Discovery of Emergent Malicious Campaigns in Cellular Networks
Nathaniel Boggs, Wei Wang, Suhas Mathur, Baris Coskun, Carol Pincock

Presentation transcript:

Slide 1: Discovery of Emergent Malicious Campaigns in Cellular Networks
Nathaniel Boggs, Wei Wang, Suhas Mathur, Baris Coskun, Carol Pincock
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

ACSAC December 4, 2013

Slide 2: Introduction
- Goal: Increase attack cost
- ISP level defense against widespread attack campaigns in the mobility network
- Focus on attacks targeting large portions of user base, not individual targeted attacks
- Cannot tolerate false positives as customers expect uninterrupted service

Slide 3: Threat Model
- Mobility network differences
- More application verification
- Easier to monetize via premium services

Slide 4: Typical Attack Scenario
- User receives an SMS spam that contains a URL with social engineering to convince the user to click
- Web server socially engineers a user into installing an app or signing up for a premium service (you won a gift card, send a text, then enter the code)
- If app installed, C&C tells user's phone to send more SMS spam, steal bank two factor authorization info, etc.

Slide 5: Key Observations
- Victims have contact with multiple entities from the attack campaign
- Malicious entities change over time as nodes are slowly blacklisted

Slide 6: System Overview
Diagram labels: IP Data CDR SMS Data, Training, Testing, Correlation, Post Processing, Human Analysis

Slide 7: Data
- Who-talks-to-whom
- IP and SMS data from same users, roughly same geographic area
- ~150 million communication edges
- ~40 million unique entities
- ~10 million 10-digit phone numbers
- Only users that had at least some IP traffic
- Strict internal controls followed (limited on site access, anonymization, etc.)

Slide 8: Training
- Attack campaigns change over time (blacklisting eventually works)
- IP data is noisy as many popular websites have many domains and ad networks that new users often visit
- Ignore domains/IPs appearing in training window
- Ignore a small, manually maintained white list of phone numbers and short codes

Slide 9: Testing
- High degree nodes found
- Mutual contacts graph of high degree nodes
- Each pair of high degree nodes shares an edge if they share a large portion of the same users
- Thresholds based on Dice coefficient:

Slide 10: Clustering
- Remove weak edges
- Remove any edge with Dice coefficient < 0.1 or absolute number of nodes shared < 20
- Edges remaining represent the 99th percentile (strongest connections)
- Further edge breaking based on modularity to break apart densely related graphs only connected by an edge or two
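
The Training, Testing and Clustering slides above describe one pipeline; the following is an added sketch of it, not the authors' code. It assumes the standard Dice definition 2|A∩B| / (|A|+|B|) (the slide's own formula did not survive), a made-up high-degree cutoff of 20 users, plain connected components in place of the modularity-based splitting, and constructed sample data.

```python
from collections import defaultdict
from itertools import combinations

DICE_MIN, SHARED_MIN = 0.1, 20   # thresholds from the Clustering slide
HIGH_DEGREE = 20                 # assumption: the slides give no degree cutoff

def dice(a, b):
    """Standard Dice coefficient of two user sets: 2|A & B| / (|A| + |B|)."""
    return 2 * len(a & b) / (len(a) + len(b)) if (a or b) else 0.0

def find_clusters(test_edges, training_entities=(), whitelist=()):
    """test_edges: (user, entity) pairs seen in the testing window.
    Returns clusters (sets of entities) of the mutual-contacts graph."""
    ignore = set(training_entities) | set(whitelist)
    users_of = defaultdict(set)
    for user, entity in test_edges:
        if entity not in ignore:          # drop anything seen in training
            users_of[entity].add(user)
    hubs = {e: u for e, u in users_of.items() if len(u) >= HIGH_DEGREE}
    adj = {e: set() for e in hubs}
    for a, b in combinations(sorted(hubs), 2):
        shared = len(hubs[a] & hubs[b])
        # keep only strong edges: both thresholds must hold
        if shared >= SHARED_MIN and dice(hubs[a], hubs[b]) >= DICE_MIN:
            adj[a].add(b)
            adj[b].add(a)
    clusters, seen = [], set()
    for start in sorted(adj):             # connected components, no singletons
        if start in seen or not adj[start]:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        clusters.append(comp)
    return clusters

def sample_edges():
    """Constructed who-talks-to-whom data; every name here is made up."""
    spans = {"sms-sender-A": (0, 40), "domain-B.example": (5, 40),
             "shortcode-C": (10, 35), "popular.example": (0, 500),
             "big-cdn.example": (0, 1000)}
    return [(f"u{i}", e) for e, (lo, hi) in spans.items() for i in range(lo, hi)]

if __name__ == "__main__":
    print(find_clusters(sample_edges(), training_entities={"popular.example"}))
```

With `popular.example` treated as seen in training, only the three campaign entities cluster; without that exclusion the popular domain passes both thresholds against the SMS sender and pulls unrelated hubs into the same cluster.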

Slide 11: Result

Slide 12: Post Processing
- Hundreds of clusters
- Prioritize clusters for human analysts
  - Temporal
  - Size
  - Change over time
  - Containing blacklisted nodes

Slide 13: Temporal Post Processing
SMS TV Voting

Slide 14: Size

Slide 15: Change Over Time

Slide 16: Evaluation
- Lack of complete ground truth
- Check whether nodes we find are eventually blacklisted afterwards
- Direct feedback from analysts blocking fraudulent premium numbers / botnets

Slide 17: Nodes in our Clusters Being Blacklisted

Slide 18: SMS Giftcard Scam
- SMS spam message tricks users into visiting a website
- Website redirects to a central domain
- Tricks users into sending enough data to be signed up for premium service

Slide 19: SMS Giftcard Scam Over Time

Slide 20: Giftcard Scam Cluster Over Time

Slide 21: Future Work
- Additional training
- Better tools for defining splitting clusters
- More human in the loop feedback

Slide 22: Conclusion
- Widespread attacks can be found at the ISP level
- Mobility network gives additional unique opportunities for attackers and defenders
- Anomaly detection to present likely candidates to human analysts has potential

Slide 23: Questions?