Benjamin Edwards
ABSTRACT
Many cybersecurity problems occur on a worldwide scale, but we lack rigorous methods for determining how best to intervene and mitigate damage globally, both short- and long-term. Analysis of longitudinal security data can provide insight into the effectiveness and differential impacts of security interventions on a global level. In this paper we consider the example of spam, studying a large high-resolution data set of messages sent from 260 ISPs in 60 countries over the course of a decade. The statistical analysis is designed to avoid common pitfalls that could lead to erroneous conclusions. We show how factors such as geography, national economics, Internet connectivity and traffic flow impact can affect local spam concentrations. Additionally, we present a statistical model to study temporal transitions in the dataset, and we use a simple extension of the model to investigate the effect of historical botnet takedowns on spam levels. We find that in aggregate most historical takedowns are beneficial in the short-term, but few have long-term impact. Further, even when takedowns are effective globally, they can be detrimental in specific geographic regions or countries. The analysis and modeling described here are based on a single data set. However, the techniques are general and could be adapted to other data sets to help improve decision making about when and how to deploy security interventions.
- R. Anderson et al. Measuring the cost of cybercrime. In WEIS, 2012.Google Scholar
- D. Asteriou and S. G. Hall. Applied Econometrics: a modern approach using eviews and microfit. Palgrave Macmillan New York, 2007.Google Scholar
- W. Bank. World bank data. http://data.worldbank.org/, Mar. 2015.Google Scholar
- BotFrei. botfrei.de: The anti-botnet advisory centre. https://www.botfrei.de/, May 2014.Google Scholar
- H. Chang et al. An empirical approach to modeling inter-as traffic matrices. In Proc. of ACM IMC. USENIX Association, 2005. Google ScholarDigital Library
- Z. Chen et al. Spatial-temporal characteristics of internet malicious sources. In INFOCOM. IEEE, 2008.Google ScholarCross Ref
- C. Y. Cho et al. Inference and analysis of formal models of botnet command and control protocols. In ACM CCS. ACM, 2010. Google ScholarDigital Library
- M. P. Collins et al. Using uncleanliness to predict future botnet addresses. In ACM IMC, 2007. Google ScholarDigital Library
- L. Corrons. Mariposa botnet. Panda Labs, Mar. 2010.Google Scholar
- D. Dagon et al. Modeling botnet propagation using time zones. In NDSS, 2006.Google Scholar
- A. Dhamdhere and C. Dovrolis. Ten years in the evolution of the internet ecosystem. In ACM IMC, 2008. Google ScholarDigital Library
- B. Donohue. Kapersky knocks down kelihos botnet again, but expects return. Threatpost.com, Mar. 2012.Google Scholar
- B. Edwards et al. Beyond the blacklist: Modeling malware spread and the effects of interventions. In NSPW, 2012. Google ScholarDigital Library
- B. Edwards et al. Internet topology over time. arXiv preprint arXiv:1202.3993, 2012.Google Scholar
- B. Edwards et al. Hype and heavy tails: A closer look at data breaches. In WEIS, 2015.Google Scholar
- T. Espiner. Dutch police take down bredolab botnet. ZDNet, Oct. 2010.Google Scholar
- D. Geer. Cybersecurity as realpolitik. http://geer.tinho.net/geer.blackhat.6viii14.txt, Aug. 2014.Google Scholar
- S. Goldberg and S. Forrest. Implications of security enhancements and interventions for core internet infrastructure. In TPRC42, 2014.Google Scholar
- D. Goodin. Waledac botnet 'decimated' by ms takedown. The Register, Mar. 2010.Google Scholar
- D. Goodin. "slain" kelihos botnet still spams from beyond the grave. arstechnica, Feb. 2012.Google Scholar
- Google. An update on our war against account hijackers. Google Official Blog, Feb. 2013.Google Scholar
- C. W. Granger. Investigating causal relations by econometric models and cross-spectral methods. Econometrica, 1969.Google ScholarCross Ref
- D. Gudkova. Kaspersky security bulletin: Spam evolution 2013, Jan. 2013.Google Scholar
