Download pdf - BURN: Baring Unknown Rogue Networks

Francesco [email protected]

Politecnico di Milano

Luca Di [email protected]


Federico [email protected] di Milano

Giorgio [email protected]


Stefano [email protected] di Milano

Paolo [email protected]


BURNBARING UNKNOWN ROGUE NETWORKS

La visualizzazione come strumento per analizzareil comportamento dei network malevoli













Malicious Activity on the Internet

Malicious Activity on the InternetRogue or Fake Software AD/Click Fraud Targeted Attacks Phishing

Malicious Activity on the InternetRogue or Fake Software AD/Click Fraud Targeted Attacks Phishing

Exposing Malicious Hosts

. . .

FIRE: FInding RoguE Networkswww.maliciousnetworks.orgFunded by WOMBAT FP7 EU Project

Four top Internet threats

Funded by WOMBAT FP7 EU Project

Four top Internet threats

Four top Internet threatsMalware

Four top Internet threatsMalware Botnets

Four top Internet threatsMalware Botnets Phishing

Four top Internet threatsMalware Botnets Phishing Spam

Four top Internet threatsMalware Botnets Phishing Spam

Autonomous System (AS)

FIRE: Per-AS Malicious Activity


Activity

Data source

Malware Botnet Phishing Spam


Anubis Anubis PhishTank SpamHaus

Activity

Data source

Malware Botnet Phishing Spam


Anubis Anubis PhishTank SpamHaus

Overall Malicious Score

Many “shady” ISPs exposed Many unaware ISPs helped

Activity

Data source

Outcome

Downside?

Downside?





Visualization and Knowledge Discoveryon top of FIRE




aim




AcademicsPractitioners aim




AcademicsPractitioners

InternetUsersaim

System Overview

Global view

AS view

Global view

AS view

Global viewTimeline

AS view

Global viewTimeline

Activ

ity fil

ter

AS Tracking List

Country filter

AS view

Global viewTimeline

Activ

ity fil

ter

AS Tracking List

Country filter

Bubb

le chart

Geographical map

Trend chart

AS view

Global viewTimeline

Activ

ity fil

ter

AS Tracking List

Country filter

Bubb

le chart

Geographical map

Trend chart

Global view

Bubb

le chart

Geographical map

Trend chart

Global view

Bubb

le chart

Geographical map

Trend chart

Global view

Bubb

le chart

Geographical map

Trend chart

Global view

Bubb

le chart

Geographical map

Trend chart

Global view

Bubb

le chart

Geographical map

Trend chart

Global view

Bubb

le chart

Geographical map

Trend chart

Bubble Chart

Bubble Chart

Bubble Chart

Bubble Chart

Bubble Chart

Geographical Map

Geographical Map

Geographical Map

Geographical Map

Geographical Map

Geographical Map

Trend Chart

Trend Chart

Global view

AS view

AS view

De

tails HistoryMigra

tion

Longevity

AS view

De

tails HistoryMigra

tion

Longevity

History Chart

History Chart

History Chart

Service Longevity Chart




Service Migration Screen





De

tails HistoryMigra

tion

Longevity

AS view

Rogue behavior analysis

Service Migration

Service Migration

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

85

455

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

85

455

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

85

455

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

85

455

Service Migration

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

85

455

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

85

455

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

85

455

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

85

455

!"#$

!"#$%&"'("

)*$"+,"-%

Shutdowns

Service Migration

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

85

455

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

85

455

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

85

455

!"#$%$&'()*+,-+,().)/$0+

12)3&-45)3&-16)*+7

85

455

!"#$

!"#$%&"'("

)*$"+,"-%

!"#$

!"#$%&"'("

)*$"+,"-%

Shutdowns

Possible Migrations

Service Migration - Details

Service Migration - Details

!"#$

!"#$%&"'("

)*$"+,"-%

!"#$

!"#$%&"'("

)*$"+,"-%Shutdowns

!"#$

!"#$%&"'("

)*$"+,"-%

Possible Migrations

Compatibility Score

Compatibility Score

Source AS Destination AS

Compatibility Score

C&C

Malware

Phishing

Spam


Compatibility Score

High compatibility

C&C

Malware

Phishing

Spam


!"#$%&'(')'&*+,+- !"#$%&'(')'&*+,+./-0

!"#$%&%'()$$#'*+,-#.%/%$%.0

12

13

14

154

>

>

>

>

637

64

687

65

137

14

187

15

>

>

>

>

637

64

687

65

!"#$

1234562782

Compatibility Score

C&C

Malware

Phishing

Spam


!"#$%&'(')'&*+,+- !"#$%&'(')'&*+,+./-0

!"#$%&%'()$$#'*+,-#.%/%$%.0

12

13

14

154

>

>

>

>

637

64

687

65

137

14

187

15

>

>

>

>

637

64

687

65

!"#$

1234562782

Low compatibility

Compatibility Score

C&C

Malware

Phishing

Spam


!"#$%&'(')'&*+,+- !"#$%&'(')'&*+,+./-0

!"#$%&%'()$$#'*+,-#.%/%$%.0

12

13

14

154

>

>

>

>

637

64

687

65

137

14

187

15

>

>

>

>

637

64

687

65

!"#$

1234562782

Low compatibility

Mi C(j) : Si�AS ⌅⇥ [0, 1]

j ⇤ J =

{phishing,malware, spam, bot}

C(j)(s, d) :=mina�{s,d} �

(j)(a)

maxa�{s,d} �(j)(a),

�(j)min �(j)max �(j)(·)

j

J

Cs,d :=

�j�J C(j)(s, d) · �(j)(s)

�j�J �(j)(s)

Si

j 2 {C&C, Malware, Spam, Phishing}

Compatibility Score

C&C

Malware

Phishing

Spam


!"#$%&'(')'&*+,+- !"#$%&'(')'&*+,+./-0

!"#$%&%'()$$#'*+,-#.%/%$%.0

12

13

14

154

>

>

>

>

637

64

687

65

137

14

187

15

>

>

>

>

637

64

687

65

!"#$

1234562782

Low compatibility

Mi C(j) : Si�AS ⌅⇥ [0, 1]

j ⇤ J =



(j)(a)


�(j)min �(j)max �(j)(·)

j

J

Cs,d :=

�j�J C(j)(s, d) · �(j)(s)

�j�J �(j)(s)

Si

j 2 {C&C, Malware, Spam, Phishing}

Mi C(j) : Si�AS ⌅⇥ [0, 1]

j ⇤ J =



(j)(a)


�(j)min �(j)max �(j)(·)

j

J

Cs,d :=

�j�J C(j)(s, d) · �(j)(s)

�j�J �(j)(s)

Si

Tolerance to long-living rogue hosts




AS view

Global viewTimeline

Activ

ity fil

ter

AS Tracking List

Country filter

Timeline and Time Range selection

Timeline and Time Range selection

Activity Filter

Activity Filter

Country Filter

Country Filter

Autonomous System Tracking List

Autonomous System Tracking List

Conclusions

Limitations

Future Work

BURN improves FIRE

Knowledge discovery through data exploration

Academics / Practitioners / Internet users

Conclusions

Limitations

Future Work

BURN improves FIRE



Conclusions

Migrations are difficult to validate

Stress feature to avoid cluttered bubble map

Limitations

Future Work

BURN improves FIRE



Conclusions

Migrations are difficult to validate

Stress feature to avoid cluttered bubble map

Limitations

BURN is in private beta — DEMO available

Future Work

Bot meta-data from Anubis for migration analysis

Usability study with three target users











