Discovery of Emergent Malicious Campaigns in Cellular Networks Nathaniel Boggs, Wei Wang, Suhas...

Post on 11-Jan-2016


© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

Discovery of Emergent Malicious Campaigns in Cellular Networks

Nathaniel Boggs, Wei Wang, Suhas Mathur, Baris Coskun, Carol Pincock

ACSAC, December 4, 2013

Introduction

• Goal: increase attack cost
• ISP-level defense against widespread attack campaigns in the mobility network
• Focus on attacks targeting large portions of the user base, not individual targeted attacks
• Cannot tolerate false positives, as customers expect uninterrupted service


Threat Model

• Mobility network differences
• More application verification
• Easier to monetize via premium services


Typical Attack Scenario

• User receives an SMS spam message that contains a URL with social engineering to convince the user to click
• Web server socially engineers the user into installing an app or signing up for a premium service (e.g., "you won a gift card: send a text, then enter the code")
• If the app is installed, C&C tells the user's phone to send more SMS spam, steal bank two-factor authorization info, etc.


Key Observations

• Victims have contact with multiple entities from the attack campaign
• Malicious entities change over time as nodes are slowly blacklisted


System Overview

(Pipeline diagram) Inputs: IP data and CDR SMS data → Training → Testing → Correlation → Post Processing → Human Analysis


Data

• Who-talks-to-whom IP and SMS data from the same users, in roughly the same geographic area
• ~150 million communication edges
• ~40 million unique entities
• ~10 million 10-digit phone numbers
• Only users that had at least some IP traffic
• Strict internal controls followed (limited on-site access, anonymization, etc.)


Training

• Attack campaigns change over time (blacklisting eventually works)
• IP data is noisy, as many popular websites have many domains and ad networks that new users often visit
• Ignore domains/IPs appearing in the training window
• Ignore a small, manually maintained white list of phone numbers and short codes


Testing

• High-degree nodes found
• Mutual contacts graph of high-degree nodes
• Each pair of high-degree nodes shares an edge if they share a large portion of the same users
• Thresholds based on Dice coefficient:


Clustering

• Remove weak edges
  • Remove any edge with Dice coefficient < 0.1 or absolute number of nodes shared < 20
  • Edges remaining represent the 99th percentile (strongest connections)
• Further edge breaking based on modularity, to break apart densely related graphs only connected by an edge or two
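The Training, Testing and Clustering slides above describe one pipeline: drop entities seen in the training window and on the white list, keep high-degree entities, connect pairs whose user sets overlap strongly (Dice coefficient), prune weak edges with the two thresholds given (Dice < 0.1 or fewer than 20 shared users), and take the remaining connected components as candidate clusters. The following is an added example written for this page, not the authors' code or AT&T's system. It assumes the standard Dice definition 2|A∩B|/(|A|+|B|), a high-degree cutoff of 25 users (the slides give no number), and constructed who-talks-to-whom edges with placeholder domains and short codes; the modularity-based edge breaking on the Clustering slide is not implemented.

```python
from collections import defaultdict
from itertools import combinations

# --- Constructed sample data (placeholders, not from the paper) -------------
# Each edge is (user, entity): a user contacting a domain/IP over IP data or a
# phone number / short code over SMS. All identifiers are invented.
USERS = [f"user{i:03d}" for i in range(100)]


def _edges(entity, users):
    return [(u, entity) for u in users]


# Training window: entities seen here are treated as background and ignored.
TRAINING_EDGES = _edges("popular-cdn.example", USERS[:60])

# Testing window: a three-node campaign (landing page, central redirect
# domain, premium short code), a popular site, a whitelisted short code,
# an unrelated high-degree site and one low-degree contact.
TESTING_EDGES = (
    _edges("spam-landing.example", USERS[0:50])
    + _edges("22222", USERS[10:60])                      # placeholder short code
    + _edges("redirect-hub.example", USERS[30:60])
    + _edges("popular-cdn.example", USERS)               # seen in training
    + _edges("33333", USERS[0:80])                       # whitelisted short code
    + _edges("news-site.example", USERS[0:10] + USERS[60:100])
    + _edges("friend-number", USERS[0:3])                # low degree
)
WHITELIST = {"33333"}
BLACKLIST = {"22222"}   # assumed to be already blacklisted by other means


def contacts_by_entity(edges, ignore=frozenset()):
    """Map entity -> set of users that contacted it, skipping ignored entities."""
    contacts = defaultdict(set)
    for user, entity in edges:
        if entity not in ignore:
            contacts[entity].add(user)
    return contacts


def dice_coefficient(a, b):
    """Dice similarity of two user sets: 2|A∩B| / (|A| + |B|)."""
    if not a and not b:
        return 0.0
    return 2 * len(a & b) / (len(a) + len(b))


def mutual_contacts_graph(contacts, min_degree, min_dice=0.1, min_shared=20):
    """Undirected graph over high-degree entities. A pair is connected only if
    it shares a large portion (Dice) and a large absolute number of users."""
    nodes = sorted(e for e, users in contacts.items() if len(users) >= min_degree)
    graph = {n: set() for n in nodes}
    for x, y in combinations(nodes, 2):
        shared = len(contacts[x] & contacts[y])
        if shared >= min_shared and dice_coefficient(contacts[x], contacts[y]) >= min_dice:
            graph[x].add(y)
            graph[y].add(x)
    return graph


def connected_components(graph):
    """Iterative DFS; returns one frozenset per component (singletons included)."""
    seen, components = set(), []
    for start in graph:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(graph[node] - comp)
        seen |= comp
        components.append(frozenset(comp))
    return components


def find_clusters(training_edges, testing_edges, whitelist,
                  min_degree=25, min_dice=0.1, min_shared=20):
    """Training -> testing -> clustering. Returns clusters of two or more entities."""
    background = {entity for _, entity in training_edges} | set(whitelist)
    contacts = contacts_by_entity(testing_edges, ignore=background)
    graph = mutual_contacts_graph(contacts, min_degree, min_dice, min_shared)
    return [c for c in connected_components(graph) if len(c) >= 2]


def prioritize(clusters, blacklist):
    """Rank clusters for analysts: those already containing a blacklisted node
    first (the rest of the cluster is likely part of the same campaign), then by size."""
    return sorted(clusters, key=lambda c: (bool(c & blacklist), len(c)), reverse=True)


if __name__ == "__main__":
    for cluster in prioritize(find_clusters(TRAINING_EDGES, TESTING_EDGES, WHITELIST), BLACKLIST):
        print(sorted(cluster))
```

On the sample data the popular CDN is dropped by the training window, the whitelisted short code is dropped by the white list, the low-degree number never becomes a node, and the unrelated news site stays isolated because it shares only 10 users with the landing page (below the 20-user floor), leaving the three campaign entities as the single reported cluster.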


Result


Post Processing

• Hundreds of clusters
• Prioritize clusters for human analysts by:
  • Temporal behavior
  • Size
  • Change over time
  • Containing blacklisted nodes


Temporal Post Processing

• SMS TV Voting


Size


Change Over Time


Evaluation

• Lack of complete ground truth
• Check whether nodes we find are eventually blacklisted afterwards
• Direct feedback from analysts blocking fraudulent premium numbers / botnets


Nodes in our Clusters Being Blacklisted


SMS Giftcard Scam

• SMS spam message tricks users into visiting a website
• Website redirects to a central domain
• Tricks users into sending enough data to be signed up for a premium service


SMS Giftcard Scam Over Time


Giftcard Scam Cluster Over Time


Future Work

• Additional training
• Better tools for defining/splitting clusters
• More human-in-the-loop feedback


Conclusion

• Widespread attacks can be found at the ISP level
• Mobility network gives additional unique opportunities for attackers and defenders
• Anomaly detection to present likely candidates to human analysts has potential


Questions?