Malicious Activity and Risky Behavior in Residential Networks

Similar documents
Operational Experiences With High-Volume Network Intrusion Detection

Very Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL

Enhancing Byte-Level Network Intrusion Detection Signatures with Context

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware

UTM 5000 WannaCry Technote

Training UNIFIED SECURITY. Signature based packet analysis

Kaseya 2. User Guide. Version 1.1

The Bro Cluster The Bro Cluster

Technical Brochure F-SECURE THREAT SHIELD

Sophos Central Admin. help

How to Configure ATP in the Firewall

How to Configure ATP in the HTTP Proxy

NetDefend Firewall UTM Services

Get Max Internet Security where to buy software for students ]

Sophos Central Admin. help

Kaseya 2. User Guide. Version 1.2

The Need for Collaboration between ISPs and P2P

The Need for Collaboration between ISPs and P2P

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Quick Heal AntiVirus Pro Advanced. Protects your computer from viruses, malware, and Internet threats.

Stochastic Blockmodels as an unsupervised approach to detect botnet infected clusters in networked data

2 ZyWALL UTM Application Note

Sophos Central Admin. help

Hardening the Education. with NGFW. Narongveth Yutithammanurak Business Development Manager 23 Feb 2012

Introduction Challenges with using ML Guidelines for using ML Conclusions

CounterACT Check Point Threat Prevention Module

Kaspersky PURE 2.0. Mail Anti-Virus: security levels

PineApp Mail Secure SOLUTION OVERVIEW. David Feldman, CEO

AccessEnforcer Version 4.0 Features List

The Bro Network Intrusion Detection System

Cisco Meraki MX products come in 6 models. The chart below outlines MX hardware properties for each model:

Small Office Security 2. Mail Anti-Virus

Understanding Online Social Network Usage from a Network Perspective

Seqrite Endpoint Security

CompTIA E2C Security+ (2008 Edition) Exam Exam.

Zillya Internet Security User Guide

Lecture 12. Application Layer. Application Layer 1

DETERMINATION OF THE PERFORMANCE

Botnets Behavioral Patterns in the Network

CYBER SECURITY MALAYSIA AWARDS, CONFERENCE & EXHIBITION (CSM-ACE) Securing Virtual Environments

SOLUTION MANAGEMENT GROUP

BOTNET-GENERATED SPAM

Quick Heal AntiVirus Pro. Tough on malware, light on your PC.

Cyber Security. Our part of the journey

Securing Your Business Against the Diversifying Targeted Attacks Leonard Sim

SIEM (Security Information Event Management)

Internet Security Mail Anti-Virus

A Guide to Closing All Potential VDI Security Gaps

Port Mirroring in CounterACT. CounterACT Technical Note

CompTIA Security+(2008 Edition) Exam

Easy Activation Effortless web-based administration that can be activated in as little as one business day - no integration or migration necessary.

A First Look at Modern Enterprise Traffic

Manually Update Kaspersky Virus Removal Tool

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Next Generation Endpoint Security Confused?

Cisco s Appliance-based Content Security: IronPort and Web Security

ForeScout Extended Module for Symantec Endpoint Protection

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

Intermediaries and regulation

Review Kaspersky Internet Security - multi-device 2015 online software downloader ]

Managing SonicWall Gateway Anti Virus Service

User Guide. Version R94. English

Antivirus Technology

McAfee Complete Endpoint Threat Protection Advanced threat protection for sophisticated attacks

Configuring the Botnet Traffic Filter

Potential Threats to Mobile Network Security

Quick Heal Total Security for Mac. Simple, fast and seamless protection for Mac.

A Review Paper on Network Security Attacks and Defences

Prevx 3.0 v Product Overview - Core Functionality. April, includes overviews of. MyPrevx, Prevx 3.0 Enterprise,

A Multi-Perspective Analysis of Carrier-Grade NAT Deployment

The evolution of malevolence

MX Sizing Guide. 4Gon Tel: +44 (0) Fax: +44 (0)

UTM Firewall Registration & Activation Manual DFL-260/ 860. Ver 1.00 Network Security Solution

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version:

PROTECTING YOUR BUSINESS ASSETS

Beyond Blind Defense: Gaining Insights from Proactive App Sec


European Internet Situation Awareness The Global View

Remove Manually Norton Internet Security 2012 Will Not Start

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version:

Quick Heal Total Security Multi-Device (Mac) Simple, fast and seamless protection for Mac.

