Publication


Featured research published by Arman Noroozian.


Network Operations and Management Symposium | 2016

Apples, oranges and hosting providers: Heterogeneity and security in the hosting market

Samaneh Tajalizadehkhoob; Maciej Korczynski; Arman Noroozian; Carlos Gañán; Michel van Eeten

Hosting services are associated with various security threats, yet the market has barely been studied empirically. Most security research has relied on routing data and equates providers with Autonomous Systems, ignoring the complexity and heterogeneity of the market. To overcome these limitations, we combined passive DNS data with WHOIS data to identify providers and some of their properties. We found 45,434 hosting providers, spread around a median address space size of 1,517 IP addresses. There is surprisingly little consolidation in the market, even though its services seem amenable to economies of scale. We applied cluster analysis on several measurable characteristics of providers. This uncovered a diverse set of business profiles and an indication of what fraction of the market fits each profile. The profiles are associated with significant differences in security performance, as measured by the uptime of phishing sites. This suggests the approach provides an effective way for security researchers to take the heterogeneity of the market into account.


Recent Advances in Intrusion Detection | 2016

Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service

Arman Noroozian; Maciej Korczynski; Carlos Gañán; Daisuke Makita; Katsunari Yoshioka; Michel van Eeten

A lot of research has been devoted to understanding the technical properties of amplification DDoS attacks and the emergence of the DDoS-as-a-service economy, especially the so-called booters. Much less is known about the consequences for victimization patterns. We profile victims via data from amplification DDoS honeypots. We develop victimization rates and present explanatory models capturing key determinants of these rates. Our analysis demonstrates that the bulk of the attacks are directed at users in access networks, not at hosting, and even less at enterprise networks. We find that victimization in broadband ISPs is highly proportional to the number of ISP subscribers and that certain countries have significantly higher or lower victim rates which are only partially explained by institutional factors such as ICT development. We also find that victimization rate in hosting networks is proportional to the number of hosted domains and number of routed IP addresses and that content popularity has a minor impact on victimization rates. Finally, we reflect on the implications of these findings for the wider trend of commoditization in cybercrime.


Computer and Communications Security | 2017

Herding Vulnerable Cats: A Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting

Samaneh Tajalizadehkhoob; Tom Van Goethem; Maciej Korczynski; Arman Noroozian; Rainer Böhme; Tyler Moore; Wouter Joosen; Michel van Eeten

Hosting providers play a key role in fighting web compromise, but their ability to prevent abuse is constrained by the security practices of their own customers. Shared hosting offers a unique perspective since customers operate under restricted privileges and providers retain more control over configurations. We present the first empirical analysis of the distribution of web security features and software patching practices in shared hosting providers, the influence of providers on these security practices, and their impact on web compromise rates. We construct provider-level features on the global market for shared hosting -- containing 1,259 providers -- by gathering indicators from 442,684 domains. Exploratory factor analysis of 15 indicators identifies four main latent factors that capture security efforts: content security, webmaster security, web infrastructure security and web application security. We confirm, via a fixed-effect regression model, that providers exert significant influence over the latter two factors, which are both related to the software stack in their hosting environment. Finally, by means of GLM regression analysis of these factors on phishing and malware abuse, we show that the four security and software patching factors explain between 10% and 19% of the variance in abuse at providers, after controlling for size. For web-application security for instance, we found that when a provider moves from the bottom 10% to the best-performing 10%, it would experience 4 times fewer phishing incidents. We show that providers have influence over patch levels--even higher in the stack, where CMSes can run as client-side software--and that this influence is tied to a substantial reduction in abuse levels.


Computer and Communications Security | 2017

The Role of Hosting Providers in Fighting Command and Control Infrastructure of Financial Malware

Samaneh Tajalizadehkhoob; Carlos Gañán; Arman Noroozian; Michel van Eeten

A variety of botnets are used in attacks on financial services. Banks and security firms invest a lot of effort in detecting and combating malware-assisted takeover of customer accounts. A critical resource of these botnets is their command-and-control (C&C) infrastructure. Attackers rent or compromise servers to operate their C&C infrastructure. Hosting providers routinely take down C&C servers, but the effectiveness of this mitigation strategy depends on understanding how attackers select the hosting providers to host their servers. Do they prefer, for example, providers who are slow or unwilling in taking down C&Cs? In this paper, we analyze 7 years of data on the C&C servers of botnets that have engaged in attacks on financial services. Our aim is to understand whether attackers prefer certain types of providers or whether their C&Cs are randomly distributed across the whole attack surface of the hosting industry. We extract a set of structural properties of providers to capture the attack surface. We model the distribution of C&Cs across providers and show that the mere size of the provider can explain around 71% of the variance in the number of C&Cs per provider, whereas the rule of law in the country only explains around 1%. We further observe that price, time in business, popularity and ratio of vulnerable websites of providers relate significantly with C&C counts. Finally, we find that the speed with which providers take down C&C domains has only a weak relation with C&C occurrence rates, adding only 1% explained variance. This suggests attackers have little to no preference for providers who allow long-lived C&C domains.


