Presentation is loading. Please wait.

Presentation is loading. Please wait.

Discovery of Emergent Malicious Campaigns in Cellular Networks Nathaniel Boggs, Wei Wang, Suhas Mathur, Baris Coskun, Carol Pincock © 2013 AT&T Intellectual.

Published byMelvyn Cross Modified over 8 years ago

Similar presentations

Presentation on theme: "Discovery of Emergent Malicious Campaigns in Cellular Networks Nathaniel Boggs, Wei Wang, Suhas Mathur, Baris Coskun, Carol Pincock © 2013 AT&T Intellectual."— Presentation transcript:

1 Discovery of Emergent Malicious Campaigns in Cellular Networks Nathaniel Boggs, Wei Wang, Suhas Mathur, Baris Coskun, Carol Pincock © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

2 2 ACSAC December 4, 2013 Introduction Goal: Increase attack cost ISP level defense against widespread attack campaigns in the mobility network Focus on attacks targeting large portions of user base not individual targeted attacks Cannot tolerate false positives as customers expect uninterrupted service © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

3 3 ACSAC December 4, 2013 Threat Model Mobility network differences More application verification Easier to monetize via premium services © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

4 4 ACSAC December 4, 2013 Typical Attack Scenario User receives an SMS spam that contains a URL with social engineering to convince the user to click Web server socially engineers a user into installing an app or signing up for a premium service (you won a gift card send a text then enter the code) If app installed, C&C tells user’s phone to send more SMS spam, steal bank two factor authorization info, etc. © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

5 5 ACSAC December 4, 2013 Key Observations Victims have contact with multiple entities from the attack campaign Malicious entities change over time as nodes are slowly blacklisted © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

6 6 ACSAC December 4, 2013 System Overview IP Data CDR SMS Data TrainingTestingCorrelation Post Processing Human Analysis © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

7 7 ACSAC December 4, 2013 Data Who-talks-to-whom IP and SMS data from same users roughly same geographic area ~150 million communication edges ~40 Million unique entities ~10 Million 10-digit phone numbers Only users that had at least some IP traffic Strict internal controls followed (limited on site access, anonymization, etc.) © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

8 8 ACSAC December 4, 2013 Training Attack campaigns change overtime (blacklisting eventually works) IP data is noisy as many popular websites have many domains and ad networks that new users often visit Ignore domains/IPs appearing in training window Ignore a small white list of phone numbers and short codes manually maintained © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

9 9 ACSAC December 4, 2013 Testing High degree nodes found Mutual contacts graph of high degree nodes Each pair of high degree nodes shares an edge if they share a large portion of the same users Thresholds based on Dice coefficient: © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

10 10 ACSAC December 4, 2013 Clustering Remove weak edges Remove any edge with Dice coefficient < 0.1 or absolute number of nodes shared < 20 Edges remaining represent the 99 th percentile (strongest connections) Further edge breaking based on modularity to break apart densely related graphs only connected by an edge or two © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

11 11 ACSAC December 4, 2013 Result © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

12 12 ACSAC December 4, 2013 Post Processing Hundreds of clusters Prioritize clusters for human analysts Temporal Size Change over time Containing blacklisted nodes © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

13 13 ACSAC December 4, 2013 Temporal Post Processing SMS TV Voting © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

14 14 ACSAC December 4, 2013 Size © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

15 15 ACSAC December 4, 2013 Change Over Time © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

16 16 ACSAC December 4, 2013 Evaluation Lack of complete ground truth Check whether nodes we find are eventually blacklisted afterwards Direct feedback from analysts blocking fraudulent premium numbers / botnets © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

17 17 ACSAC December 4, 2013 Nodes in our Clusters Being Blacklisted © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

18 18 ACSAC December 4, 2013 SMS Giftcard Scam SMS spam message tricks users into visiting a website Website redirects to a central domain Tricks users into sending enough data to be signed up for premium service © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

