首页 > 最新文献

Proceedings of the Internet Measurement Conference 2018最新文献

英文 中文
TLS Beyond the Browser: Combining End Host and Network Data to Understand Application Behavior 超越浏览器的TLS:结合终端主机和网络数据来理解应用程序行为
Pub Date : 2019-10-21 DOI: 10.1145/3355369.3355601
Blake Anderson, D. McGrew
The Transport Layer Security (TLS) protocol has evolved in response to different attacks and is increasingly relied on to secure Internet communications. Web browsers have led the adoption of newer and more secure cryptographic algorithms and protocol versions, and thus improved the security of the TLS ecosystem. Other application categories, however, are increasingly using TLS, but too often are relying on obsolete and insecure protocol options. To understand in detail what applications are using TLS, and how they are using it, we developed a novel system for obtaining process information from end hosts and fusing it with network data to produce a TLS fingerprint knowledge base. This data has a rich set of context for each fingerprint, is representative of enterprise TLS deployments, and is automatically updated from ongoing data collection. Our dataset is based on 471 million endpoint-labeled and 8 billion unlabeled TLS sessions obtained from enterprise edge networks in five countries, plus millions of sessions from a malware analysis sandbox. We actively maintain an open source dataset that, at 4,500+ fingerprints and counting, is both the largest and most informative ever published. In this paper, we use the knowledge base to identify trends in enterprise TLS applications beyond the browser: application categories such as storage, communication, system, and email. We identify a rise in the use of TLS by nonbrowser applications and a corresponding decline in the fraction of sessions using version 1.3. Finally, we highlight the shortcomings of naïvely applying TLS fingerprinting to detect malware, and we present recent trends in malware's use of TLS such as the adoption of cipher suite randomization.
为了应对不同的攻击,传输层安全(TLS)协议已经得到了发展,并且越来越多地依赖于保护Internet通信。Web浏览器引领了更新、更安全的加密算法和协议版本的采用,从而提高了TLS生态系统的安全性。然而,其他应用程序类别越来越多地使用TLS,但往往依赖于过时和不安全的协议选项。为了详细了解哪些应用程序正在使用TLS,以及它们是如何使用TLS的,我们开发了一个新的系统,用于从终端主机获取进程信息,并将其与网络数据融合,以生成TLS指纹知识库。该数据为每个指纹提供了丰富的上下文,代表了企业TLS部署,并从正在进行的数据收集中自动更新。我们的数据集基于从五个国家的企业边缘网络获得的4.71亿个端点标记和80亿个未标记的TLS会话,以及来自恶意软件分析沙箱的数百万个会话。我们积极维护一个开源数据集,有4500多个指纹和计数,是有史以来最大和最具信息量的数据集。在本文中,我们使用知识库来识别浏览器之外的企业TLS应用程序的趋势:应用程序类别,如存储、通信、系统和电子邮件。我们发现非浏览器应用程序对TLS的使用有所增加,而使用1.3版本的会话比例相应下降。最后,我们强调了naïvely应用TLS指纹识别检测恶意软件的缺点,并介绍了恶意软件使用TLS的最新趋势,例如采用密码套件随机化。
{"title":"TLS Beyond the Browser: Combining End Host and Network Data to Understand Application Behavior","authors":"Blake Anderson, D. McGrew","doi":"10.1145/3355369.3355601","DOIUrl":"https://doi.org/10.1145/3355369.3355601","url":null,"abstract":"The Transport Layer Security (TLS) protocol has evolved in response to different attacks and is increasingly relied on to secure Internet communications. Web browsers have led the adoption of newer and more secure cryptographic algorithms and protocol versions, and thus improved the security of the TLS ecosystem. Other application categories, however, are increasingly using TLS, but too often are relying on obsolete and insecure protocol options. To understand in detail what applications are using TLS, and how they are using it, we developed a novel system for obtaining process information from end hosts and fusing it with network data to produce a TLS fingerprint knowledge base. This data has a rich set of context for each fingerprint, is representative of enterprise TLS deployments, and is automatically updated from ongoing data collection. Our dataset is based on 471 million endpoint-labeled and 8 billion unlabeled TLS sessions obtained from enterprise edge networks in five countries, plus millions of sessions from a malware analysis sandbox. We actively maintain an open source dataset that, at 4,500+ fingerprints and counting, is both the largest and most informative ever published. In this paper, we use the knowledge base to identify trends in enterprise TLS applications beyond the browser: application categories such as storage, communication, system, and email. We identify a rise in the use of TLS by nonbrowser applications and a corresponding decline in the fraction of sessions using version 1.3. Finally, we highlight the shortcomings of naïvely applying TLS fingerprinting to detect malware, and we present recent trends in malware's use of TLS such as the adoption of cipher suite randomization.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":"43 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"75877321","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 27
A Look at the ECS Behavior of DNS Resolvers 查看DNS解析器的ECS行为
Pub Date : 2019-10-21 DOI: 10.1145/3355369.3355586
R. Al-Dalky, M. Rabinovich, Kyle Schomp
Content delivery networks (CDNs) commonly use DNS to map end-users to the best edge servers. A recently proposed EDNS0-Client-Subnet (ECS) extension allows recursive resolvers to include end-user subnet information in DNS queries, so that authoritative DNS servers, especially those belonging to CDNs, could use this information to improve user mapping. In this paper, we study the ECS behavior of ECS-enabled recursive resolvers from the perspectives of the opposite sides of a DNS interaction, the authoritative DNS servers of a major CDN and a busy DNS resolution service. We find a range of erroneous (i.e., deviating from the protocol specification) and detrimental (even if compliant) behaviors that may unnecessarily erode client privacy, reduce the effectiveness of DNS caching, diminish ECS benefits, and in some cases turn ECS from facilitator into an obstacle to authoritative DNS servers' ability to optimize user-to-edge-server mappings.