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal

Basic Concepts in Intrusion Detection

Computer Network Vulnerabilities

Kaseya 2. User Guide. Version R8. English

Seeking Visibility Into Network Activity for Security Analysis

Free antivirus software download

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version:

Base64 The Security Killer

Intrusion Detection System

Performance and Quality-of-Service Analysis of a Live P2P Video Multicast Session on the Internet

Bitdefender GravityZone. Supreme protection against active threats for the SMB market

3 Ways to Prevent and Protect Your Clients from a Cyber-Attack. George Anderson Product Marketing Director Business October 31 st 2017

Fast and Evasive Attacks: Highlighting the Challenges Ahead

Symantec Endpoint Protection Family Feature Comparison

GFI Product Comparison. GFI WebMonitor 2015 vs. McAfee Web Gateway

Security Gap Analysis: Aggregrated Results

Venusense UTM Introduction

QUICK CONFIGURATION GUIDE

Future-ready security for small and mid-size enterprises

Transcription:

Malicious Activity and Risky Behavior in Residential Networks Gregor Maier 1, Anja Feldmann 1, Vern Paxson 2,3, Robin Sommer 2,4, Matthias Vallentin 3 1 TU Berlin / Deutsche Telekom Laboratories 2 International Computer Science Institute (ICSI) 3 University of California, Berkeley 4 Lawrence Berkeley National Laboratories (LBNL) Malicious Activity and Risky Behavior in Residential Networks 1 1

Introduction q Common perception: Residential users responsible for much of insecurity q Even worse in developing regions q But: Few systematic studies to date q We undertake such a study q Also important: What influences security? o Anti-virus o Software updates o Risky behavior (requesting blacklistes URLs) Malicious Activity and Risky Behavior in Residential Networks 2

Outline q Data sets and vantage points q Methodology q Security awareness and risky behavior q Malicious activity q Discussion & Conclusion Malicious Activity and Risky Behavior in Residential Networks 3

Outline q Data sets and vantage points o European ISP o AirJaldi network in India o Lawrence Berkeley Lab o Data annotations q Methodology q Security awareness and risky behavior q Malicious activity q Discussion & Conclusion Malicious Activity and Risky Behavior in Residential Networks 4

Data sets: European ISP q Major ISP in Europe q Observations from 20,000 DSL customers q All data immediately anonymized q 14 day observation period q No traffic shaping or port filters q Traffic makeup: o More than 50% HTTP o Peer-to-Peer around 15% o NNTP also significant Malicious Activity and Risky Behavior in Residential Networks 5

Data sets: AirJaldi in India q Community network in rural India q 10,000 users; several 1,000 machines q All share 10Mbps uplink q 400 wireless routers, spread over 80km radius q Use "layered NAT" approach => Cannot identify individual hosts q 3 traces, 34-40hrs each q Traffic makeup: o 56 72% HTTP o Quite some VoIP and instant messenger traffic o Almost no Peer-to-Peer or NNTP Malicious Activity and Risky Behavior in Residential Networks 6

Data sets: LBNL q Lawrence Berkeley National Lab, CA, USA q 12,000 hosts q 4 day observation period; 7,000 hosts active q Open network policy but q Security staff: o Uses Bro IDS o Infected machines are taken offline immediately Ø We do not expect any/much malicious activity Malicious Activity and Risky Behavior in Residential Networks 7

Data annotation q Want to know more about DSL-lines q Identify influences on security q Is NAT used? How many hosts are connected q How active are they? o Group by number of HTTP request o Classify into high/medium/low activity q Operating systems o Are Macs more secure? o Identify by HTTP user-agent string o Check DSL lines with only Macs (and no Windows) Malicious Activity and Risky Behavior in Residential Networks 8

