Ph.D. Dissertation Defense Announcement
Title: Understanding and Defending Against Internet Infrastructures Supporting Cybecrime Operations
Maria Konte
School of Computer Science
College of Computing
Georgia Institute of Technology
Date: Friday, November 13, 2015
Time: 9:00 AM - 11:00 AM
Location : Klaus Room 3126 (GTISC War Room)
Committee:
-------------
Prof. Nick Feamster, Advisor, Department of Computer Science, Princeton University
Prof. Roberto Perdisci, Department of Computer Science, University of Georgia
Prof. Wenke Lee, School of Computer Science, Georgia Institute of Technology
Prof. Ellen Zegura, School of Computer Science, Georgia Institute of Technology
Prof. Manos Antonakakis, School of Electrical and Computer Engineering, Georgia Institute of Technology
Allison Mankin, Director of Verisign Labs
Abstract:
-------------
Today's cybercriminals must carefully manage their network resources to evade detection and maintain profitable businesses. For example, a rogue online enterprise has to have multiple technical and business components in place, to provide the necessary infrastructure to keep the business available. Often, cybercriminals in their effort to protect and maintain their valuable network resources (infrastructures), they manipulate two fundamental Internet protocols; the Domain Name System (DNS) and the Border Gateway Protocol (BGP). A popular countermeasure against cybercriminal infrastructures are Autonomous Systems (AS) reputation systems. Past research efforts have developed several AS reputation systems that monitor the traffic for illicit activities. Unfortunately, these systems have severe limitations; (1) they cannot distinguish between malicious and legitimate but abused ASes, and thus it is not clear how to use them in practice, (2) require direct observation of malicious activity, from many different vantage points and for an extended period of time, thus delaying detection. This dissertation presents empirical studies and a system that help to counteract cybecriminal infrastructures. First, we perform empirical studies that help to advance our understanding, about how these infrastructures operate. We study two representative types of infrastructures: (1) fast-flux service networks which are infrastructures based on DNS manipulation, (b) malicious ASes (hubs of cybercriminal activities) which are infrastructures that are primarily based on BGP manipulation. Second, we build on our observations from these studies, and we design and implement, ASwatch; an AS reputation system that, unlike existing approaches, monitors exclusively the routing level behavior of ASes, to expose malicious ASes sooner. We build ASwatch based on the intuition that, in an attempt to evade possible detection and remediation efforts, malicious ASes exhibit agile routing behavior (e.g. short-lived routes, aggressive re-wiring). We evaluate ASwatch on known malicious ASes, and we compare its performance to a state of the art AS reputation system.