内容分发网络(cdn)通常使用DNS将最终用户映射到最佳边缘服务器。最近提出的EDNS0-Client-Subnet (ECS)扩展允许递归解析器在DNS查询中包含最终用户子网信息,以便权威DNS服务器,特别是属于cdn的DNS服务器可以使用这些信息来改进用户映射。本文从DNS交互的对立面、主CDN的权威DNS服务器和繁忙DNS解析服务的角度研究了支持ECS的递归解析器的ECS行为。我们发现了一系列错误(即偏离协议规范)和有害(即使合规)的行为,这些行为可能不必要地侵蚀客户端隐私,降低DNS缓存的有效性,减少ECS的好处,并在某些情况下将ECS从推动者转变为权威DNS服务器优化用户到边缘服务器映射能力的障碍。
{"title":"A Look at the ECS Behavior of DNS Resolvers","authors":"R. Al-Dalky, M. Rabinovich, Kyle Schomp","doi":"10.1145/3355369.3355586","DOIUrl":"https://doi.org/10.1145/3355369.3355586","url":null,"abstract":"Content delivery networks (CDNs) commonly use DNS to map end-users to the best edge servers. A recently proposed EDNS0-Client-Subnet (ECS) extension allows recursive resolvers to include end-user subnet information in DNS queries, so that authoritative DNS servers, especially those belonging to CDNs, could use this information to improve user mapping. In this paper, we study the ECS behavior of ECS-enabled recursive resolvers from the perspectives of the opposite sides of a DNS interaction, the authoritative DNS servers of a major CDN and a busy DNS resolution service. We find a range of erroneous (i.e., deviating from the protocol specification) and detrimental (even if compliant) behaviors that may unnecessarily erode client privacy, reduce the effectiveness of DNS caching, diminish ECS benefits, and in some cases turn ECS from facilitator into an obstacle to authoritative DNS servers' ability to optimize user-to-edge-server mappings.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":"29 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"73330591","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 20
VisibleV8
Pub Date : 2019-10-21 DOI: 10.1145/3355369.3355599
Jordan Jueckstock, A. Kapravelos
Modern web security and privacy research depends on accurate measurement of an often evasive and hostile web. No longer just a network of static, hyperlinked documents, the modern web is alive with JavaScript (JS) loaded from third parties of unknown trustworthiness. Dynamic analysis of potentially hostile JS currently presents a cruel dilemma: use heavyweight in-browser solutions that prove impossible to maintain, or use lightweight inline JS solutions that are detectable by evasive JS and which cannot match the scope of coverage provided by in-browser systems. We present VisibleV8, a dynamic analysis framework hosted inside V8, the JS engine of the Chrome browser, that logs native function or property accesses during any JS execution. At less than 600 lines (only 67 of which modify V8's existing behavior), our patches are lightweight and have been maintained from Chrome versions 63 through 72 without difficulty. VV8 consistently outperforms equivalent inline instrumentation, and it intercepts accesses impossible to instrument inline. This comprehensive coverage allows us to isolate and identify 46 JavaScript namespace artifacts used by JS code in the wild to detect automated browsing platforms and to discover that 29% of the Alexa top 50k sites load content which actively probes these artifacts.
