SLIDE 1

Measuring the Impact of Sharing Abuse Data with Web Hosting Providers

Marie Vasek, Matthew Weeden, and Tyler Moore

University of Tulsa

WISCS 24 October 2016

1 of 27

SLIDE 2
SLIDE 3

StopBadware

  • Founded in 2006 by Harvard’s Berkman Klein Center for Internet and Society
  • Now housed at the University of Tulsa
  • Provides independent reviews of websites appearing on 3 malware blacklists

3 of 27

SLIDE 4

Review Requests for Individual URLs

4 of 27

SLIDE 5

Review Requests for Bulk URLs

5 of 27

SLIDE 6

Research Questions

Does sending bulk reports help?

  • Short term:
      • Do reported URLs get cleaned up?
      • Which URLs are more likely to get cleaned up?
  • Long term:
      • Do ASes get better at cleaning URLs after receiving bulk reports?

6 of 27

SLIDE 7

Overview

  • Brief overview of study
  • Define metrics
  • Direct impact of sharing abuse data
  • Indirect impact of sharing abuse data
  • Conclusions

7 of 27

SLIDE 8

Bulk Requests over Time

[Figure: # URLs shared (log scale) by date shared, 2010 to 2015]

8 of 27

SLIDE 9

Summary Statistics

  • Google Safe Browsing data used exclusively
  • 6-year time frame (2010 - 2015)
  • 69 stakeholders requested reports
  • 41 web hosting providers in our study
      • Responsible for entire AS
      • Sent Google Safe Browsing data
      • Had at least a month of data before/after
  • 28 548 URLs reported

9 of 27

SLIDE 10

Malware Cleanup Metrics

  • Clean
      • Off the blacklist
      • Stays off for 3 weeks
  • Recompromise
      • A previously blacklisted URL is clean and then is reblacklisted

10 of 27

SLIDE 11

Measuring Direct and Indirect Impact of Reporting

  • Direct Impact
      • Are the URLs we shared cleaned up?
  • Indirect Impact
      • Are networks “better” after receiving a bulk review from StopBadware?
          • Do they clean malware URLs faster?
          • Do they clean malware URLs more effectively?

11 of 27

SLIDE 12

Measurement Timeline

[Timeline figure: events in order: blacklisted, reported, clean; intervals: blacklist to report, report to clean, blacklist to clean]

12 of 27

SLIDE 13

Cleanup of URLs Shared with ASes

[Figure: URLs shared with ASes. x-axis: Report to Clean (days), log scale; y-axis: Pr(report to clean days >= X)]

13 of 27
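
An added example (not from the presentation or the authors' code) showing one way to turn the definitions on the Malware Cleanup Metrics and Measurement Timeline slides into code: it derives the three intervals and the recompromise flag per URL, then the empirical Pr(report to clean days >= X). The input layout, function names, sample URLs and the handling of URLs never observed clean are assumptions.

```python
from datetime import date as D, timedelta

CLEAN_WINDOW = timedelta(weeks=3)  # "stays off for 3 weeks" (Malware Cleanup Metrics)

def episodes(listings, observed_until):
    """Merge blacklist periods separated by gaps shorter than CLEAN_WINDOW.
    listings: sorted (on, off) dates; off is None only on a still-listed last period.
    Returns [on, clean] pairs; clean is None when cleanup is not confirmed."""
    merged = []
    for on, off in listings:
        if merged and on - merged[-1][1] < CLEAN_WINDOW:
            merged[-1][1] = off            # brief delisting: same infection
        else:
            merged.append([on, off])
    last = merged[-1]
    if last[1] is not None and observed_until - last[1] < CLEAN_WINDOW:
        last[1] = None                     # off the list too recently to count as clean
    return merged

def url_metrics(listings, reported, observed_until):
    """Intervals from the Measurement Timeline slide, in days, for one URL.
    Assumes the report was sent during a blacklisting episode."""
    eps = episodes(listings, observed_until)
    idx = next(i for i, (on, clean) in enumerate(eps)
               if on <= reported and (clean is None or reported <= clean))
    on, clean = eps[idx]
    span = lambda a, b: (b - a).days if b else None
    return {"blacklist_to_report": span(on, reported),
            "report_to_clean": span(reported, clean),
            "blacklist_to_clean": span(on, clean),
            # recompromise: clean, then blacklisted again in a later episode
            "recompromised": clean is not None and idx + 1 < len(eps)}

def survival(durations, x):
    """Empirical Pr(days >= x). URLs never observed clean (None) count as
    surviving at every x; a simplification, not a Kaplan-Meier estimate."""
    return sum(d is None or d >= x for d in durations) / len(durations)

END = D(2014, 12, 31)                      # end of the constructed observation window
SAMPLE = {                                 # constructed data, not from the study
    "a.example/x": ([(D(2014, 1, 1), D(2014, 1, 10)), (D(2014, 1, 15), D(2014, 2, 20)),
                     (D(2014, 6, 1), D(2014, 6, 5))], D(2014, 2, 1)),
    "b.example/y": ([(D(2014, 3, 1), D(2014, 3, 4))], D(2014, 3, 2)),
    "c.example/z": ([(D(2014, 5, 1), None)], D(2014, 5, 20)),
}
RESULTS = {url: url_metrics(periods, rep, END) for url, (periods, rep) in SAMPLE.items()}
R2C = [m["report_to_clean"] for m in RESULTS.values()]

if __name__ == "__main__":
    for url, m in RESULTS.items():
        print(url, m)
    print([round(survival(R2C, x), 2) for x in (1, 5, 30)])
```

The first sample URL drops off the list for five days and returns; because that gap is under three weeks it is treated as one infection, and only the listing months later counts as a recompromise.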

SLIDE 14

Measurement Timeline

[Timeline figure: events in order: blacklisted, reported, clean; intervals: blacklist to report, report to clean, blacklist to clean]

14 of 27

SLIDE 15

Long Lived Malware Takes Longer to Clean

[Figure: x-axis: Decile for Blacklist to Report (Days), 0-10% through 90-100%; bars: Median Report to Clean (Days); line: Blacklist to Report (Days)]

15 of 27

SLIDE 16

Pre- vs. Post-Contact Cleanup

[Figure: Survival probability before and after contact. x-axis: Blacklist to Clean (days), log scale; y-axis: Pr(blacklist to clean days >= X); series: pre-contact, post-contact]

16 of 27

SLIDE 17

Pre- vs. Post-Contact Cleanup: Improved AS

17 of 27

SLIDE 18

Pre- vs. Post-Contact Cleanup: Worsened AS

18 of 27

SLIDE 19

Pre- vs. Post-Contact Cleanup: Unclear effect AS

19 of 27

SLIDE 20

Change in Metrics Pre- and Post- Sharing

             #    ∆ days to clean    ∆ recomp. rate
Improved    13    58                 0.010
Worsened     3    176                0.085
Unclear     17    13                 0.008

20 of 27

SLIDE 21

Comparing Change in Metrics by AS

[Figure: scatter plot by AS. Axes: Median blacklist to clean, pre-sharing minus post-sharing; Median recompromise rate, pre-sharing minus post-sharing. Legend: Top Quartile Report to Clean, 2nd Quartile Report to Clean, 3rd Quartile Report to Clean, Bottom Quartile Report to Clean]

21 of 27

SLIDE 22

Matched Pair Analysis

  • What would happen if StopBadware had not sent out reviews?
  • Matched pairs between reported-to ASes and similar ASes
  • Similar?
      • Same country
      • Similar level of badness
  • Key Assumption: All else equal, ASes would exhibit similar patterns

22 of 27

SLIDE 23

Measurement Timeline

[Timeline figure: events in order: blacklisted, reported, clean; intervals: blacklist to report, report to clean, blacklist to clean]

23 of 27

SLIDE 24

Matched Pair: Cleanup of URLs Shared with ASes

[Figure: URLs shared with ASes. x-axis: Report to Clean (days), log scale; y-axis: Pr(report to clean days >= X); series: reported ASes, matched pairs]

24 of 27

SLIDE 25

Matched Pair: Pre- vs. Post-Contact Cleanup

[Figure: Survival probability before and after contact. x-axis: Blacklist to Clean (days), log scale; y-axis: Pr(blacklist to clean days >= X); series: pre-contact, post-contact, pre-contact (mp), post-contact (mp)]

25 of 27

SLIDE 26

Responsive ASes Improve Long Term after Report

[Figure: scatter plot by AS. Axes: Median blacklist to clean, pre-sharing minus post-sharing; Median recompromise rate, pre-sharing minus post-sharing. Legend: Top Quartile Report to Clean, 2nd Quartile Report to Clean, 3rd Quartile Report to Clean, Bottom Quartile Report to Clean]

26 of 27

SLIDE 27

Conclusions

  • Directly sharing URLs helps clean up those URLs
      • Consistent with prior work on individual reports
      • This work finds it to be true for bulk reporting
  • No evidence for long term change overall
      • Improvements on individual providers
  • Long lived malware a scourge
      • Lots of efforts concentrating on newly infected websites
      • Lurking infections continue to harm, perhaps compounding
      • Current efforts not sufficient for stopping this “immortal” malware

27 of 27