UC San Diego

Addressing compromised device is a problem for virtually all large

organizations. Compromised devices can propagate malware resulting in

theft of computing resources, loss of sensitive data, and extortion of

money. Unfortunately, large organizations do not have an oracle into

device compromise. Instead, organizations must address compromise

without straightforward answers to critical questions such as: "Is

this device compromised?", "Why/How is this device compromised?",

"What's the correct intervention?". This problem, in part, results

from limited observational vantage points, differences in intervention

capabilities, and evolving adversaries with differing incentives. In

this dissertation, I develop systems that empirically address multiple

types of device compromise using large-scale observations within

different organizations, thus placing us on a stronger footing to

devise better interventions.

I first describe an approach used at Facebook for detecting malicious

browsers extensions. I present a methodology whereby users exhibiting

suspicious online behaviors are scanned (with permission) to identify

extensions in their browsers, and those extensions are in turn labeled

based on the threat indicators they contain. Employing this

methodology at Facebook I identify more than 1,700 lexically distinct

malicious extensions, and use this labeling to drive user device

clean-up efforts as well notify browser vendors.

Next, I examine for-profit services offering to artificially

manipulate a user's social standing on Instagram. I identify the

techniques used by these services to drive social actions, detail how

they are structured to evade straightforward detection, and

characterize the dynamics of their customer base. Finally, I construct

controlled experiments to disrupt these services and analyze how

different approaches to intervention can drive different reactions,

thus providing distinct trade-offs for defenders.

Lastly, I describe a large-scale measurement of 15,000 laptop and

desktop devices on a university's network to characterize the

prevalence of security "best practices" and security-relevant

behaviors, and quantify how they relate to device compromise. I use

passive network traffic analysis techniques to infer a broad range of

device features and per-machine compromise state. I find a number of

behaviors positively correlate with host compromise, and few "best

practices" exhibit negative correlations that would support their

value in improving end user security.