Discovery of emergent malicious campaigns in cellular networks

Published: 09 December 2013

Abstract

The growth of smartphones has bridged the telephony/SMS and IP worlds, and this has created new opportunities for financially motivated attackers. For example, some malicious campaigns in the cellular network that aim to extract money fraudulently can do so even without any malware. Detecting and mitigating the variety of attacks in cellular networks is difficult because they do not necessarily have a fixed 'signature', and new types of campaigns appear frequently. Further complicating matters, detecting a single malicious entity (a domain name, a phone number, or a short code) that is part of a malicious campaign is usually not very effective, because the attacker simply moves to using another entity in its place. An effective strategy requires detecting all or most of the elements involved in the campaign at once. In this paper, we describe a system, based on ideas from anomaly detection and clustering, that aims to detect many different families of widespread malicious campaigns in cellular networks. The system reveals an entire campaign as a graph cluster that includes the various entities involved in the campaign and their relationships, such as malware download websites, C&C servers, spammers, etc. Using logs from both the SMS and IP portions of the network for millions of users, we detect newly popular entities and cluster them to discover how they are related. By looking for cues of possible malicious behavior from any of the entities in a cluster, we attempt to ascertain whether a detected campaign might be malicious, providing valuable leads to a human analyst. Our system is live and generates daily clusters for human analysts. We provide detailed case studies of real, previously unseen families of malicious campaigns that this system has successfully brought to light.
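A toy version of the pipeline the abstract describes, added here as an illustration and not the paper's own code: detect entities that become newly popular relative to a baseline window, link entities that share many of the same users, take connected components as clusters, and flag a cluster when any member matches a malicious cue. The log records, thresholds, the `BLOCKLIST` cue source and connected-component clustering are all assumptions made for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed log records (day, user, entity); entities are phone numbers, short
# codes or domains as they would appear in SMS and IP logs. Day 0 is the baseline.
# On day 1 a campaign appears: a short code, a landing site and an APK host are
# all contacted by the same small group of users.
RECORDS = [
    (0, "u1", "friend.example"), (0, "u2", "friend.example"),
    (0, "u3", "news.example"), (0, "u4", "news.example"),
    (1, "u1", "friend.example"), (1, "u8", "news.example"),
    (1, "u5", "31337"), (1, "u5", "prize-landing.example"), (1, "u5", "apk-host.example"),
    (1, "u6", "31337"), (1, "u6", "prize-landing.example"), (1, "u6", "apk-host.example"),
    (1, "u7", "31337"), (1, "u7", "prize-landing.example"),
]
BLOCKLIST = {"apk-host.example"}  # constructed cue source, stands in for a reputation feed

def users_by_entity(records, day):
    seen = defaultdict(set)  # entity -> distinct users that contacted it on `day`
    for d, user, entity in records:
        if d == day:
            seen[entity].add(user)
    return seen

def newly_popular(records, baseline_day, current_day, min_users=2, growth=2.0):
    """Entities whose user count grew by `growth`x over the baseline (baseline + 1
    avoids division by zero for entities never seen before)."""
    base, cur = users_by_entity(records, baseline_day), users_by_entity(records, current_day)
    return {e for e, us in cur.items()
            if len(us) >= min_users and len(us) / (len(base.get(e, ())) + 1) >= growth}

def cluster(records, day, entities, min_shared=2):
    """Link entities sharing >= min_shared users; return connected components (stand-in for community detection)."""
    seen, adj = users_by_entity(records, day), {e: set() for e in entities}
    for a, b in combinations(sorted(entities), 2):
        if len(seen[a] & seen[b]) >= min_shared:
            adj[a].add(b); adj[b].add(a)
    comps, todo = [], set(entities)
    while todo:
        stack, comp = [todo.pop()], set()
        while stack:
            e = stack.pop(); comp.add(e)
            stack.extend(n for n in adj[e] if n not in comp)
        todo -= comp; comps.append(frozenset(comp))
    return comps

def suspicious_campaigns(records, baseline_day, current_day):
    """Clusters of newly popular entities in which any member matches a cue."""
    hot = newly_popular(records, baseline_day, current_day)
    return [c for c in cluster(records, current_day, hot) if c & BLOCKLIST]
```

Note that the landing site and short code are surfaced only because they cluster with the blocklisted host; on their own they match no signature, which is the point the abstract makes about detecting a campaign as a whole.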


Published In

ACSAC '13: Proceedings of the 29th Annual Computer Security Applications Conference
December 2013
374 pages
ISBN:9781450320153
DOI:10.1145/2523649

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. SMS
  2. intrusion detection
  3. mobile phone security
  4. network anomaly detection

Qualifiers

  • Research-article

Conference

ACSAC '13: Annual Computer Security Applications Conference
Sponsor: ACSA
December 9 - 13, 2013
New Orleans, Louisiana, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%


Cited By

  • (2018) Exposing Search and Advertisement Abuse Tactics and Infrastructure of Technical Support Scammers. Proceedings of the 2018 World Wide Web Conference, pp. 319-328. DOI: 10.1145/3178876.3186098. Online publication date: 10-Apr-2018.
  • (2018) Application of Docker Swarm cluster for testing programs, developed for system of devices within paradigm of Internet of things. Journal of Physics: Conference Series, vol. 1015, article 032129. DOI: 10.1088/1742-6596/1015/3/032129. Online publication date: 21-May-2018.
  • (2017) A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android Software. IEEE Transactions on Software Engineering 43(6), pp. 492-530. DOI: 10.1109/TSE.2016.2615307. Online publication date: 1-Jun-2017.
  • (2017) (Un)wisdom of Crowds. IEEE Transactions on Information Forensics and Security 12(6), pp. 1406-1417. DOI: 10.1109/TIFS.2017.2663333. Online publication date: 1-Jun-2017.
  • (2016) WhatApp: Modeling mobile applications by domain names. 2016 IEEE 12th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), pp. 1-10. DOI: 10.1109/WiMOB.2016.7763253. Online publication date: Oct-2016.
  • (2016) Survey of Intrusion Detection Systems towards an End to End Secure Internet of Things. 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud), pp. 84-90. DOI: 10.1109/FiCloud.2016.20. Online publication date: Aug-2016.
  • (2016) Understanding Cross-Channel Abuse with SMS-Spam Support Infrastructure Attribution. Computer Security – ESORICS 2016, pp. 3-26. DOI: 10.1007/978-3-319-45744-4_1. Online publication date: 15-Sep-2016.
  • (2015) Dandelion - Revealing Malicious Groups of Interest in Large Mobile Networks. Network and System Security, pp. 3-17. DOI: 10.1007/978-3-319-25645-0_1. Online publication date: 6-Nov-2015.