19 19 ACSAC December 4, 2013 SMS Giftcard Scam Over Time © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

20 20 ACSAC December 4, 2013 Giftcard Scam Cluster Over Time © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

21 21 ACSAC December 4, 2013 Future Work Additional training Better tools for defining splitting clusters More human in the loop feedback © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

22 22 ACSAC December 4, 2013 Conclusion Widespread attacks can be found at the ISP level Mobility network gives additional unique opportunities for attackers and defenders Anomaly detection to present likely candidates to human analysts has potential © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

23 23 ACSAC December 4, 2013 Questions? © 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

Download ppt "Discovery of Emergent Malicious Campaigns in Cellular Networks Nathaniel Boggs, Wei Wang, Suhas Mathur, Baris Coskun, Carol Pincock © 2013 AT&T Intellectual."

Similar presentations

© 2012 YP Intellectual Property LLC. All rights reserved. YP, the YP logo and all other YP marks contained herein are trademarks of YP Intellectual Property.

© 2012 YP Intellectual Property LLC. All rights reserved. YP, the YP logo and all other YP marks contained herein are trademarks of YP Intellectual Property.
TrustPort Net Gateway Web traffic protection. WWW.TRUSTPORT.COM Keep It Secure Contents Latest security threats spam and malware Advantages of entry point.

TrustPort Net Gateway Web traffic protection. Keep It Secure Contents Latest security threats spam and malware Advantages of entry point.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
PAPER PRESENTATION BY V.Priyanka CSE-A Roll no. 13K41A0548.

PAPER PRESENTATION BY V.Priyanka CSE-A Roll no. 13K41A0548.
Internet Safety Gleneagles Computer Club February 16, 2015 by Deborah Benson.

Internet Safety Gleneagles Computer Club February 16, 2015 by Deborah Benson.
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Phishing and Pharming New Identity Theft Threats Presentation by Jason Guthrie.

Phishing and Pharming New Identity Theft Threats Presentation by Jason Guthrie.
Social Media Networking Sites Charlotte Jenkins Designing the Social Web 06-10-2011.

Social Media Networking Sites Charlotte Jenkins Designing the Social Web
Kindred Domains: Detecting and Clustering Botnet Domains Using DNS Traffic Matt Thomas Data Architect, Verisign Labs.

Kindred Domains: Detecting and Clustering Botnet Domains Using DNS Traffic Matt Thomas Data Architect, Verisign Labs.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
What is the Internet? Internet: The Internet, in simplest terms, is the large group of millions of computers around the world that are all connected to.

What is the Internet? Internet: The Internet, in simplest terms, is the large group of millions of computers around the world that are all connected to.
SMS WATCHDOG: PROFILING SOCIAL BEHAVIORS OF SMS USERS FOR ANOMALY DETECTION Authors: Guanhua Yan, Stephan Eidenbenz, Emannuele Galli Presented by: Ishtiaq.

SMS WATCHDOG: PROFILING SOCIAL BEHAVIORS OF SMS USERS FOR ANOMALY DETECTION Authors: Guanhua Yan, Stephan Eidenbenz, Emannuele Galli Presented by: Ishtiaq.
An Authentication Service Based on Trust and Clustering in Wireless Ad Hoc Networks: Description and Security Evaluation Edith C.H. Ngai and Michael R.

An Authentication Service Based on Trust and Clustering in Wireless Ad Hoc Networks: Description and Security Evaluation Edith C.H. Ngai and Michael R.
Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.

Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
URL Obscuring COEN 152/252 Computer Forensics  Thomas Schwarz, S.J. 2004.

URL Obscuring COEN 152/252 Computer Forensics  Thomas Schwarz, S.J
Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services

Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services
Touchdevelop api api: messaging sending sms Disclaimer: This document is provided “as-is”. Information and views expressed in this document, including.

Touchdevelop api api: messaging sending sms Disclaimer: This document is provided “as-is”. Information and views expressed in this document, including.

Similar presentations

Ads by Google