International Conference on Agents and Artificial Intelligence | 2014

Towards Simulating Heterogeneous Drivers with Cognitive Agents

Arman Noroozian; Koen V. Hindriks; Catholijn M. Jonker

Every driver behaves differently in traffic. However, when it comes to micro-simulation of drivers with a high level of detail no framework manages to model the complexities of various driving styles as well as scale up to larger simulations. We propose a framework of micro-simulation combined with cognitive agents to facilitate such simulation tasks. Our goal is to (i) model individual drivers, and (ii) use this framework for the purpose of simulating realistic highway traffic with heterogeneous driving styles. The challenge is therefore to create a framework that facilitates such complex modeling and supports large scale simulations. We evaluate the framework from two perspectives. First, the ability to represent, model and simulate dissimilar drivers in addition to study and compare emerging behavior. Second, the scalability of the framework. We report on our experiences with the framework, outline several challenges and identify future areas for development.


Agents and Data Mining Interaction | 2012

Incentivizing Cooperation in P2P File Sharing

Arman Noroozian; Mathijs de Weerdt; Cees Witteveen

The fundamental problem with P2P networks is that quality of service depends on altruistic resource sharing by participating peers. Many peers freeride on the generosity of others. Current solutions like sharing ratio enforcement and reputation systems are complex, exploitable, inaccurate or unfair at times. The need to design scalable mechanisms that incentivize cooperation is evident. We focus on BitTorrent as the most popular P2P file sharing application and introduce an extension which we refer to as the indirect interaction mechanism (IIM). With IIM BitTorrent peers are able to barter pieces of different files (indirect interaction). We provide novel game theoretical models of BitTorrent and the IIM mechanism and demonstrate through analysis and simulations that IIM improves BitTorrent performance. We conclude that IIM is a practical solution to the fundamental problem of incentivizing cooperation in P2P networks.


Computer and Communications Security | 2018

Cybercrime After the Sunrise: A Statistical Analysis of DNS Abuse in New gTLDs

Maciej Korczynski; Maarten Wullink; Samaneh Tajalizadehkhoob; Giovane Cesar Moreira Moura; Arman Noroozian; Drew Bagley; Cristian Hesselman

To enhance competition and choice in the domain name system, ICANN introduced the new gTLD program, which added hundreds of new gTLDs (e.g. .nyc, .io) to the root DNS zone. While the program arguably increased the range of domain names available to consumers, it might also have created new opportunities for cybercriminals. To investigate that, we present the first comparative study of abuse in the domains registered under the new gTLD program and legacy gTLDs (18 in total, such as .com, .org). We combine historical datasets from various sources, including DNS zone files, WHOIS records, passive and active DNS and HTTP measurements, and 11 reputable abuse feeds to study abuse across gTLDs. We find that the new gTLDs appear to have diverted abuse from the legacy gTLDs: while the total number of domains abused for spam remains stable across gTLDs, we observe a growing number of spam domains in new gTLDs which suggests a shift from legacy gTLDs to new gTLDs. Although legacy gTLDs had a rate of 56.9 spam domains per 10,000 registrations (Q4 2016), new gTLDs experienced a rate of 526.6 in the same period, which is almost one order of magnitude higher. In this study, we also analyze the relationship between DNS abuse, operator security indicators and the structural properties of new gTLDs. The results indicate that there is an inverse correlation between abuse and stricter registration policies. Our findings suggest that cybercriminals increasingly prefer to register, rather than hack, domain names and some new gTLDs have become a magnet for malicious actors. ICANN is currently using these results to review the existing anti-abuse safeguards, evaluate their joint effects and to introduce more effective safeguards before an upcoming new gTLD rollout.


arXiv: Cryptography and Security | 2015

Developing security reputation metrics for hosting providers

Arman Noroozian; Maciej Korczynski; Samaneh Tajalizadehkhoob; M.J.G. van Eeten


IEEE European Symposium on Security and Privacy | 2017

Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs

Maciej Korczynski; Samaneh Tajalizadehkhoob; Arman Noroozian; Maarten Wullink; Cristian Hesselman; Michel van Eeten


Archive | 2017

Inferring the Security Performance of Providers from Noisy and Heterogenous Abuse Datasets

Arman Noroozian; Michael Ciere; Maciej Korczynski; Samaneh Tajalizadehkhoob; M.J.G. van Eeten

Collaboration

Top Co-Authors

Maciej Korczynski
Centre national de la recherche scientifique

Michel van Eeten
Delft University of Technology

Carlos Gañán
Polytechnic University of Catalonia

Cees Witteveen
Delft University of Technology

M.J.G. van Eeten
Delft University of Technology

Catholijn M. Jonker
Delft University of Technology

Koen V. Hindriks
Delft University of Technology