{"title":"VisibleV8","authors":"Jordan Jueckstock, A. Kapravelos","doi":"10.1145/3355369.3355599","DOIUrl":"https://doi.org/10.1145/3355369.3355599","url":null,"abstract":"Modern web security and privacy research depends on accurate measurement of an often evasive and hostile web. No longer just a network of static, hyperlinked documents, the modern web is alive with JavaScript (JS) loaded from third parties of unknown trustworthiness. Dynamic analysis of potentially hostile JS currently presents a cruel dilemma: use heavyweight in-browser solutions that prove impossible to maintain, or use lightweight inline JS solutions that are detectable by evasive JS and which cannot match the scope of coverage provided by in-browser systems. We present VisibleV8, a dynamic analysis framework hosted inside V8, the JS engine of the Chrome browser, that logs native function or property accesses during any JS execution. At less than 600 lines (only 67 of which modify V8's existing behavior), our patches are lightweight and have been maintained from Chrome versions 63 through 72 without difficulty. VV8 consistently outperforms equivalent inline instrumentation, and it intercepts accesses impossible to instrument inline. This comprehensive coverage allows us to isolate and identify 46 JavaScript namespace artifacts used by JS code in the wild to detect automated browsing platforms and to discover that 29% of the Alexa top 50k sites load content which actively probes these artifacts.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":"574 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77079075","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
Opening the Blackbox of VirusTotal: Analyzing Online Phishing Scan Engines 打开VirusTotal的黑盒子:分析在线钓鱼扫描引擎
Pub Date : 2019-10-21 DOI: 10.1145/3355369.3355585
Peng Peng, Limin Yang, Linhai Song, Gang Wang
Online scan engines such as VirusTotal are heavily used by researchers to label malicious URLs and files. Unfortunately, it is not well understood how the labels are generated and how reliable the scanning results are. In this paper, we focus on VirusTotal and its 68 third-party vendors to examine their labeling process on phishing URLs. We perform a series of measurements by setting up our own phishing websites (mimicking PayPal and IRS) and submitting the URLs for scanning. By analyzing the incoming network traffic and the dynamic label changes at VirusTotal, we reveal new insights into how VirusTotal works and the quality of their labels. Among other things, we show that vendors have trouble flagging all phishing sites, and even the best vendors missed 30% of our phishing sites. In addition, the scanning results are not immediately updated to VirusTotal after the scanning, and there are inconsistent results between VirusTotal scan and some vendors' own scanners. Our results reveal the need for developing more rigorous methodologies to assess and make use of the labels obtained from VirusTotal.
像VirusTotal这样的在线扫描引擎被研究人员大量用于标记恶意url和文件。不幸的是,目前还不清楚标签是如何产生的,以及扫描结果的可靠性如何。在本文中,我们将重点关注VirusTotal及其68家第三方供应商,以检查他们对网络钓鱼url的标签流程。我们通过建立我们自己的网络钓鱼网站(模仿PayPal和IRS)并提交url进行扫描来执行一系列测量。通过分析VirusTotal的传入网络流量和动态标签变化,我们揭示了VirusTotal如何工作及其标签质量的新见解。除此之外,我们发现供应商在标记所有的网络钓鱼网站时遇到了困难,即使是最好的供应商也错过了30%的网络钓鱼网站。另外,扫描后扫描结果不会立即更新到VirusTotal,并且VirusTotal扫描结果与部分厂商自带的扫描结果不一致。我们的研究结果表明,需要开发更严格的方法来评估和利用从VirusTotal获得的标签。
{"title":"Opening the Blackbox of VirusTotal: Analyzing Online Phishing Scan Engines","authors":"Peng Peng, Limin Yang, Linhai Song, Gang Wang","doi":"10.1145/3355369.3355585","DOIUrl":"https://doi.org/10.1145/3355369.3355585","url":null,"abstract":"Online scan engines such as VirusTotal are heavily used by researchers to label malicious URLs and files. Unfortunately, it is not well understood how the labels are generated and how reliable the scanning results are. In this paper, we focus on VirusTotal and its 68 third-party vendors to examine their labeling process on phishing URLs. We perform a series of measurements by setting up our own phishing websites (mimicking PayPal and IRS) and submitting the URLs for scanning. By analyzing the incoming network traffic and the dynamic label changes at VirusTotal, we reveal new insights into how VirusTotal works and the quality of their labels. Among other things, we show that vendors have trouble flagging all phishing sites, and even the best vendors missed 30% of our phishing sites. In addition, the scanning results are not immediately updated to VirusTotal after the scanning, and there are inconsistent results between VirusTotal scan and some vendors' own scanners. Our results reveal the need for developing more rigorous methodologies to assess and make use of the labels obtained from VirusTotal.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":"76 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"86094158","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 80
Measuring Security Practices and How They Impact Security 衡量安全实践以及它们如何影响安全
Pub Date : 2019-10-21 DOI: 10.1145/3355369.3355571
Louis F. DeKoven, A. Randall, A. Mirian, Gautam Akiwate, Ansel Blume, L. Saul, Aaron Schulman, G. Voelker, S. Savage
Security is a discipline that places significant expectations on lay users. Thus, there are a wide array of technologies and behaviors that we exhort end users to adopt and thereby reduce their security risk. However, the adoption of these "best practices" --- ranging from the use of antivirus products to actively keeping software updated --- is not well understood, nor is their practical impact on security risk well-established. This paper explores both of these issues via a large-scale empirical measurement study covering approximately 15,000 computers over six months. We use passive monitoring to infer and characterize the prevalence of various security practices in situ as well as a range of other potentially security-relevant behaviors. We then explore the extent to which differences in key security behaviors impact real-world outcomes (i.e., that a device shows clear evidence of having been compromised).