Outline q Data sets and vantage points q Methodology o Scanning o Spamming o Known malware families o Generic NIDS o Security awareness and risky behavior q Security awareness and risky behavior q Malicious activity q Discussion & Conclusion Malicious Activity and Risky Behavior in Residential Networks 9

Finding Scanners (1) q Problem: NIDS are tuned to find incoming scans o Often use threshold of unsuccessful connections per source q We want outgoing scans but o Scan traffic embedded in benign activity o Cannot use simple threshold q Idea (borrowed from TRW scan detector) o Ratio of successful connections / all connections per <DSL-line, remote-ip> pair o Does it work? Malicious Activity and Risky Behavior in Residential Networks 10

Finding Scanners (2) q Histogram: Success ratio per pair Malicious Activity and Risky Behavior in Residential Networks 11

Finding Scanners (3) q Next step: classify pair as successful or unsuccessful q Count #successful VS. #unsuccessful pairs per DSL-line Malicious Activity and Risky Behavior in Residential Networks 12

Finding Scanners (4) q Where's the problem? Ø Peer-to-Peer (P2P) protocols o Peer tries to contact peers' IPs o But peer might be offline now or moved to other IP Ø Many unsuccessful connections o But not only filesharing, WoW also uses P2P protocol for maps q Solution: Look only for suspicious / dangerous ports o E.g., windows SMB, databases, VNC, remote desktop Malicious Activity and Risky Behavior in Residential Networks 13

Finding Scanners (5) q #successful VS. #unsuccessful for suspicious ports Now we have a nice separation ð Classify as scanner if >100 (or 1,000) unsuccessful pairs Malicious Activity and Risky Behavior in Residential Networks 14

Finding Spammers q We omit the details for brevity q Similar idea to scanning: o Count number of contacted SMTP servers q DSL lines contact <<25 or >> 100 SMTP servers Ø Use cutoff of 100 for spam classification Malicious Activity and Risky Behavior in Residential Networks 15

Malware families q Use network signatures of known malware q Conficker o Tries to resolve known DNS names q Zlob o Changes DNS resolvers o Targets Macs and Windows q Zeus o Tries to resolve DNS names of C&C servers Domain names from blacklist Malicious Activity and Risky Behavior in Residential Networks 16

Generic NIDS q Use Snort with Emerging Threads rulesets q 3,500 rules (but undocumented) q 1million alarms per day, 90% of DSL lines Ø Unuseable q Includes everything o Adware: users might have installed them on purpose o "Spyware": includes Alexa toolbar, but Alexa clearly states what it does o etc. Ø Excluded those Malicious Activity and Risky Behavior in Residential Networks 17

Generic NIDS (2) q Still too many hits :-( q Lack of documentation ð Cannot tell: o How bad traffic triggering a specific rule is o False positives q E.g., signatures for botnet command & control: o Check for single or double-letter URL parameters (b=..., tm=...) o Many benign websites use them too q Conclusion o Emerging threads might be useful for small networks with strict policies but for our case o Document rules!!!! Malicious Activity and Risky Behavior in Residential Networks 18

Security awareness & risky behavior q Security awareness o Do user use/update anti-virus software? o Do user update operating systems? Ø Detecting by inspecting HTTP user-agents q Risky behavior o Do users request URLs blacklisted by Google Safe Browsing? o We update our blacklist copy every 25 minutes q Again: this helps to find factors influencing security problems Malicious Activity and Risky Behavior in Residential Networks 19

Methodology summary q Behaviroal metrics o Scanning o Spamming q Malware families o Conficker o Zlob o Zeus q Generic NIDS (Snort with Emerging Threads) o Unuseable q Security awareness and risky behavior Malicious Activity and Risky Behavior in Residential Networks 20

Outline q Data sets and vantage points q Methodology q Security awareness and risky behavior o Security awareness o Google blacklist o Comparision with AirJaldi and LBNL q Malicious activity q Discussion & Conclusion Malicious Activity and Risky Behavior in Residential Networks 21

Security awareness Up to 90% of DSL-lines update AV and software Malicious Activity and Risky Behavior in Residential Networks 22

