Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks

Bibliographic details
Main authors: Alrwais, Sumayah, Xiaojing Liao, Xianghang Mi, Peng Wang, Xiaofeng Wang, Feng Qian, Beyah, Raheem, McCoy, Damon
Format: Conference proceeding
Language: eng
container_end_page 823
container_start_page 805
creator Alrwais, Sumayah
Xiaojing Liao
Xianghang Mi
Peng Wang
Xiaofeng Wang
Feng Qian
Beyah, Raheem
McCoy, Damon
description BulletProof Hosting (BPH) services provide criminal actors with technical infrastructure that is resilient to complaints of illicit activities, which serves as a basic building block for streamlining numerous types of attacks. Anecdotal reports have highlighted an emerging trend of these BPH services reselling infrastructure from lower-end service providers (hosting ISPs, cloud hosting, and CDNs) instead of from monolithic BPH providers. This has rendered many of the prior methods of detecting BPH less effective, since instead of the infrastructure being highly concentrated within a few malicious Autonomous Systems (ASes) it is now agile and dispersed across a larger set of providers that have a mixture of benign and malicious clients. In this paper, we present the first systematic study on this new trend of BPH services. By collecting and analyzing a large amount of data (25 snapshots of the entire Whois IPv4 address space, 1.5 TB of passive DNS data, and longitudinal data from several blacklist feeds), we are able to identify a set of new features that uniquely characterizes BPH on sub-allocations and that are costly to evade. Based upon these features, we train a classifier for detecting malicious sub-allocated network blocks, achieving a 98% recall and a 1.5% false discovery rate according to our evaluation. Using a conservatively trained version of our classifier, we scan the whole IPv4 address space and detect 39K malicious network blocks. This allows us to perform a large-scale study of the BPH service ecosystem, which sheds light on this underground business strategy, including patterns of network blocks being recycled and malicious clients being migrated to different network blocks, in an effort to evade IP-address-based blacklisting. Our study highlights the trend of agile BPH services and points to potential methods of detecting and mitigating this emerging threat.
doi_str_mv 10.1109/SP.2017.32
format Conference Proceeding
publisher IEEE
date 2017-05
eisbn 9781509055333
eisbn 1509055339
coden IEEPAD
tpages 19
ieee_id 7958611
link https://ieeexplore.ieee.org/document/7958611
fulltext fulltext_linktorsrc
identifier EISSN: 2375-1207
ispartof 2017 IEEE Symposium on Security and Privacy (SP), 2017, p.805-823
issn 2375-1207
language eng
recordid cdi_ieee_primary_7958611
source IEEE Electronic Library (IEL)
subjects BulletProof
Computer crime
Ecosystems
Feature extraction
hosting
IP networks
malicious
Servers
sub-allocations
title Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-22T18%3A09%3A03IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Under%20the%20Shadow%20of%20Sunshine:%20Understanding%20and%20Detecting%20Bulletproof%20Hosting%20on%20Legitimate%20Service%20Provider%20Networks&rft.btitle=2017%20IEEE%20Symposium%20on%20Security%20and%20Privacy%20(SP)&rft.au=Alrwais,%20Sumayah&rft.date=2017-05&rft.spage=805&rft.epage=823&rft.pages=805-823&rft.eissn=2375-1207&rft.coden=IEEPAD&rft_id=info:doi/10.1109/SP.2017.32&rft_dat=%3Cieee_RIE%3E7958611%3C/ieee_RIE%3E%3Curl%3E%3C/url%3E&rft.eisbn=9781509055333&rft.eisbn_list=1509055339&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=7958611&rfr_iscdi=true
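The abstract above describes three data sources (Whois snapshots of sub-allocated blocks, blacklist feeds, passive DNS) and two evasion patterns (blocks recycled to new customers, malicious clients migrated between blocks). The following Python is an added illustration of how such features can be computed over that kind of data; it is not the authors' code, and the records, the feature definitions, the recycling rule and the 4% density threshold are all constructed assumptions for this example rather than the features or classifier of the paper.

```python
"""Toy feature extraction over Whois sub-allocation snapshots, a blacklist
feed and passive-DNS records, in the spirit of the abstract above.

Every record below is constructed for illustration. The feature set, the
recycling rule and the density threshold are this example's own assumptions,
not the features or the classifier described in the paper."""
import ipaddress
from collections import defaultdict

# Constructed Whois snapshots: (snapshot, sub-allocated block, parent block, org)
WHOIS_SNAPSHOTS = [
    (1, "198.51.100.0/26",   "198.51.100.0/24", "ACME-HOSTING"),
    (1, "198.51.100.64/26",  "198.51.100.0/24", "SHADYRESELL"),
    (1, "203.0.113.0/27",    "203.0.113.0/24",  "CORP-IT"),
    (2, "198.51.100.0/26",   "198.51.100.0/24", "ACME-HOSTING"),
    (2, "198.51.100.64/26",  "198.51.100.0/24", "FASTVPS-LLC"),  # same block, new org: recycled
    (2, "198.51.100.128/26", "198.51.100.0/24", "SHADYRESELL"),  # reseller reappears on a fresh block
    (2, "203.0.113.0/27",    "203.0.113.0/24",  "CORP-IT"),
]

# Constructed blacklist feed: (snapshot, listed IP)
BLACKLIST = [
    (1, "198.51.100.70"), (1, "198.51.100.71"), (1, "198.51.100.90"),
    (2, "198.51.100.130"), (2, "198.51.100.131"), (2, "198.51.100.132"),
    (2, "203.0.113.5"),
]

# Constructed passive DNS: (snapshot, domain, resolved IP)
PDNS = [
    (1, "phish-login.example", "198.51.100.70"),
    (2, "phish-login.example", "198.51.100.130"),
    (1, "intranet.corp.example", "203.0.113.5"),
    (2, "intranet.corp.example", "203.0.113.5"),
]


def index_snapshots(snapshots):
    """Build {snapshot: {IPv4Network(sub-allocation): org}}."""
    by_snap = defaultdict(dict)
    for snap, block, _parent, org in snapshots:
        by_snap[snap][ipaddress.ip_network(block)] = org
    return by_snap


def block_of(ip, blocks):
    """Return the most specific block in `blocks` containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [b for b in blocks if addr in b]
    return max(hits, key=lambda b: b.prefixlen) if hits else None


def suballocation_features(snapshots, blacklist):
    """Per (snapshot, block): blacklist density, org, and whether the block was
    handed to a different org than in the previous snapshot (recycling)."""
    by_snap = index_snapshots(snapshots)
    listed = defaultdict(set)
    for snap, ip in blacklist:
        blk = block_of(ip, by_snap[snap])
        if blk is not None:
            listed[(snap, blk)].add(ip)
    feats, prev_org = {}, {}
    for snap in sorted(by_snap):
        for blk, org in by_snap[snap].items():
            feats[(snap, str(blk))] = {
                "org": org,
                "density": len(listed[(snap, blk)]) / blk.num_addresses,
                "recycled": blk in prev_org and prev_org[blk] != org,
            }
            prev_org[blk] = org
    return feats


def migrated_clients(pdns, snapshots):
    """Domains whose resolutions land in more than one sub-allocated block over
    time: the 'client migrated to a different network block' pattern."""
    by_snap = index_snapshots(snapshots)
    seen = defaultdict(set)
    for snap, domain, ip in pdns:
        blk = block_of(ip, by_snap[snap])
        if blk is not None:
            seen[domain].add(str(blk))
    return {d: sorted(b) for d, b in seen.items() if len(b) > 1}


def suspicious_blocks(feats, density_threshold=0.04):
    """Assumed rule: a sub-allocation is suspicious in a snapshot when at least
    4% of its addresses are blacklisted (threshold chosen for this toy data)."""
    return sorted(k for k, f in feats.items() if f["density"] >= density_threshold)


if __name__ == "__main__":
    feats = suballocation_features(WHOIS_SNAPSHOTS, BLACKLIST)
    for key in suspicious_blocks(feats):
        print("suspicious", key, feats[key])
    for key, f in feats.items():
        if f["recycled"]:
            print("recycled", key, "->", f["org"])
    print("migrated", migrated_clients(PDNS, WHOIS_SNAPSHOTS))
```

Two things in the toy data mirror the abstract's observations: the reseller's block is flagged in snapshot 1, then the same range reappears under a different org in snapshot 2 (recycling) while the phishing domain's resolutions move to a fresh sub-allocation (migration). A real system would learn thresholds from labelled data and add per-parent-block context; the point here is only that sub-allocation granularity, not the AS, is the unit the features are computed on.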