Names to Conjure With: Measuring and Combating Online Adversaries by Examining Their Use of Naming Systems
eScholarship
Open Access Publications from the University of California

UC San Diego Electronic Theses and Dissertations

Abstract

Defenders combat online adversaries by understanding their behavior, the resources they depend on, and their strategies and tactics. However, measuring adversarial activity directly is often challenging, because adversaries take steps to obfuscate their behavior and evade detection by defenders. To overcome this challenge, defenders may leverage the knowledge that adversaries rely on licit, external resources, whose business models do not require secrecy. These resources may therefore leak valuable information, including the prevalence of threats, the relative effectiveness of competing adversaries, the strategies adversaries use, or the resources and infrastructure they rely upon. Such information can help defenders prioritize threats and decide which components of an ecosystem to target for interventions. This dissertation presents a new framework for designing measurement techniques and interventions for online adversaries: I leverage the information leaked by naming systems. I show that because naming systems are both lists of an adversary’s resources and critical resources themselves, observing them enables defenders to measure adversaries’ prevalence, compare their harmfulness, analyze their infrastructure, and more, thus improving interventions by identifying the most effective resources to target and prioritizing the most dangerous threats. I present four studies that each leverage some aspect of a naming system to measure an adversary’s behavior and inform defenses against it. First, I measure the prevalence of overt stalkerware in the wild, by using privacy-preserving DNS cache snooping on four public DNS resolvers. Second, I determine the location in the network of DNS redirection attacks, by exploiting the format of certain special DNS responses. Third, I investigate the abuse of blockchain-based naming systems (BNSes) by malware operators, and design interventions leveraging BNS components to disrupt malware campaigns. Finally, I measure an emerging web privacy threat, UID smuggling, by participating in the naming system built by trackers to link user identifiers with behavioral data. In each case, I measure or design defenses against an adversary that would be difficult to study without examining the information leaked by a naming system.