安全是一门对外行用户寄予厚望的学科。因此,我们建议最终用户采用大量的技术和行为,从而降低他们的安全风险。然而,采用这些“最佳实践”——从使用防病毒产品到积极保持软件更新——并没有得到很好的理解,它们对安全风险的实际影响也没有得到很好的确认。本文通过在六个月内覆盖约15,000台计算机的大规模实证测量研究探讨了这两个问题。我们使用被动监测来推断和描述各种安全实践的流行情况,以及一系列其他潜在的安全相关行为。然后,我们探讨了关键安全行为的差异对现实世界结果的影响程度(即,设备显示出已被破坏的明确证据)。
{"title":"Measuring Security Practices and How They Impact Security","authors":"Louis F. DeKoven, A. Randall, A. Mirian, Gautam Akiwate, Ansel Blume, L. Saul, Aaron Schulman, G. Voelker, S. Savage","doi":"10.1145/3355369.3355571","DOIUrl":"https://doi.org/10.1145/3355369.3355571","url":null,"abstract":"Security is a discipline that places significant expectations on lay users. Thus, there are a wide array of technologies and behaviors that we exhort end users to adopt and thereby reduce their security risk. However, the adoption of these \"best practices\" --- ranging from the use of antivirus products to actively keeping software updated --- is not well understood, nor is their practical impact on security risk well-established. This paper explores both of these issues via a large-scale empirical measurement study covering approximately 15,000 computers over six months. We use passive monitoring to infer and characterize the prevalence of various security practices in situ as well as a range of other potentially security-relevant behaviors. We then explore the extent to which differences in key security behaviors impact real-world outcomes (i.e., that a device shows clear evidence of having been compromised).","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":"47 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"84790312","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 15
An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come? 端到端大规模测量dns加密:我们已经走了多远?
Pub Date : 2019-10-21 DOI: 10.1145/3355369.3355580
Chaoyi Lu, Baojun Liu, Zhou Li, S. Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Y. Liu, Zaifeng Zhang, Jianping Wu
DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users. This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.
根据初始标准,DNS数据包被设计成以未加密的形式通过Internet传输。最近的发现表明,现实世界的对手正在积极利用这种设计漏洞来损害互联网用户的安全和隐私。为了减轻这种威胁,已经提出了几种协议来加密DNS客户端和服务器之间的DNS查询,我们将其统称为DNS over- encryption。虽然一些建议已经标准化,并得到了业界的大力支持,但从全球用户的角度来理解它们的现状却做得很少。本文首次对dns over- encryption进行了端到端的大规模分析。通过收集来自互联网扫描、用户端测量和被动监控日志的数据,我们获得了一些独特的见解。一般来说,从可访问性和延迟方面来看,DNS-over-Encryption的服务质量是令人满意的。对于DNS客户端,与传统DNS相比,DNS over- encryption查询不太可能被路径内拦截中断,并且额外的开销是可以忍受的。然而,我们也发现了一些关于如何操作服务的问题。例如,我们发现25%的DNS-over-TLS服务提供商使用无效的SSL证书。与传统的DNS相比,使用DNS over- encryption的用户要少得多,但我们目睹了这种趋势的增长。因此,我们认为社区应该推动更广泛地采用DNS-over-Encryption,我们也建议服务提供商仔细审查他们的实现。
{"title":"An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?","authors":"Chaoyi Lu, Baojun Liu, Zhou Li, S. Hao, Haixin Duan, Mingming Zhang, Chunying Leng, Y. Liu, Zaifeng Zhang, Jianping Wu","doi":"10.1145/3355369.3355580","DOIUrl":"https://doi.org/10.1145/3355369.3355580","url":null,"abstract":"DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users. This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":"130 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"84452108","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 66
Measuring eWhoring 测量eWhoring
Pub Date : 2019-10-21 DOI: 10.1145/3355369.3355597
S. Pastrana, Alice Hutchings, Daniel R. Thomas, J. Tapiador
eWhoring is the term used by offenders to refer to a type of online fraud in which cybersexual encounters are simulated for financial gain. Perpetrators use social engineering techniques to impersonate young women in online communities, e.g., chat or social networking sites. They engage potential customers in conversation with the aim of selling misleading sexual material -- mostly photographs and interactive video shows -- illicitly compiled from third-party sites. eWhoring is a popular topic in underground communities, with forums acting as a gateway into offending. Users not only share knowledge and tutorials, but also trade in goods and services, such as packs of images and videos. In this paper, we present a processing pipeline to quantitatively analyse various aspects of eWhoring. Our pipeline integrates multiple tools to crawl, annotate, and classify material in a semi-automatic way. It builds in precautions to safeguard against significant ethical issues, such as avoiding the researchers' exposure to pornographic material, and legal concerns, which were justified as some of the images were classified as child exploitation material. We use it to perform a longitudinal measurement of eWhoring activities in 10 specialised underground forums from 2008 to 2019. Our study focuses on three of the main eWhoring components: (i) the acquisition and provenance of images; (ii) the financial profits and monetisation techniques; and (iii) a social network analysis of the offenders, including their relationships, interests, and pathways before and after engaging in this fraudulent activity. We provide recommendations, including potential intervention approaches.
