BURN: Baring Unknown Rogue Networks

Francesco Rovetafrancesco.roveta@mail.polimi.it

Politecnico di Milano

Luca Di Marioluca.dimario@mail.polimi.it

Federico Maggifmaggi@elet.polimi.itPolitecnico di Milano

Giorgio Cavigliagiorgio.caviglia@polimi.it

Stefano Zanerozanero@elet.polimi.itPolitecnico di Milano

Paolo Ciuccarellipaolo.ciuccarelli@polimi.it

BURNBARING UNKNOWN ROGUE NETWORKS

La visualizzazione come strumento per analizzareil comportamento dei network malevoli

Malicious Activity on the Internet

Malicious Activity on the InternetRogue or Fake Software AD/Click Fraud Targeted Attacks Phishing

Exposing Malicious Hosts

FIRE: FInding RoguE Networkswww.maliciousnetworks.orgFunded by WOMBAT FP7 EU Project

Four top Internet threats

Funded by WOMBAT FP7 EU Project

Four top Internet threats

Four top Internet threatsMalware

Four top Internet threatsMalware Botnets

Four top Internet threatsMalware Botnets Phishing

Four top Internet threatsMalware Botnets Phishing Spam

Autonomous System (AS)

FIRE: Per-AS Malicious Activity

Activity

Data source

Malware Botnet Phishing Spam

Anubis Anubis PhishTank SpamHaus

Activity

Data source

Malware Botnet Phishing Spam

Anubis Anubis PhishTank SpamHaus

Overall Malicious Score

Many “shady” ISPs exposed Many unaware ISPs helped

Activity

Data source

Outcome

Downside?

Visualization and Knowledge Discoveryon top of FIRE

AcademicsPractitioners aim

AcademicsPractitioners

InternetUsersaim

System Overview

Global view

AS view

Global view

AS view

Global viewTimeline

AS view

Global viewTimeline

ity fil

AS Tracking List

Country filter

AS view

Global viewTimeline

ity fil

AS Tracking List

Country filter

le chart

Geographical map

Trend chart

AS view

Global viewTimeline

ity fil

AS Tracking List

Country filter

le chart

Geographical map

Trend chart

Global view

le chart

Geographical map

Trend chart

Global view

le chart

Geographical map

Trend chart

Global view

le chart

Geographical map

Trend chart

Global view

le chart

Geographical map

Trend chart

Global view

le chart

Geographical map

Trend chart

Global view

le chart

Geographical map

Trend chart

Bubble Chart

Geographical Map

Trend Chart

Global view

AS view

tails HistoryMigra

Longevity

AS view

tails HistoryMigra

Longevity

History Chart

Service Longevity Chart

Service Migration Screen

tails HistoryMigra

Longevity

AS view

Rogue behavior analysis

Service Migration

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

Service Migration

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

!"#$%&"'("

)*$"+,"-%

Shutdowns

Service Migration

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

!"#$%&"'("

)*$"+,"-%

!"#$%&"'("

)*$"+,"-%

Shutdowns

Possible Migrations

Service Migration - Details

!"#$%&"'("

)*$"+,"-%

!"#$%&"'("

)*$"+,"-%Shutdowns

!"#$%&"'("

)*$"+,"-%

Possible Migrations

Compatibility Score

Source AS Destination AS

Compatibility Score

Malware

Phishing

Compatibility Score

High compatibility

Malware

Phishing

!"#$%&'(')'&*+,+- !"#$%&'(')'&*+,+./-0

!"#$%&%'()$$#'*+,-#.%/%$%.0

1234562782

Compatibility Score

Malware

Phishing

!"#$%&'(')'&*+,+- !"#$%&'(')'&*+,+./-0

!"#$%&%'()$$#'*+,-#.%/%$%.0

1234562782

Low compatibility

Compatibility Score

Malware

Phishing

!"#$%&'(')'&*+,+- !"#$%&'(')'&*+,+./-0

!"#$%&%'()$$#'*+,-#.%/%$%.0

1234562782

Low compatibility

Mi C(j) : Si�AS ⌅⇥ [0, 1]

j ⇤ J =

{phishing,malware, spam, bot}

C(j)(s, d) :=mina�{s,d} �

(j)(a)

maxa�{s,d} �(j)(a),

�(j)min �(j)max �(j)(·)