Google blacklists q Up to 4.4% of DSL-lines request blacklisted URL per day q Over 14 days: 19% do so!!! q Google blacklist integrated in many browsers o Were users warned by browser and ignored it? o Google requires update every 30 min o Check whether same user-agent downloads blacklist and requests URL o Result: mixed. Some were warned, but ignored it!! Malicious Activity and Risky Behavior in Residential Networks 23

Compare to AirJaldi and LBNL q AirJaldi o Cannot do per DSL-line or host (NAT hierachy) o Fraction of requests for anti-virus and software updates similar o Fraction of requests that are blacklisted similar q LBNL: o Less anti-virus and software updates But central update servers at LBNL Other OS mix o Significantly less risky behavior Malicious Activity and Risky Behavior in Residential Networks 24

Outline q Data sets and vantage points q Methodology q Security awareness and risky behavior q Malicious activity o General results o Influences on malicious activity o Malicious activity and Macs o Comparison with AirJaldi and LBNL q Discussion & Conclusion Malicious Activity and Risky Behavior in Residential Networks 25

Malicious activity Only small fraction of lines trigger metrics <0.7% per day, < 1.3% overall Malicious Activity and Risky Behavior in Residential Networks 26

Malicious activity (2) q Malware families contribute most Ø Few DSL-lines scan or spam q 44% of spammers active only single day q 38% of Zeus lines only trigger single day q Zlob active on 8.4 (10) days on average (median) q Conficker active on 6.5 days mean, 6 median q Most others around 4 days (mean) and 2-4 days median q 92% of "bad" lines only trigger single metric Ø We likely underestimate total Malicious Activity and Risky Behavior in Residential Networks 27

Influences on malicious activity q No strong influence of anti-virus and OS updates o Prob. only 1.26% if not using anti-virus q No strong influence of NAT q A l%ittle influence of activity o High activity: 4.08% o Medium activity: 1.94% o Low activity: 0.46% q Only slight influence of blacklist hits o Prob. 3.19%. Less than high activity o Risky behavior does not impact infections much! Malicious Activity and Risky Behavior in Residential Networks 28

Malicious activity and Macs q 2.7% of DSL-lines have only Macs q Mac infections: 0.54% (compare to 1.23%) q But only Zlob triggers Ø No scanning, spamming, Conficker, Zeus on Macs q 0.54% of Macs have Zlob, only 0.24% overall q Mac not better than Windows q Malware that targets Macs is successful! Malicious Activity and Risky Behavior in Residential Networks 29

Comparison with AirJaldi and LBNL q No malicious activity at LBNL o As we expected o Scan and spam metrics trigger on q AirJaldi Benign mail server Penetration testing hosts that scan o 180 260 active IPs per trace o Each IP can have 1 1,000s of hosts o Cannot analyze per host (NAT) Malicious Activity and Risky Behavior in Residential Networks 30

AirJaldi malicious activity Not much malicious activity Comparable to European ISP Malicious Activity and Risky Behavior in Residential Networks 31

Outline q Data sets and vantage points q Methodology q Security awareness and risky behavior q Malicious activity q Discussion & Conclusion Malicious Activity and Risky Behavior in Residential Networks 32

Discussion & Conclusion (1) q We use behavioral metrics and malware signatures q Confident that metrics find what they should q Cannot know how much we miss o Lower bound o Might be significant (e.g., most lines trigger 1 metric) q Out approach mimics closely how security analysts work o Deploy toolbox of orthogonal strategies q Snort with emerging threads problematic o Many blacklists have similar problems Malicious Activity and Risky Behavior in Residential Networks 33

Discussion & Conclusion (2) q Residential users do not spam or scan Ø Likely not infected with such malware q Users are risk aware o Anti-virus and software updates widespread o Does not lower infection risk q Users exhibit risky behavior o Many request blacklisted URLs o Does not affect infection risk by as much as one may assume q Comparing to rural community network in India o Very similar in terms of malicious activity and risky behavior o No infections at LBL and less risky behavior Malicious Activity and Risky Behavior in Residential Networks 34

Questions? Malicious Activity and Risky Behavior in Residential Networks 35 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback