traffickstop
play

TraffickStop: Detecting and Measuring Illicit Traffic Monetization - PowerPoint PPT Presentation

Dec 22, 2022 •514 likes •819 views

TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS Analysis Baojun Liu, Zhou Li, Peiyuan Zong, Chaoyi Lu , Haixin Duan, Ying Liu, Sumayah Alrwais, Xiaofeng Wang, Shuang Hao, Yaoqi Jia, Yiming Zhang, Kai

  1. TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS Analysis Baojun Liu, Zhou Li, Peiyuan Zong, Chaoyi Lu , Haixin Duan, Ying Liu, Sumayah Alrwais, Xiaofeng Wang, Shuang Hao, Yaoqi Jia, Yiming Zhang, Kai Chen and Zaifeng Zhang

  2. Illicit Traffic Monetization https://marketingland.com/study-how-pay-per-view-networks-cost-advertisers-180-million-a-year-in-impression-fraud-55484 https://www.forbes.com/sites/thomasbrewster/2016/12/20/methbot-biggest-ad-fraud-busted/#64ae66fe4899 https://adage.com/article/digital/search-ad-click-fraud-scheme-cost-business-2-3-million/307933 2

  3. Traffic Network Connects site owners and affiliates. Search engine GO! Traffic Web publisher Reward PC software >_ Site owner Traffic Network Affiliate (Needs traffic) (Finds affiliates) (Refers traffic) 3

  4. Traffic Network Connects site owners and affiliates. eCommerce Advertising Navigation Network Network Network 4

  5. Cheating in Traffic Networks Cheaters earn profit from site owners using invalid traffic. Traffic Traffic Reward Real users Reward Traffic Site owner Traffic Network (Needs traffic) & Affiliates Reward Cheaters

  6. Cheating in Traffic Networks Cheaters earn profit from site owners using invalid traffic. Traffic A fraudulent site (FS) redirects user traffic Traffi Reward c to a program site (PS) of a traffic network. Real users Reward Traffic The process violates rules of traffic networks. Site owner Traffic Network (Needs traffic) & Affiliates Reward Cheaters

  7. Cheating happens EVERYWHERE! Client-side: Browser Hijacking Install PUP / Malware on client machines Caused $8M loss in 2013 Reroute user traffic to targeted sites https://blog.malwarebytes.com/detections/adware-yontoo/ 7

  8. Cheating happens EVERYWHERE! Transport-layer: ISP Injection Inject extra ads into web responses Mitigation: HTTPS Relies on adoption rate http://xahlee.info/w/china_ISP_ad_injection.html https://techscience.org/a/2015103003/ 8

  9. Cheating happens EVERYWHERE! Server-side: Search Ad Impersonation Publish fake ads in search engines Impersonate popular brands to trap more users 9

  10. Cheating happens EVERYWHERE! Transport-layer: Client-side: Server-side: ISP Injection Browser Hijacking Search Ad Impersonation Install PUP / Malware Inject extra ads into Publish fake ads in on client machines web responses search engines Reroute user traffic to Mitigation: HTTPS Impersonate popular targeted sites Relies on adoption rate brands to trap more users 10

  11. Previous Works “Active” approaches. Honey ads Require deep involvement [Dave 2012] of publisher websites Inspection JS JavaScript JavaScript [Reis 2008, Thomas 2015] Work on only one type of traffic fraud Network probe [Dagon 2008, Kuhrer 2015] 12

  12. Our approach: Passive Analysis

  13. Ground Truth Collection Manually collect 151 FSes for empirical study. Search Ad Cases from four-month Baidu search 57 Impersonation results of popular brand products FS Browser 50 Cases from online posts and tech forums Hijacking FS 44 ISP Injection Collected by custom Flash advertisement FS 14

  14. Key Features of FS Manually collect 151 FSes for empirical study. Key Feature 1: AUTOMATIC & IMMEDIATE redirection to program sites. Traffic Network Affiliate Code Result: Strong domain Webpage of bd.114la6.com, a typical FS correlation 15

  15. Key Features of FS Manually collect 151 FSes for empirical study. Key Feature 2: The page only performs redirection, without anything else. Result: Meaningless Webpage of bd.114la6.com, a typical FS content 16

  16. TraffickStop: Passive Analysis http:// Data Collection Passive DNS URL WHOIS & DNS logs Association Content Finder Analyzer Examines suspicious Finds domains with behaviors between strong correlation domains

