TY - THES

T1 - Internet Bad Neighborhoods

AU - Moreira Moura, Giovane

N1 - CTIT Ph.D.-thesis series no. 12-237

PY - 2013/3/1

Y1 - 2013/3/1

N2 - A significant part of current Internet attacks originates from hosts that are distributed all over the Internet. However, there is evidence that most of these hosts are, in fact, concentrated in certain parts of the Internet. This behavior resembles the crime distribution in the real world: it occurs in most places, but it tends to be concentrated in certain areas. In the real world, high crime areas are usually labeled as “bad neighborhoods‿. The goal of this dissertation is to investigate Bad Neighborhoods on the Internet. The idea behind the Internet Bad Neighborhood concept is that the probability of a host in behaving badly increases if its neighboring hosts (i.e., hosts within the same subnetwork) also behave badly. This idea, in turn, can be exploited to improve current Internet security solutions, since it provides an indirect approach to predict new sources of attacks (neighboring hosts of malicious ones). In this context, the main contribution of this dissertation is to present the first systematic and multifaceted study on the concentration of malicious hosts on the Internet. We have organized our study according to two main research questions. In the first research question, we have focused on the intrinsic characteristics of the Internet Bad Neighborhoods, whereas in the second research question we have focused on how Bad Neighborhood blacklists can be employed to better protect networks against attacks. The approach employed to answer both questions consists in monitoring and analyzing network data (traces, blacklists, etc.) obtained from various real world production networks. One of the most important findings of this dissertation is the verification that Internet Bad Neighborhoods are a real phenomenon, which can be observed not only as network prefixes (e.g., /24, in CIDR notation), but also at different and coarser aggregation levels, such as Internet Service Providers (ISPs) and countries. For example, we found that 20 ISPs (out of 42,201 observed in our data sets) concentrated almost half of all spamming IP addresses. In addition, a single ISP was found having 62% of its IP addresses involved with spam. This suggests that ISP-based Bad Neighborhood security mechanisms can be employed when evaluating e-mail from unknown sources. This dissertation also shows that Bad Neighborhoods are mostly applicationspecific and that they might be located in neighborhoods one would not immediately expect. For example, we found that phishing Bad Neighborhoods are mostly located in the United States and other developed nations – since these nations hosts the majority of data centers and cloud computing providers – while spam comes from mostly Southern Asia. This implies that Bad Neighborhood based security tools should be application-tailored. Another finding of this dissertation is that Internet Bad Neighborhoods are much less stealthy than individual hosts, since they are more likely to strike again a target previously attacked. We found that, in a one-week period, nearly 50% of the individual IP addresses attack only once a particular target, while up to 90% of the Bad Neighborhoods attacked more than once. Consequently, this implies that historical data of Bad Neighborhoods attacks can potentially be successfully employed to predict future attacks. Overall, we have put the Internet Bad Neighborhoods under scrutiny from the point of view of the network administrator. We expect that the findings provided in this dissertation can serve as a guide for the design of new algorithms and solutions to better secure networks.

AB - A significant part of current Internet attacks originates from hosts that are distributed all over the Internet. However, there is evidence that most of these hosts are, in fact, concentrated in certain parts of the Internet. This behavior resembles the crime distribution in the real world: it occurs in most places, but it tends to be concentrated in certain areas. In the real world, high crime areas are usually labeled as “bad neighborhoods‿. The goal of this dissertation is to investigate Bad Neighborhoods on the Internet. The idea behind the Internet Bad Neighborhood concept is that the probability of a host in behaving badly increases if its neighboring hosts (i.e., hosts within the same subnetwork) also behave badly. This idea, in turn, can be exploited to improve current Internet security solutions, since it provides an indirect approach to predict new sources of attacks (neighboring hosts of malicious ones). In this context, the main contribution of this dissertation is to present the first systematic and multifaceted study on the concentration of malicious hosts on the Internet. We have organized our study according to two main research questions. In the first research question, we have focused on the intrinsic characteristics of the Internet Bad Neighborhoods, whereas in the second research question we have focused on how Bad Neighborhood blacklists can be employed to better protect networks against attacks. The approach employed to answer both questions consists in monitoring and analyzing network data (traces, blacklists, etc.) obtained from various real world production networks. One of the most important findings of this dissertation is the verification that Internet Bad Neighborhoods are a real phenomenon, which can be observed not only as network prefixes (e.g., /24, in CIDR notation), but also at different and coarser aggregation levels, such as Internet Service Providers (ISPs) and countries. For example, we found that 20 ISPs (out of 42,201 observed in our data sets) concentrated almost half of all spamming IP addresses. In addition, a single ISP was found having 62% of its IP addresses involved with spam. This suggests that ISP-based Bad Neighborhood security mechanisms can be employed when evaluating e-mail from unknown sources. This dissertation also shows that Bad Neighborhoods are mostly applicationspecific and that they might be located in neighborhoods one would not immediately expect. For example, we found that phishing Bad Neighborhoods are mostly located in the United States and other developed nations – since these nations hosts the majority of data centers and cloud computing providers – while spam comes from mostly Southern Asia. This implies that Bad Neighborhood based security tools should be application-tailored. Another finding of this dissertation is that Internet Bad Neighborhoods are much less stealthy than individual hosts, since they are more likely to strike again a target previously attacked. We found that, in a one-week period, nearly 50% of the individual IP addresses attack only once a particular target, while up to 90% of the Bad Neighborhoods attacked more than once. Consequently, this implies that historical data of Bad Neighborhoods attacks can potentially be successfully employed to predict future attacks. Overall, we have put the Internet Bad Neighborhoods under scrutiny from the point of view of the network administrator. We expect that the findings provided in this dissertation can serve as a guide for the design of new algorithms and solutions to better secure networks.

KW - IR-84507

KW - METIS-294794

KW - EWI-23193

U2 - 10.3990/1.9789036534604

DO - 10.3990/1.9789036534604

M3 - PhD Thesis - Research UT, graduation UT

SN - 978-90-365-3460-4

PB - Centre for Telematics and Information Technology (CTIT)

CY - Enschede

ER -