Academic Papers

A Strategic Analysis of Spam Botnets Operations

O. Thonnard and M. Dacier, 2011.

We present in this paper a strategic analysis of spam botnets operations, i.e., we study the inter-relationships among botnets through their spam campaigns, and we focus on identifying similarities or differences in their modus operandi. The contributions of this paper are threefold. First, we provide an in-depth analysis which, in contrast with previous studies on spamming bots, focuses on the long-term, strategic behavior of spam botnets as observed through their aggregate spam campaigns. To that end, we have analyzed over one million spam records collected by Symantec.cloud (formerly Message Labs) through worldwide distributed spamtraps. Secondly, we demonstrate the usefulness of emerging attack attribution methodologies to extract intelligence from large spam data sets, and to correlate spam campaigns according to various combinations of different features. By leveraging these techniques relying on data fusion and multi-criteria decision analysis, we show that some tight relationships exist among different botnet families (like Rustock/Grum or Lethic/Maazben), but we also underline some profound differences in spam campaigns performed by other bots, such as Rustock versus Lethic, Bagle or Xarvester. Finally, we use the very same attribution methodology to analyze the recent Rustock take-down, which took place on March 17, 2011. As opposed to previous claims, our experimental results show that Bagle has probably not taken over Rustock’s role, but instead, we found some substantial evidence indicating that part of Rustock activity may have been offloaded to Grum.

By: Olivier Thonnard* and Marc Dacier* (Symantec Research Labs)

Published in: Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference (CEAS 2011), Perth, Australia, 1-2 September 2011

Please obtain a copy of this paper from the ACM.

An Analysis of Rogue AV Campaigns

M. Cova, C. Leita, O. Thonnard, A. Keromytis, and M. Dacier, 2010.

Rogue antivirus software has recently received extensive attention, justified by the diffusion and efficacy of its propagation. We present a longitudinal analysis of the rogue antivirus threat ecosystem, focusing on the structure and dynamics of this threat and its economics. To that end, we compiled and mined a large dataset of characteristics of rogue antivirus domains and of the servers that host them.

The contributions of this paper are threefold. Firstly, we offer the first, to our knowledge, broad analysis of the infrastructure underpinning the distribution of rogue security software by tracking 6,500 malicious domains. Secondly, we show how to apply attack attribution methodologies to correlate campaigns likely to be associated to the same individuals or groups. By using these techniques, we identify 127 rogue security software campaigns comprising 4,549 domains. Finally, we contextualize our findings by comparing them to a different threat ecosystem, that of browser exploits. We underline the profound difference in the structure of the two threats, and we investigate the root causes of this difference by analyzing the economic balance of the rogue antivirus ecosystem. We track 372,096 victims over a period of 2 months and we take advantage of this information to retrieve monetization insights. While applied to a specific threat type, the methodology and the lessons learned from this work are of general applicability to develop a better understanding of the threat economies.

By: Marco Cova (University of California, Santa Barbara), Corrado Leita (Symantec Research Labs), Olivier Thonnard (Royal Military Academy, Belgium), Angelos Keromytis (Columbia University), and Marc Dacier (Symantec Research Labs)

Published in: Proceedings of the 13th Symposium on Recent Advances in Intrusion Detection (RAID 2010), Ottawa, Canada, September 2010

Please obtain a copy of this paper from Springer Verlag LNCS.

Honeypot traces forensics: the observation view point matters

V. Pham and M. Dacier, 2009.

Addressing the attack attribution problem using knowledge discovery and multi-criteria fuzzy decision-making

O. Thonnard, W. Mees, and M. Dacier, 2009.

In network traffic monitoring, and more particularly in the realm of threat intelligence, the problem of attack attribution refers to the process of effectively attributing new attack events to (un)-known phenomena, based on some evidence or traces left on one or several monitoring platforms. Real-world attack phenomena are often largely distributed on the Internet, or can sometimes evolve quite rapidly. This makes them inherently complex and thus difficult to analyze. In general, an analyst must consider many different attack features (or criteria) in order to decide about the plausible root cause of a given attack, or to attribute it to some given phenomenon. In this paper, we introduce a global analysis method to address this problem in a systematic way. Our approach is based on a novel combination of a knowledge discovery technique with a fuzzy inference system, which somehow mimics the reasoning of an expert by implementing a multi-criteria decision-making process built on top of the previously extracted knowledge. By applying this method on attack traces, we are able to identify large scale attack phenomena with a high degree of confidence. In most cases, the observed phenomena can be attributed to so-called zombie armies - or botnets, i.e. groups of compromised machines controlled remotely by a same entity. By means of experiments with real-world attack traces, we show how this method can effectively help us to perform a behavioral analysis of those zombie armies from a long-term, strategic viewpoint.