  17. Association Finder Find domain pairs {X, Y} with strong correlation . Criteria Metric A. X and Y appear together support with high frequency Association B. When X is observed, analysis confidence Y can be observed with high probability C. The visit interval between decay X and Y is small 18

  18. Association Finder Implementation: FP-Growth algorithm with MapReduce. Map procedure: Calculate the interval between two domain visits Reduce procedure: Calculate the frequency of domain pairs, to find those highly correlated. 19

  19. Content Analyzer Examine Redirection + Meaningless content . Suspicious Strong Program Domain Site correlation Top 10 Advertising http:// http:// URLs Content-based URL clustering Dynamic dataset crawler eCommerce If redirect FS Webpages Navigation to... 20

  20. System Evaluation Detect three types of fraud at a time . 2-week DNS logs Validation Rules: (231 billion requests) A. Serving illegal or unreadable content B. Forcing redirection Association Finder C. URL contains affiliate ID Content Analyzer 72.7% 89.4% eCommerce accuracy 67.5% Navigation FS 2,465 fraud URLs (1,792/2,465) 74.8% Advertising 21

  21. Measurement & Analysis

  22. Fraud Scale 1,457 FS SLDs are confirmed by TraffickStop. 1-year passive DNS data (May 2017 - Apr 2018, ~15% of DNS traffic in China) 53 100K+ 300+ Billion Queries Days Total DNS queries 96%+ FSes 85%+ FSes are to these FSes receive each active for 23

  23. Search Ad Impersonation Buying ads on search engines to attract visits. FS 1,457 fraud SLDs API 23 Ad fraud SLDs AD (All redirecting to taobao.com) 24

  24. Search Ad Impersonation 23 Ad fraud SLDs redirecting to taobao.com . 1M+ Total visits Hundreds of keywords bought under each domain 25

  25. Economic Loss Loss = (Total Visits x Traffic Ratio) x Reward x Probability $53.8K taobao.com jd.com $18.9K Thousands Baidu $13.3K per day Hao123 $2.5K 360 Navigation $1.0K dollars lost due to traffic fraud 26

  26. New Strategy: Ad Reselling Evading fraud detection of advertising platforms. Load Ads Load Ads Check fraud http:// Revenue Revenue Advertiser Publisher Other sites No Relation 27

  27. New Strategy: Ad Reselling Evading fraud detection of advertising platforms. FS Gray Publisher Advertiser 28

  28. Case Study: P2P Traffic Pal Distributed platform that generate traffic from real users. “Help me like this post at http://xxx!” “Help me play this video: http://yyy!” Clients with this software 29

  29. Summary A new passive approach to detect three kinds of illicit traffic monetization 1,457 fraudulent sites detected 72.7% overall accuracy Measurement on scale, evasion and impact on legitimate parties

  30. TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS Analysis Baojun Liu, Zhou Li, Peiyuan Zong, Chaoyi Lu, Haixin Duan, Ying Liu, Sumayah Alrwais, Xiaofeng Wang, Shuang Hao, Yaoqi Jia, Yiming Zhang, Kai Chen and Zaifeng Zhang

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

PUBLIC Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger Malware analysis Static RE with IDA pro Arme suisse EPFL 2019 2 Base daide au commandement BAC Applied Cyber Threat Intelligence

765 views • 63 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
THE A AND THE P OF THE T #APT #APT # APT #APwot ADVANCED w e dont [ d v :n :n(t)

THE A AND THE P OF THE T #APT #APT # APT #APwot ADVANCED w e dont [ d v :n :n(t)

THE A AND THE P OF THE T #APT #APT # APT #APwot ADVANCED w e dont [ d v :n :n(t) (t)st st] understand it PERSISTENT we detected it [p s st st nt nt] too late Ma Mari rion on Ma Marsc rschalek halek

440 views • 32 slides
OPSEC and defense agains social engineering for devels, execs, and sart-ups @KirilsSolovjovs on

OPSEC and defense agains social engineering for devels, execs, and sart-ups @KirilsSolovjovs on

OPSEC and defense agains social engineering for devels, execs, and sart-ups @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Contents Problem: Social Engineering concepts

857 views • 23 slides
Attack and defense Simona Fabrizi 1 Steffen Lippert 2 e Rodrigues-Neto 3 Jos 1 Massey University

Attack and defense Simona Fabrizi 1 Steffen Lippert 2 e Rodrigues-Neto 3 Jos 1 Massey University

