
Extracting Benefit from Harm: Using Malware Pollution to Analyze the Impact of Political and Geophysical Events on the Internet (PowerPoint PPT presentation)

SIGCOMM 2012, 13-17 August 2012, Helsinki, Finland. Extracting Benefit from Harm: Using Malware Pollution to Analyze the Impact of Political and Geophysical Events on the Internet. A. Dainotti, R. Amman, E. Aben, K. C. Claffy (alberto@caida.org), CAIDA/UCSD, www.caida.org



  2. CONTEXT: Analysis of large-scale Internet outages
     • Country-level Internet blackouts: Egypt, Jan 2011. The government orders providers to shut down the Internet (BGP withdrawals, packet filtering, satellite-signal jamming, ...).
     • Natural disasters affecting the infrastructure/population: Japan, Mar 2011, earthquake of magnitude 9.0 (map with the epicenter marked).
     Cooperative Association for Internet Data Analysis, University of California San Diego, www.caida.org

  3. IDEA: "Extracting benefit from harm.."
     • Use Internet Background Radiation (IBR) generated by malware-infected hosts as a "signal".
     Diagram: an infected host randomly scanning the Internet reaches the UCSD Network Telescope, a darknet covering xxx.0.0.0/8.

  4. NOVELTY: Using IBR to study Internet outages
     • Revival of network telescopes. Timeline of telescope research (years marked: 2001, 2002, 2003, 2004, 2005, 2010, 2011): study of the spread of the CodeRed worm, inferring DoS activity, study of the Internet Slammer worm, characteristics of IBR, opportunistic measurement, IBR revisited, Internet outages.
     • Alternative/complementary measurement approaches to study outages:
       - BGP [13][28]
       - Active probing [20][42]
       - Passive traffic [22][24]
       - Google services [13][14]
       - Peer-to-peer traffic [5][6]

  5. THE EVENTS (1/2): Internet disruptions in North Africa
     • Egypt
       - January 25th, 2011: protests start in the country
       - The government orders service providers to "shut down" the Internet
       - January 27th, around 22:34 UTC: several sources report the withdrawal from the Internet's global routing table of almost all routes to Egyptian networks
       - The disruption lasts 5.5 days
     • Libya
       - February 17th, 2011: protests start in the country
       - The government controls most of the country's communication infrastructure
       - February 18th (6.8 hrs), 19th (8.3 hrs), March 3rd (3.7 days): three different connectivity disruptions
     Figure 1: Timeline of Internet disruptions described in the paper. Times in figure are UTC (Egypt and Libya are UTC+2). The pair of red dots indicate the start
     Timeline marks (Feb-Mar 2011): Jan 25; Jan 27 22:12 (5.5 days); Feb 17; Feb 18 23:15 (6.8 hours); Feb 19 21:55 (8.3 hours); Mar 03 16:57 (3.7 days).

  6. NETWORK INFO: Prefixes, ASes, Filtering
     • Egypt
       - 3165 IPv4 and 6 IPv6 prefixes are delegated to Egypt by AfriNIC
       - They are managed by 51 Autonomous Systems
       - Filtering type: BGP only
     • Libya
       - 13 IPv4 prefixes, no IPv6 prefixes
       - 3 Autonomous Systems operate in the country
       - Filtering type: mix of BGP, packet filtering, satellite signal jamming
     Reference: A. Dainotti, C. Squarcella, E. Aben, K. C. Claffy, M. Chiesa, M. Russo, A. Pescapè, "Analysis of Country-wide Internet Outages Caused by Censorship", ACM SIGCOMM Internet Measurement Conference 2011.

  7. EGYPT IBR: packet rate
     Plot: packets per second (0-140) observed at the telescope from Egyptian networks, 01-27 00:00 to 02-04 00:00.

  8. RANDOM PROBING, e.g., Conficker
     Diagram: an infected host randomly scanning the Internet sends a packet to DST xxx.1.2.3, which falls inside the UCSD Network Telescope darknet xxx.0.0.0/8.

  9. BACKSCATTER, e.g., SYN+ACK replies to spoofed SYNs
     Diagram: an attacker spoofing source IPs (src yyy.1.2.3, zzz.4.5.6, xxx.1.2.3) floods a DoS victim; the victim's reply addressed to DST xxx.1.2.3 lands in the UCSD Network Telescope darknet xxx.0.0.0/8.

  10. EGYPT IBR: dissecting it
     Plot: packets per second (0-80), 01-27 00:00 to 02-04 00:00, broken down into backscatter (pps), conficker-like (pps) and other (pps), plus distinct IPs.

  11. EGYPT IBR: rate of distinct src IPs vs packet rate
     Plot: left axis packets per second (0-90) for backscatter, conficker-like and other; right axis distinct IPs per hour (0-700); 01-27 00:00 to 02-04 00:00.
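The dissection of slides 8-11 (random probing vs. backscatter, packet rate vs. distinct source IPs), as an added Python example that is not the authors' code: it classifies constructed darknet records and shows why the distinct-IP count is the steadier outage signal. The TCP-SYN-to-port-445 rule for "Conficker-like" traffic and the RST backscatter flags are assumptions of this example, not statements from the slides.

```python
from collections import defaultdict

# Backscatter = replies a spoofed source address receives (SYN+ACK per slide 9);
# RST/RST+ACK as backscatter and "TCP SYN to port 445" as the Conficker-like
# signature are this example's assumptions, not statements from the slides.
BACKSCATTER_FLAGS = {"SA", "R", "RA"}

def classify(proto, dport, flags):
    """Assign one darknet packet to an IBR component."""
    if proto == "tcp" and flags in BACKSCATTER_FLAGS:
        return "backscatter"
    if proto == "tcp" and flags == "S" and dport == 445:
        return "conficker-like"
    return "other"

def dissect(records, bin_seconds=3600):
    """Per time bin and IBR class: packet rate (pps) and distinct source IPs.
    records are (unix timestamp, src IP, proto, dst port, TCP flags)."""
    pkts = defaultdict(lambda: defaultdict(int))
    srcs = defaultdict(lambda: defaultdict(set))
    for ts, src, proto, dport, flags in records:
        b, cls = ts - ts % bin_seconds, classify(proto, dport, flags)
        pkts[b][cls] += 1
        srcs[b][cls].add(src)
    return {b: {cls: {"pps": n / bin_seconds, "ips": len(srcs[b][cls])}
                for cls, n in classes.items()} for b, classes in pkts.items()}

def build_sample():
    """Constructed records for two hours of probing seen from one country.
    Hour 0: 60 infected hosts, 30 SYNs each. Hour 1 (after the outage): only 6
    hosts still reachable, one of them sending 1650 SYNs, so the packet rate is
    unchanged while the distinct-IP count collapses by 10x."""
    rows = []
    for k in range(60):
        rows += [(k, f"10.0.{k}.7", "tcp", 445, "S")] * 30
    for k in range(6):
        rows += [(3600 + k, f"10.0.{k}.7", "tcp", 445, "S")] * (1650 if k == 0 else 30)
    rows += [(10, "10.5.5.5", "tcp", 80, "SA")] * 100     # DoS victim's backscatter
    rows += [(20, "10.6.6.6", "udp", 53, "")] * 5           # unclassified noise
    return rows
```

Running `dissect(build_sample())` gives 0.5 pps of conficker-like traffic in both hours, but 60 distinct sources in the first and 6 in the second.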

  12. LIBYA: the first two outages
     Plot: ratio of distinct IPs per hour (0-450), 02-18 18:00 to 02-20 18:00.

  13. THE EVENTS (2/2): Earthquakes
     • Christchurch - NZ
       - February 21st, 2011 23:51:42 UTC
       - Local time 22nd, 12:51:42 PM
       - Magnitude: 6.1
     • Tohoku - JP
       - March 11th, 2011 05:46:23 UTC
       - Local time 02:46:23 PM
       - Magnitude: 9.0
     Networks and IP addresses within a given distance of each epicenter:

       Distance (km)   Christchurch - NZ           Tohoku - JP
                       Networks  IP Addresses      Networks  IP Addresses
       < 5                  1           255              0             0
       < 10               283       662,665              0             0
       < 20               292       732,032              0             0
       < 40               299       734,488              0             0
       < 80               309       738,062              5            91
       < 100              310       738,317             58        42,734
       < 200              348       769,936          1,352     1,691,560
       < 300              425       828,315          3,953     4,266,264
       < 400            1,531     3,918,964         16,182    63,637,753
       < 500            1,721     4,171,527         41,522   155,093,650

     We use the MaxMind GeoLite City DB to compute the distance from a given network to the epicenters.

  14. A SIMPLE METRIC to evaluate impact and extension
     - $I_{\Delta t_i}$: number of distinct source IP addresses seen by the telescope over the interval $\Delta t_i$
     - $\Delta t_1, \ldots, \Delta t_n$: 1-hour time slots following the event
     - $\Delta t_{-1}, \ldots, \Delta t_{-n}$: 1-hour time slots preceding the event
     $$\theta = \frac{\sum_{i=-1}^{-24} I_{\Delta t_i}}{\sum_{j=1}^{24} I_{\Delta t_j}}$$

  15. RADIUS OF IMPACT: rough estimate based on θ
     - We compute θ for address ranges geolocated at different distances from the epicenter of the earthquake (0 to 500 km in bins of 1 km each)
     - θ around 1 indicates no substantial change in the number of unique IP addresses observed in IBR before and after the event.
     Plot (Christchurch): θ, ratio of distinct IPs before/after the earthquake (0-3), versus distance from the epicenter (0-500 km); peak annotated at (x=20, y=2.4).

  16. RADIUS OF IMPACT: rough estimate based on θ
     We call radius of impact ρ_max the maximum distance at which we observe a value of θ significantly > 1 (Figure ??).
     Plot (Tohoku): θ, ratio of distinct IPs before/after the earthquake (0-90), versus distance from the epicenter (80-500 km); peak annotated at (x=304, y=9.3).

  17. EXTENSION OF IMPACT: geo coordinates of the most affected networks
     Maps of the networks within each respective radius ρ_max of Figure ??: (a) Christchurch, (b) Tohoku.

  18. "MAGNITUDE": A measure of impact
     • Varying the radius, we pick the highest value of θ calculated for the whole set of networks within the corresponding circle.
     Plot: θ, ratio of distinct IPs before/after the earthquake (0-4), versus radius (0-500 km) for Christchurch and Tohoku; peaks annotated at (x=6, y=2.0) for Christchurch and (x=137, y=3.59) for Tohoku.

                           Christchurch    Tohoku
       Magnitude (θ_max)   2 at 6 km       3.59 at 137 km
       Radius (ρ_max)      20 km           304 km
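The θ metric of slide 14 and the radius/magnitude derivation of slides 15-18, as an added Python example that is not the authors' code: it runs on constructed sightings whose distances are a made-up stand-in for MaxMind geolocation, sweeps 1-km bins for ρ_max and nested circles for θ_max, and uses a 1.2 cut-off for "significantly > 1", which is this example's assumption.

```python
from collections import defaultdict

WINDOW = 24  # 1-hour slots on each side of the event, as in the slides

def build_sample():
    """Constructed sightings (hour offset, src IP, km): offsets -24..-1 before and
    1..24 after the event; km is a made-up stand-in for the MaxMind distance.
    Networks 5-24 km away lose half their hosts; networks 350-499 km away do not."""
    rows = []
    for h in list(range(-WINDOW, 0)) + list(range(1, WINDOW + 1)):
        for k in range(0, 40, 1 if h < 0 else 2):             # near, affected
            rows.append((h, f"10.1.{k}.1", 5 + k // 2))
        for k in range(200):                                  # far, unaffected
            rows.append((h, f"10.9.{k // 256}.{k % 256}", 350 + k % 150))
    return rows

def slot_counts(rows, window=WINDOW):
    """Per network distance: sum of I_dt (distinct src IPs in slot dt) over the
    slots before and after the event. Ranges do not overlap, so sums compose."""
    seen = defaultdict(set)                                   # (km, hour) -> src IPs
    for hour, ip, km in rows:
        if 0 < abs(hour) <= window:
            seen[(km, hour)].add(ip)
    before, after = defaultdict(int), defaultdict(int)
    for (km, hour), ips in seen.items():
        (before if hour < 0 else after)[km] += len(ips)
    return before, after

def theta(counts, in_scope):
    """theta = sum_{i=-1}^{-24} I_{dt_i} / sum_{j=1}^{24} I_{dt_j}, restricted to
    networks whose distance satisfies in_scope(km); None if nothing seen after."""
    before, after = counts
    num = sum(v for km, v in before.items() if in_scope(km))
    den = sum(v for km, v in after.items() if in_scope(km))
    return num / den if den else None

def impact(rows, max_km=500, clearly_above_one=1.2):
    """rho_max from 1-km distance bins (slides 15-16) and theta_max from nested
    circles of growing radius (slide 18); the 1.2 cut-off is an assumption."""
    counts = slot_counts(rows)
    bins = {r: theta(counts, lambda km, r=r: r <= km < r + 1) for r in range(max_km)}
    circles = {r: theta(counts, lambda km, r=r: km <= r) for r in range(1, max_km + 1)}
    rho_max = max((r for r, t in bins.items() if t and t > clearly_above_one), default=0)
    populated = {r: t for r, t in circles.items() if t is not None}
    r_peak = max(populated, key=populated.get)                # first radius at the peak
    return {"rho_max_km": rho_max, "theta_max": populated[r_peak], "at_km": r_peak}
```

On the constructed data `impact(build_sample())` reports ρ_max = 24 km and θ_max = 2.0 at 5 km, the two numbers the slides tabulate per earthquake.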

  19. IP RATE IN TIME reflects the dynamics of the event
     Plots of the number of distinct IPs per hour, with the earthquake marked: Christchurch (0-180, 02-18 00:00 to 03-04 00:00) and Tohoku (100-800, 03-04 00:00 to 03-22 00:00).