eWhoring是犯罪分子用来指一种网络欺诈行为的术语,这种网络欺诈行为通过模拟网络性接触来获取经济利益。犯罪者使用社会工程技术在在线社区(例如聊天或社交网站)中冒充年轻女性。他们与潜在客户进行对话,目的是出售从第三方网站非法编辑的误导性性材料——主要是照片和互动视频节目。嫖娼是地下社区的热门话题,而论坛则是犯罪的入口。用户不仅分享知识和教程,还交易商品和服务,如图片和视频包。在本文中,我们提出了一个处理流水线来定量地分析eWhoring的各个方面。我们的管道集成了多种工具,以半自动的方式对材料进行抓取、注释和分类。它建立了预防措施,以防止重大的道德问题,例如避免研究人员接触色情材料,以及法律问题,因为一些图像被归类为儿童剥削材料,这是合理的。我们用它对2008年至2019年10个专业地下论坛的网络嫖娼活动进行了纵向测量。我们的研究集中在三个主要的eWhoring组成部分:(i)图像的获取和来源;(ii)财务利润和货币化技术;(iii)对罪犯的社会网络分析,包括他们在参与这种欺诈活动之前和之后的关系、兴趣和途径。我们提供建议,包括潜在的干预方法。
{"title":"Measuring eWhoring","authors":"S. Pastrana, Alice Hutchings, Daniel R. Thomas, J. Tapiador","doi":"10.1145/3355369.3355597","DOIUrl":"https://doi.org/10.1145/3355369.3355597","url":null,"abstract":"eWhoring is the term used by offenders to refer to a type of online fraud in which cybersexual encounters are simulated for financial gain. Perpetrators use social engineering techniques to impersonate young women in online communities, e.g., chat or social networking sites. They engage potential customers in conversation with the aim of selling misleading sexual material -- mostly photographs and interactive video shows -- illicitly compiled from third-party sites. eWhoring is a popular topic in underground communities, with forums acting as a gateway into offending. Users not only share knowledge and tutorials, but also trade in goods and services, such as packs of images and videos. In this paper, we present a processing pipeline to quantitatively analyse various aspects of eWhoring. Our pipeline integrates multiple tools to crawl, annotate, and classify material in a semi-automatic way. It builds in precautions to safeguard against significant ethical issues, such as avoiding the researchers' exposure to pornographic material, and legal concerns, which were justified as some of the images were classified as child exploitation material. We use it to perform a longitudinal measurement of eWhoring activities in 10 specialised underground forums from 2008 to 2019. Our study focuses on three of the main eWhoring components: (i) the acquisition and provenance of images; (ii) the financial profits and monetisation techniques; and (iii) a social network analysis of the offenders, including their relationships, interests, and pathways before and after engaging in this fraudulent activity. We provide recommendations, including potential intervention approaches.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":"505 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76394274","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 23
Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs 在黑洞下:拆除ixp中BGP黑洞的操作实践
Pub Date : 2019-10-21 DOI: 10.1145/3355369.3355593
Marcin Nawrocki, Jeremias Blendin, C. Dietzel, T. Schmidt, Matthias Wählisch
Large Distributed Denial-of-Service (DDoS) attacks pose a major threat not only to end systems but also to the Internet infrastructure as a whole. Remote Triggered Black Hole filtering (RTBH) has been established as a tool to mitigate inter-domain DDoS attacks by discarding unwanted traffic early in the network, e.g., at Internet eXchange Points (IXPs). As of today, little is known about the kind and effectiveness of its use, and about the need for more fine-grained filtering. In this paper, we present the first in-depth statistical analysis of all RTBH events at a large European IXP by correlating measurements of the data and the control plane for a period of 104 days. We identify a surprising practice that significantly deviates from the expected mitigation use patterns. First, we show that only one third of all 34k visible RTBH events correlate with indicators of DDoS attacks. Second, we witness over 2000 blackhole events announced for prefixes not of servers but of clients situated in DSL networks. Third, we find that blackholing on average causes dropping of only 50% of the unwanted traffic and is hence a much less reliable tool for mitigating DDoS attacks than expected. Our analysis gives also rise to first estimates of the collateral damage caused by RTBH-based DDoS mitigation.
