Harvesting the Low-hanging Fruits:Defending Against Automated Large-Scale

Cyber-Intrusions by Focusing on the Vulnerable Population

Hassan Halawa 1, Konstantin Beznosov 1, Yazan Boshmaf 2,Baris Coskun 3, Matei Ripeanu 1, and Elizeu Santos-Neto 4

1 The University of British Columbia2 Qatar Computing Research Institute

3 Yahoo! Research4 Google, Inc.

Focus on the vulnerable population

Proposed Paradigm

2

Current vs. Proposed Paradigm

3

Phishing

4

Phishing

5

Phishing

6

Phishing

7

Efficient Compromise-Detection Campaigns

Phishing

8

Personalized ControlsImmunization

Efficient Compromise-Detection Campaigns

Phishing

9

Throttled OutboxDelayed Inbox

Personalized ControlsImmunization

Efficient Compromise-Detection Campaigns

Predicting the vulnerable population

10

Advantages of the proposed paradigm

11

● Proactive

● Targeted

● Efficient

● Robust

Intermission

12

Focus on detecting theattacks/attackers

Current Paradigm

13

Problems with the current paradigm

14[SNS’11] Tao Stein, Erdong Chen, and Karan Mangla. 2011. Facebook immune system.

In Proceedings of the 4th Workshop on Social Network Systems (SNS'11). ACM, pp. 8, New York, NY, USA.

Fake Accounts in OSNs

15

Enhanced Graph-Based Defences

Customized User Experience

Efficient Compromise-Detection Campaigns

Íntegro: in a nutshell

16[ECS’16] Boshmaf, Y., Logothetis, D., Siganos, G., Lería, J., Lorenzo, J., Ripeanu, M., Beznosov, K., and Halawa, H. (2016).

Íntegro: Leveraging Victim Prediction for Robust Fake Account Detection in Large Scale OSNs.

Elsevier Computers & Security. 61: 142-168.

Íntegro: System Model

17[ECS’16] Boshmaf, Y., Logothetis, D., Siganos, G., Lería, J., Lorenzo, J., Ripeanu, M., Beznosov, K., and Halawa, H. (2016).

Íntegro: Leveraging Victim Prediction for Robust Fake Account Detection in Large Scale OSNs.

Elsevier Computers & Security. 61: 142-168.

Íntegro: Trust Propagation

18

[ECS’16] Boshmaf, Y., Logothetis, D., Siganos, G., Lería, J., Lorenzo, J., Ripeanu, M., Beznosov, K., and Halawa, H. (2016).

Íntegro: Leveraging Victim Prediction for Robust Fake Account Detection in Large Scale OSNs.

Elsevier Computers & Security. 61: 142-168.

Summary

19

Harvesting the Low-hanging Fruits:Defending Against Automated Large-Scale

Cyber-Intrusions by Focusing on the Vulnerable Population

Hassan Halawa 1, Konstantin Beznosov 1, Yazan Boshmaf 2,Baris Coskun 3, Matei Ripeanu 1, and Elizeu Santos-Neto 4

1 The University of British Columbia2 Qatar Computing Research Institute

3 Yahoo! Research4 Google, Inc.

Contact Email: hhalawa@ece.ubc.caProject Web Site: http://netsyslab.ece.ubc.ca/wiki/index.php/Artemis

Discussion Points

21

Can the vulnerable population be identified?• Offline Worlds

• Online Worlds

• Our Experience

22

Why an approach focused on the vulnerable population is a key defense element?• Similar dynamics to epidemics

• Cost of attack victim

• Multi-stage attacks

23

Why does this approach have the potential to increase the robustness of existing defenses?• Current defenses are attack/attacker centric

• Based on attacker-controlled behavior/features

• Attackers can employ adversarial strategies

24

Can the proposed approach improve the effectiveness of user education or security advice? • First line of defense

• Direct cost (attack) vs. Indirect cost (effort)

• Distribute cost proportional to user vulnerability

25

Are there other domains that can benefit from the proposed approach?• Systems where users can make incorrect decisions

• Enterprise security and risk management

26

Are there legal/ethical implications of the proposed approach?• Paternalism

• Fairness (Service Discrimination)

27

What are some of the challenges that may prevent adopting this paradigm?• Feasibility to develop a vulnerable population classifier

• Inaccuracies in predicting the vulnerable population

• Some mitigation techniques may violate user expectations

• Targeted protection may be confusing / complex

28

What are the categories of defenses enabled by adopting this paradigm?• Targeted protection

• Inferring the origin of attacks

29

What is the relationship to our past work in this area?• Large-scale social-bot infiltration feasible

• Defense system leveraging the proposed paradigm

• Deployed at Telefonica’s OSN Tuenti (50 million+ users)

30

Harvesting the Low-hanging Fruits:Defending Against Automated Large-Scale

Cyber-Intrusions by Focusing on the Vulnerable Population

Hassan Halawa 1, Konstantin Beznosov 1, Yazan Boshmaf 2,Baris Coskun 3, Matei Ripeanu 1, and Elizeu Santos-Neto 4

1 The University of British Columbia2 Qatar Computing Research Institute

3 Yahoo! Research4 Google, Inc.

Contact Email: hhalawa@ece.ubc.caProject Web Site: http://netsyslab.ece.ubc.ca/wiki/index.php/Artemis

Backup Slides

32

Malware Downloads

33

Temporal & Spatial Traffic Graph Analysis Captive Portals Honeypots

Harvesting the Low-hanging Fruits:Defending Against Automated Large-Scale

Cyber-Intrusions by Focusing on the Vulnerable Population

Hassan Halawa 1, Konstantin Beznosov 1, Yazan Boshmaf 2,Baris Coskun 3, Matei Ripeanu 1, and Elizeu Santos-Neto 4

1 The University of British Columbia2 Qatar Computing Research Institute

3 Yahoo! Research4 Google, Inc.

Contact Email: hhalawa@ece.ubc.caProject Web Site: http://netsyslab.ece.ubc.ca/wiki/index.php/Artemis

Thank You35

Questions?