Addressing Device Compromise from the Perspective of Large Organizations
- Author: DeKoven, Louis Floyd
- Advisor(s): Savage, Stefan; Voelker, Geoffrey M
Abstract
Addressing compromised devices is a problem for virtually all large
organizations. Compromised devices can propagate malware, resulting in
theft of computing resources, loss of sensitive data, and extortion of
money. Unfortunately, large organizations do not have an oracle into
device compromise. Instead, organizations must address compromise
without straightforward answers to critical questions such as: "Is
this device compromised?", "Why/How is this device compromised?",
"What's the correct intervention?". This problem, in part, results
from limited observational vantage points, differences in intervention
capabilities, and evolving adversaries with differing incentives. In
this dissertation, I develop systems that empirically address multiple
types of device compromise using large-scale observations within
different organizations, thus placing us on a stronger footing to
devise better interventions.
I first describe an approach used at Facebook for detecting malicious
browser extensions. I present a methodology whereby users exhibiting
suspicious online behaviors are scanned (with permission) to identify
extensions in their browsers, and those extensions are in turn labeled
based on the threat indicators they contain. Employing this
methodology at Facebook I identify more than 1,700 lexically distinct
malicious extensions, and use this labeling to drive user device
clean-up efforts as well as to notify browser vendors.
Next, I examine for-profit services offering to artificially
manipulate a user's social standing on Instagram. I identify the
techniques used by these services to drive social actions, detail how
they are structured to evade straightforward detection, and
characterize the dynamics of their customer base. Finally, I construct
controlled experiments to disrupt these services and analyze how
different approaches to intervention can drive different reactions,
thus providing distinct trade-offs for defenders.
Lastly, I describe a large-scale measurement of 15,000 laptop and
desktop devices on a university's network to characterize the
prevalence of security "best practices" and security-relevant
behaviors, and quantify how they relate to device compromise. I use
passive network traffic analysis techniques to infer a broad range of
device features and per-machine compromise state. I find that a number
of behaviors positively correlate with host compromise, and that few
"best practices" exhibit the negative correlations that would support
their value in improving end user security.