UC Santa Barbara

The rise in popularity of online services such as social networks,

web-based emails, and blogs has made them a popular platform for attackers.

Cybercriminals leverage such services to spread spam, malware, and steal

personal information from their victims.

In a typical cybercriminal operation, miscreants first infect their victims' machines with malicious software and have them

join a botnet, which is a network of compromised computers. In the second step,

the infected machines are often leveraged to connect to legitimate online

services and perform malicious activities.

As a consequence, online services receive activity from both

legitimate and malicious users. However, while legitimate users use these services for the

purposes they were designed for, malicious parties exploit them for their

illegal actions, which are often linked to an economic gain. In this thesis, I show

that the way in which malicious users and legitimate ones interact with Internet

services presents differences. I then develop mitigation techniques that

leverage such differences to detect and block malicious parties that misuse

Internet services.

As examples of this research approach, I first study the problem of spamming

botnets, which are misused to send hundreds of millions of spam emails to

mailservers spread across the globe. I show that botmasters typically split a

list of victim email addresses among their bots, and that it is possible to

identify bots belonging to the same botnet by enumerating the mailservers that

are contacted by IP addresses over time. I developed a system, called

BotMagnifier, which learns the set of mailservers contacted by the bots belonging

to a certain botnet, and finds more bots belonging to that same botnet.

I then study the problem of misused accounts on online social networks. I first

look at the problem of fake accounts that are set up by cybercriminals to spread

malicious content. I study the modus operandi of the cybercriminals

controlling such accounts, and I then develop a system to automatically flag a

social network accounts as fake. I then look at the problem of legitimate

accounts getting compromised by miscreants, and I present COMPA, a system that

learns the typical habits of social network users and considers messages that

deviate from the learned behavior as possible compromises.

As a last example, I present EvilCohort, a system that detects communities of

online accounts that are accessed by the same botnet. EvilCohort works by

clustering together accounts that are accessed by a common set of IP addresses,

and can work on any online service that requires the use of accounts (social

networks, web-based emails, blogs, etc.).