The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges

  • Kurt Thomas (corresponding author)
  • Rony Amira
  • Adi Ben-Yoash
  • Ori Folger
  • Amir Hardon
  • Ari Berger
  • Elie Bursztein
  • Michael Bailey
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9854)

Abstract

The underground commoditization of compromised hosts suggests a tacit capability where miscreants leverage the same machine—subscribed by multiple criminal ventures—to simultaneously profit from spam, fake account registration, malicious hosting, and other forms of automated abuse. To expedite the detection of these commonly abusive hosts, there are now multiple industry-wide efforts that aggregate abuse reports into centralized threat exchanges. In this work, we investigate the potential benefit of global reputation tracking and the pitfalls therein. We develop our findings from a snapshot of 45 million IP addresses abusing six Google services including Gmail, YouTube, and ReCaptcha between April 7–April 21, 2015. We estimate the scale of end hosts controlled by attackers, expose underground biases that skew the abuse perspectives of individual web services, and examine the frequency that criminals re-use the same infrastructure to attack multiple, heterogeneous services. Our results indicate that an average Google service can block 14 % of abusive traffic based on threats aggregated from seemingly unrelated services, though we demonstrate that outright blacklisting incurs an untenable volume of false positives.

Keywords

Threat exchanges, Reputation systems, Underground specialization

Notes

Acknowledgments

This work was supported in part by the National Science Foundation under contracts CNS 1409758, CNS 1111699, and CNS 1518741. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Kurt Thomas (1), corresponding author
  • Rony Amira (1)
  • Adi Ben-Yoash (1)
  • Ori Folger (1)
  • Amir Hardon (1)
  • Ari Berger (1)
  • Elie Bursztein (1)
  • Michael Bailey (2)
  1. Google, Inc., Mountain View, USA
  2. University of Illinois, Urbana-Champaign, Champaign, USA