Conference Paper

A study of malware in peer-to-peer networks


Abstract

Peer-to-peer (P2P) networks continue to be popular means of trading content. However, very little protection is in place to make sure that the files exchanged in these networks are not malicious, making them an ideal medium for spreading malware. We instrument two different open source P2P networks, Limewire and OpenFT, to examine the prevalence of malware in P2P networks. Our results from over a month of data show that 68% of all downloadable responses in Limewire containing archives and executables contain malware. The corresponding number for OpenFT is 3%. Also, most infections are from a very small number of distinct malware. In particular, in Limewire, the top three most prevalent malware account for 99% of all the malicious responses. The corresponding number for OpenFT is 75%. We also investigate the sources of malicious responses. To our surprise, 28% of all malicious responses in Limewire come from private address ranges. In OpenFT, the top virus, which accounts for 67% of all the malicious responses, is served by a single host. Further, our study provides a useful insight into filtering malware: filtering downloads based on the most commonly seen sizes of the most popular malware could block a large portion of malicious files with a very low rate of false positives. While current Limewire mechanisms detect only about 6% of malware containing responses, our size based filtering would detect over 99% of them.
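As an added illustration (not code from the paper), the size-based filtering the abstract describes, run over a constructed set of labelled query responses: the most common sizes of the most prevalent families become a blocklist, matching downloads are dropped, and detection and false-positive rates are measured, including a clean file whose size collides with a malware size. Family names, file names and sizes are placeholders, not the paper's data.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """One downloadable query response: the advertised file and its size in bytes."""
    filename: str
    size: int
    label: str  # "clean", or the family name assigned by an AV scan of the file


# Constructed labelled responses standing in for a month of scanned downloads.
# Family names and sizes are placeholders, not values from the paper.
TRAINING = (
    [Response(f"free_game_{i}.exe", 133120, "WormA") for i in range(5)]
    + [Response("free_game_x.exe", 135168, "WormA")]      # a second build of WormA
    + [Response(f"codec_{i}.exe", 90112, "WormB") for i in range(3)]
    + [Response(f"keygen_{i}.zip", 20480, "TrojanC") for i in range(2)]
    + [Response("odd_tool.exe", 555, "RareD")]            # too rare to profile
    + [Response(f"album_{i}.zip", 3_000_000 + 1013 * i, "clean") for i in range(8)]
)


def build_size_blocklist(responses, top_families=3, min_share=0.8):
    """Sizes to block: for each of the `top_families` most prevalent families,
    take its most common sizes until they cover `min_share` of its samples.
    Profiling only a few sizes of a few families keeps the list short and the
    false-positive surface small, which is the point of the heuristic."""
    sizes_by_family = defaultdict(Counter)
    for r in responses:
        if r.label != "clean":
            sizes_by_family[r.label][r.size] += 1
    prevalence = Counter({fam: sum(c.values()) for fam, c in sizes_by_family.items()})
    blocklist = set()
    for family, total in prevalence.most_common(top_families):
        covered = 0
        for size, count in sizes_by_family[family].most_common():
            blocklist.add(size)
            covered += count
            if covered / total >= min_share:
                break
    return frozenset(blocklist)


def is_blocked(response, blocklist):
    """The filter itself: a response is dropped when its size is on the list."""
    return response.size in blocklist


def evaluate(responses, blocklist):
    """Confusion counts plus detection and false-positive rates on labelled responses."""
    tp = fn = fp = tn = 0
    for r in responses:
        blocked = is_blocked(r, blocklist)
        if r.label != "clean":
            tp += blocked
            fn += not blocked
        else:
            fp += blocked
            tn += not blocked
    return {
        "tp": tp, "fn": fn, "fp": fp, "tn": tn,
        "detection_rate": tp / (tp + fn),
        "false_positive_rate": fp / (fp + tn),
    }


# Constructed held-out responses. util.exe is a clean file whose size collides
# with TrojanC's, showing the kind of false positive a pure size filter produces.
EVALUATION = (
    [Response("movie.avi.exe", 133120, "WormA"),
     Response("setup.exe", 133120, "WormA"),
     Response("crack.zip", 135168, "WormA"),        # the less common build: missed
     Response("codec.exe", 90112, "WormB"),
     Response("installer.zip", 20480, "TrojanC"),
     Response("tool.exe", 555, "RareD"),            # not profiled: missed
     Response("util.exe", 20480, "clean")]          # size collision: false positive
    + [Response(f"doc_{i}.zip", 50000 + 7919 * i, "clean") for i in range(20)]
)

if __name__ == "__main__":
    blocklist = build_size_blocklist(TRAINING)
    print("blocked sizes:", sorted(blocklist))
    print(evaluate(EVALUATION, blocklist))
```

The filter is only as good as the stability of the observed size distribution, so the blocklist has to be rebuilt as the prevalent families and their builds change.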


... Furthermore, we have seen that most of the published fake content is associated with illegitimate activities such as malware propagation. Few previous works have studied the malware propagation through P2P systems [12, 8, 10]. Specifically, Kalafut et al. [8] analyse LimeWire whereas Shin et al. [10] analysed KaZaa. ...
... Few previous works have studied the malware propagation through P2P systems [12, 8, 10]. Specifically, Kalafut et al. [8] analyse LimeWire whereas Shin et al. [10] analysed KaZaa. These authors look at the problem from the content perspective instead of the fake publisher perspective used in this paper. ...
... This prevents them from discovering more sophisticated strategies such as those reported in our study, in which the content itself is not the malware but includes a link to the malware. Finally, the authors of [8] propose to filter content with a specific size, since most of the malware content has this specific size. Unfortunately, this solution is not valid for BitTorrent. ...
Article
In this paper we conduct a large scale measurement study in order to analyse the fake content publishing phenomenon in the BitTorrent Ecosystem. Our results reveal that fake content represents an important portion (35%) of those files shared in BitTorrent and just a few tens of users are responsible for 90% of this content. Furthermore, more than 99% of the analysed fake files are linked to either malware or scam websites. This creates a serious threat for the BitTorrent ecosystem. To address this issue, we present a new detection tool named TorrentGuard for the early detection of fake content. Based on our evaluation this tool may prevent the download of more than 35 million fake files per year. This could help to reduce the number of computer infections and scams suffered by BitTorrent users. TorrentGuard is already available and it can be accessed through either a webpage or a Vuze plugin.
... P2P networks have been known to be vulnerable to computer infections and security attacks, as some P2P applications generate revenue from third parties by embedding spyware and malware [60]. Studies show that 68% of all downloadable responses in LimeWire contained malware, and 44% of the 4778 executable files downloaded through a KaZaA client application included viruses and Trojan horses [61,62]. Many mp3 files that are being shared contain a Trojan horse program that attacked over half a million computers in a week [63]. ...
... Prior studies showed that statistical evidence is effective since statistics provide a logical explanation and systematically represent a larger population. In the anti-piracy campaign messages, we included statistical information such as "the average settlement for the accused of illegal downloads ranges from $2000 to $5000," and "68% of all downloadable files in LimeWire are corrupted," retrieved from other studies [5,62]. After reading the message, participants were asked to evaluate the perceived effectiveness of the educational campaign message. ...
Article
Full-text available
The objective of this study is to improve the effectiveness of anti-piracy educational strategies by identifying unique digital pirate segments and delivering personalized campaign messages to the target audiences. In the first study, we introduced a segmentation study of digital pirates based on different types of risks involved in pirating activities. We identify four digital pirate segments (anti-pirates, hard-core pirates, performance-sensitive pirates, and finance-sensitive pirates), each demonstrating distinctive characteristics. Further profiling of the segments revealed different risk perceptions regarding gender and piracy experience. In the second study, we conduct an experiment to test the effects of targeted campaign messages for the newly identified pirating segments. Our results show that targeted piracy campaign messages have a significantly higher message persuasiveness, while they damage the attitude towards piracy. However, we found that the targeted piracy campaign messages have a marginal effect on changing the intention to pirate. Findings from this study offer useful implications for the design and implementation of anti-piracy educational campaigns.
... And for the 41+ age group, we observe a decrease of 12% in the proportion between the total sample (16%) and the high-risk group (4%). Results from the analysis (Table 3) revealed a significant difference between the 25-40 age group and the reference group (18-24). However, as the value 1 is included in the 95% CI, nothing can be said on the nature of the association, that is whether it is a risk factor or a protective factor. ...
... Our finding provides evidence that engagement in P2P activity might be a contributing risk factor of malware attack. This seems plausible as P2P networks are known to be a popular medium for spreading malware [19]. ...
Article
Full-text available
The success (or failure) of malware attacks depends upon both technological and human factors. The most security-conscious users are susceptible to unknown vulnerabilities, and even the best security mechanisms can be circumvented as a result of user actions. Although there has been significant research on the technical aspects of malware attacks and defence, there has been much less research on how users interact with both malware and current malware defences. This article describes a field study designed to examine the interactions between users, antivirus (AV) software, and malware as they occur on deployed systems. In a fashion similar to medical studies that evaluate the efficacy of a particular treatment, our experiment aimed to assess the performance of AV software and the human risk factors of malware attacks. The 4-month study involved 50 home users who agreed to use laptops that were instrumented to monitor for possible malware attacks and gather data on user behaviour. This study provided some very interesting, non-intuitive insights into the efficacy of AV software and human risk factors. AV performance was found to be lower under real-life conditions compared to tests conducted in controlled conditions. Moreover, computer expertise, volume of network usage, and peer-to-peer activity were found to be significant correlates of malware attacks. We assert that this work shows the viability and the merits of evaluating security products, techniques, and strategies to protect systems through long-term field studies with greater ecological validity than can be achieved through other means.
... A similar research [5] showed that in the FastTrack filesharing network, for some popular items, about 70% of their copies and 60% of their versions were polluted. Kalafut et al. [6] measured that 68% of all downloadable responses in Limewire containing archives and executables were actually malware. Shin et al. [7] reported that in the KaZaA network, in response to 24 common query strings, over 15% of the results were infected by 52 different viruses. ...
Conference Paper
Content-centric networking is often regarded as a promising paradigm for future networks. Nevertheless, current content-based networks, such as file sharing peer-to-peer (P2P) networks, have been proved to be vulnerable to content pollution attacks. A significant amount of research effort has been launched in order to mitigate this kind of attack. The majority of these efforts focus on users' ranking, based on their behavior, while little work has been done in ranking information itself. We show in this paper that solutions based on users' ranking can be by-passed by malicious users. Furthermore we propose inforanking, a light-weight solution for ranking information, based exclusively on positive votes. We compare our solution to the Credence object-based reputation system. Our solution demonstrates significantly less burden to the network and outperforms Credence in terms of polluted content isolation.
... Detection, analysis, and classification of malware require another perspective, which is not the main focus of this work. However, there exist various sources for classification (Kolter and Maloof, 2006; Chien, 2003; Wang et al., 2006; Kalafut et al., 2006; Chouchane et al., 2007; Karagiannis et al., 2004), and detection of malware (Yin et al., 2007; Kang et al., 2007; Bose et al., 2008; Ye et al., 2007; Preda et al., 2007). Upon successful infections, caused by email-attachments, instant messaging programs, and local or peer-to-peer (P2P) fileshares, vulnerable computers providing fileshares or hosting email agents will most probably fail to operate appropriately. ...
... 2007) filesharing system and also ICQ shared folders. A study of malware in P2P networks is presented in Kalafut et al. (2006), and Shin et al. (2006) examines the prevalence of malware in the KazaA network, the malware's propagation behavior in the P2P network environment, and the characteristics of infected hosts. The work in Lia et al. (2007) discusses impacts of P2P systems caused via active worm propagations through the Internet. ...
Article
In this paper we present a cost model to analyze impacts of Internet malware in order to estimate the cost of incidents and risk caused by them. The model is useful in determining parameters needed to estimate recovery efficiency, probabilistic risk distributions, and cost of malware incidents. Many users tend to underestimate the cost of curiosity coming with stealth malware such as email-attachments, freeware/shareware, spyware (including keyloggers, password thieves, phishing-ware, network sniffers, stealth backdoors, and rootkits), popups, and peer-to-peer fileshares. We define two sets of functions to describe evolution of attacks and potential loss caused by malware, where the evolution functions analyze infection patterns, while the loss functions provide risk-impact analysis of failed systems. Due to a wide range of applications, such analyses have drawn the attention of many engineers and researchers. Analysis of malware propagation itself has little to contribute unless tied to analysis of system performance, economic loss, and risks.
... Some epidemiological models have been proposed to study the propagation of scanning strategy-based worms and local subnet scanning worms [2, 4]; however, they cannot be used to model passive P2P worms, because of the particular characteristics of passive P2P worms' propagation. Several passive worm propagation models have been investigated in earlier work [1, 3, 8, 10, 14, 15, 16, 17, 18, 19]. An important omission of the above models is the effect of network throughput. ...
... Chen et al. [3] provide a workload-driven simulation framework to characterize three types of non-scanning worms (e.g., passive worm, reactive worm, and proactive worm) and identify the parameters influencing their propagations, which states that the type of worm that would spread over such a network would not be detected by many of current methods. Kalafut et al. [8] point out the fact that 68% of the executable files contain passive worms through months of data. Xia et al. [16] present epidemic models of P2P worms in three typical structured P2P networks, outline the worms' rapid spreading capability, and reveal the negative influences of overlay topologies on the worms' propagation. ...
Article
Passive worms have posed serious security threats to the functioning of unstructured P2P networks. A delayed SEIRS epidemic model with death, offline and online rates is constructed based on the actual situation of P2P users. The basic reproduction number that governs whether a passive worm is extinct or not is obtained. In this model, time delay consists of latent and temporary immunity periods. The impact of different parameters on this model is studied with simulation results, especially the effect of time delay, which can provide an important guideline in the control of unstructured P2P networks as well as passive worm defense.
... Deterministic and stochastic propagation models have emerged to characterize P2P malware spread in continuous and discrete-time nature. The mathematical models [10] [4] have helped researchers to derive models that can eradicate topology-based malwares as well as limit and control the malware spread; previous work [11] [19] [7] [16] presented certain strategies to prevent topology-based malwares from spreading. For example, Sellke et al. [16] relied on the branching process model to characterize the propagation of random scanning malwares rather than on mathematical analysis. ...
Conference Paper
Full-text available
Peer-to-Peer (P2P) networks have increasingly become the most important means of trading content over the last years due to the constant evolution of the cyber world. This popularity made P2P networks susceptible to the spread of malware. The detection of the cause of malware propagation is now critical to the survival of P2P networks. This paper offers a review of the current relevant mathematical propagation models that have been proposed to date to predict the propagation behavior of malware in a P2P network. We analyzed the models proposed by researchers and experts in the field by evaluating their limitations and a possible alternative for improving the analysis of the expected behavior of a malware spread.
... Obfuscation is achieved by manipulation of filename, extension and possibly the icon displayed by the proprietary browsing system of the P2P application. Replication occurs by the malware sharing itself through the user's P2P application [95,120]. ...
... In an attempt to propagate itself, many malwares will connect to a popular P2P network and attempt to get other users to download and infect their machines. Many of these self-propagating malwares will cleverly respond with a dynamic filename based on whatever keywords the incoming request query contains [99]. ...
Article
Full-text available
The scalable, low overhead attributes of Peer-to-Peer (P2P) Internet protocols and networks lend themselves well to being exploited by criminals to execute a large range of cybercrimes. The types of crimes aided by P2P technology include copyright infringement, sharing of illicit images of children, fraud, hacking/cracking, denial of service attacks and virus/malware propagation through the use of a variety of worms, botnets, malware, viruses and P2P file sharing. This project is focused on the study of active P2P nodes along with the analysis of the undocumented communication methods employed in many of these large unstructured networks. This is achieved through the design and implementation of an efficient P2P monitoring and crawling toolset. The requirement for investigating P2P based systems is not limited to the more obvious cybercrimes listed above, as many legitimate P2P based applications may also be pertinent to a digital forensic investigation, e.g., voice over IP, instant messaging, etc. Investigating these networks has become increasingly difficult due to the broad range of network topologies and the ever increasing and evolving range of P2P based applications. In this work we introduce the Universal P2P Network Investigation Framework (UP2PNIF), a framework which enables significantly faster and less labour intensive investigation of newly discovered P2P networks through the exploitation of the commonalities in P2P network functionality. In combination with a reference database of known network characteristics, it is envisioned that any known P2P network can be instantly investigated using the framework, which can intelligently determine the best investigation methodology and greatly expedite the evidence gathering process. A proof of concept tool was developed for conducting investigations on the BitTorrent network.
... While "legitimate" sharing of copyrighted content is the primary focus of the network, it was quickly exploited for malicious purposes by cybercriminals, e.g., the spread of viruses, worms and botnets. In 2008, Kalafut et al. found that 68% of all downloadable responses in Limewire (Gnutella's largest client at the time) containing archives and executables contained malware [79]. ...
... Sen [2] suggested that the P2P workload was a good candidate for being managed with its high volume and good stability properties. In [3], a useful insight into filtering malware in P2P networks was presented: filtering downloads based on the most commonly seen sizes of the most popular malware could block a large portion of malicious files with a very low rate of false positives. Dario Bonfiglio [4][5][6] devised a target category. ...
Article
Full-text available
Traffic identification of the target category is currently a significant challenge for network monitoring and management. To identify the target category with pertinence, a feature extraction algorithm based on the subset with highest proportion is presented in this paper. The method is proposed to be applied to the identification of any category that is assigned as the target one, but not restricted to certain specific category. We divide the process of feature extraction into two stages. In the stage of primary feature extraction, the feature subset is extracted from the dataset which has the highest proportion of the target category. In the stage of secondary feature extraction, the features that can distinguish the target and interfering categories are added to the feature subset. Our theoretical analysis and experimental observations reveal that the proposed algorithm is able to extract fewer features with greater identification ability of the target category. Moreover, the universality of the proposed algorithm proves to be available with the experiment that every category is set to be the target one.
... Its purpose is to trap a user with a malicious email or URL into installing malware on their computer. Peer-to-peer file sharing systems have also been, and still are, a common way to spread malware packaged inside various files [8]. Nowadays, a lot of online service providers are using a two-factor authentication scheme, like a One-Time Password (OTP) sent by SMS or generated by a personal device [5]. ...
... A slightly different strategy consists in placing the malicious software (or the link to it) in places where people will voluntarily go looking for it: • hidden in software (or any other file) that will be downloaded from a website and opened, either in the form of a Trojan horse (cf. definition 1.6, page 31) or by exploiting a vulnerability in a file format to carry out the installation of the malicious software; • by downloading from peer-to-peer networks, which are fairly widely polluted by malicious code [KAG06]; • and finally, the stores of the mobile telephony platforms, the most effective way of reaching mobile phones [TLN + 14]. Definition 1.28 (drive-by-download). Drive-by-download, or download in the course of browsing, is the set of methods that make it possible to trigger the download of malicious code (and possibly its execution) without the user's intervention, or by deceiving the user (for example by inviting them to install a browser extension), while they browse a website (or use any application that displays remote content). ...
Thesis
Full-text available
Botnets, or networks of computers infected with malware and connected to a command and control system, are one of the main tools for criminal activities on the Internet today. They allow the development of a new type of crime: crime as a service (CaaS). They are a challenge for law enforcement. First, by the importance of their impact on the security of networks and the commission of crimes on the Internet. Next, with regard to the extremely international dimension of their dissemination and therefore the enhanced difficulty in conducting investigations. Finally, through the large number of actors that may be involved (software developers, botnet masters, financial intermediaries, etc.). This thesis proposes a thorough study of botnets (components, operation, actors), the proposal for a data collection method on botnet related activities and finally the technical and organizational arrangements in the fight against botnets; it concludes with proposals on the strategy for this fight. The work carried out has confirmed the relevance, for the effective study of botnets, of a model encompassing all their components, including infrastructure and actors. Besides an effort in providing definitions, the thesis describes a complete model of the life cycle of a botnet and offers methods for the categorization of these objects. This work shows the need for a shared strategy which should include the detection elements, coordination between actors and the possibility or even the obligation for operators to implement mitigation measures.
... Recent research [89,98] on malware in peer-to-peer networks has proven that often more than fifty percent transpired as malicious code. ...
... It is difficult for them to detect hosts infected with malware such as Trojan horses, because generally these kinds of communications neither consume significant bandwidth nor involve a large number of targets. Analysis can be further complicated if malware encrypts the network traffic, uses a rebound port [10] and communicates over peer-to-peer (P2P) protocols to blend in with P2P file-sharing traffic [11]. ...
Article
With the increase of new malicious software attacks, host-based malware detection methods cannot always detect the latest unknown malware. Intrusion detection systems do not focus on malware detection, whereas behavior-based detection methods still have some difficulties in being deployed in the network layer. This paper presents a malware detection method based on network behavior evidence chains. The proposed new method detects the specific network behavior characteristics at three different stages: connection establishment, operating control, and connection maintenance. A final detection decision is then concluded according to the results detected in the different stages before. A system prototype is implemented as a proof of concept of the proposed malware detection methods. Copyright © 2014 John Wiley & Sons, Ltd.
... With the advent of botnets, malware authors changed their modus operandi. In fact, bots rarely propagate by scanning for and exploiting vulnerable machines; instead, they are distributed through drive-by download exploits [36], spam emails [22], or file sharing networks [23]. However, bots do need to communicate with a command and control infrastructure. ...
Article
Full-text available
A distinguishing characteristic of bots is their ability to establish a command and control (C&C) channel. The typical approach to build detection models for C&C traffic and to identify C&C endpoints (IP addresses and domains of C&C servers) is to execute a bot in a controlled environment and monitor its outgoing network connections. Using the bot traffic, one can then craft signatures that match C&C connections or blacklist the IP addresses or domains that the packets are sent to. Unfortunately, this process is not as easy as it seems. For example, bots often open a large number of additional connections to legitimate sites (to perform click fraud or query for the current time), and bots can deliberately produce "noise", bogus connections that make the analysis more difficult. Thus, before one can build a model for C&C traffic or blacklist IP addresses and domains, one first has to pick the C&C connections among all the network traffic that a bot produces. In this paper, we present JACKSTRAWS, a system that accurately identifies C&C connections. To this end, we leverage host-based information that provides insights into which data is sent over each network connection as well as the ways in which a bot processes the information that it receives. More precisely, we associate with each network connection a behavior graph that captures the system calls that lead to this connection, as well as the system calls that operate on data that is returned. By using machine learning techniques and a training set of graphs that are associated with known C&C connections, we automatically extract and generalize graph templates that capture the core of different types of C&C activity. Later, we use these C&C templates to match against behavior graphs produced by other bots. Our results show that JACKSTRAWS can accurately detect C&C connections, even for novel bot families that were not used for template generation.
... There are two studies that measure the prevalence of malware in Peer-to-Peer (P2P) networks. Kalafut et al. study malware in the P2P networks Limewire and OpenFT [3], while Shin et al. perform a similar study for the KaZaA file-sharing network [11]. In the study by Kalafut et al., they collected data for more than one month and could show that 68% of all downloadable responses in Limewire, which are either executables or archives, contain malware. ...
Conference Paper
Full-text available
Autonomous spreading malware in the form of bots or worms is a constant threat in today's Internet. In the form of botnets, networks of compromised machines that can be remotely controlled by an attacker, malware can cause lots of harm. In this paper, we present a measurement setup to study the spreading and prevalence of malware that propagates autonomously. We present the results when observing about 16,000 IPs within a university environment for a period of eight weeks. We collected information about 13.4 million successful exploits and study the system- and network-level behavior of the collected 2,034 valid, unique malware binaries.
... Such vulnerabilities are a major issue for real-world P2P implementations today. For example, two studies published in 2006 detected malware in as much as 68% of all executable content exchanged over KaZaA [13] and in 15% of all files exchanged over Limewire [14]. Integrity violations are therefore a significant concern for owners, administrators, and users of these networks. ...
Conference Paper
Full-text available
An overview of recent advances in secure peer-to-peer networking is presented, toward enforcing data integrity, confidentiality, availability, and access control policies in these decentralized, distributed systems. These technologies are combined with reputation-based trust management systems to enforce integrity-based discretionary access control policies. Particular attention is devoted to the problem of developing secure routing protocols that constitute a suitable foundation for implementing this security system. The research is examined as a basis for developing a secure data management system for trusted collaboration applications such as e-commerce, situation awareness, and intelligence analysis.
... For example, malicious peers can easily propagate (low-integrity) malicious code over today's P2P networks by publishing it under a misleading name. Recent studies [5,6] have concluded that at as much as 68% of all executable content in KaZaA and 15% of all files exchanged over LimeWire contain malware. ...
Conference Paper
This paper describes the design of a peer-to-peer network that supports integrity and confidentiality labeling of shared data. A notion of data ownership privacy is also enforced, whereby peers can share data without revealing which data they own. Security labels are global but the implementation does not require a centralized label server. The network employs a reputation-based trust management system to assess and update data labels, and to store and retrieve labels safely in the presence of malicious peers. The security labeling scheme preserves the efficiency of network operations; lookup cost including label retrieval is O(log N), where N is the number of agents in the network.
... Crawling P2P networks or the Web is one alternative to the more traditional honeypots and spam traps, and may help reduce the time it takes to collect a new piece of malware. This is true in particular for malware that spread mainly via P2P [19,7]. Another collection strategy may be to use an executables sniffer, which may be deployed at the edge of a network to "sniff" the PE (portable executable) executables that the users of the monitored network are downloading [22]. ...
Conference Paper
In this work, we propose Malware Collection Booster (McBoost), a fast statistical malware detection tool that is intended to improve the scalability of existing malware collection and analysis approaches. Given a large collection of binaries that may contain both hitherto unknown malware and benign executables, McBoost reduces the overall time of analysis by classifying and filtering out the least suspicious binaries and passing only the most suspicious ones to a detailed binary analysis process for signature extraction.The McBoost framework consists of a classifier specialized in detecting whether an executable is packed or not, a universal unpacker based on dynamic binary analysis, and a classifier specialized in distinguishing between malicious or benign code. We developed a proof-of-concept version of McBoost and evaluated it on 5,586 malware and 2,258 benign programs. McBoost has an accuracy of 87.3%, and an Area Under the ROC curve (AUC) equal to 0.977. Our evaluation also shows that McBoost reduces the overall time of analysis to only a fraction (e.g., 13.4%) of the computation time that would otherwise be required to analyze large sets of mixed malicious and benign executables.
... trying to cheat the user. 1) P2P networks: P2P networks, which do not have integrated security mechanisms, are a natural propagation method for malware. According to some recent studies [9], almost 50% of the executable binaries found on P2P networks are infected with some kind of malware. To increase the attractiveness of binaries, and to persuade users to download and execute them, most of the binaries are hidden using the world's oldest lure: sex. ...
Article
8 pages, 6 figures. Contributed to: X Spanish Meeting on Cryptology and Information Security (Salamanca, Spain, Sep 2-5, 2008). In this work it is shown how current online banking and payment methods are highly insecure. All the countermeasures currently used by financial institutions are vulnerable to some kind of attack, mainly to the recent and powerful last generation trojans, which are able to defeat mechanisms as strong as SSL sessions or two-factor authentication schemes. We point out the problems of these models and we propose a mobile phone OTP scheme with a new method for the challenge generation. This work has been done in the frame of the project HESPERIA (http://www.proyecto-hesperia.org) supported by Centro para el Desarrollo Tecnológico Industrial (CDTI) under programme CENIT and also supported by the enterprises: Soluziona Consultoría y Tecnología, Unión Fenosa, Tecnobit, Visual-Tools, BrainStorm, SAC and TechnoSafe. Peer reviewed.
... The P2P epidemics [10] [11] leverage the overlay networks while other intermediate attacks focus on the services themselves. Content pollution is a type of attacks that degrade the level of data availability by tampering the original content of targeted systems. ...
Conference Paper
There has been significant progress in the development and deployment of Peer-to-Peer (P2P) live video streaming systems. However, there has been little study on the security aspect in such systems. Our prior experiences in Anysee exhibit that existing systems are largely vulnerable to intermediate attacks, in which the content pollution is a common attack that can significantly reduce the content availability, and consequently impair the playback quality. This paper carries out a formal analysis of content pollution and discusses its implications in P2P live video streaming systems. Specifically, we establish a probabilistic model to capture the progress of content pollution. We verify the model using a real implementation based on the Anysee system; we evaluate the content pollution effect through extensive simulations. We demonstrate that (1) the number of polluted peers can grow exponentially, similar to random scanning worms. This is vital: with 1% polluters, the overall system can be compromised within minutes; (2) the effective bandwidth utilization can be sharply decreased due to the transmission of polluted packets; (3) augmenting the number of polluters does not imply a faster progress of content pollution, in which the most influential factors are the peer degree and access bandwidth. We further examine several techniques and demonstrate that a hash-based signature scheme can be effective against the content pollution, in particular when being used during the initial phase.
Article
This paper introduces the Risk Activities Dataset 2024 (RBD24), an open-source dataset designed to facilitate the identification and analysis of risk activities within the cybersecurity domain. The RBD24 Dataset is derived from multimodal application logs collected over a two-week period at a Spanish state university, identifying activities aligned with the early stages of the attack scenario. This dataset paves the way for novel User and Entity behaviour Analytics (UEBA) and risk assessment frameworks within the cybersecurity domain. In detail, the dataset offers a fully user-centric approach by providing ground-truth data for various risk behaviours, including cryptocurrency activities, outdated software usage, P2P file sharing, and phishing incidents. These ground-truth data, identified through intrusion detection systems (IDS) and experimental campaigns, are represented as a set of indicators extracted from DNS, HTTP, SSL, and SMTP protocol logs. This dataset is expected to be a valuable resource for developing and benchmarking cybersecurity models, particularly in the realm of risk behaviour assessment.
Thesis
The bachelor's thesis entitled „Die Rolle der Spielpiraterie bei der Erhaltung digitaler Spiele“ (The Role of Game Piracy in the Preservation of Digital Games) examines the significance of game piracy in the context of preserving video games as cultural heritage. It analyses the opportunities and challenges associated with archiving video games and shows how piracy contributes to the preservation of games that would otherwise be lost through technological obsolescence or the end of their commercial availability. The thesis examines various methods such as ROM hacking, emulation and the activities of online communities. These approaches help make out-of-print or outdated games accessible. The thesis also discusses the legal framework and its influence on archiving efforts. It argues that a balance between copyright protection and the need to preserve cultural heritage is required. In summary, the thesis finds that, despite its legal problems, game piracy plays an essential role in the long-term archiving and preservation of digital games.
Article
The Internet has become the primary vehicle for doing almost everything online, and smartphones are needed for almost everyone to live their daily lives. As a result, cybersecurity is a top priority in today’s world. As Internet usage has grown exponentially with billions of users and the proliferation of Internet of Things (IoT) devices, cybersecurity has become a cat-and-mouse game between attackers and defenders. Cyberattacks on systems are commonplace, and defense mechanisms are continually updated to prevent them. Based on a literature review of cybersecurity vulnerabilities, attacks, and preventive measures, we find that cybersecurity problems are rooted in computer system architectures, operating systems, network protocols, design options, heterogeneity, complexity, evolution, open systems, open-source software vulnerabilities, user convenience, ease of Internet access, global users, advertisements, business needs, and the global market. We investigate common cybersecurity vulnerabilities and find that the bare machine computing (BMC) paradigm is a possible solution to address and eliminate their root causes at many levels. We study 22 common cyberattacks, identify their root causes, and investigate preventive mechanisms currently used to address them. We compare conventional and bare machine characteristics and evaluate the BMC paradigm and its applications with respect to these attacks. Our study finds that BMC applications are resilient to most cyberattacks, except for a few physical attacks. We also find that BMC applications have inherent security at all computer and information system levels. Further research is needed to validate the security strengths of BMC systems and applications.
Article
Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the specific type of social engineering attacks that bypass technical defences by actively manipulating object characteristics, such as platform or system applications, to deceive rather than directly attack the user. Commonly observed examples include obfuscated URLs, phishing emails, drive-by downloads, spoofed websites and scareware to name a few. This article presents a taxonomy of semantic attacks, as well as a survey of applicable defences. By contrasting the threat landscape and the associated mitigation techniques in a single comparative matrix, we identify the areas where further research can be particularly beneficial.
Article
The botnet phenomenon has recently garnered attention throughout both academia and industry. Unfortunately, botnets are still a mystery. In fact, today, very little is known about even the most basic botnet properties, such as size, growth, or demographics. The primary reason for this lack of knowledge is the fact that the existing approaches for measuring such properties are simply inadequate; honeypots [30], even those with advanced virtualization [40], cannot scale to the task of botnet tracking, while silent drones do not offer the dynamism necessary to persistently track botnets. Furthermore, both of these techniques provide only one, internal, view of the botnet. As we will demonstrate, this single view will often fail to provide relevant information on botnet size or diversity. Indeed, the fog has yet to clear. In order to gain a firm understanding of botnet dynamics, we have developed a lightweight infrastructure that overcomes many of the problems of prior approaches. Our infrastructure follows the entire life cycle of the botnet, beginning with the capture of botnet executables from various Internet vantage points. We apply novel techniques to automatically learn the
Article
Abstract. This paper is a summary of [KAM 06] and [SJB 06]. It describes the current state of malware distribution in various peer-to-peer networks. It examines the frequency of malware, search queries that generate particularly many malware responses, the distribution of malware across the network, and the precise function of the downloaded malware. The measurement results indicate that in many networks the downloaded binaries are infected with malware with a probability of over 30%. The exact distribution of the malware is analysed and its function examined in more detail. It turns out that a large proportion of the malware-infected machines are used, among other things, for sending spam. The extent of the damage and possible countermeasures are then discussed. Possible countermeasures consist of a heuristic for detecting malware based on file size, or equipping peer-to-peer clients with virus scanners. Furthermore, I propose a distributed system for rating file contents (with respect to their infection with malware).
Conference Paper
Search malware redirects nearly 100% of infected users' clicks on web search results to unintended websites. Most published research details how web-based malware works and technological interventions to stop it before users ever see it; however, the constant evolution of obfuscation techniques makes it difficult to prevent infection altogether. User interventions in the form of toolbars, dialogs, and user education have seen limited success. Previous research has focused on a prototypical type of malware; a sophisticated program that conceals itself (e.g., surreptitious download onto a host computer) or tries to fool the user by mimicking known, trusted websites (e.g., phishing attacks). The goal of our research is to understand users' experience, understanding of and response to search malware. The present research shows that even when confronted with blatantly unusual search behavior, people are unlikely to attribute blame to malware or to engage in behavior that may remedy the situation.
Article
Zero-day malware is malware that is based on zero-day exploits and/or malware that is otherwise so new that it is not detected by any anti-virus or anti-malware scanners. This paper presents an empirical study that exposed updated Microsoft Windows XP PCs with updated anti-virus software to a number of unsavoury Internet software repositories. A total of 124 zero-day malware instances were detected in our experiment. Our conclusion is that if a user is sufficiently adventurous (or foolish), no anti-virus protection can prevent a zero-day malware infection.
Article
Peer-to-peer file sharing is a growing security risk for firms and individuals. Users who participate in these networks to share music, pictures, and video are subject to many security risks including inadvertent publishing of private information, exposure to viruses and worms, and the consequences of spyware. In this paper, we examine the peer-to-peer file sharing phenomena, including an overview of the industry, its business models, and evolution. We describe the information security risks users face including personal identification disclosure and leakage of proprietary business information. We illustrate those risks through simple honey-pot experiments.
Chapter
With voluntary users participating in an autonomic manner, peer-to-peer (P2P) systems have been proliferating in an unprecedented pace. Indeed, it is widely known that P2P traffic now constitutes over 60% of total Internet traffic. P2P systems are now used for file sharing, media streaming, and various other social networking applications. Furthermore, P2P systems are also extending their reach to the wireless realm. However, there are still two major system aspects that pose challenges to P2P systems’ designers and users: incentives and security. First and foremost, a P2P system, by its nature, is viable only if users contribute their resources to the community. Obviously, uniform and global altruistic behaviors cannot be expected for all users.
Article
Passive worms can passively propagate through embedding themselves into some sharing files, which can result in significant damage to unstructured P2P networks. To study the passive worm behaviors, this paper firstly analyzes and obtains the average delay for all peers in the whole transmitting process due to the limitation of network throughput, and then proposes a mathematical model for the propagation of passive worms over the unstructured P2P networks. The model mainly takes the effect of the network throughput into account, and applies a new healthy files dissemination-based defense strategy according to the file popularity which follows the Zipf distribution. The simulation results show that the propagation of passive worms is mainly governed by the number of hops, initially infected files and uninfected files. The larger the number of hops, the more rapidly the passive worms propagate. If the number of the initially infected files is increased by the attackers, the propagation speed of passive worms increases obviously. A larger size of the uninfected file results in a better attack performance. However, the number of files generated by passive worms is not an important factor governing the propagation of passive worms. The effectiveness of healthy files dissemination strategy is verified. This model can provide a guideline in the control of unstructured P2P networks as well as passive worm defense.
Chapter
Since the introduction of Napster in 1999, millions of Internet users have exchanged massive amounts of files via P2P (Peer-to-Peer) filesharing networks. Notwithstanding the widespread penetration of these systems among Internet consumers, little is known about the usage process. Therefore, the aim of this chapter is to examine the usage of “illegal” P2P networks by means of an exploratory, qualitative study. The main findings revealed significant differences between the uses of various systems. Bittorrent clients were mainly used to download large files such as video, movies, and complete albums, while Gnutella clients were particularly utilized for small files such as single songs. The results indicate that the type of content, the characteristics of the client, the omnipresence of fake files and malware, the users’ motivations, the users’ lifestyles and the presence of bandwidth caps had an impact on how the participants utilized P2P systems. Keywords: Behavior, Activity theory, Motivations, Trust, Quality, Context
Article
Program input syntactic structure is essential for a wide range of applications such as test case generation, software debugging, and network security. However, such important information is often not available (e.g., most malware programs make use of secret protocols to communicate) or not directly usable by machines (e.g., many programs specify their inputs in plain text or other random formats). Furthermore, many programs claim they accept inputs with a published format, but their implementations actually support a subset or a variant. Based on the observations that input structure is manifested by the way input symbols are used during execution and most programs take input with top-down or bottom-up grammars, we devise two dynamic analyses, one for each grammar category. Our evaluation on a set of real-world programs shows that our technique is able to precisely reverse engineer input syntactic structure from execution. We apply our technique to hierarchical delta debugging (HDD) and network protocol reverse engineering. Our technique enables the complete automation of HDD, in which programmers were originally required to provide input grammars, and improves the runtime performance of HDD. Our client study on network protocol reverse engineering also shows that our technique supersedes existing techniques.
Conference Paper
In this work we analyze the propagation of files in the BitTorrent network. The paper covers security problems in peer-to-peer networks and establishes a malware propagation model. We give an overview of existing models and their weaknesses and introduce a propagation (epidemiological) model based on real data and real user behavior in the peer-to-peer network BitTorrent. We describe our empirical epidemiological model in detail and propose some advanced strategies which can help in the fight against malware. Further we present our empiric, as its application.
Conference Paper
In this article we deal with security problems of peer-to-peer networks and with a malware propagation model, establishing an empirical model of file propagation in peer-to-peer networks, and we describe our system for automatic file downloading.
Conference Paper
The open and autonomous nature of peer-to-peer (P2P) file-sharing invites the phenomenon of widespread decoys and free-riding. Reputation systems are introduced to assure data authenticity and to stimulate collaboration. We argue that, in a reputation-aided P2P file-sharing system, the faithful delivery of an authentic file depends on the authenticity of the file, its reputation (either the objective reputation of itself or the subjective reputation of its providing peer) and its index. Hence, we propose to add integrity control for the reputation and indexing storage/computation processing to enhance the authenticity of the resultant reputation values and service indexes. An integrity model is presented to articulate necessary mechanisms and rules for integrity protection. The existing proposals for P2P reputation and indexing are analyzed, accordingly.
Conference Paper
Peer-to-peer file sharing is a growing security risk for firms and individuals. Users who participate in these networks to share music, pictures, and video are subject to many security risks including inadvertent publishing of private information, exposure to viruses and worms, and the consequences of spyware. In this paper, we examine the peer-to-peer file sharing phenomena, including an overview of the industry, its business models, and evolution. We describe the information security risks users face including personal identification disclosure and leakage of proprietary business information. We illustrate those risks through honey-pot experiments and discuss how peer-to-peer industry dynamics are contributing to the security problem.
Conference Paper
The open and autonomous nature of peer-to-peer (P2P) systems invites the phenomenon of widespread decoys and free-riding. Reputation systems are constructed to ensure file authenticity and stimulate collaboration. We identify the authenticity, availability and privacy issues concerning the previous reputation management schemes. We propose to add integrity control for the reputation storage/computation processing in order to enhance the authenticity of the resultant reputation values; and present an integrity model to articulate necessary mechanisms and rules for integrity protection in a P2P reputation system. We design a fully-distributed and secure reputation management scheme, Trusted Reputation Management Service (TRMS). Employing Trusted Computing and Virtual Machine Technologies, a peer’s reputation values and specific transaction records can be stored, accessed and updated in a tamper-proof way by the Trusted Reputation Agent (TRA) on the same platform, which guarantees the authenticity of reputation values. Transaction partners exchange directly with each other for reputation values, services and transaction comments with no reliance on a remote third party, ensuring the availability of reputation and peers’ privacy.
Article
Propagation of passive worms in unstructured peer-to-peer (P2P) networks can result in significant damages and the loss of network security. This paper obtains the average delay for all peers in the entire transmitting process, and proposes a mathematical model for simulating unstructured P2P networks-based passive worms' propagation taking into account network throughput. According to the file popularity which follows the Zipf distribution, we propose a new healthy file dissemination-based defense strategy. Some parameters related to the propagation of passive worms are studied based on the proposed model. Finally, the simulation results verify the effectiveness of our model, which can provide an important guideline in the control of passive worms in unstructured P2P networks.
Article
Firms face many different types of information security risk. Inadvertent disclosure of sensitive business information represents one of the largest classes of recent security breaches. We examine a specific instance of this problem-inadvertent disclosures through peer-to-peer file-sharing networks. We characterize the extent of the security risk for a group of large financial institutions using a direct analysis of leaked documents. We also characterize the threat of loss by examining search patterns in peer-to-peer networks. Our analysis demonstrates both a substantial threat and vulnerability for large financial firms. We find a statistically significant link between leakage and leak sources including the firm employment base and the number of retail accounts. We also find a link between firm visibility and threat activity. Finally, we find that firms with more leaks also experience increased threat.
Article
Information security officials state that peer-to-peer (P2P) networks pose a significant threat to corporate and individual security. It is observed that unrestricted file sharing on these networks leads to copyright infringement and potential damage to documents and confidentiality. It has also been observed that criminals can access confidential information and files from these networks, posing threats to corporations and individuals. P2P file sharing represents a growing threat due to the evolution of these networks. Internet service providers (ISPs), companies, and copyright holders are making efforts to find solutions to these challenges. These challenges have also influenced P2P developers to create decentralized, encrypted, and anonymous networks that cannot be tracked. These networks are designed to accommodate a large number of clients and are capable of transferring large volumes of data safely.
Article
Sessions generated by Instant Messaging and Peer-to-Peer systems (IM/P2Ps) not only consume considerable bandwidth and computing resources but also dramatically change the characteristics of data flows affecting both the operation and performance of networks. Most IM/P2Ps have known security loopholes and vulnerabilities making them an ideal platform for the dissemination of viruses, worms, and other malware. The lack of access control and weak authentication on shared resources further exacerbates the situation. Should IM/P2Ps be deployed in production environments, performance of conventional applications may significantly deteriorate and enterprise data may be contaminated. It is therefore imperative to identify, monitor and finally manage IM/P2P traffic. Unfortunately, this task cannot be easily attained as IM/P2Ps resort to advanced techniques to hide their traces including multiple channels to deliver services, port hopping, message encapsulation and encryption. In this paper, we propose an extensible framework that not only helps to identify and classify IM/P2P-generated sessions in real time but also assists in the manipulation of such traffic. Consisting of four modules namely, session manager, traffic assembler, IM/P2P dissector, and traffic arbitrator, our proposed framework uses multiple techniques to improve its traffic classification accuracy and performance. Through fine-tuned splay and interval trees that help organize IM/P2P sessions and packets in data streams, we accomplish stateful inspection, traffic re-assembly, data stream correlation, and application layer analysis that combined will boost the framework's identification precision. More importantly, we introduce IM/P2Ps "plug-and-play" protocol analyzers that inspect data streams according to their syntax and semantics; these analyzers render our framework easily extensible. Identified IM/P2P sessions can be shaped, blocked, or disconnected, and corresponding traffic can be stored for forensic analysis and threat evaluation. Experiments with our prototype show high IM/P2Ps detection accuracy rates under diverse settings and excellent overall performance in both controlled and real-world environments.
Article
Peer-to-peer (P2P) file sharing accounts for an astonishing volume of current Internet traffic. This paper probes deeply into modern P2P file sharing systems and the forces that drive them. By doing so, we seek to increase our understanding of P2P file sharing workloads and their implications for future multimedia workloads. Our research uses a three-tiered approach. First, we analyze a 200-day trace of over 20 terabytes of Kazaa P2P traffic collected at the University of Washington. Second, we develop a model of multimedia workloads that lets us isolate, vary, and explore the impact of key system parameters. Our model, which we parameterize with statistics from our trace, lets us confirm various hypotheses about file-sharing behavior observed in the trace. Third, we explore the potential impact of locality-awareness in Kazaa. Our results reveal dramatic differences between P2P file sharing and Web traffic. For example, we show how the immutability of Kazaa's multimedia objects leads clients to fetch objects at most once; in contrast, a World-Wide Web client may fetch a popular page (e.g., CNN or Google) thousands of times. Moreover, we demonstrate that: (1) this "fetch-at-most-once" behavior causes the Kazaa popularity distribution to deviate substantially from Zipf curves we see for the Web, and (2) this deviation has significant implications for the performance of multimedia file-sharing systems. Unlike the Web, whose workload is driven by document change, we demonstrate that clients' fetch-at-most-once behavior, the creation of new objects, and the addition of new clients to the system are the primary forces that drive multimedia workloads such as Kazaa. We also show that there is substantial untapped locality in the Kazaa workload. Finally, we quantify the potential bandwidth savings that locality-aware P2P file-sharing architectures would achieve.
Conference Paper
In recent years, more than 200 viruses have been reported to use a peer-to-peer (P2P) file-sharing network as a propagation vector. Disguised as files that are frequently exchanged over P2P networks, these malicious programs infect the user's host if downloaded and opened, leaving their copies in the user's sharing folder for further propagation. Using a light-weight crawler built for the KaZaA file-sharing network, we study the prevalence of malware in this popular P2P network, the malware's propagation behavior in the P2P network environment and the characteristics of infected hosts. We gathered information about more than 500,000 files returned by the KaZaA network in response to 24 common query strings. With 364 signatures of known malicious programs, we found that over 15% of the crawled files were infected by 52 different viruses. Many of the malicious programs that we find active in the KaZaA P2P network open a backdoor through which an attacker can remotely control the compromised machine, send spam, or steal a user's confidential information. The assertion that these hosts were used to send spam was supported by the fact that over 70% of infected hosts were listed on DNS-based spam black-lists. Our measurement method is efficient: it enables us to investigate more than 30,000 files in an hour, identifying infected hosts without directly accessing their file system.
Conference Paper
Full-text available
Peer-to-peer (P2P) worms exploit common vulnerabilities in member hosts of a P2P network and spread topologically in the P2P network, a potentially more effective strategy than random scanning for locating victims. This paper describes the danger posed by P2P worms and initiates the study of possible mitigation mechanisms. In particular, the paper explores the feasibility of a self-defense infrastructure inside a P2P network, outlines the challenges, evaluates how well this defense mechanism contains P2P worms, and reveals correlations between containment and the overlay topology of a P2P network. Our experiments suggest a number of design directions to improve the resilience of P2P networks to worm attacks.
Conference Paper
Full-text available
Peer-to-peer (P2P) computing has become an interesting research topic during recent years. In this paper, we address issues related to analyzing worm-based attacks in P2P systems. Particularly, our technologies include: 1) generic mathematical models for attacker/defender and different P2P systems; 2) practical and effective attack prevention schemes. We find that our proposed defense strategy can efficiently improve the performance of worm detection and system recovery.
Article
Full-text available
Network intrusions have been a fact of life in the Internet for many years. However, as is the case with many other types of Internet-wide phenomena, gaining insight into the global characteristics of intrusions is challenging. In this paper we address this problem by systematically analyzing a set of firewall logs collected over four months from over 1600 different networks world wide. The first part of our study is a general analysis focused on the issues of distribution, categorization and prevalence of intrusions. Our data shows both a large quantity and wide variety of intrusion attempts on a daily basis. We also find that worms like CodeRed, Nimda and SQL Snake persist long after their original release. By projecting intrusion activity as seen in our data sets to the entire Internet we determine that there are typically on the order of 25B intrusion attempts per day and that there is an increasing trend over our measurement period. We further find that sources of intrusions are uniformly spread across the Autonomous System space. However, deeper investigation reveals that a very small collection of sources are responsible for a significant fraction of intrusion attempts in any given month and their on/off patterns exhibit cliques of correlated behavior. We show that the distribution of source IP addresses of the non-worm intrusions as a function of the number of attempts follows Zipf's law. We also find that at daily timescales, intrusion targets often depict significant spatial trends that blur patterns observed from individual "IP telescopes"; this underscores the necessity for a more global approach to intrusion detection. Finally, we investigate the benefits of shared information, and the potential for using this as a foundation for an automated, global intrus...
Article
Peer-to-Peer (P2P) computing has become an interesting research topic during recent years. In this paper, we address issues related to analyzing worm-based attacks in P2P systems. Particularly, our technologies include: 1) generic mathematical models for attacker/defender and different P2P systems; 2) practical and effective attack prevention schemes. We find that our proposed defense strategy can efficiently improve the performance of worm detection and system recovery.
Article
Both in terms of number of participating users and in traffic volume, FastTrack is one of the most important applications in the Internet today. Nevertheless, because FastTrack is proprietary and uses encryption, little is understood about FastTrack’s overlay structure and dynamics, its messaging protocol, and its index management. We have built two measurement apparatus—the FastTrack Sniffing Platform and the FastTrack Probing Tool—to unravel many of the mysteries behind FastTrack. We deploy the apparatus to study FastTrack’s overlay structure and dynamics, its neighbor selection, its use of dynamic port numbers to circumvent firewalls, and its index management. Although this study does not fully solve the FastTrack puzzle, it nevertheless leads to a coherent description of FastTrack and its overlay. Furthermore, we leverage the measurement results to set forth a number of key principles for the design of a successful unstructured P2P overlay. The measurement results and resulting design principles in this paper should be useful for future architects of P2P overlay networks as well as for engineers managing ISPs.
Conference Paper
Malicious spyware poses a significant threat to desktop security and integrity. This paper examines that threat from an Internet perspective. Using a crawler, we performed a large-scale, longitudinal study of the Web, sampling both executables and conventional Web pages for malicious objects. Our results show the extent of spyware content. For example, in a May 2005 crawl of 18 million URLs, we found spyware in 13.4% of the 21,200 executables we identified. At the same time, we found scripted "drive-by download" attacks in 5.9% of the Web pages we processed. Our analysis quantifies the density of spyware, the types of threats, and the most dangerous Web zones in which spyware is likely to be encountered. We also show the frequency with which specific spyware programs were found in the content we crawled. Finally, we measured changes in the density of spyware over time; e.g., our October 2005 crawl saw a substantial reduction in the presence of drive-by download attacks, compared with those we detected in May.
Conference Paper
Web homograph attacks have existed for some time, and the recent adoption of International Domain Names (IDNs) support by browsers and DNS registrars has exacerbated the problem [Gabr02]. Many international letters have similar glyphs, such as the Cyrillic letter P (lower case 'er,' Unicode 0x0440) and the Latin letter p. Because of the large potential for misuse of IDNs, browser vendors, policy advocates, and researchers have been exploring techniques for mitigating homograph attacks [Mozi05, Appl05, Oper05, Mark05]. There has been plenty of attention on the problem recently, but we are not aware of any data that quantifies the degree to which Web homograph attacks are currently taking place. In this paper, we use a combination of passive network tracing and active DNS probing to measure several aspects of Web homographs. Our main findings are four-fold. First, many authoritative Web sites that users visit have several confusable domain names registered. Popular Web sites are much more likely to have such confusable domains registered. Second, registered confusable domain names tend to consist of single character substitutions from their authoritative domains, though we saw instances of five-character substitutions. Most confusables currently use Latin character homographs, but we did find a non-trivial number of IDN homographs. Third, Web sites associated with non-authoritative confusable domains most commonly show users advertisements. Less common functions include redirecting victims to competitor sites and spoofing the content of the authoritative site. Fourth, during our nine-day trace, none of the 828 Web clients we observed visited a non-authoritative confusable Web site. Overall, our measurement results suggest that homograph attacks currently are rare and not severe in nature. However, given the recent increases in phishing incidents, homograph attacks seem like an attractive future method for attackers to lure users to spoofed sites.
Conference Paper
Over the past few years, a relatively new computing phenomenon has gained momentum: the spread of "spyware." Though most people are aware of spyware, the research community has spent little effort to understand its nature, how widespread it is, and the risks it presents. This paper is a first attempt to do so. We first discuss background material on spyware, including the various types of spyware programs, their methods of transmission, and their run-time behavior. By examining four widespread programs (Gator, Cydoor, SaveNow, and eZula), we present a detailed analysis of their behavior, from which we derive signatures that can be used to detect their presence on remote computers through passive network monitoring. Using these signatures, we quantify the spread of these programs among hosts within the University of Washington by analyzing a week-long trace of network activity. This trace was gathered from August 26th to September 1st, 2003. From this trace, we show that: (1) these four programs affect approximately 5.1% of active hosts on campus, (2) many computers that contain spyware have more than one spyware program running on them concurrently, and (3) 69% of organizations within the university contain at least one host running spyware. We conclude by discussing security implications of spyware and specific vulnerabilities we found within versions of two of these spyware programs.
Conference Paper
Existing studies on BitTorrent systems are single-torrent based, while more than 85% of all peers participate in multiple torrents according to our trace analysis. In addition, these studies are not sufficiently insightful and accurate even for single-torrent models, due to some unrealistic assumptions. Our analysis of representative BitTorrent traffic provides several new findings regarding the limitations of BitTorrent systems: (1) Due to the exponentially decreasing peer arrival rate in reality, service availability in such systems becomes poor quickly, after which it is difficult for the file to be located and downloaded. (2) Client performance in BitTorrent-like systems is unstable, and fluctuates widely with the peer population. (3) Existing systems could provide unfair services to peers, where peers with high downloading speed tend to download more and upload less. In this paper, we study these limitations on torrent evolution in realistic environments. Motivated by the analysis and modeling results, we further build a graph-based multi-torrent model to study inter-torrent collaboration. Our model quantitatively provides strong motivation for inter-torrent collaboration instead of directly stimulating seeds to stay longer. We also discuss a system design to show the feasibility of multi-torrent collaboration.
Conference Paper
On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours. The cost of this epidemic, including subsequent strains of Code-Red, is estimated to be in excess of $2.6 billion. Despite the global damage caused by this attack, there have been few serious attempts to characterize the spread of the worm, partly due to the challenge of collecting global information about worms. Using a technique that enables global detection of worm spread, we collected and analyzed data over a period of 45 days beginning July 2nd, 2001 to determine the characteristics of the spread of Code-Red throughout the Internet. In this paper, we describe the methodology we use to trace the spread of Code-Red, and then describe the results of our trace analyses. We first detail the spread of the Code-Red and CodeRedII worms in terms of infection and deactivation rates. Even without being optimized for spread of infection, Code-Red infection rates peaked at over 2,000 hosts per minute. We then examine the properties of the infected host population, including geographic location, weekly and diurnal time effects, top-level domains, and ISPs. We demonstrate that the worm was an international event, that infection activity exhibited time-of-day effects, and that, although most attention focused on large corporations, the Code-Red worm primarily preyed upon home and small business users. We also quantified the effects of DHCP on measurements of infected hosts and determined that IP addresses are not an accurate measure of the spread of a worm on timescales longer than 24 hours. Finally, the experience of the Code-Red worm demonstrates that wide-spread vulnerabilities in Internet hosts can be exploited quickly and dramatically, and that techniques other than host patching are required to mitigate Internet worms.
Article
The characteristic features of the spread of the Slammer worm are discussed. The worm's spreading strategy uses random scanning, which randomly selects IP addresses, eventually finding and infecting all susceptible hosts. Slammer's scanner is limited only by each compromised machine's Internet bandwidth. Slammer uses a linear congruential or power residue pseudo-random number generation (PRNG) algorithm. Slammer's scanner produced a heavy load: a large traffic volume, a large number of packets and a large number of new destinations.