Attack and defense Simona Fabrizi 1 Steffen Lippert 2 e Rodrigues-Neto 3 Jos 1 Massey University 2 University of Auckland 3 Australian National University 2nd ATE Symposium University of New South Wales Business School December, 2014 Fabrizi,

498 views • 24 slides
OBFUSCATION 1 Swizzor Present since 2002 ! AV companies receive hundreds of new binaries

OBFUSCATION 1 Swizzor Present since 2002 ! AV companies receive hundreds of new binaries

Pierre-Marc Bureau bureau@eset.sk Joan Calvet - j04n.calvet@gmail.com UNDERSTANDING SWIZZORS OBFUSCATION 1 Swizzor Present since 2002 ! AV companies receive hundreds of new binaries daily. Nice icons : Little publicly

966 views • 62 slides
AdWords: How to Make Advertising on Google Work for Your Brand Amelia Burke-Garcia, MA | Director,

AdWords: How to Make Advertising on Google Work for Your Brand Amelia Burke-Garcia, MA | Director,

AdWords: How to Make Advertising on Google Work for Your Brand Amelia Burke-Garcia, MA | Director, Center for Digital Strategy & Research, Westat Julie Yegen | Senior Digital Media Associate, Westat December 10, 2015 Case Studies Whats

386 views • 14 slides
Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate

Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate

| 2018 Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate Marketing 2002 - Present SEM / Ads 2003 to Present Current Jenga Digital LLC 2013 - Present Personal Born in

385 views • 20 slides
PPC Budget Management Software We provide agencies with powerful tools to take control of PPC

PPC Budget Management Software We provide agencies with powerful tools to take control of PPC

PPC Budget Management Software We provide agencies with powerful tools to take control of PPC spend THE PROBLEM Digital ad spend will grow to $330 Billion by 2021 But digital marketers are struggling to scale their organizations fast enough to

659 views • 16 slides
Budgeting and Bidding in Ad Systems: Theory and Practice Aranyak Mehta Market Algorithms,

Budgeting and Bidding in Ad Systems: Theory and Practice Aranyak Mehta Market Algorithms,

Budgeting and Bidding in Ad Systems: Theory and Practice Aranyak Mehta Market Algorithms, Google Research, Mountain View, CA. Outline Topics: 1. Budget Allocation: - Algorithms based on Online Matching - Algorithms based on Reinforcement

913 views • 48 slides
Traffic UTM Tagging AdWords WebMaster Tools UTM TAGGING Where does my traffic come from? UTM

Traffic UTM Tagging AdWords WebMaster Tools UTM TAGGING Where does my traffic come from? UTM

Traffic UTM Tagging AdWords WebMaster Tools UTM TAGGING Where does my traffic come from? UTM TAGGING www.website.com/?utm_medium=email&utm_source=newsletter&utm_campaign=12-5-2015 utm_medium utm_content utm_source

608 views • 6 slides
Preparation: warning broken users Preparation: ipv6test.google.com On the day: business as usual

Preparation: warning broken users Preparation: ipv6test.google.com On the day: business as usual

Preparation: warning broken users Preparation: ipv6test.google.com On the day: business as usual We were already serving 60% of the IPv6 Internet Technical progress A number of services became available over IPv6 Voice, talk, mobile

228 views • 10 slides
Partnership Event - 31 mei Password : Google2017 Proprietary + Confidential Welkom Richard van

Partnership Event - 31 mei Password : Google2017 Proprietary + Confidential Welkom Richard van

WiFi : Google Partnership Event Partnership Event - 31 mei Password : Google2017 Proprietary + Confidential Welkom Richard van Cleeff, Sales Acquisition Lead, Benelux Proprietary + Confidential Proprietary + Confidential Google Confidential

659 views • 36 slides
Presidents Fall Address October 1, 2014 Moores Opera House Access Affordable Relevance

Presidents Fall Address October 1, 2014 Moores Opera House Access Affordable Relevance

Presidents Fall Address October 1, 2014 Moores Opera House Access Affordable Relevance Success Fall Undergraduate Enrollment Headcount Semester Credit Hours 388,303 31,744 377,373 31,367 367,782 368,050 30,452 30,408 353,287

779 views • 56 slides
Presenters: Courtney Crowley, Digital Marketing Specialist Emily OMalley, Digital Marketing

Presenters: Courtney Crowley, Digital Marketing Specialist Emily OMalley, Digital Marketing

