Dandelion - Revealing Malicious Groups of Interest in Large Mobile Networks

An enormous number of security anomalies occur across the Internet every day. These anomalies are typically treated as individual security events that are analyzed manually in order to detect an attack and take action, so important characteristics of an attack may go unnoticed because manual analysis resources are limited. Mobile attacks add further complexity: they typically traverse multiple types of networks, which makes correlation and detection even more challenging. In this paper, we propose Dandelion, a system that aims to automatically correlate individual security anomalies together to reveal an entire mobile attack campaign. The system also identifies previously unknown malicious network entities that are highly correlated with known ones. Our prototype correlates thousands of network anomalies across both the SMS and IP networks of a large US tier-1 mobile service provider, reducing them to approximately 20 to 30 groups of interest per day. To demonstrate Dandelion's value, we show how the system has provided the critical information human analysts needed to detect and mitigate previously unknown mobile attacks.
