TY - GEN
T1 - Under the Shadow of Sunshine
T2 - 2017 IEEE Symposium on Security and Privacy, SP 2017
AU - Alrwais, Sumayah
AU - Liao, Xiaojing
AU - Mi, Xianghang
AU - Wang, Peng
AU - Wang, Xiaofeng
AU - Qian, Feng
AU - Beyah, Raheem
AU - McCoy, Damon
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/6/23
Y1 - 2017/6/23
N2 - BulletProof Hosting (BPH) services provide criminal actors with technical infrastructure that is resilient to complaints of illicit activities, which serves as a basic building block for streamlining numerous types of attacks. Anecdotal reports have highlighted an emerging trend of these BPH services reselling infrastructure from lower end service providers (hosting ISPs, cloud hosting, and CDNs) instead of from monolithic BPH providers. This has rendered many of the prior methods of detecting BPH less effective, since instead of the infrastructure being highly concentrated within a few malicious Autonomous Systems (ASes) it is now agile and dispersed across a larger set of providers that have a mixture of benign and malicious clients. In this paper, we present the first systematic study on this new trend of BPH services. By collecting and analyzing a large amount of data (25 snapshots of the entire Whois IPv4 address space, 1.5 TB of passive DNS data, and longitudinal data from several blacklist feeds), we are able to identify a set of new features that uniquely characterizes BPH on sub-allocations and that are costly to evade. Based upon these features, we train a classifier for detecting malicious sub-allocated network blocks, achieving a 98% recall and 1.5% false discovery rates according to our evaluation. Using a conservatively trained version of our classifier, we scan the whole IPv4 address space and detect 39K malicious network blocks. This allows us to perform a large-scale study of the BPH service ecosystem, which sheds light on this underground business strategy, including patterns of network blocks being recycled and malicious clients being migrated to different network blocks, in an effort to evade IP address based blacklisting. Our study highlights the trend of agile BPH services and points to potential methods of detecting and mitigating this emerging threat.
AB - BulletProof Hosting (BPH) services provide criminal actors with technical infrastructure that is resilient to complaints of illicit activities, which serves as a basic building block for streamlining numerous types of attacks. Anecdotal reports have highlighted an emerging trend of these BPH services reselling infrastructure from lower end service providers (hosting ISPs, cloud hosting, and CDNs) instead of from monolithic BPH providers. This has rendered many of the prior methods of detecting BPH less effective, since instead of the infrastructure being highly concentrated within a few malicious Autonomous Systems (ASes) it is now agile and dispersed across a larger set of providers that have a mixture of benign and malicious clients. In this paper, we present the first systematic study on this new trend of BPH services. By collecting and analyzing a large amount of data (25 snapshots of the entire Whois IPv4 address space, 1.5 TB of passive DNS data, and longitudinal data from several blacklist feeds), we are able to identify a set of new features that uniquely characterizes BPH on sub-allocations and that are costly to evade. Based upon these features, we train a classifier for detecting malicious sub-allocated network blocks, achieving a 98% recall and 1.5% false discovery rates according to our evaluation. Using a conservatively trained version of our classifier, we scan the whole IPv4 address space and detect 39K malicious network blocks. This allows us to perform a large-scale study of the BPH service ecosystem, which sheds light on this underground business strategy, including patterns of network blocks being recycled and malicious clients being migrated to different network blocks, in an effort to evade IP address based blacklisting. Our study highlights the trend of agile BPH services and points to potential methods of detecting and mitigating this emerging threat.
KW - BulletProof
KW - Hosting
KW - Malicious
KW - Sub-allocations
UR - http://www.scopus.com/inward/record.url?scp=85024475731&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85024475731&partnerID=8YFLogxK
U2 - 10.1109/SP.2017.32
DO - 10.1109/SP.2017.32
M3 - Conference contribution
AN - SCOPUS:85024475731
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 805
EP - 823
BT - 2017 IEEE Symposium on Security and Privacy, SP 2017 - Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 22 May 2017 through 24 May 2017
ER -