By: Olivier Thonnard, Wim Mees (Royal Military Academy, Belgium); and Marc Dacier (Symantec Research Labs)

Published in: Proceedings of KDD’09, 15th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, Workshop on CyberSecurity and Intelligence Informatics, Paris, France, June 2009

Conference Best Paper Award

Please obtain a copy of this paper from the publisher listed above.

Behavioral Analysis of Zombie Armies

O. Thonnard, W. Mees, and M. Dacier, 2009.

Zombie armies - or botnets, i.e., large groups of compromised machines controlled remotely by a same entity - pose today a significant threat to national security. Recent cyber-conflicts have indeed demonstrated that botnets can be easily turned into digital weapons, which can be used by cybercriminals to attack the network resources of a country by performing simple Distributed Denial-of Service (DDoS) attacks against critical web services. A deep understanding of the long term behavior of botnet armies, and their strategic evolution, is thus a vital requirement to combat effectively those latent threats. In this paper, we show how to enable such a long-term, strategic analysis, and how to study the dynamic behaviors and the global characteristics of these complex, large-scale phenomena by applying different techniques from the area of knowledge discovery on attack traces collected on the Internet. We illustrate our method with some experimental results obtained from a set of worldwide distributed server honeypots, which have monitored attack activity in 18 different IP subnets for more than 640 days. Our preliminary results highlight several interesting findings, such as i) the strong resilience of zombie armies on the Internet, with survival times going up to several months; ii) the high degree of coordination among zombies; iii) the highly uneven spatial distribution of bots in a limited number of "unclean networks”, and iv) the large proportion of home users' machines with high-speed Internet connections among the bot population.

By: Olivier Thonnard (Royal Military Academy, Belgium), Wim Mees (Eurecom), and Marc Dacier (Symantec Research Labs)

Published in: Proceedings of the Cyber Warfare Conference (CWCon), Cooperative Cyber Defense Center Of Excellence (CCD-COE), Tallinn, Estonia, June 2009

Please obtain a copy of this paper from the publisher listed above.

Actionable Knowledge Discovery for Threats Intelligence Support Using a Multi-dimensional Data Mining Methodology

O. Thonnard and M. Dacier, 2008.

Data Loss Prevention Using an Ephemeral Key

W. Blanke, 2011.

GRAPHITE: A Visual Query System for Large Graphs

D. Chau, C. Faloutsos, H. Tong, J. Hong, B. Gallagher, and T. Eliassi-Rad, 2008.

What to Do When Search Fails: Finding Information by Association

D. Chau, B. Myers, and A. Faulring, 2008.

Feldspar: A System for Finding Information by Association

D. Chau, B. Myers, and A. Faulring, 2008.

Guaranteeing Eventual Coherency across Data Copies, in a Highly Available Peer-to-Peer Distributed File System

Bijayalaxmi Nanda, Anindya Banerjee, and Navin Kabra, 2009.

Fast Memory State Synchronization for Virtualization-based Fault Tolerance

M. Lu and T. Chiueh, 2009.

Accurate and Efficient Inter-Transaction Dependency Tracking

T. Chiueh and S. Bajpai, 2008.

PhorceField: A Phish-Proof Password Ceremony

M. Hart*, C. Castille, M. Harpalani, J. Toohill, and R. Johnson, 2011.

Many widely deployed phishing defense schemes, such as SiteKey, use client-side secrets to help users confirm that they are visiting the correct website before entering their passwords. Unfortunately, studies have demonstrated that up to 92% of users can be convinced to ignore missing client-side secrets and enter their passwords into phishing pages. However, since client-side secrets have already achieved industry acceptance, they are an attractive building block for creating better phishing defenses. We present PhorceField, a phishing resistant password ceremony that combines client-side secrets and graphical passwords in a novel way that provides phishing resistance that neither achieves on its own. PhorceField enables users to login easily, but forces phishers to present victims with a fundamentally unfamiliar and onerous user interface. Victims that try to use the phisher’s interface to enter their password find the task so difficult that they give up without revealing their password. We have evaluated PhorceField’s phishing resistance in a user study in which 21 participants used PhorceField for a week and were then subjected to a simulated phishing attack. On average, participants were only able to reveal 20% of the entropy in their password, and none of them revealed their entire password. This is a substantial improvement over previous research that demonstrated that 92% of users would reveal their entire password to a phisher, even if important security indicators were missing.

