Stepping Up the Cybersecurity Game: Protecting Online Services from Malicious Activity
- Author(s): Stringhini, Gianluca
- Advisor(s): Kruegel, Christopher
- et al.
The rise in popularity of online services such as social networks,
web-based email, and blogs has made them a popular platform for attackers.
Cybercriminals leverage such services to spread spam and malware, and to steal
personal information from their victims.
In a typical cybercriminal operation, miscreants first infect their victims' machines with malicious software and have them
join a botnet, which is a network of compromised computers. In the second step,
the infected machines are often leveraged to connect to legitimate online
services and perform malicious activities.
As a consequence, online services receive activity from both
legitimate and malicious users. However, while legitimate users use these services for the
purposes they were designed for, malicious parties exploit them for their
illegal actions, which are often linked to an economic gain. In this thesis, I show
that malicious users and legitimate ones interact with Internet
services in different ways. I then develop mitigation techniques that
leverage such differences to detect and block malicious parties that misuse
As examples of this research approach, I first study the problem of spamming
botnets, which are misused to send hundreds of millions of spam emails to
mailservers spread across the globe. I show that botmasters typically split a
list of victim email addresses among their bots, and that bots belonging to the
same botnet can therefore be identified by tracking, over time, the sets of
mailservers that individual IP addresses contact. I developed a system, called
BotMagnifier, which learns the set of mailservers contacted by the known bots of
a given botnet and uses it to find further bots belonging to that same botnet.
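The seed-based expansion described above, as an added illustration that is not BotMagnifier's own code: a log of (sender IP, destination mailserver) transactions is constructed inline, a target set is learned from two seed bot IPs, and every other IP is scored by how much of its own destination set falls inside that target set. The two thresholds (`min_targets`, `min_fraction`) and the sample log are assumptions made for this example, not values from the thesis.

```python
# Added illustration of seed-based botnet expansion over mail transaction logs.
# This is not BotMagnifier's code; the thresholds and the sample log are assumed.
from collections import defaultdict

# Constructed sample log of SMTP transactions: (sender_ip, destination_mailserver).
SAMPLE_LOG = [
    # seed bots, known from a spam trap
    ("10.0.0.1", "mx.a.example"), ("10.0.0.1", "mx.b.example"), ("10.0.0.1", "mx.c.example"),
    ("10.0.0.2", "mx.a.example"), ("10.0.0.2", "mx.c.example"), ("10.0.0.2", "mx.d.example"),
    # unknown host whose targets fall entirely inside the seeds' target set
    ("10.0.0.3", "mx.a.example"), ("10.0.0.3", "mx.b.example"), ("10.0.0.3", "mx.d.example"),
    # legitimate relay: hits two target servers but mostly talks to unrelated ones
    ("10.0.0.4", "mx.a.example"), ("10.0.0.4", "mx.b.example"), ("10.0.0.4", "mx.x.example"),
    ("10.0.0.4", "mx.y.example"), ("10.0.0.4", "mx.z.example"), ("10.0.0.4", "mx.w.example"),
    # host with a single coincidental overlap
    ("10.0.0.5", "mx.q.example"), ("10.0.0.5", "mx.b.example"),
]


def destinations_by_ip(log):
    """Map each sender IP to the set of mailservers it contacted."""
    dests = defaultdict(set)
    for ip, mailserver in log:
        dests[ip].add(mailserver)
    return dests


def learn_target_servers(log, seed_ips):
    """Union of the mailservers contacted by the seed bots (the botnet's target set)."""
    dests = destinations_by_ip(log)
    targets = set()
    for ip in seed_ips:
        targets |= dests.get(ip, set())
    return targets


def magnify(log, seed_ips, min_targets=2, min_fraction=0.8):
    """Return non-seed IPs whose destinations overlap the target set enough to
    look like members of the same spamming botnet.

    An IP qualifies when it contacted at least `min_targets` target servers and
    at least `min_fraction` of everything it contacted lies in the target set.
    Both thresholds are assumed values chosen for this illustration.
    """
    dests = destinations_by_ip(log)
    targets = learn_target_servers(log, seed_ips)
    seeds = set(seed_ips)
    found = set()
    for ip, servers in dests.items():
        if ip in seeds:
            continue
        hits = servers & targets
        if len(hits) >= min_targets and len(hits) / len(servers) >= min_fraction:
            found.add(ip)
    return found


if __name__ == "__main__":
    print(sorted(magnify(SAMPLE_LOG, {"10.0.0.1", "10.0.0.2"})))
```

The fraction check is what keeps a busy legitimate relay (10.0.0.4 above) out of the result even though it touched two of the botnet's target servers: a bot working from a split victim list sends almost exclusively to servers in the shared target set, while a real relay's destinations are dominated by servers the seeds never contacted. Lowering `min_fraction` trades that precision for recall.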
I then study the problem of misused accounts on online social networks. I first
look at the problem of fake accounts that are set up by cybercriminals to spread
malicious content. I study the modus operandi of the cybercriminals
controlling such accounts, and then develop a system that automatically flags
social network accounts as fake. I then look at the problem of legitimate
accounts getting compromised by miscreants, and I present COMPA, a system that
learns the typical behavior of each social network user and flags messages that
deviate from the learned behavior as possible compromises.
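The behavioral-profile idea behind COMPA, as an added illustration that is not COMPA's own code: a per-user profile is built from categorical features of past messages, and a new message is scored by how many of its features take values that are rare or unseen for that user. The feature set (time-of-day period, posting client, domain of any included link), the rarity cut-off, the flagging threshold and the sample history are all assumptions made for this example.

```python
# Added illustration of per-user behavioral profiling for compromise detection.
# Not COMPA's code: the features, cut-offs and the sample history are assumed.
from collections import Counter

FEATURES = ("period", "client", "link_domain")


def extract_features(message):
    """Turn a message record (hour_of_day, client, link_domain) into categorical features.

    Hours are bucketed into four six-hour periods so that a user who usually
    posts at 13:00 is not treated as anomalous at 14:00.
    """
    hour, client, link_domain = message
    return {"period": hour // 6, "client": client, "link_domain": link_domain}


def build_profile(history):
    """Per-feature value counts over a user's past messages."""
    profile = {name: Counter() for name in FEATURES}
    for message in history:
        for name, value in extract_features(message).items():
            profile[name][value] += 1
    return profile


def anomaly_score(profile, message, rare_fraction=0.1):
    """Number of features whose value is unseen or rare (< rare_fraction) in the profile."""
    score = 0
    for name, value in extract_features(message).items():
        counts = profile[name]
        total = sum(counts.values())
        if total == 0 or counts[value] / total < rare_fraction:
            score += 1
    return score


def is_suspicious(profile, message, threshold=2):
    """Flag a message when enough of its features deviate from the learned habits."""
    return anomaly_score(profile, message) >= threshold


# Constructed history for one user: (hour_of_day, client, link_domain or None).
HISTORY = [
    (9, "web", None), (10, "web", "news.example"), (12, "mobile", None),
    (13, "web", None), (18, "mobile", "news.example"), (19, "mobile", None),
    (20, "web", None), (21, "mobile", None),
]

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for msg in [(11, "web", None), (3, "web", None), (3, "thirdparty-app", "short.example")]:
        print(msg, anomaly_score(profile, msg), is_suspicious(profile, msg))
```

Requiring several features to deviate at once (the `threshold`) is what keeps a single odd post, such as one late-night message from the usual client, from being flagged, while a message posted at an unusual hour, from a never-seen client, carrying a link to a never-seen domain scores on every feature. In practice the profile must also be refreshed as the user's habits drift, and a user with very little history gives a profile too sparse to score against.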
As a last example, I present EvilCohort, a system that detects communities of
online accounts that are accessed by the same botnet. EvilCohort works by
clustering together accounts that are accessed from a common set of IP addresses,
and applies to any online service that requires the use of accounts (social
networks, web-based email, blogs, etc.).
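The shared-IP clustering that EvilCohort is built on, as an added illustration that is not EvilCohort's own code: login records (account, source IP) are constructed inline, the account/IP bipartite graph is projected onto accounts, with an edge whenever two accounts were accessed from at least `min_shared` common IPs, and the connected components of that projection are reported as cohorts. The `min_shared` and `min_size` thresholds and the sample logins are assumptions made for this example.

```python
# Added illustration of grouping accounts by the IP addresses that access them.
# Not EvilCohort's code: thresholds and the sample login records are assumed.
from collections import defaultdict
from itertools import combinations

# Constructed login records: (account, source_ip).
SAMPLE_LOGINS = [
    # three accounts driven from the same small pool of infected hosts
    ("alice", "203.0.113.5"), ("alice", "203.0.113.6"), ("alice", "203.0.113.7"),
    ("bob", "203.0.113.5"), ("bob", "203.0.113.6"), ("bob", "203.0.113.8"),
    ("carol", "203.0.113.6"), ("carol", "203.0.113.7"), ("carol", "203.0.113.8"),
    # an ordinary user with a single home IP
    ("dave", "198.51.100.1"),
    # an ordinary user who once shared one IP with the cohort (e.g. a NAT)
    ("erin", "198.51.100.2"), ("erin", "203.0.113.5"),
]


def accounts_by_ip(logins):
    """Map each source IP to the set of accounts that logged in from it."""
    by_ip = defaultdict(set)
    for account, ip in logins:
        by_ip[ip].add(account)
    return by_ip


def shared_ip_graph(logins, min_shared=2):
    """Project the account/IP bipartite graph onto accounts.

    Two accounts are connected when at least `min_shared` distinct IPs were
    used to access both of them. A single shared IP is too weak a signal on
    its own, since NATs and proxies put unrelated users behind one address.
    """
    shared = defaultdict(lambda: defaultdict(int))
    for accounts in accounts_by_ip(logins).values():
        for a, b in combinations(sorted(accounts), 2):
            shared[a][b] += 1
            shared[b][a] += 1
    graph = {account: set() for account, _ in logins}
    for a, neighbours in shared.items():
        for b, n_shared in neighbours.items():
            if n_shared >= min_shared:
                graph[a].add(b)
    return graph


def communities(graph, min_size=2):
    """Connected components of the projected graph, dropping small ones."""
    seen = set()
    found = []
    for start in sorted(graph):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(graph[node] - component)
        seen |= component
        if len(component) >= min_size:
            found.append(frozenset(component))
    return found


def find_cohorts(logins, min_shared=2, min_size=2):
    """Accounts that cluster together because the same IPs keep accessing them."""
    return communities(shared_ip_graph(logins, min_shared), min_size)


if __name__ == "__main__":
    for cohort in find_cohorts(SAMPLE_LOGINS):
        print(sorted(cohort))
```

Lowering `min_shared` to 1 pulls `erin` into the cohort on the strength of one shared address, which is the false positive the threshold exists to avoid; a deployment would also want to discount IPs that serve an implausibly large number of accounts (large NATs, corporate proxies) before projecting, since such addresses connect everyone to everyone.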