Proactive Cyberfraud Detection Through Infrastructure Analysis
Date
2010-12-13
Publisher
[Bloomington, Ind.] : Indiana University
Abstract
Internet users are threatened daily by spam, phishing, and malware.
These attacks are often launched using armies of compromised machines,
complicating identification of the miscreants behind the attacks.
Unfortunately, most current approaches to fight these problems are
reactive in nature, allowing significant damage before security
measures are adapted to new attacks. For example, blacklisting
prevents communications with known malicious hosts, but many users may
fall victim to an attack before blacklists are updated. In this
dissertation we argue for a proactive approach to fighting cybercrime.
Our approach relies on the observation that to avoid attribution and
to stay up amidst take-down attempts, miscreants must provision their
infrastructure differently than legitimate web sites. Thus, we
propose to proactively identify malicious activity using unique
characteristics of malicious web site provisioning. Specifically,
using near real-time feeds of malicious web hosts, we investigate the
extent to which miscreants use five specific provisioning practices.
The first three are based on the Domain Name System (DNS), which
translates host names to IP addresses. We first examine fast-flux, a
practice where the association between name and address changes much
more frequently than usual. We then investigate the use of DNS
wildcards, which point many host names to a single address. Next, we
examine the use of orphan DNS servers, which are DNS servers in
non-existent domains. Then, we study the concentration of malicious
activity in certain networks. Finally, we examine web redirects, which
may appear to be links to legitimate web sites but in reality trick
users into visiting malicious sites. We find that although good web
sites sometimes make use of some of these techniques, malicious web
sites are more likely to use them. Consequently, their presence can
be used for proactive identification of malicious web sites.
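The five provisioning checks the abstract enumerates, written out as an added example (this is illustrative code, not the dissertation's implementation or data). Every host, address, ASN and zone below is constructed; the record formats, the thresholds (address and ASN counts, TTL bound, network share), the stub resolver that stands in for live DNS lookups, and the two-label approximation of a registrable domain are all assumptions made for the example.

```python
# Added example, not from the dissertation.  All sample data is constructed
# (reserved test addresses and ASNs); thresholds and record formats are
# illustrative assumptions.
import re
from collections import Counter
from statistics import median
from urllib.parse import urlparse

# --- constructed passive-DNS observations: (name, ip, ttl_seconds, asn) ----
DNS_OBS = [("shop.flux-sample.test", ip, 120, asn) for ip, asn in [
    ("198.51.100.7", 64500), ("203.0.113.9", 64501), ("192.0.2.44", 64502),
    ("198.51.100.88", 64503), ("203.0.113.130", 64501), ("192.0.2.201", 64504),
]] + [
    ("www.stable-sample.test", "192.0.2.10", 3600, 64510),
    ("www.stable-sample.test", "192.0.2.10", 3600, 64510),
    ("www.stable-sample.test", "192.0.2.11", 3600, 64510),
]

def fast_flux(name, obs, min_ips=5, min_asns=3, max_ttl=300):
    """Flag a name whose address binding churns: many distinct addresses,
    spread over several networks, advertised with short TTLs (thresholds
    are assumed values)."""
    rows = [o for o in obs if o[0] == name]
    if not rows:
        return False
    ips, asns = {o[1] for o in rows}, {o[3] for o in rows}
    return (len(ips) >= min_ips and len(asns) >= min_asns
            and median(o[2] for o in rows) <= max_ttl)

# --- constructed zone data; a "*" key stands for a wildcard record ---------
ZONE = {"wild-sample.test": {"www": "203.0.113.5", "*": "203.0.113.5"},
        "stable-sample.test": {"www": "192.0.2.10"}}

def resolve(fqdn, zone=ZONE):
    """Stub resolver (single label under a registrable domain) standing in
    for a real lookup; swap in a DNS library for live use."""
    label, _, domain = fqdn.partition(".")
    records = zone.get(domain, {})
    return records.get(label) or records.get("*")

def dns_wildcard(domain, resolver=resolve):
    """Two nonce labels nobody would have registered both resolving, and to
    the same address, is the signature of a wildcard record."""
    answers = [resolver(f"{n}.{domain}") for n in ("zq7x3-probe-a", "zq7x3-probe-b")]
    return answers[0] is not None and answers[0] == answers[1]

# --- constructed delegation data and the set of domains that exist --------
NS_RECORDS = {"orphan-sample.test": ["ns1.gone-registrar.test", "ns2.gone-registrar.test"],
              "stable-sample.test": ["ns1.stable-sample.test"]}
EXISTING_DOMAINS = {"orphan-sample.test", "stable-sample.test",
                    "wild-sample.test", "flux-sample.test"}

def orphan_ns(domain, ns_records=NS_RECORDS, existing=EXISTING_DOMAINS):
    """Return NS hosts whose own domain does not exist: they serve the child
    zone while their parent domain would answer NXDOMAIN."""
    return [ns for ns in ns_records.get(domain, [])
            if ns.split(".", 1)[1] not in existing]

# --- constructed malicious-host feed: (host, asn) --------------------------
FEED = [("a.bad-sample.test", 64501), ("b.bad-sample.test", 64501),
        ("c.bad-sample.test", 64501), ("d.bad-sample.test", 64501),
        ("e.bad-sample.test", 64502), ("f.bad-sample.test", 64503)]

def concentrated_networks(feed, min_share=0.5):
    """Networks (ASNs here) hosting at least min_share of the feed."""
    counts = Counter(asn for _, asn in feed)
    total = sum(counts.values())
    return {asn: n / total for asn, n in counts.items() if n / total >= min_share}

# --- redirect detection over a fetched page --------------------------------
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def registrable(host):
    """Last two labels, an assumed stand-in for a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])

def deceptive_redirect(page_url, status, headers, body):
    """Return the first redirect target (30x Location, meta refresh or JS
    assignment) that leaves the registrable domain of the visited URL."""
    targets = []
    if 300 <= status < 400 and "Location" in headers:
        targets.append(headers["Location"])
    targets += META_REFRESH.findall(body) + JS_LOCATION.findall(body)
    src = registrable(urlparse(page_url).hostname)
    for t in targets:
        dst = urlparse(t).hostname
        if dst and registrable(dst) != src:
            return t
    return None

if __name__ == "__main__":
    print("fast-flux:", fast_flux("shop.flux-sample.test", DNS_OBS))
    print("wildcard:", dns_wildcard("wild-sample.test"))
    print("orphan NS:", orphan_ns("orphan-sample.test"))
    print("concentrated:", concentrated_networks(FEED))
    print("redirect:", deceptive_redirect("http://news-sample.test/story", 200, {},
          '<meta http-equiv="refresh" content="0;url=http://evil-sample.test/login">'))
```

Each check is kept independent so the same feed can be scored feature by feature; in practice the `resolve` stub and the constructed zone, delegation and feed data would be replaced by live lookups and a real malicious-host feed, and the thresholds tuned against the benign hosts that also use these practices, since the abstract notes that legitimate sites sometimes do.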
Description
Thesis (Ph.D.) - Indiana University, Computer Sciences, 2010
Keywords
Cyberfraud, Infrastructure, Security
Type
Doctoral Dissertation