Malicious Activity and Risky Behavior in Residential Networks
Gregor Maier (1), Anja Feldmann (1), Vern Paxson (2,3), Robin Sommer (2,4), Matthias Vallentin (3)
(1) TU Berlin / Deutsche Telekom Laboratories; (2) International Computer Science Institute (ICSI); (3) University of California, Berkeley; (4) Lawrence Berkeley National Laboratories (LBNL)
Slide 2: Introduction
- Common perception: residential users are responsible for much of the insecurity
- Even worse in developing regions
- But: few systematic studies to date
- We undertake such a study
- Also important: what influences security?
  - Anti-virus
  - Software updates
  - Risky behavior (requesting blacklisted URLs)
Slide 3: Outline
- Data sets and vantage points
- Methodology
- Security awareness and risky behavior
- Malicious activity
- Discussion & Conclusion
Slide 4: Outline
- Data sets and vantage points
  - European ISP
  - AirJaldi network in India
  - Lawrence Berkeley Lab
  - Data annotations
- Methodology
- Security awareness and risky behavior
- Malicious activity
- Discussion & Conclusion
Slide 5: Data sets: European ISP
- Major ISP in Europe
- Observations from 20,000 DSL customers
- All data immediately anonymized
- 14 day observation period
- No traffic shaping or port filters
- Traffic makeup:
  - More than 50% HTTP
  - Peer-to-peer around 15%
  - NNTP also significant
Slide 6: Data sets: AirJaldi in India
- Community network in rural India
- 10,000 users; several thousand machines
- All share a 10 Mbps uplink
- 400 wireless routers, spread over an 80 km radius
- Uses a "layered NAT" approach => cannot identify individual hosts
- 3 traces, 34-40 hrs each
- Traffic makeup:
  - 56-72% HTTP
  - Quite some VoIP and instant messenger traffic
  - Almost no peer-to-peer or NNTP
Slide 7: Data sets: LBNL
- Lawrence Berkeley National Lab, CA, USA
- 12,000 hosts
- 4 day observation period; 7,000 hosts active
- Open network policy, but security staff:
  - Use the Bro IDS
  - Take infected machines offline immediately
- => We do not expect any/much malicious activity
Slide 8: Data annotation
- Want to know more about DSL lines
- Identify influences on security
- Is NAT used? How many hosts are connected?
- How active are they?
  - Group by number of HTTP requests
  - Classify into high/medium/low activity
- Operating systems
  - Are Macs more secure?
  - Identify by HTTP user-agent string
  - Check DSL lines with only Macs (and no Windows)
Slide 9: Outline
- Data sets and vantage points
- Methodology
  - Scanning
  - Spamming
  - Known malware families
  - Generic NIDS
  - Security awareness and risky behavior
- Security awareness and risky behavior
- Malicious activity
- Discussion & Conclusion
Slide 10: Finding Scanners (1)
- Problem: NIDS are tuned to find incoming scans
  - Often use a threshold of unsuccessful connections per source
- We want outgoing scans, but
  - Scan traffic is embedded in benign activity
  - Cannot use a simple threshold
- Idea (borrowed from the TRW scan detector)
  - Ratio of successful connections / all connections per <DSL-line, remote-IP> pair
  - Does it work?
Slide 11: Finding Scanners (2)
- Histogram: success ratio per pair
Slide 12: Finding Scanners (3)
- Next step: classify each pair as successful or unsuccessful
- Count #successful vs. #unsuccessful pairs per DSL line
Slide 13: Finding Scanners (4)
- Where's the problem? => Peer-to-peer (P2P) protocols
  - A peer tries to contact other peers' IPs
  - But a peer might be offline now or have moved to another IP => many unsuccessful connections
  - Not only filesharing: WoW also uses a P2P protocol for maps
- Solution: look only at suspicious / dangerous ports
  - E.g., Windows SMB, databases, VNC, remote desktop
Slide 14: Finding Scanners (5)
- #successful vs. #unsuccessful pairs for suspicious ports
- Now we have a nice separation => classify as scanner if >100 (or 1,000) unsuccessful pairs
Slide 15: Finding Spammers
- We omit the details for brevity
- Similar idea to scanning:
  - Count the number of contacted SMTP servers
- DSL lines contact << 25 or >> 100 SMTP servers (far fewer than 25, or far more than 100) => use a cutoff of 100 for spam classification
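The scan metric from slides 10 to 14 and the spam metric from slide 15, as an added worked example in Python; this is not the authors' code. It assumes a concrete port list for the deck's "suspicious / dangerous" services, a per-flow handshake-success flag, and that a <DSL-line, remote-IP> pair counts as unsuccessful when fewer than half of its connections succeed; the flow records are constructed.

```python
from collections import defaultdict
from typing import NamedTuple

# Ports standing in for the deck's "suspicious / dangerous" services (SMB, databases,
# VNC, remote desktop). The exact list is an assumption; the deck names only the services.
SUSPICIOUS_PORTS = {135, 139, 445, 1433, 3306, 5900, 3389}
SMTP_PORT = 25
SCAN_THRESHOLD = 100       # deck: scanner if > 100 (or 1,000) unsuccessful pairs
SPAM_THRESHOLD = 100       # deck: spammer if > 100 distinct SMTP servers contacted
PAIR_SUCCESS_RATIO = 0.5   # assumption: a pair is "successful" if at least half its connections succeed

class Flow(NamedTuple):
    line: str        # anonymised DSL-line identifier
    remote_ip: str
    dport: int
    success: bool    # TCP handshake completed

def pair_success_ratio(flows):
    """Per <DSL-line, remote-IP> pair: successful / all connections, suspicious ports only."""
    total = defaultdict(int)
    ok = defaultdict(int)
    for f in flows:
        if f.dport not in SUSPICIOUS_PORTS:
            continue               # P2P and other high-port churn is ignored (slide 13)
        key = (f.line, f.remote_ip)
        total[key] += 1
        ok[key] += int(f.success)
    return {k: ok[k] / total[k] for k in total}

def unsuccessful_pairs_per_line(flows):
    """Slide 12: classify each pair, then count unsuccessful pairs per DSL line."""
    counts = defaultdict(int)
    for (line, _ip), ratio in pair_success_ratio(flows).items():
        if ratio < PAIR_SUCCESS_RATIO:
            counts[line] += 1
    return dict(counts)

def scanners(flows):
    return {line for line, n in unsuccessful_pairs_per_line(flows).items() if n > SCAN_THRESHOLD}

def smtp_servers_per_line(flows):
    """Slide 15: number of distinct SMTP servers each DSL line contacted."""
    servers = defaultdict(set)
    for f in flows:
        if f.dport == SMTP_PORT:
            servers[f.line].add(f.remote_ip)
    return {line: len(s) for line, s in servers.items()}

def spammers(flows):
    return {line for line, n in smtp_servers_per_line(flows).items() if n > SPAM_THRESHOLD}

def sample_flows():
    """Constructed sample: an SMB scanner, a P2P-heavy line, a spammer and a normal line."""
    flows = []
    # line A: 150 failed SMB probes to distinct hosts -> counted, exceeds SCAN_THRESHOLD
    flows += [Flow("A", f"10.0.{i // 256}.{i % 256}", 445, False) for i in range(150)]
    # line B: 300 failed connections on a P2P port -> not a suspicious port, ignored
    flows += [Flow("B", f"10.1.{i // 256}.{i % 256}", 6881, False) for i in range(300)]
    # line C: 120 distinct SMTP servers -> exceeds SPAM_THRESHOLD
    flows += [Flow("C", f"10.2.{i // 256}.{i % 256}", 25, True) for i in range(120)]
    # line D: ordinary browsing plus its own mail server
    flows += [Flow("D", "10.3.0.1", 80, True), Flow("D", "10.3.0.2", 443, True),
              Flow("D", "10.3.0.3", 25, True)]
    return flows
```

Line B shows why the port restriction matters: its 300 failed peer contacts would look like a scan under a plain unsuccessful-connection threshold, but they never reach the suspicious-port counter.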
Slide 16: Malware families
- Use network signatures of known malware
- Conficker
  - Tries to resolve known DNS names
- Zlob
  - Changes DNS resolvers
  - Targets Macs and Windows
- Zeus
  - Tries to resolve DNS names of C&C servers (domain names from a blacklist)
Slide 17: Generic NIDS
- Use Snort with the Emerging Threats rulesets
- 3,500 rules (but undocumented)
- 1 million alarms per day, on 90% of DSL lines => unusable
- Includes everything
  - Adware: users might have installed it on purpose
  - "Spyware": includes the Alexa toolbar, but Alexa clearly states what it does
  - etc.
- => Excluded those
Slide 18: Generic NIDS (2)
- Still too many hits :-(
- Lack of documentation => cannot tell:
  - How bad the traffic triggering a specific rule is
  - False positives
- E.g., signatures for botnet command & control:
  - Check for single- or double-letter URL parameters (b=...., tm=...)
  - Many benign websites use them too
- Conclusion
  - Emerging Threats might be useful for small networks with strict policies, but not for our case
  - Document rules!!!!
Slide 19: Security awareness & risky behavior
- Security awareness
  - Do users use/update anti-virus software?
  - Do users update their operating systems?
  - => Detected by inspecting HTTP user-agents
- Risky behavior
  - Do users request URLs blacklisted by Google Safe Browsing?
  - We update our blacklist copy every 25 minutes
- Again: this helps to find factors influencing security problems
Slide 20: Methodology summary
- Behavioral metrics
  - Scanning
  - Spamming
- Malware families
  - Conficker
  - Zlob
  - Zeus
- Generic NIDS (Snort with Emerging Threats)
  - Unusable
- Security awareness and risky behavior
Slide 21: Outline
- Data sets and vantage points
- Methodology
- Security awareness and risky behavior
  - Security awareness
  - Google blacklist
  - Comparison with AirJaldi and LBNL
- Malicious activity
- Discussion & Conclusion
Slide 22: Security awareness
- Up to 90% of DSL lines update AV and software
Slide 23: Google blacklists
- Up to 4.4% of DSL lines request a blacklisted URL per day
- Over 14 days: 19% do so!!!
- The Google blacklist is integrated in many browsers
  - Were users warned by the browser and ignored it?
  - Google requires an update every 30 min
  - Check whether the same user-agent downloads the blacklist and requests the URL
  - Result: mixed. Some were warned, but ignored it!!
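The "were they warned?" check from slide 23, as an added example in Python rather than the authors' code. It assumes blacklist update fetches are recognised by one host name and that a browser counts as warned only when the same <DSL line, user-agent> fetched an update within the preceding 30 minutes (the update interval the deck cites); the blacklist and the two-day request trace are constructed, and the second function shows how a small per-day fraction of lines grows into a much larger fraction over the whole trace.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Assumptions, not from the deck: update fetches are recognised by the host below, and a
# browser counts as "warned" only if the same <DSL line, user-agent> fetched an update
# within the preceding 30 minutes (the update interval the deck cites).
BLACKLIST_UPDATE_HOST = "safebrowsing.clients.google.com"
UPDATE_INTERVAL = timedelta(minutes=30)

class Request(NamedTuple):
    line: str          # anonymised DSL-line identifier
    ts: datetime
    user_agent: str
    host: str
    path: str

def classify_blacklisted_requests(requests, blacklist):
    """For each request to a blacklisted URL, report whether the requesting browser held
    a fresh blacklist copy (warned but ignored) or not (never warned)."""
    last_update = {}    # (line, user_agent) -> time of most recent blacklist fetch
    results = []
    for r in sorted(requests, key=lambda x: x.ts):
        key = (r.line, r.user_agent)
        if r.host == BLACKLIST_UPDATE_HOST:
            last_update[key] = r.ts
            continue
        if (r.host, r.path) not in blacklist:
            continue
        fresh = key in last_update and r.ts - last_update[key] <= UPDATE_INTERVAL
        results.append((r.line, r.user_agent, "warned_but_ignored" if fresh else "not_warned"))
    return results

def blacklist_hit_fractions(requests, blacklist):
    """Fraction of active lines with a blacklist hit per day, and over the whole trace.
    The overall fraction exceeds every single day's, which is the deck's 4.4% vs 19%."""
    seen, hit = defaultdict(set), defaultdict(set)
    for r in requests:
        seen[r.ts.date()].add(r.line)
        if (r.host, r.path) in blacklist:
            hit[r.ts.date()].add(r.line)
    per_day = {d: len(hit[d]) / len(seen[d]) for d in seen}
    overall = len(set().union(*hit.values())) / len(set().union(*seen.values()))
    return per_day, overall

# Constructed two-day sample trace.
BLACKLIST = {("bad.example", "/payload.exe"), ("evil.example", "/")}
T0 = datetime(2010, 1, 1, 12, 0)
T1 = T0 + timedelta(days=1)
SAMPLE = [
    Request("L3", T0 - timedelta(hours=2), "Chrome/5.0", BLACKLIST_UPDATE_HOST, "/safebrowsing/downloads"),
    Request("L1", T0, "Firefox/3.6", BLACKLIST_UPDATE_HOST, "/safebrowsing/downloads"),
    Request("L2", T0 + timedelta(minutes=5), "Wget/1.12", "evil.example", "/"),              # no blacklist copy
    Request("L1", T0 + timedelta(minutes=10), "Firefox/3.6", "bad.example", "/payload.exe"), # fresh copy
    Request("L3", T0 + timedelta(minutes=20), "Chrome/5.0", "www.example", "/"),
    Request("L4", T0 + timedelta(minutes=30), "Firefox/3.6", "www.example", "/"),
    Request("L1", T1, "Firefox/3.6", "www.example", "/"),
    Request("L3", T1 + timedelta(hours=1), "Chrome/5.0", "bad.example", "/payload.exe"),     # copy is stale
    Request("L4", T1 + timedelta(hours=2), "Firefox/3.6", "www.example", "/"),
]
```

On the sample, L1 is the "warned but ignored" case; L2 never held a blacklist copy and L3's copy is over a day old, so neither browser could have shown a warning.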
Slide 24: Compare to AirJaldi and LBNL
- AirJaldi
  - Cannot do per DSL line or host (NAT hierarchy)
  - Fraction of requests for anti-virus and software updates similar
  - Fraction of requests that are blacklisted similar
- LBNL:
  - Less anti-virus and software updates
    - But central update servers at LBNL
    - Other OS mix
  - Significantly less risky behavior
Slide 25: Outline
- Data sets and vantage points
- Methodology
- Security awareness and risky behavior
- Malicious activity
  - General results
  - Influences on malicious activity
  - Malicious activity and Macs
  - Comparison with AirJaldi and LBNL
- Discussion & Conclusion
Slide 26: Malicious activity
- Only a small fraction of lines trigger the metrics: <0.7% per day, <1.3% overall
Slide 27: Malicious activity (2)
- Malware families contribute most => few DSL lines scan or spam
- 44% of spammers active only a single day
- 38% of Zeus lines only trigger a single day
- Zlob active on 8.4 (10) days on average (median)
- Conficker active on 6.5 days mean, 6 median
- Most others around 4 days (mean) and 2-4 days median
- 92% of "bad" lines only trigger a single metric => we likely underestimate the total
Slide 28: Influences on malicious activity
- No strong influence of anti-virus and OS updates
  - Prob. only 1.26% if not using anti-virus
- No strong influence of NAT
- A little influence of activity
  - High activity: 4.08%
  - Medium activity: 1.94%
  - Low activity: 0.46%
- Only slight influence of blacklist hits
  - Prob. 3.19%, less than high activity
  - Risky behavior does not impact infections much!
Slide 29: Malicious activity and Macs
- 2.7% of DSL lines have only Macs
- Mac infections: 0.54% (compare to 1.23%)
- But only Zlob triggers => no scanning, spamming, Conficker, Zeus on Macs
- 0.54% of Macs have Zlob, only 0.24% overall
- Mac not better than Windows
- Malware that targets Macs is successful!
Slide 30: Comparison with AirJaldi and LBNL
- No malicious activity at LBNL
  - As we expected
  - Scan and spam metrics trigger on
    - Benign mail server
    - Penetration testing hosts that scan
- AirJaldi
  - 180-260 active IPs per trace
  - Each IP can have 1-1,000s of hosts
  - Cannot analyze per host (NAT)
Slide 31: AirJaldi malicious activity
- Not much malicious activity
- Comparable to European ISP
Slide 32: Outline
- Data sets and vantage points
- Methodology
- Security awareness and risky behavior
- Malicious activity
- Discussion & Conclusion
Slide 33: Discussion & Conclusion (1)
- We use behavioral metrics and malware signatures
- Confident that the metrics find what they should
- Cannot know how much we miss
  - Lower bound
  - Might be significant (e.g., most lines trigger 1 metric)
- Our approach closely mimics how security analysts work
  - Deploy a toolbox of orthogonal strategies
- Snort with Emerging Threats problematic
  - Many blacklists have similar problems
Slide 34: Discussion & Conclusion (2)
- Residential users do not spam or scan => likely not infected with such malware
- Users are risk aware
  - Anti-virus and software updates widespread
  - Does not lower infection risk
- Users exhibit risky behavior
  - Many request blacklisted URLs
  - Does not affect infection risk by as much as one may assume
- Comparing to rural community network in India
  - Very similar in terms of malicious activity and risky behavior
  - No infections at LBL and less risky behavior
Slide 35: Questions?