Who Controls the Internet?: Analyzing Global Threats using Property Graph Traversals

The Internet is built on top of intertwined network services, e.g., email, DNS, and content distribution networks, operated by private or governmental organizations. Recent events have shown that these organizations may, knowingly or unknowingly, be part of global-scale security incidents, including state-sponsored mass surveillance programs and large-scale DDoS attacks. For example, in March 2015 the Great Cannon attack showed that an Internet service provider can weaponize millions of Web browsers and turn them into DDoS bots by injecting malicious JavaScript code into transiting TCP connections. While attack techniques and root-cause vulnerabilities are routinely studied, we still lack models and algorithms to study the intricate dependencies between services and providers, reason about their abuse, and assess the impact of an attack. To close this gap, we present a technique that models services, providers, and dependencies as a property graph. Moreover, we present a taint-style, propagation-based technique to query the model, and present an evaluation of our framework on the Alexa top 100k domains.
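The abstract describes two building blocks: a property graph whose nodes (domains, providers) and edges (dependencies) carry typed properties, and taint-style propagation that marks everything transitively relying on a compromised node. The following is an added illustration of that idea, not the paper's framework or its data: the graph schema, the domain and provider names, the dependency kinds (`uses_dns`, `uses_mx`, `includes_js`, `transits`) and the `tls` edge property are all constructed for this example. Taint starts at a provider and is propagated against the direction of the dependency edges, so each node that depends on a tainted node becomes tainted; an optional policy decides which edge kinds carry the taint (e.g. an on-path injector only matters for cleartext transit).

```python
"""Toy property graph of Internet service dependencies with taint propagation.

Constructed example: the schema, names and dependencies below are assumptions
for illustration, not the paper's model or measurement data.
"""
from collections import deque


class PropertyGraph:
    """Directed multigraph; every node and edge carries a label plus free-form properties."""

    def __init__(self):
        self.nodes = {}   # node_id -> {"label": ..., other properties}
        self.edges = []   # (src, dst, label, props); src depends on dst

    def add_node(self, node_id, label, **props):
        self.nodes[node_id] = {"label": label, **props}

    def add_edge(self, src, dst, label, **props):
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError("edge endpoint not in graph")
        self.edges.append((src, dst, label, props))

    def dependents(self, node_id):
        """Nodes with an edge *into* node_id, i.e. those that rely on it."""
        return [(s, l, p) for s, d, l, p in self.edges if d == node_id]

    def select(self, label, **match):
        """Property query: node ids with the given label whose properties match."""
        return sorted(n for n, props in self.nodes.items()
                      if props["label"] == label
                      and all(props.get(k) == v for k, v in match.items()))


def propagate_taint(graph, sources, traversable=lambda label, props: True):
    """Taint-style propagation against the dependency direction.

    Returns {node_id: path}, where path lists the nodes from the tainted
    source to node_id, explaining *why* it is affected. `traversable`
    decides which dependency kinds let the taint cross (default: all).
    """
    tainted = {s: [s] for s in sources}
    queue = deque(sources)
    while queue:
        cur = queue.popleft()
        for dependent, label, props in graph.dependents(cur):
            if dependent in tainted or not traversable(label, props):
                continue
            tainted[dependent] = tainted[cur] + [dependent]
            queue.append(dependent)
    return tainted


def affected_domains(graph, sources, traversable=lambda label, props: True):
    """Attack impact: sorted list of Domain nodes reached by the taint."""
    tainted = propagate_taint(graph, sources, traversable)
    return sorted(n for n in tainted if graph.nodes[n]["label"] == "Domain")


def cleartext_injection(label, props):
    """Policy for an on-path injector (Great Cannon style): it can only tamper
    with cleartext transit, and the injected script then reaches every site
    that includes JavaScript from the tampered service."""
    if label == "transits":
        return not props.get("tls", False)
    return label == "includes_js"


def build_example_graph():
    """Constructed sample graph: four domains, five providers, nine dependencies."""
    g = PropertyGraph()
    for d in ["shop.example", "news.example", "mail.example", "blog.example"]:
        g.add_node(d, "Domain")
    g.add_node("dns-a", "Provider", kind="DNS", country="X")
    g.add_node("dns-b", "Provider", kind="DNS", country="Y")
    g.add_node("cdn-1", "Provider", kind="CDN", country="X")
    g.add_node("mx-1", "Provider", kind="Email", country="Y")
    g.add_node("isp-x", "Provider", kind="Transit", country="X")
    g.add_edge("shop.example", "dns-a", "uses_dns")
    g.add_edge("news.example", "dns-a", "uses_dns")
    g.add_edge("news.example", "cdn-1", "includes_js")
    g.add_edge("mail.example", "dns-b", "uses_dns")
    g.add_edge("mail.example", "mx-1", "uses_mx")
    g.add_edge("blog.example", "cdn-1", "includes_js")
    g.add_edge("cdn-1", "dns-b", "uses_dns")              # the CDN's own DNS provider
    g.add_edge("cdn-1", "isp-x", "transits", tls=False)   # CDN traffic crosses ISP in cleartext
    g.add_edge("mx-1", "dns-a", "uses_dns")
    return g


if __name__ == "__main__":
    g = build_example_graph()
    print("dns-b compromised  ->", affected_domains(g, ["dns-b"]))
    print("isp-x injecting JS ->", affected_domains(g, ["isp-x"], cleartext_injection))
    print("providers in X     ->", g.select("Provider", country="X"))
    print("all of X hostile   ->", affected_domains(g, g.select("Provider", country="X")))
```

The path stored per tainted node is what makes the result auditable: `mail.example` is hit by a `dns-b` compromise directly, while `news.example` is hit only through `cdn-1`, a second-order dependency that a per-domain WHOIS or DNS lookup alone would not surface. The `select` query shows the jurisdiction-style question in the title: tainting every provider in one country and propagating gives the set of domains that country could affect.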
