servers | Prov. | Provider Loc. |
|--------------|--------------|-------|---------|-------|---------------|
| bestav       | 3            | 4     | 23      | 7     | 3.3           |
| bh2-adobe    | 1            | 1     | 13      | 7     | 1.8           |
| bh2-ngen     | 1            | 1     | 2       | 2     | 1.0           |
| blackrev     | 1            | 1     | 2       | 2     | 1.0           |
| clickpayz    | 2            | 2     | 51      | 6     | 8.5           |
| doubleighty  | 1            | 1     | 18      | 9     | 2.0           |
| kovter       | 2            | 2     | 9       | 4     | 2.2           |
| ironsource   | 1            | 1     | 7       | 4     | 1.7           |
| optinstaller | 1            | 1     | 18      | 4     | 2.0           |
| soft196      | 1            | 1     | 8       | 4     | 2.0           |
| TOTAL        | 14           | 15    | 151     | 47    | 3.2 (avg.)    |

SLIDE 19

Observations

Provider Locality: once a relationship has been established with a provider, it is very likely that more than one malicious server will be set up with this provider

SLIDE 20

P2P bots Scan Results

| Type | Start Date | Port      | Fingerprint | Targets | SC | Rate   | Time | Found           |
|------|------------|-----------|-------------|---------|----|--------|------|-----------------|
| R    | 2013-03-19 | UDP/16471 | zeroaccess  | 40,448  | 1  | 10     | 1.2h | 55 (0.13%)      |
| I    | 2013-05-03 | UDP/16471 | zeroaccess  | 2.6B    | 4  | 50,000 | 3.6h | 7,884 (0.0003%) |

SLIDE 21

Related Work

Scanning:

  • Leonard et al. IMC '10
  • Heninger et al. Usenix Security '12
  • Zmap

Fingerprinting:

  • FiG
  • PeerPress

Signature Generation:

  • Honeycomb, Autograph, EarlyBird, Polygraph, Hamsa
  • Botzilla, Perdisci et al., Firma

SLIDE 22

Conclusion

  • Novel active probing approach for Internet-scale detection of malicious servers
  • Novel adversarial fingerprint generation technique
  • Implement approach into CyberProbe
  • Use CyberProbe for 24 localized and Internet-wide scans
  • Identifies 151 malicious servers
  • 75% of the servers unknown to databases of malicious activity (e.g., VirusTotal, UrlQuery)
  • Identifies provider locality property
SLIDE 23

Thanks!

SLIDE 24

Future Work

  • Scanner IP diversity
  • Completeness
  • Shared hosting (e.g., CDNs)
  • Complex protocol semantics