大型分布式拒绝服务(DDoS)攻击不仅对终端系统,而且对整个Internet基础设施都构成了重大威胁。远程触发黑洞过滤(RTBH)已经被建立为一种工具,通过在网络早期丢弃不需要的流量来减轻域间DDoS攻击,例如在互联网交换点(ixp)。到目前为止,人们对其使用的类型和有效性知之甚少,也不知道是否需要更细粒度的过滤。在本文中,我们首次对欧洲大型IXP的所有RTBH事件进行了深入的统计分析,将数据和控制平面的测量结果相关联,为期104天。我们发现了一个令人惊讶的做法,它明显偏离了预期的缓解使用模式。首先,我们表明,在所有34k个可见RTBH事件中,只有三分之一与DDoS攻击指标相关。第二,我们见证了超过2000个黑洞事件,不是服务器的前缀,而是位于DSL网络中的客户端的前缀。第三,我们发现黑洞平均只导致50%的不需要的流量下降,因此它是一个比预期更不可靠的缓解DDoS攻击的工具。我们的分析还对基于rthh的DDoS缓解造成的附带损害进行了初步估计。
{"title":"Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs","authors":"Marcin Nawrocki, Jeremias Blendin, C. Dietzel, T. Schmidt, Matthias Wählisch","doi":"10.1145/3355369.3355593","DOIUrl":"https://doi.org/10.1145/3355369.3355593","url":null,"abstract":"Large Distributed Denial-of-Service (DDoS) attacks pose a major threat not only to end systems but also to the Internet infrastructure as a whole. Remote Triggered Black Hole filtering (RTBH) has been established as a tool to mitigate inter-domain DDoS attacks by discarding unwanted traffic early in the network, e.g., at Internet eXchange Points (IXPs). As of today, little is known about the kind and effectiveness of its use, and about the need for more fine-grained filtering. In this paper, we present the first in-depth statistical analysis of all RTBH events at a large European IXP by correlating measurements of the data and the control plane for a period of 104 days. We identify a surprising practice that significantly deviates from the expected mitigation use patterns. First, we show that only one third of all 34k visible RTBH events correlate with indicators of DDoS attacks. Second, we witness over 2000 blackhole events announced for prefixes not of servers but of clients situated in DSL networks. Third, we find that blackholing on average causes dropping of only 50% of the unwanted traffic and is hence a much less reliable tool for mitigating DDoS attacks than expected. Our analysis gives also rise to first estimates of the collateral damage caused by RTBH-based DDoS mitigation.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":"55 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"86916868","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 19
Characterizing JSON Traffic Patterns on a CDN 在CDN上表征JSON流量模式
Pub Date : 2019-10-21 DOI: 10.1145/3355369.3355594
Santiago Vargas, U. Goel, Moritz Steiner, A. Balasubramanian
Content delivery networks serve a major fraction of the Internet traffic, and their geographically deployed infrastructure makes them a good vantage point to observe traffic access patterns. We perform a large-scale investigation to characterize Web traffic patterns observed from a major CDN infrastructure. Specifically, we discover that responses with application/json content-type form a growing majority of all HTTP requests. As a result, we seek to understand what types of devices and applications are requesting JSON objects and explore opportunities to optimize CDN delivery of JSON traffic. Our study shows that mobile applications account for at least 52% of JSON traffic on the CDN and embedded devices account for another 12% of all JSON traffic. We also find that more than 55% of JSON traffic on the CDN is uncacheable, showing that a large portion of JSON traffic on the CDN is dynamic. By further looking at patterns of periodicity in requests, we find that 6.3% of JSON traffic is periodically requested and reflects the use of (partially) autonomous software systems, IoT devices, and other kinds of machine-to-machine communication. Finally, we explore dependencies in JSON traffic through the lens of ngram models and find that these models can capture patterns between subsequent requests. We can potentially leverage this to prefetch requests, improving the cache hit ratio.
