TY - GEN
T1 - The abuse sharing economy
T2 - 19th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2016
AU - Thomas, Kurt
AU - Amira, Rony
AU - Ben-Yoash, Adi
AU - Folger, Ori
AU - Hardon, Amir
AU - Berger, Ari
AU - Bursztein, Elie
AU - Bailey, Michael
N1 - Funding Information:
This work was supported in part by the National Science Foundation under contracts CNS 1409758, CNS 1111699, and CNS 1518741. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.
Publisher Copyright:
© Springer International Publishing Switzerland 2016.
PY - 2016
Y1 - 2016
N2 - The underground commoditization of compromised hosts suggests a tacit capability where miscreants leverage the same machine—subscribed by multiple criminal ventures—to simultaneously profit from spam, fake account registration, malicious hosting, and other forms of automated abuse. To expedite the detection of these commonly abusive hosts, there are now multiple industry-wide efforts that aggregate abuse reports into centralized threat exchanges. In this work, we investigate the potential benefit of global reputation tracking and the pitfalls therein. We develop our findings from a snapshot of 45 million IP addresses abusing six Google services including Gmail, YouTube, and ReCaptcha between April 7–April 21, 2015. We estimate the scale of end hosts controlled by attackers, expose underground biases that skew the abuse perspectives of individual web services, and examine the frequency with which criminals re-use the same infrastructure to attack multiple, heterogeneous services. Our results indicate that an average Google service can block 14% of abusive traffic based on threats aggregated from seemingly unrelated services, though we demonstrate that outright blacklisting incurs an untenable volume of false positives.
AB - The underground commoditization of compromised hosts suggests a tacit capability where miscreants leverage the same machine—subscribed by multiple criminal ventures—to simultaneously profit from spam, fake account registration, malicious hosting, and other forms of automated abuse. To expedite the detection of these commonly abusive hosts, there are now multiple industry-wide efforts that aggregate abuse reports into centralized threat exchanges. In this work, we investigate the potential benefit of global reputation tracking and the pitfalls therein. We develop our findings from a snapshot of 45 million IP addresses abusing six Google services including Gmail, YouTube, and ReCaptcha between April 7–April 21, 2015. We estimate the scale of end hosts controlled by attackers, expose underground biases that skew the abuse perspectives of individual web services, and examine the frequency with which criminals re-use the same infrastructure to attack multiple, heterogeneous services. Our results indicate that an average Google service can block 14% of abusive traffic based on threats aggregated from seemingly unrelated services, though we demonstrate that outright blacklisting incurs an untenable volume of false positives.
KW - Reputation systems
KW - Threat exchanges
KW - Underground specialization
UR - http://www.scopus.com/inward/record.url?scp=84988596407&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84988596407&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-45719-2_7
DO - 10.1007/978-3-319-45719-2_7
M3 - Conference contribution
AN - SCOPUS:84988596407
SN - 9783319457185
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 143
EP - 164
BT - Research in Attacks, Intrusions, and Defenses - 19th International Symposium, RAID 2016, Proceedings
A2 - Dacier, Marc
A2 - Monrose, Fabian
A2 - Blanc, Gregory
A2 - Garcia-Alfaro, Joaquin
PB - Springer
Y2 - 19 September 2016 through 21 September 2016
ER -