Fighting Large-scale Internet Abuse

February 1, 2018
2:50-4:00
Halligan 102
Speaker: Kevin Borgolte, UCSB

Abstract

The widespread access to the Internet and the ubiquity of web-based services make it easy to communicate and interact globally. Unfortunately, the software implementing the functionality of these services is often vulnerable to attacks. In turn, an attacker can exploit these vulnerabilities to compromise and abuse the services for nefarious purposes. In my research, I aim to better understand, detect, and prevent these attacks.

In this talk, we first look at detecting website defacements, which can inflict significant harm on a website's owner through the loss of sales, the loss of reputation, or because of legal ramifications if not detected quickly. I detail Meerkat, a defacement detection system that requires no prior knowledge about the website's content or its structure, but only its URL.

Second, an attacker can also abuse vulnerabilities to distribute malware. Although a known problem, identifying malicious websites has become a major challenge in today's Internet. I introduce Delta, a purely static analysis approach that extracts change-related features between two versions of the same website, derives a model of changes, identifies the underlying malicious infection vector campaign based on clustering, and generates an identifying signature for it.

Third, we look at the practicality and impact of domain takeover attacks, which an attacker can similarly abuse to spread misinformation or malware. Specifically, I present Cloud Strife, a technique that stops domain takeover attacks from being useful in the presence of HTTPS, by preventing TLS certificate issuance for domains that have been taken over.

Finally, I will sketch out interesting future directions on how to better understand, detect, and prevent Internet abuse.