Analysis of Rogue Anti-Virus Campaigns Using Hidden Structures in k-Partite Graphs
Driven by the prospect of economic profit, cyber-criminals are on the rise and use the Web to exploit unsuspecting users. Indeed, a real underground black market with thousands of collaborating organizations and individuals has developed, bringing together malicious actors who trade exploits, malware, virtual assets, stolen credentials, and more. Among the various activities of cyber-criminals, rogue security software campaigns have evolved into one of the most lucrative criminal operations on the Internet. In this paper, we present a novel method for analyzing rogue security software campaigns by studying a number of different features related to their operation. Existing data mining techniques for multivariate data are mostly based on defining an appropriate proximity measure for each feature separately and then combining the per-feature mining results with data fusion techniques. In contrast, we take advantage of the structural properties of the k-partite graph formed by the natural interconnections between objects of different types. We show that the proposed method is straightforward, fast and scalable. The results of the analysis of rogue security software campaigns are further assessed with a visual analysis tool, and their accuracy is documented.
Keywords: unsupervised learning, security, k-partite graphs
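The abstract contrasts per-feature clustering with exploiting the structure of a k-partite graph whose partitions are the object types of a campaign (domains, hosting IPs, registrant contacts, dropped binaries). The following is an added illustration, not code from the paper, and it stands in for the authors' method with the simplest structural signal available: objects observed together in one record are joined by cross-partition edges, and connected components are read as campaigns. The six records, the four object types and all identifiers are constructed for the example.

```python
"""Added example: campaign discovery on a k-partite graph (constructed data).

Each record is one rogue anti-virus landing page as a hypothetical crawler
might log it. Objects of four types become nodes; a record links every pair
of objects it contains, so edges only ever cross partitions (k-partite).
Connected components then stand in for campaigns. This is a simplified
illustration, not the paper's algorithm.
"""
from collections import defaultdict

# Constructed sample data (not real observations). Note that records 1-3
# share no single feature across all three, yet form one component.
RECORDS = [
    {"domain": "av-scan-alert.example",    "ip": "198.51.100.10", "email": "reg1@example.net", "md5": "aaaa1111"},
    {"domain": "pc-security-now.example",  "ip": "198.51.100.10", "email": "reg2@example.net", "md5": "bbbb2222"},
    {"domain": "free-virus-check.example", "ip": "198.51.100.11", "email": "reg2@example.net", "md5": "bbbb2222"},
    {"domain": "win-protect.example",      "ip": "203.0.113.5",   "email": "reg3@example.net", "md5": "cccc3333"},
    {"domain": "antispy-pro.example",      "ip": "203.0.113.6",   "email": "reg3@example.net", "md5": "dddd4444"},
    {"domain": "lone-scanner.example",     "ip": "203.0.113.99",  "email": "reg9@example.net", "md5": "eeee9999"},
]
TYPES = ("domain", "ip", "email", "md5")  # the k = 4 partitions


def build_graph(records):
    """Adjacency over typed nodes (type, value); edges only join different types."""
    adj = defaultdict(set)
    for rec in records:
        nodes = [(t, rec[t]) for t in TYPES]
        for i, a in enumerate(nodes):
            for b in nodes[i + 1:]:
                adj[a].add(b)
                adj[b].add(a)
    return adj


def connected_components(adj):
    """Iterative DFS; returns a list of node sets."""
    seen, comps = set(), []
    for start in list(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(adj[n] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def campaigns(records):
    """Domains grouped by component, largest campaign first (deterministic order)."""
    comps = connected_components(build_graph(records))
    groups = [sorted(v for t, v in comp if t == "domain") for comp in comps]
    return sorted(groups, key=lambda g: (-len(g), g))


def bridges(records):
    """Objects appearing in more than one record: the links that stitch a campaign together."""
    count = defaultdict(int)
    for rec in records:
        for t in TYPES:
            count[(t, rec[t])] += 1
    return sorted(n for n, c in count.items() if c > 1)


def per_feature_clusters(records, feature):
    """The per-feature baseline: group domains by exact match on one feature only."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[feature]].append(rec["domain"])
    return sorted(sorted(v) for v in groups.values())


if __name__ == "__main__":
    for i, g in enumerate(campaigns(RECORDS), 1):
        print(f"campaign {i}: {g}")
    print("shared objects:", bridges(RECORDS))
    for f in ("ip", "email"):
        print(f"clusters by {f} alone:", per_feature_clusters(RECORDS, f))
```

Clustering on the hosting IP alone splits the first three domains across two groups, and clustering on the registrant e-mail alone splits them differently; only the graph, which follows the IP from record 1 to 2 and the e-mail and binary from record 2 to 3, places all three in one campaign. The same construction also exposes which shared objects do the linking, which is the first thing an analyst checks before trusting a merge (a shared IP on a large hosting provider is a much weaker link than a shared binary hash).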