PhorceField is easy to deploy in sites that already use client-side secrets for phishing defense—it requires no client-side software and can be implemented entirely in javascript. Banks and other high value websites could therefore deploy it as a drop-in replacement for existing defenses, or deploy it on an “opt-in” basis, as Google has done with its phone-based “2-step verification” system.

By: Michael Hart*, Claude Castille, Manoj Harpalani, Jonathan Toohill, and Rob Johnson (Stony Brook University)

Published in: Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC 2011), Orlando, Florida, December, 2011

Please obtain a copy of this paper from the ACM.

Field Data Available at Symantec Research Labs: The Worldwide Intelligence Network Environment (WINE)

T. Dumitras, 2011.

Exploiting diverse observation perspectives to get insights on the malware landscape

C. Leita, U. Bayer, and E. Kirda, 2010.

Automatic Generation of String Signatures for Malware Detection

K. Griffin, S. Schneider, X. Hu, and T. Chiueh, 2009.

An Experimental Study of Diversity with Off-The-Shelf AntiVirus Engines

I. Gashi, V. Stankovic, C. Leita, and O. Thonnard, 2009.

Execution Trace-Driven Automated Attack Signature Generation

S. Nanda and T. Chiueh, 2008.

Large scale malware collection: lessons learned

J. Canto, M. Dacier, E. Kirda, and C. Leita, 2008.

A Study of the Packer Problem and Its Solutions

F. Guo, P. Ferrie, and T. Chiueh, 2008.

Detecting Known and New Salting Tricks in Unwanted Emails

A. Bergholz, G. Paass, F. Reichartz, S. Strobel, M. Moens, and B. Witten, 2008.

A Forced Sampled Execution Approach to Kernel Rootkit Identification

J. Wilhelm and T. Chiueh, 2007.

Malware Evolution: A Snapshot of Threats and Countermeasures in 2005

B. Witten and C. Nachenberg, 2006.

Conservative Garbage Collection for General Memory Allocators

G. Rodriguez-Rivera, M. Spertus, and C. Fiterman, 2000.

A Non-Fragmenting Non-Moving, Garbage Collector

G. Rodriguez-Rivera, M. Spertus, and C. Fiterman, 1998.

Predictive Methods for Improved Vehicular WiFi Access

P. Deshpande, A. Kashyap, C. Sung, and S. Das, 2009.

The eBay graph: How do online auction users interact?

Y. Beyene, M. Faloutso, D. Horng Chau, and C. Faloutsos, 2008.

Online auctions have revolutionized the ability of people to buy and sell items without middlemen, and sales reaching more than $57 billion every year on eBay alone. The user interactions at online auctions form a network of interactions akin to a social network. Unlike other online social networks, online auction networks have not been studied so far. In this paper, we model and characterize the structure and evolution of the network of user interactions on eBay. Specifically, we use over 54 million eBay transaction feedback that users leave for each other. A distinguishing feature of the graph is the rich meaning that nodes and edges can have (for example, an edge could be positive or negative, posted by a buyer or a seller) in contrast to other graphs such as the topology of the Internet. First, we provide the vital statistics of the emerging graph, which we call eBay graph. We observe that the graph exhibits both significant differences and similarities to commonly studied graphs. Second, we study the feedback behavior of users: feedback is not always reciprocal, and negative feedback is scarce (less than 1%), but few negative feedbacks could discourage new users. Finally, we develop an intuitive model that captures key properties of the graph in a visual and memorable way. Our work can be seen as a first step in understanding online auction graphs, which could enable us to detect trends, abnormalities and ultimately fraudulent behavior.

By: Yordanos Beyene, Michalis Faloutso (University of California, Riverside), Duen Horng Chau**, and Christos Faloutsos (Carnegie Mellon University)

Published in: IEEE Global Internet Symposium 2008, copublished in proceedings of the 27th Conference on Computer Communication (INFOCOM 2008), Phoenix AZ, April 2008

Please obtain a copy of this paper from the publisher listed above.

