Methods and Systems for Understanding Large-Scale Internet Threats

Author(s): Pearce, Paul | Advisor(s): Paxson, Vern

Abstract: Large-scale Internet attacks are pervasive. A broad spectrum of actors, from organized gangs of criminals to nation-states, exploit the modern, layered Internet to launch politically and economically motivated attacks. The impact of these attacks is vast, ranging from billions of users experiencing Internet censorship to tens of millions of dollars lost annually to cybercrime. Developing effective and comprehensive defenses against these large-scale threats requires systematic empirical measurement.

In this dissertation we develop empirical measurement methods and systems for understanding politically and economically motivated Internet threats. Specifically, we examine the problems of Internet censorship and advertising abuse in depth and at scale. To understand censorship, we develop Augur and Iris, methods and accompanying systems that allow us to perform global, longitudinal measurement of Internet censorship at the TCP/IP and DNS layers of the network stack—without the use of volunteers. This work addresses a range of both technical and extra-technical challenges, at a scale and fidelity not previously achieved. In combating advertising abuse, we investigate and chronicle multiple facets of the ecosystem—from clickbots to large-scale botnets to advertising injection—using a variety of empirical methods. Our work ultimately identifies fundamental structural weak points that can be leveraged for defense, resulting in dismantled botnets, cleaned-up ad networks, and protected users.