Cs,d :=

�j�J C(j)(s, d) · �(j)(s)

�j�J �(j)(s)

j 2 {C&C, Malware, Spam, Phishing}

Compatibility Score

Malware

Phishing

!"#$%&'(')'&*+,+- !"#$%&'(')'&*+,+./-0

!"#$%&%'()$$#'*+,-#.%/%$%.0

1234562782

Low compatibility

Mi C(j) : Si�AS ⌅⇥ [0, 1]

j ⇤ J =

(j)(a)

�(j)min �(j)max �(j)(·)

Cs,d :=

�j�J C(j)(s, d) · �(j)(s)

�j�J �(j)(s)

j 2 {C&C, Malware, Spam, Phishing}

Mi C(j) : Si�AS ⌅⇥ [0, 1]

j ⇤ J =

(j)(a)

�(j)min �(j)max �(j)(·)

Cs,d :=

�j�J C(j)(s, d) · �(j)(s)

�j�J �(j)(s)

Tolerance to long-living rogue hosts

AS view

Global viewTimeline

ity fil

AS Tracking List

Country filter

Timeline and Time Range selection

Activity Filter

Country Filter

Autonomous System Tracking List

Conclusions

Limitations

Future Work

BURN improves FIRE

Knowledge discovery through data exploration

Academics / Practitioners / Internet users

Conclusions

Limitations

Future Work

BURN improves FIRE

Conclusions

Migrations are difficult to validate

Stress feature to avoid cluttered bubble map

Limitations

Future Work

BURN improves FIRE

Conclusions

Migrations are difficult to validate

Stress feature to avoid cluttered bubble map

Limitations

BURN is in private beta — DEMO available

Future Work

Bot meta-data from Anubis for migration analysis

Usability study with three target users

BURN: Baring Unknown Rogue Networks

Technology

Lending Booms Baring Version10 07

A Monetary and Financial Wreck: The Baring Crisis, 1890-91 · “rogue trader,” Nick Leeson of the Singapore office, who ran up unauthorized bets on Japanese equity, government

Overseas Investment Plan - Offshore Fund Baring ASEAN ......Overseas Investment Plan - Offshore Fund * Baring ASEAN Frontiers Fund Offshore Fund Investment Objective The objective

Rogue Trader Introduction - 1jour-1jeu...Title Rogue Trader Introduction - 1jour-1jeu.com Author 1jour-1jeu.com Subject Rogue Trader Introduction - 1jour-1jeu.com Keywords Rogue Trader

S. Baring-Gould - The Book of Were-wolves

Baring Gould Book of Fairy Tales

Baring Archive

Rogue River National Recreation Trail MapTitle: Rogue River National Recreation Trail Map Author: Medford District Subject: Rogue River Keywords: Rogue River Trail Map, Rogue River

Baring Asset Management

Particle Acceleration at Astrophysical Shocks · 2006-04-11 · Particle Acceleration at Astrophysical Shocks Matthew G. Baring Rice University baring@rice.edu Cargese School,

Ageing Artfully - Baring Foundation

From Rogue Creditors to Rogue Debtors: Implications of

Disco Inferno. Burn baby burn! Burn baby burn! Burn baby burn! Burn baby burn! Burnin'! To mass fires, yes! One hundred stories high People gettin' loose

Baring International Umbrella Fund - …€¦ · BARING INTERNATIONAL UMBRELLA FUND ... Baring Asset Management GmbH Ulmenstrasse 37-39 60325, Frankfurt Germany Mark Thorne Dillon

What is meaningful learning (mark baring)

Baring Bank-Rogue Trader

Managing Rogue Devices - Cisco · Managing Rogue Devices Additional References for Rogue Detection. Feature History and Information For Performing Rogue Detection Configuration Release

Baring Global Opportunities Umbrella Fund · Baring World Dynamic Asset Allocation Fund Investment objective and policy The investment objective of Baring World Dynamic Asset Allocation

History, Impact and Future - Baring Foundation

Baring Gould in Troubadour Land