- S. Hird. Technical solutions for controlling spam. Proc. of AUUG, 2002.Google Scholar
- S. Hofmeyr et al. Modeling internet-scale policies for cleaning up malware. In Economics of Information Security and Privacy III. Springer, 2013.Google ScholarCross Ref
- B. Johnson et al. Metrics for measuring isp badness: The case of spam. In Financial Cryptography and Data Security. 2012.Google ScholarCross Ref
- P. Kalakota and C.-T. Huang. On the benefits of early filtering of botnet unwanted traffic. In ICCCN, 2009. Google ScholarDigital Library
- C. Kanich et al. Spamalytics: An empirical analysis of spam marketing conversion. In ACM CCS, 2008. Google ScholarDigital Library
- C. Kanich et al. Show me the money: Characterizing spam-advertised revenue. In USENIX, 2011. Google ScholarDigital Library
- A. Karasaridis et al. Wide-scale botnet detection and characterization. In Proc. of HotBots. Cambridge, MA, 2007. Google ScholarDigital Library
- G. Keizer. Rustock take-down proves botnets can be crippled, says microsoft. Computer World, July 2011.Google Scholar
- M. Kendall et al. Rank correlation methods. Rank correlation methods., 1948.Google Scholar
- M. Kokkodis and M. Faloutsos. Spamming botnets: Are we losing the war. Proc. of CEAS, 2009.Google Scholar
- I. Kotenko et al. Agent-based modeling and simulation of botnets and botnet defense. In Conf. on Cyber Conflict, 2010.Google Scholar
- B. Krebs. Host of internet spam groups is cut off. The Washington Post, Nov. 2008.Google Scholar
- B. Krebs. Organized crime behind a majority of data breaches. The Washington Post, Apr. 2009.Google Scholar
- B. Krebs. The scrap value of a hacked pc. The Washington Post, May 2009.Google Scholar
- B. Krebs. Microsoft ambushes waledac botnet, shutters whistleblower site. Krebs on Security, Feb. 2010.Google Scholar
- B. Krebs. Takedowns: The shuns and stuns that take the fight to the enemy. McAfee Security Journal, 2010.Google Scholar
- B. Krebs. U.s. government takes down coreflood botnet. Krebs on Security, 2011.Google Scholar
- B. Krebs. Rogue pharma, fake av vendors feel credit card crunch. Krebs On Security, Oct. 2012.Google Scholar
- B. Krebs. Polish takedown targets 'virut' botnet. Krebs On Security, Jan. 2013.Google Scholar
- J. Leydon. Google: Botnet takedowns fail to stem spam tide, Apr. 2010.Google Scholar
- Z. Li et al. Botnet economics: uncertainty matters. In Managing Information Risk and the Economics of Security. 2009.Google ScholarCross Ref
- X. Liu et al. To filter or to authorize: Network-layer dos defense against multimillion-node botnets. In ACM SIGCOMM, 2008. Google ScholarDigital Library
- Y. Liu et al. Predicting cyber security incidents using feature-based characterization of network-level malicious activities. In Proc. of ACM IWSPA, 2015. Google ScholarDigital Library
- M. LLC. Maxmind geoip, 2008.Google Scholar
- R. Mahajan et al. Understanding bgp misconfiguration. In SIGCOMM, 2002. Google ScholarDigital Library
- D. McCoy et al. Priceless: The role of payments in abuse-advertised goods. In Proc. of ACM CCS, 2012. Google ScholarDigital Library
- Microsoft. Microsoft security intelligence report, Aug. 2011.Google Scholar
- T. Moore and R. Clayton. Discovering phishing dropboxes using email metadata. In Proc. of eCrime, 2012.Google ScholarCross Ref
- T. Morrison. Spam botnets: The fall of grum and the rise of festi. SpamHaus Blog, Aug. 2012.Google Scholar
- G. C. Moura. Internet bad neighborhoods. Number 12 in University of Twente Dissertation. Giovane Cesar Moreira Moura, 2013.Google Scholar
- Y. Nadji et al. Beheading hydras: performing effective botnet takedowns. In SIGSAC. ACM, 2013. Google ScholarDigital Library
- Y. Namestnikov. The economics of botnets. Analysis on Viruslist.com, Kapersky Lab, 2009.Google Scholar
- U. Nations. Un geographic division. http://millenniumindicators.un.org/unsd/methods/m49/m49regin.htm, Oct. 2013.Google Scholar
- S. F. News. A young botnet suspect arrested by russian authorities. SpamFighter, July 2012.Google Scholar