内容交付网络服务于Internet流量的主要部分,其地理上部署的基础设施使其成为观察流量访问模式的良好有利位置。我们进行了大规模的调查,以表征从主要CDN基础设施观察到的Web流量模式。具体来说,我们发现application/json内容类型的响应在所有HTTP请求中占越来越大的比例。因此,我们试图了解哪些类型的设备和应用程序正在请求JSON对象,并探索优化JSON流量的CDN交付的机会。我们的研究表明,移动应用程序占CDN上JSON流量的至少52%,嵌入式设备占所有JSON流量的另外12%。我们还发现CDN上超过55%的JSON流量是不可缓存的,这表明CDN上很大一部分JSON流量是动态的。通过进一步观察请求的周期性模式,我们发现6.3%的JSON流量是周期性请求的,这反映了(部分)自主软件系统、物联网设备和其他类型的机器对机器通信的使用。最后,我们通过ngram模型探索JSON流量中的依赖关系,并发现这些模型可以捕获后续请求之间的模式。我们可以潜在地利用这一点来预取请求,提高缓存命中率。
{"title":"Characterizing JSON Traffic Patterns on a CDN","authors":"Santiago Vargas, U. Goel, Moritz Steiner, A. Balasubramanian","doi":"10.1145/3355369.3355594","DOIUrl":"https://doi.org/10.1145/3355369.3355594","url":null,"abstract":"Content delivery networks serve a major fraction of the Internet traffic, and their geographically deployed infrastructure makes them a good vantage point to observe traffic access patterns. We perform a large-scale investigation to characterize Web traffic patterns observed from a major CDN infrastructure. Specifically, we discover that responses with application/json content-type form a growing majority of all HTTP requests. As a result, we seek to understand what types of devices and applications are requesting JSON objects and explore opportunities to optimize CDN delivery of JSON traffic. Our study shows that mobile applications account for at least 52% of JSON traffic on the CDN and embedded devices account for another 12% of all JSON traffic. We also find that more than 55% of JSON traffic on the CDN is uncacheable, showing that a large portion of JSON traffic on the CDN is dynamic. By further looking at patterns of periodicity in requests, we find that 6.3% of JSON traffic is periodically requested and reflects the use of (partially) autonomous software systems, IoT devices, and other kinds of machine-to-machine communication. Finally, we explore dependencies in JSON traffic through the lens of ngram models and find that these models can capture patterns between subsequent requests. We can potentially leverage this to prefetch requests, improving the cache hit ratio.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":"7 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87056063","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 5
What You See is NOT What You Get: Discovering and Tracking Social Engineering Attack Campaigns 你所看到的不是你得到的:发现和跟踪社会工程攻击活动
Pub Date : 2019-10-21 DOI: 10.1145/3355369.3355600
Phani Vadrevu, R. Perdisci
Malicious ads often use social engineering (SE) tactics to coax users into downloading unwanted software, purchasing fake products or services, or giving up valuable personal information. These ads are often served by low-tier ad networks that may not have the technical means (or simply the will) to patrol the ad content they serve to curtail abuse. In this paper, we propose a system for large-scale automatic discovery and tracking of SE Attack Campaigns delivered via Malicious Advertisements (SEACMA). Our system aims to be generic, allowing us to study the SEACMA ad distribution problem without being biased towards specific categories of ad-publishing websites or SE attacks. Starting with a seed of low-tier ad networks, we measure which of these networks are the most likely to distribute malicious ads and propose a mechanism to discover new ad networks that are also leveraged to support the distribution of SEACMA campaigns. The results of our study aim to be useful in a number of ways. For instance, we show that SEACMA ads use a number of tactics to successfully evade URL blacklists and ad blockers. By tracking SEACMA campaigns, our system provides a mechanism to more proactively detect and block such evasive ads. Therefore, our results provide valuable information that could be used to improve defense systems against social engineering attacks and malicious ads in general.