RapidUpdate: Peer-Assisted Distribution of Security Content

D. Serenyi and B. Witten, 2008.

Comparison of QoS Guarantee Techniques for VoIP over IEEE802.11
Wireless LAN

F. Guo, and T. Chiueh, 2008.

A System for Generating Static Analyzers for Machine Instructions

J. Lim and T. Reps, 2008.

Fast Bounds Checking Using Debug Register

T. Chiueh, 2008.

Garbage Collection in the Next C++ Standard

M. Spertus and H. Boehm, 2009.

C++ has traditionally relied on manual memory management. Sometimes this has been augmented by limited reference counting, implemented in libraries, and requiring use of separate pointer types. In spite of the fact that conservative garbage collectors have been used with C for decades, and with C++ for almost as long, they have not been well-supported by language standards. This in turn has limited their use.

We have led an effort to change this by supporting optional "transparent" garbage collection in the next C++ standard. This is designed to either garbage collect or detect leaks in code using normal unadorned C++ pointers. We initially describe an ambitious effort that would have allowed programmers to explicitly request garbage collection. It faced a number of challenges, primarily in correct interaction with existing libraries relying on explicit destructor invocation. This effort was eventually postponed to the next round of standardization. This initial effort was then temporarily replaced by minimal support in the language that officially allows garbage collected implementations. Such minimal support is included in the current committee draft for the next C++ standard. It imposes an additional language restriction that makes it safe to garbage collect C++ programs. Stating this restriction proved subtle.

We also provide narrow interfaces that make it easy to both correct code violating this new restriction, and to supply hints to a conservative garbage collector to improve its performance. These provide interesting implementation challenges. We discuss partial solutions.

By: Mike Spertus* (Symantec Research Labs) and Hans-J. Boehm (HP Laboratories)

Published in: Proceedings of the 2009 International Symposium on Memory Management (ISMM '09), Dublin, Ireland, June 19-20, 2009, pp. 30-38.

Please obtain a copy of this paper from the ACM.

Toward a Standard Benchmark for Computer Security Research: The Worldwide Intelligence Network Environment (WINE)

T. Dumitras and D. Shou, 2011.

HARMUR: Storing and Analyzing Historic Data on Malicious Domains

C. Leita and M. Cova, 2011.

An Attack Surface Metric

P. Manadhata and J. Wing, 2010.

Responsibility for the Harm and Risk of Software Security Flaws

C. Goldschmidt, M. Dark, and H. Chaudhry, 2010.

Advances in Topological Vulnerability Analysis

S. Noel, M. Elder, S. Jajodia, P. Kalapa, S. O’Hare, and K. Prole, 2009

Reducing E-Discovery Cost by Filtering Included Emails

T. Ngan, 2008.

Data Space Randomization

S. Bhatkar and R. Sekar, 2008.

Over the past several years, US-CERT advisories, as well as most critical updates from software vendors, have been due to memory corruption vulnerabilities such as buffer overflows, heap overflows, etc. Several techniques have been developed to defend against the exploitation of these vulnerabilities, with the most promising defenses being based on randomization. Two randomization techniques have been explored so far: address space randomization (ASR) that randomizes the location of objects in virtual memory, and instruction set randomization (ISR) that randomizes the representation of code. We explore a third form of randomization called data space randomization (DSR) that randomizes the representation of data stored in program memory. Unlike ISR, DSR is effective against non-control data attacks as well as code injection attacks. Unlike ASR, it can protect against corruption of non-pointer data as well as pointer-valued data. Moreover, DSR provides a much higher range of randomization (typically 232 for 32-bit data) as compared to ASR. Other interesting aspects of DSR include (a) it does not share a weakness common to randomization-based defenses, namely, susceptibility to information leakage attacks, and (b) it is capable of detecting some exploits that are missed by full bounds-checking techniques, e.g., some of the overflows from one field of a structure to the next field. Our implementation results show that with appropriate design choices, DSR can achieve a performance overhead in the range of 5% to 30% for a range of programs.

By: Sandeep Bhatkar (Symantec Research Labs) and R. Sekar (Stony Brook University)

Publication: Proceedings of the 5th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2008), July 2008

Please obtain a copy of this paper from the publisher listed above.

