September 29, 2017 | By Yacin Nadji
On September 27, Georgia Tech hosted the 15th Annual Georgia Tech Cyber Security Summit, where attribution of malicious campaigns was front and center. Two academic papers released from the Astrolavos Lab were presented as posters and during the breakout session. The first described a new class of domain name abuse and the second demonstrated an adversarial attack against a popular machine learning system. Both will be presented in October at ACM CCS 2017, one of the top conferences for academic security.
The first paper described combosquatted domains, which combine a popular trademark with one or more phrases, like betterfacebook.com or youtube-live.com. These domains masquerade as their trademark -- typically for abusive purposes, such as phishing, social engineering, affiliate abuse and even advanced persistent threats (APTs). The authors found that over 60% of these domains are active for more than 1,000 days.
The second paper breaks the graph clustering component of Pleiades, a machine-learning network detector. The authors showed that clever attackers can not only completely evade Pleiades, but can do so at low cost using only the knowledge extracted from their infected hosts. However, clever tuning of the models allows some of the damage to be mitigated.
IISP Analyst Yacin Nadji : (Full disclosure: both papers are from the lab I am a member of and I am a co-author of the second.)
"The two best parts of the combosquatting paper are 1.) these domains can readily be found to protect your company's customers and 2.) combosquatted domains can be directly tied to substantial abuse. It also shows that not only is the problem on the rise, but it is a serious one. Worse still, these domains are masquerading as a legitimate trademark, which may cause customers to lose faith. Thankfully, the abuse technique is simple, so trademark holders can easily find likely candidates, complain to ICANN and protect their customers from phishing attempts.
Adversarial machine learning in security is blowing up, and this second paper provides some nice contributions to the space: particularly introducing the concepts of the adversary's evasion cost and knowledge levels. In many security scenarios, an attacker evading detection comes at a cost, e.g., reduced connectivity to their infected machines. What is interesting is the authors demonstrate that in Pleiades' case, attackers can sometimes have more connected infrastructure while still evading detection. Second, they introduce a more realistic version of the attacker's knowledge level. In the simple case, they consider an attacker that only has knowledge a botmaster would have. But in the most advanced case (think nation-state actors), attackers possess the data used by the defenders themselves to construct their models. In the system-level case, this may be malware, which is not that scary. But in the network case, this would be network data from major ISPs. Considering such sophistication in attackers is, in my honest opinion, a direction that needs to be explored in the adversarial machine learning literature."
For further reading
- Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse: https://arxiv.org/pdf/1708.08519.pdf
- Practical Attacks Against Graph-based Clustering [paper]: http://iisp.gatech.edu/sites/default/files/images/practical_attacks_against_graph-based_clustering_-_arxiv.pdf