Presenters: Courtney Crowley, Digital Marketing Specialist Emily OMalley, Digital Marketing Specialist What is Digital Advertising? Any advertisement on the internet Banner ads SEO (search engine optimization) Social media

570 views • 19 slides
Your customers are irrational and emotional Tina Arnoldi, MA Marketing Strategist &

Your customers are irrational and emotional Tina Arnoldi, MA Marketing Strategist &

10/25/2017 Your customers are irrational and emotional Tina Arnoldi, MA Marketing Strategist & Performance Analyst 360InternetStrategy.com @ TinaArnoldi 1 2 1 10/25/2017 Which leads me to point #1... 3 No one cares

375 views • 23 slides
F1: A Distributed SQL Database That Scales Presentation by: Alex Degtiar (adegtiar@cm u.edu)

F1: A Distributed SQL Database That Scales Presentation by: Alex Degtiar (adegtiar@cm u.edu)

F1: A Distributed SQL Database That Scales Presentation by: Alex Degtiar (adegtiar@cm u.edu) 15-799 10/ 21/ 2013 What is F1? Distributed relational database Built to replace sharded MySQL back-end of AdWords system Combines

750 views • 37 slides
Economics of Peer-to-Peer Markets Jonathan Levin Stanford

Economics of Peer-to-Peer Markets Jonathan Levin Stanford

Economics of Peer-to-Peer Markets Jonathan Levin Stanford University Lear Conference July 25, 2015 1 Internet Marketplaces 2 On-Demand Services 3 Introduction Peer-to-peer

1.02k views • 25 slides
Auc2Charge: An Online Auction Framework for Electric Vehicle Park-and-Charge Qiao Xiang 1 , Fanxin

Auc2Charge: An Online Auction Framework for Electric Vehicle Park-and-Charge Qiao Xiang 1 , Fanxin

Auc2Charge: An Online Auction Framework for Electric Vehicle Park-and-Charge Qiao Xiang 1 , Fanxin Kong 1 , Xue Liu 1 , Xi Chen 1 , Linghe Kong 1 and Lei Rao 2 1 School of Computer Science, McGill University 2 General Motors Research Lab July

623 views • 26 slides
Member Updates! More Information Arizona Marketing Association

Member Updates! More Information Arizona Marketing Association

Member Updates! More Information Arizona Marketing Association Facebook.com/AZMarketingAssociation th Ask an Expert October 18 th rd Wednesda 3 rd esday y of t f the Month th Exp xper ert t Inter Interview view 7pm pm 10 G

615 views • 29 slides
Intellectual Property in the Era of Machine Learning Presented by Susan Ford of Res Nova Law

Intellectual Property in the Era of Machine Learning Presented by Susan Ford of Res Nova Law

Intellectual Property in the Era of Machine Learning Presented by Susan Ford of Res Nova Law Oregon State Bar Technology Section April 25, 2019 Artificial Intelligence General AI: a system that can perform any generalized task that is

493 views • 17 slides
YOUR MESSAGING ISNT ABOUT YOU 7 Steps to Messaging that Connects Who am I? Why am I

YOUR MESSAGING ISNT ABOUT YOU 7 Steps to Messaging that Connects Who am I? Why am I

YOUR MESSAGING ISNT ABOUT YOU 7 Steps to Messaging that Connects Who am I? Why am I here? Hundreds of product launches. Dozens of corporate launches. One top-funded Kickstarter campaign The Tool: The Message Map

655 views • 22 slides
Wikipedia: n ++ made easy Matt Might University of Utah / NGLY1.org matt.might.net What

Wikipedia: n ++ made easy Matt Might University of Utah / NGLY1.org matt.might.net What

Wikipedia: n ++ made easy Matt Might University of Utah / NGLY1.org matt.might.net What is Wikipedia? What is Wikipedia? Anyone can view. Anyone can edit. Wikipedia is the worlds database. Its what parents and patients search.

720 views • 53 slides
Killing Giants How to beat the blue chips in search Grand National Love the underdog Minnehoma

Killing Giants How to beat the blue chips in search Grand National Love the underdog Minnehoma

Killing Giants How to beat the blue chips in search Grand National Love the underdog Minnehoma won the grand national in 1994 Odds: 16/1 Conditions: Heavy No track record 1 Bet The speaker Hi, Im Ross Ex Publicis

1.05k views • 58 slides

More recommend