Engineering Sufficiently Secure Computing

B. Witten, 2006.

Measurement and Gender-Specific Analysis of User Publishing Characteristics on MySpace

W. Gauvin, B. Ribeiro, B. Liu, D. Towsley, and J. Wang, 2010.

Building a High-performance Deduplication System

F. Guo and P. Efstathopoulos, 2011.

Modern deduplication has become quite effective at eliminating duplicates in data, thus multiplying the effective capacity of disk-based backup systems, and enabling them as realistic tape replacements. Despite these improvements, single-node raw capacity is still mostly limited to tens or a few hundreds of terabytes, forcing users to resort to complex and costly multi-node systems, which usually only allow them to scale to single-digit petabytes. As the opportunities for deduplication efficiency optimizations become scarce, we are challenged with the task of designing deduplication systems that will effectively address the capacity, throughput, management and energy requirements of the petascale age. In this paper we present our high-performance deduplication prototype, designed from the ground up to optimize overall single-node performance, by making the best possible use of a node's resources, and achieve three important goals: scale to large capacity, provide good deduplication efficiency, and near-raw-disk throughput. Instead of trying to improve duplicate detection algorithms, we focus on system design aspects and introduce novel mechanisms—that we combine with careful implementations of known system engineering techniques. In particular, we improve single-node scalability by introducing progressive sampled indexing and grouped mark-and-sweep, and also optimize throughput by utilizing an event-driven, multi-threaded client-server interaction model. Our prototype implementation is able to scale to billions of stored objects, with high throughput, and very little or no degradation of deduplication efficiency.

By: Fanglu Guo* and Petros Efstathopoulos* (Symantec Research Labs)

Published in: Proceedings of the 2011 USENIX Annual Technical Conference (USENIX ATC ’11), Portland, OR, USA, June 15–17, 2011, pp. 271-284.

Conference Best Paper Award

Please obtain a copy of this paper from The USENIX Association.

Towards SIRF: Self-contained Information Retention Format

S. Rabinovici-Cohen, M. Baker, R. Cummings, S. Fineberg, and J. Marberg, 2011.

U Can’t Touch This: Block-Level Protection for Portable Storage

K. Butler and P. Efstathopoulos, 2009.

Rethinking Deduplication Scalability

P. Efstathopoulos and F. Guo, 2008.

DAFT: Disk Geometry-Aware File System Traversal

F. Guo and T. Chiueh, 2009.

An Incremental File System Consistency Checker for Block-Level CDP Systems

M. Lu and T. Chiueh, 2008.

Availability and Fairness Support for Storage QoS Guarantee

P. Gang and T. Chiueh, 2008.

A Simple, Fast, and Compact Static Dictionary

S. Schneider and M. Spertus, 2011.

Noncirculant Toeplitz Matrices All of Whose Powers are Toeplitz

K. Griffin, J. Stuart, and M. Tsatsomeros, 2008.

Applications of Feather-Weight Virtual Machine

Y. Yu, H. Kolam Govindarajan, L. Chung-Lam, and T. Chiueh, 2008.

A Feather-weight Virtual Machine (FVM) is an OS-level virtualization technology that enables multiple isolated execution environments to exist on a single Windows kernel. The key design goal of FVM is efficient resource sharing among VMs so as to minimize VM startup/shutdown cost and scale to a larger number of concurrent VM instances. As a result, FVM provides an effective platform for fault-tolerant and intrusion-tolerant applications that require frequent invocation and termination of dispensable VMs. This paper presents three complete applications of the FVM technology: scalable web site testing; shared binary service for application deployment and distributed Display-Only File Server (DOFS). To identify malicious web sites that exploit browser vulnerabilities, we use a web crawler to access untrusted sites, render their pages in multiple browsers each running in a separate VM, and monitor their execution behaviors. To allow Windows-based end user machines to share binaries that are stored, managed and patched on a central location, we run shared binaries in a special VM on the end user machine whose runtime environment is imported from the central binary server. To protect confidential files in a file server against information theft by insiders, we ensure that file viewing/editing programs run in a VM, which grants file content display but prevents file content from being saved on the host machine. In this paper, we show how to customize the generic FVM framework to accommodate the needs of the three applications, and present experimental results that demonstrate their performance and effectiveness.

By: Yang Yu, Hariharan Kolam Govindarajan, Lap Chung-Lam and Tzi-cker Chiueh* (Stony Brook University)

Published in: Proceedings of the 2008 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE08), Seattle, WA, March 2008

Please obtain a copy of this paper from the publisher listed above.

Graphics Engine Resource Management

M. Bautin, A. Dwarakinath, and T. Chiueh, 2008.

Topic categories:

Attack Attribution

Cryptography

Data Mining

High-Availability Systems

Human Computer Interaction and Phishing

Malware Analysis

Memory Management

Networking

Program Analysis

Programming Languages

Security

Social Networks

Storage

Theory

Virtualization