- R. Oliveira et al. The (in) completeness of the observed internet as-level structure. IEEE/ACM Transactions on Networking (ToN), 2010. Google ScholarDigital Library
- R. Path. The global email deliverability benchmark report, 2h 2011, Mar. 2012.Google Scholar
- A. Ramachandran et al. Filtering spam with behavioral blacklisting. In ACM CCS, 2007. Google ScholarDigital Library
- A. Ramachandran and N. Feamster. Understanding the network-level behavior of spammers. In ACM SIGCOMM. ACM, 2006. Google ScholarDigital Library
- F. Y. Rashid. Grum botnet: Down one month, no impact on spam, Aug. 2012.Google Scholar
- Y. Rinott and M. Tam. Monotone regrouping, regression, and simpson's paradox. The American Statistician, (2), 2003.Google Scholar
- M. Roughan. Simplifying the synthesis of internet traffic matrices. ACM SIGCOMM, (5), 2005. Google ScholarDigital Library
- F. Roveta et al. Burn: Baring unknown rogue networks. In Proc. of VizSec, 2011. Google ScholarDigital Library
- SpamHaus. Spamhaus composite blocking list. http://cbl.abuseat.org/totalflow.html, May 2015.Google Scholar
- B. Stone-Gross et al. Fire: Finding rogue networks. In ACSAC, 2009. Google ScholarDigital Library
- Symantec. 2012 internet security threat report, Apr. 2013.Google Scholar
- Symantec. 2014 internet security threat report, Apr. 2015.Google Scholar
- Q. Tang et al. Reputation as public policy for internet security: A field study. In Proc. of ICIS, 2012.Google Scholar
- B. Taylor. Sender reputation in a large webmail service. In CEAS, 2006.Google Scholar
- I. T. Union. Ict facts and figures. Technical report, International Telecommunications Union, May 2014.Google Scholar
- M. van Eeten et al. The role of internet service providers in botnet mitigation: An empirical analysis based on spam data. Technical report, OECD Publishing, 2010.Google Scholar
- S. Venkataraman et al. Automatically inferring the evolution of malicious activity on the internet. In NDSS, 2013.Google Scholar
- B. Violino. Spam levels creep back after rustock botnet takedown, Apr. 2011.Google Scholar
- Visa. Visa international operating regulations summary of changes, Oct. 2011.Google Scholar
- S. Walsh. Canadian pharmacy spam group reinvents self as "world pharmacy". All Spammed Up, Dec. 2010.Google Scholar
- C. Wilcox et al. Correlating spam activity with ip address characteristics. In INFOCOM WKSHPS, 2010.Google ScholarCross Ref
- C. Wong et al. A student t-mixture autoregressive model with applications to heavy-tailed financial data. Biometrika, (3), 2009.Google Scholar
- P. Wurzinger et al. Automatically generating models for botnet detection. In ESORICS 2009. 2009. Google ScholarDigital Library
- T.-F. Yen and M. K. Reiter. Revisiting botnet models and their implications for takedown strategies. In Principles of Security and Trust. 2012. Google ScholarDigital Library
- J. Zhang et al. On the mismanagement and maliciousness of networks. In NDSS, 2013.Google Scholar
- L. Zhuang et al. Characterizing botnets from email spam records. LEET, 2008. Google ScholarDigital Library
Index Terms
- Analyzing and Modeling Longitudinal Security Data: Promise and Pitfalls
Recommendations
Analyzing UCE/UBE traffic
ICEC '07: Proceedings of the ninth international conference on Electronic commerceAn empirical study of unsolicited commercial/bulk e-mail traffic collected from various spam traps (honeypots) is summarized and discussed. Some of these spam traps were created specifically for this study and thus could be monitored since their ...
Correlation Analysis between Spamming Botnets and Malware Infected Hosts
SAINT '11: Proceedings of the 2011 IEEE/IPSJ International Symposium on Applications and the InternetMany of recent cyber attacks are being launched by botnets for the purpose of carrying out large-scale cyber attacks such as spam emails, Distributed Denial of Service (DDoS), network scanning and so on. In many cases, these botnets consist of a lot of ...
Mobile Security: Finally a Serious Problem?
The growing popularity of wireless technology may have finally attracted enough hackers to make the potential for serious security threats a reality.
Comments