1. Blacklisting by Domain Names vs. IP Addresses (PDF)
Blacklisting is a popular approach to filtering out cyber attacks. Since malicious attackers try to evade the blacklist, the challenge is to build an effective one. This presentation investigates the characteristics of malicious IP addresses and domain names. Malicious IP addresses are relatively stable compared to domain names; the IP addresses move within a /24 range. Malicious attackers generate new domain names automatically in a short time, and these domain names are new, lengthy, and unnatural. This presentation deals with the temporal change pattern (TVP) of domain names. Our proposed method is effective in predicting malicious domain names 220 days beforehand with a true positive rate of 98.5 percent.
2. Large-scale network security measurement through the lens of darknet (PDF)
A darknet, a.k.a. a network telescope, is a passive network monitoring system that analyzes traffic destined to unused IP address space. Darknets have been widely deployed as a tool to observe malicious activities such as Internet worms. On the other hand, the recent rise of Internet-scale survey traffic originating from legitimate hosts using tools like ZMap could overwhelm the traffic that a darknet was originally supposed to monitor. Given this background, we developed a statistical framework that discriminates between Internet-scale survey traffic originating from legitimate hosts and other traffic potentially associated with malicious activities. It leverages two intrinsic characteristics of Internet-scale survey traffic: a network-level property and some form of footprint explicitly indicated by the surveyors. In this talk, we report how such a framework is useful in analyzing darknet traffic in the presence of ubiquitous survey traffic.
3. Understanding Promotional Attacks in Mobile Software Distribution Platforms (PDF)
Mobile app stores, such as Google Play, play a vital role in the ecosystem of mobile apps. When users look for an app of interest, they can acquire useful data from the app store to facilitate their decision on whether to install the app. This data includes ratings, reviews, number of installs, and the category of the app. The ratings and reviews are user-generated content (UGC) that affects the reputation of an app. Unfortunately, miscreants also exploit such channels to conduct promotional attacks (PAs) that lure victims into installing malicious apps. In this talk, I will introduce a new system called PADetective, which aims to detect miscreants who are likely to be conducting promotional attacks. Using a dataset of 1,723 labeled samples, I will demonstrate that PADetective can accurately detect promotional attacks. I will also report the cases where we applied PADetective to large-scale data to characterize the prevalence of PAs in the wild and found 289 K potential PA attackers who posted reviews to 21 K malicious apps.
4. Delivering Effective Security (PDF)
Every day companies are turning to digital to create new customer experiences and new business models and to gain greater efficiencies. But all the while, attackers continue to advance. Our IT landscapes are often systems cobbled together over the years: we may have servers from 15 years ago and cloud apps from 15 minutes ago. We face a constantly evolving threat landscape of sophisticated attacks and attackers, and we often confront security problems with a patchwork of point products that don't fit or work together. To defend against aggressive adversaries, security must advance to more effective solutions that are simple, automated and open. A key to enabling more effective security is simplifying the deployment and management of advanced security for users wherever they are working from, with security designed to work together across the network, endpoints, and cloud. Automated security takes the burden off IT teams and acts as a force multiplier of effectiveness.