恶意广告通常使用社会工程(SE)策略来诱骗用户下载不需要的软件,购买假冒产品或服务,或放弃有价值的个人信息。这些广告通常是由底层广告网络提供的,它们可能没有技术手段(或者只是意愿)来监督它们所提供的广告内容,以遏制滥用。在本文中,我们提出了一个大规模自动发现和跟踪通过恶意广告传递的SE攻击活动(SEACMA)的系统。我们的系统的目标是通用的,使我们能够研究SEACMA广告分发问题,而不偏向于特定类别的广告发布网站或SE攻击。从底层广告网络的种子开始,我们测量了这些网络中哪些最有可能传播恶意广告,并提出了一种机制来发现新的广告网络,这些广告网络也被用来支持SEACMA活动的传播。我们的研究结果在很多方面都是有用的。例如,我们展示了SEACMA广告使用许多策略来成功地逃避URL黑名单和广告拦截器。通过跟踪SEACMA活动,我们的系统提供了一种更主动地检测和阻止此类规避广告的机制。因此,我们的结果提供了有价值的信息,可用于改进防御系统,以抵御社会工程攻击和恶意广告。
{"title":"What You See is NOT What You Get: Discovering and Tracking Social Engineering Attack Campaigns","authors":"Phani Vadrevu, R. Perdisci","doi":"10.1145/3355369.3355600","DOIUrl":"https://doi.org/10.1145/3355369.3355600","url":null,"abstract":"Malicious ads often use social engineering (SE) tactics to coax users into downloading unwanted software, purchasing fake products or services, or giving up valuable personal information. These ads are often served by low-tier ad networks that may not have the technical means (or simply the will) to patrol the ad content they serve to curtail abuse. In this paper, we propose a system for large-scale automatic discovery and tracking of SE Attack Campaigns delivered via Malicious Advertisements (SEACMA). Our system aims to be generic, allowing us to study the SEACMA ad distribution problem without being biased towards specific categories of ad-publishing websites or SE attacks. Starting with a seed of low-tier ad networks, we measure which of these networks are the most likely to distribute malicious ads and propose a mechanism to discover new ad networks that are also leveraged to support the distribution of SEACMA campaigns. The results of our study aim to be useful in a number of ways. For instance, we show that SEACMA ads use a number of tactics to successfully evade URL blacklists and ad blockers. By tracking SEACMA campaigns, our system provides a mechanism to more proactively detect and block such evasive ads. Therefore, our results provide valuable information that could be used to improve defense systems against social engineering attacks and malicious ads in general.","PeriodicalId":20640,"journal":{"name":"Proceedings of the Internet Measurement Conference 2018","volume":"9 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87723891","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 32
期刊
Proceedings of the Internet Measurement Conference 2018
全部 Acc. Chem. Res. ACS Applied Bio Materials ACS Appl. Electron. Mater. ACS Appl. Energy Mater. ACS Appl. Mater. Interfaces ACS Appl. Nano Mater. ACS Appl. Polym. Mater. ACS BIOMATER-SCI ENG ACS Catal. ACS Cent. Sci. ACS Chem. Biol. ACS Chemical Health & Safety ACS Chem. Neurosci. ACS Comb. Sci. ACS Earth Space Chem. ACS Energy Lett. ACS Infect. Dis. ACS Macro Lett. ACS Mater. Lett. ACS Med. Chem. Lett. ACS Nano ACS Omega ACS Photonics ACS Sens. ACS Sustainable Chem. Eng. ACS Synth. Biol. Anal. Chem. BIOCHEMISTRY-US Bioconjugate Chem. BIOMACROMOLECULES Chem. Res. Toxicol. Chem. Rev. Chem. Mater. CRYST GROWTH DES ENERG FUEL Environ. Sci. Technol. Environ. Sci. Technol. Lett. Eur. J. Inorg. Chem. IND ENG CHEM RES Inorg. Chem. J. Agric. Food. Chem. J. Chem. Eng. Data J. Chem. Educ. J. Chem. Inf. Model. J. Chem. Theory Comput. J. Med. Chem. J. Nat. Prod. J PROTEOME RES J. Am. Chem. Soc. LANGMUIR MACROMOLECULES Mol. Pharmaceutics Nano Lett. Org. Lett. ORG PROCESS RES DEV ORGANOMETALLICS J. Org. Chem. J. Phys. Chem. J. Phys. Chem. A J. Phys. Chem. B J. Phys. Chem. C J. Phys. Chem. Lett. Analyst Anal. Methods Biomater. Sci. Catal. Sci. Technol. Chem. Commun. Chem. Soc. Rev. CHEM EDUC RES PRACT CRYSTENGCOMM Dalton Trans. Energy Environ. Sci. ENVIRON SCI-NANO ENVIRON SCI-PROC IMP ENVIRON SCI-WAT RES Faraday Discuss. Food Funct. Green Chem. Inorg. Chem. Front. Integr. Biol. J. Anal. At. Spectrom. J. Mater. Chem. A J. Mater. Chem. B J. Mater. Chem. C Lab Chip Mater. Chem. Front. Mater. Horiz. MEDCHEMCOMM Metallomics Mol. Biosyst. Mol. Syst. Des. Eng. Nanoscale Nanoscale Horiz. Nat. Prod. Rep. New J. Chem. Org. Biomol. Chem. Org. Chem. Front. PHOTOCH PHOTOBIO SCI PCCP Polym. Chem.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1