An attacker who is aware of COMPA has several possibilities to prevent his compromised accounts from being detected by COMPA. First, the attacker can post messages that align with the behavioral profiles of the compromised accounts. As described in Section 6.3, this would require the attacker to invest significant time and computational resources to gather the necessary profile information from his victims. Furthermore, social networks have mechanisms in place that prevent automated crawling, thus slowing down such data gathering endeavors.
Second, an attacker could send messages that evade our similarity measures, and thus, although such messages might violate their compromised accounts' behavioral profiles, they would not get grouped together. To counter such evasion attempts, COMPA can be easily extended with additional and more comprehensive similarity measures. For example, it would be straightforward to create a similarity measure that uses the landing page instead of the URLs contained in the messages to find groups of similar messages. Furthermore, more computationally expensive similarity measures, such as text shingling or edit distances for text similarity, can also be implemented. Other similarity measures might leverage the way in which messages propagate along the social graph to evaluate message similarity.
6.9 Conclusions
In this chapter, we presented a novel approach to detect compromised accounts in social networks. More precisely, we developed statistical models to characterize the behavior of social network users, and we used anomaly detection techniques to identify sudden changes in their behavior. We developed COMPA, a prototype tool that implements this approach, and we applied it to a large stream of messages. The results show that our approach reliably detects compromised accounts, even though we do not have full visibility of every message exchanged on Facebook and Twitter.
Detecting The Relations Between Malicious Hosts and Online Accounts
Detecting Malicious Account Communities on Online Services
7.1 Introduction
As we mentioned in Chapter 1.1, attackers need two resources to carry out malicious campaigns on online services: online accounts and infected machines. Almost all online services require users to sign up and create accounts before they can access the functionality that these services offer. Accounts allow online services to associate data with users (such as emails, posts, pictures, ...), and they also serve as a convenient way to regulate and restrict access. Infected machines (bots) are the typical means through which attackers access online accounts. They are the devices (hosts) that run the clients that allow the miscreants to connect to online services. Infected machines work well for cybercriminals because they serve as a convenient way for the attacker to log into the targeted service and issue the necessary commands to send spam or harvest personal information of legitimate users. However, attackers do not necessarily have to leverage infected machines to connect to online services. They could also use compromised servers, or even the cybercriminal's personal device. For this reason, to keep our analysis generic, in this chapter we refer to any device used by a cybercriminal to access an online account as a connection point.
In the previous chapters of this thesis we focused on systems that either detect infected computers or malicious accounts on online services. In this chapter, instead, we propose a novel detection approach based on the analysis of the interactions between attackers and an online service. More precisely, we look at the interplay between accounts, connection points, and actions. That is, we observe which account carries out what action, and which connection point is responsible for originating that action.
The basis for our detection approach is the intuition that cybercriminals use online services differently than regular users. Cybercriminals need to make money, and this requires automated operations at a large scale. Thus, when such operations are carried out, they involve many accounts, connection points, and actions. Moreover, accounts and connection points are related in interesting ways that can be leveraged for detection. A key reason for these interesting relationships is the fact that attackers use botnets (as connection points) to access the online accounts that participate in a campaign. By linking accounts and the connection points that are used to access these accounts, we see that malicious communities emerge, and these communities can be detected.
accessed from a number of shared connection points (we use IP addresses to identify these connection points). That is, we observe a number of IP addresses and accounts, and each account is accessed by a non-trivial portion of these IP addresses. Typically, these IP addresses correspond to bot-infected machines, and they are used to log into the accounts that are under the control of the attacker. To identify communities, we consume a log of interaction events that the online services record. An interaction event can be any action that a user performs in relation to an account on an online service, such as logging in, sending an email, or making a friend request. Each event also contains the account that is involved, as well as the IP address that sends the request.
In a next step, we analyze the characteristics of accounts within a community and identify typical behaviors that are indicative of malicious activity. Such characteristics include suspicious activity frequencies over time, synchronized activity of the machines using the accounts in the community, and the distribution of the types of browsers used by the infected machines to connect to the online accounts. Analyzing additional characteristics allows us to identify communities of accounts that are used for legitimate purposes, and, thus, reduce false positives. Interestingly, our results show that the overwhelming majority of accounts that are part of communities are actually malicious. Hence, we do not need to leverage additional characteristics for detection. Instead, we explore them to shed light onto the operations of cybercriminals on online services.
One advantage of our approach is that it is very general. We do not leverage specific information of a particular online service, and our definition of interaction events can be very broad. In fact, we show that our approach works both for the detection of spammers on a webmail service, as well as for the identification of malicious accounts on social networks. In the former case, interaction events correspond to the sending of emails, while in the latter case, an interaction event is recorded when a user logs into her account. This is different from previous work that looked at malicious activity on online services. For instance, our approach can be applied to different types of actions. These actions can include account generation and login operations. In these cases, it might be possible to detect malicious accounts before they distribute any malicious content, as an early warning system. Also, it can help to identify abuses where no malicious content is spread. Examples of this are botnets that use online social networks as part of their command-and-control (C&C) infrastructure [123], or botnets that crawl the address books of webmail users looking for victim email addresses [1].
We implemented our approach in a system called EVILCOHORT. We evaluated EVILCOHORT on real-world data collected from five different online services, and monitored the communities of online accounts that were detected. Over a period of five months, EVILCOHORT detected more than one million online accounts as malicious.
In summary, this chapter makes the following contributions:
• We find that a significant amount of malicious activity is carried out by accounts that form communities (when looking at the connection points that access them). We also find that these accounts are harder to detect for online services and remain active longer.
• We present an approach to detect malicious communities (and hence, accounts controlled by cybercriminals). This approach works by detecting accounts that are accessed by a common, shared set of IP addresses.
• We implemented our approach in a system called EVILCOHORT. We evaluated EVILCOHORT on datasets of different types of interactions collected on five different online services. Over a period of five months, EVILCOHORT detected more than one million accounts used to perform malicious activity. We show that EVILCOHORT is effective in detecting malicious online communities regardless of the type of accounts analyzed, making it a valuable tool to protect a variety of online services from being abused.
• We analyzed the communities detected by EVILCOHORT. We show that malicious account communities have very peculiar characteristics, which could support automated detection but also prevention of false positives.
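The community detection idea described above (accounts linked when a shared set of IP addresses accesses them, computed from a log of interaction events) as an added, self-contained example; this is illustrative code written for this page, not EVILCOHORT's implementation. The event log is constructed, and the linking rule (two accounts are connected when they share at least `min_shared_ips` addresses) and its threshold are assumptions, not parameters taken from the thesis.

```python
from collections import defaultdict

# Constructed interaction-event log: (account, source IP, action). Not real data.
# a1..a4 are accessed from overlapping IPs (the "bot" pattern); u1 and u2 are ordinary
# users who happen to share one address (e.g. a home NAT), which should not link them.
EVENTS = [
    ("a1", "10.0.0.1", "login"), ("a1", "10.0.0.2", "login"), ("a1", "10.0.0.3", "send_mail"),
    ("a2", "10.0.0.1", "login"), ("a2", "10.0.0.2", "send_mail"), ("a2", "10.0.0.4", "login"),
    ("a3", "10.0.0.2", "login"), ("a3", "10.0.0.3", "login"), ("a3", "10.0.0.4", "send_mail"),
    ("a4", "10.0.0.3", "login"), ("a4", "10.0.0.4", "login"), ("a4", "10.0.0.5", "login"),
    ("u1", "192.0.2.10", "login"), ("u1", "192.0.2.11", "login"),
    ("u2", "192.0.2.10", "login"),
]


def account_ips(events):
    """Map each account to the set of IP addresses that performed actions on it."""
    ips = defaultdict(set)
    for account, ip, _action in events:
        ips[account].add(ip)
    return ips


def find_communities(events, min_shared_ips=2):
    """Return communities: connected components (size > 1) of the graph whose nodes are
    accounts and whose edges join accounts sharing >= min_shared_ips IPs (assumed rule)."""
    ips = account_ips(events)
    accounts = sorted(ips)
    parent = {a: a for a in accounts}  # union-find forest over accounts

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for i, a in enumerate(accounts):
        for b in accounts[i + 1:]:
            if len(ips[a] & ips[b]) >= min_shared_ips:
                parent[find(a)] = find(b)  # union the two components

    groups = defaultdict(set)
    for a in accounts:
        groups[find(a)].add(a)
    return [frozenset(g) for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    for community in find_communities(EVENTS):
        print(sorted(community), "accessed from", sorted(set.union(*(account_ips(EVENTS)[a] for a in community))))
```

Lowering `min_shared_ips` to 1 links u1 and u2 through their single common address, which is the false-positive case the threshold (and, in the thesis, the additional per-community characteristics) is meant to guard against.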