Skip to main content
SpringerLink
Log in

The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges

  • Conference paper
  • First Online:
Research in Attacks, Intrusions, and Defenses (RAID 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9854))

Abstract

The underground commoditization of compromised hosts suggests a tacit capability where miscreants leverage the same machine—subscribed by multiple criminal ventures—to simultaneously profit from spam, fake account registration, malicious hosting, and other forms of automated abuse. To expedite the detection of these commonly abusive hosts, there are now multiple industry-wide efforts that aggregate abuse reports into centralized threat exchanges. In this work, we investigate the potential benefit of global reputation tracking and the pitfalls therein. We develop our findings from a snapshot of 45 million IP addresses abusing six Google services including Gmail, YouTube, and ReCaptcha between April 7–April 21, 2015. We estimate the scale of end hosts controlled by attackers, expose underground biases that skew the abuse perspectives of individual web services, and examine the frequency that criminals re-use the same infrastructure to attack multiple, heterogeneous services. Our results indicate that an average Google service can block 14 % of abusive traffic based on threats aggregated from seemingly unrelated services, though we demonstrate that outright blacklisting incurs an untenable volume of false positives.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    We opt for these reports over existing threat exchange data because the nascent (and invite-only) state of industry threat exchanges precludes a representative dataset for study.

  2. 2.

    While clients may report spoofed User-Agents, we assume that the majority of non-abusive users accurately report their device information.

  3. 3.

    ASN transitions may also occur due to a single network operator controlling multiple AS numbers, or alternatively, users may log in from duplicate devices (in terms of User-Agents) in different networks. Geolocation variations are within the predicted error of geolocation services.

References

  1. Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eeten, M.J.G., Levi, M., Moore, T., Savage, S.: Measuring the cost of cybercrime. In: Proceedings of the Workshop on Economics of Information Security (WEIS) (2012)

    Google Scholar 

  2. Asghari, H., Ciere, M., Van Eeten, M.J.: Post-mortem of a Zombie: conficker cleanup after six years. In: Proceedings of the USENIX Security Symposium (2015)

    Google Scholar 

  3. Taylor, B.: It’s not about the spam (2007). http://goo.gl/zzAL4N

  4. Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring pay-per-install: the commoditization of malware distribution. In: USENIX Security Symposium (2011)

    Google Scholar 

  5. Casado, M., Freedman, M.J.: Peering through the shroud: the effect of edge opacity on IP-based client identification. In: Proceedings of the Symposium on Networked Systems Design and Implementation (2007)

    Google Scholar 

  6. Czyz, J., Allman, M., Zhang, J., Iekel-Johnson, S., Osterweil, E., Bailey, M.: Measuring IPv6 adoption. In: Proceedings of the ACM Conference on SIGCOMM (2014)

    Google Scholar 

  7. DShield.: DShield (2015). https://www.dshield.org/

  8. Grier, C., Thomas, K., Paxson, V., Zhang, M.: @spam: the underground on 140 characters or less. In: Proceedings of the ACM Conference on Computer and Communications Security (2010)

    Google Scholar 

  9. Hammell, M.: ThreatExchange: sharing for a safer internet (2015). http://on.fb.me/1zvuPdS

  10. Hong, C.-Y., Fang, Y., Xie, Y.: Populated IP addresses: classification and applications. In: Proceedings of the Conference on Computer and Communications Security (2012)

    Google Scholar 

  11. Ihm, S., Pai, V.S.: Towards understanding modern web traffic. In: Proceedings of the ACM SIGCOMM Internet Measurement Conference (2011)

    Google Scholar 

  12. Jung, J., Sit, E.: An empirical study of spam traffic and the use of DNS black lists. In: Proceedings of the ACM SIGCOMM Internet Measurement Conference (2004)

    Google Scholar 

  13. Kreibich, C., Weaver, N., Nechaev, B., Paxson, V.: Netalyzr: illuminating the edge network. In: Proceedings of the ACM SIGCOMM Internet Measurement Conference (2010)

    Google Scholar 

  14. Kührer, M., Rossow, C., Holz, T.: Paint it black: evaluating the effectiveness of malware blacklists. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 1–21. Springer, Heidelberg (2014)

    Google Scholar 

  15. Levchenko, K., Pitsillidis, A., Chachra, N., Enright, B., Félegyházi, M., Grier, C., Halvorson, T., Kanich, C., et al.: Click trajectories: end-to-end analysis of the spam value chain. In: Proceedings of the IEEE Symposium on Security and Privacy (2011)

    Google Scholar 

  16. Maier, G., Feldmann, A., Paxson, V., Allman, M.: On dominant characteristics of residential broadband internet traffic. In: Proceedings of the ACM SIGCOMM Internet Measurement Conference (2009)

    Google Scholar 

  17. McCoy, D., Pitsillidis, A., Jordan, G., Weaver, N., Kreibich, C., Krebs, B., Voelker, G.M., Savage, S., Levchenko, K.: Pharmaleaks: understanding the business of online pharmaceutical affiliate programs. In: Proceedings of the 21st USENIX Conference on Security Symposium (2012)

    Google Scholar 

  18. Metwally, A., Paduano, M.: Estimating the number of users behind IP addresses for combating abusive traffic. In: Proceedings of the SIGKDD International Conference on Knowledge Discovery and Data Mining (2011)

    Google Scholar 

  19. Miller, R.: AlienVault announces more social threat exchange (2015). http://tcrn.ch/1FL7E8A

  20. Neville, A., Gibb, R.: ZeroAccess indepth (2013). http://goo.gl/j0eMHr

  21. Pearce, P., Dave, V., Grier, C., Levchenko, K., Guha, S., McCoy, D., Paxson, V., Savage, S., Voelker, G.M.: Characterizing large-scale click fraud in zeroaccess. In: Proceedings of the Conference on Computer and Communications Security (2014)

    Google Scholar 

  22. Pitsillidis, A., Kanich, C., Voelker, G.M., Levchenko, K., Savage, S.: Taster’s choice: a comparative analysis of spam feeds. In: Proceedings of the ACM SIGCOMM Internet Measurement Conference (2012)

    Google Scholar 

  23. Provos, N.: Safe browsing - protecting web users for 5 years and counting (2012). http://goo.gl/psdXkP

  24. Provos, N., Mavrommatis, P., Rajab, M.A., Monrose, F.: All your iFRAMEs point to us. In: Proceedings of the USENIX Security Symposium (2008)

    Google Scholar 

  25. Rains, T.: Microsoft interflow: a new security and threat information exchange platform (2015). http://bit.ly/1SKpcs2

  26. Ramachandran, A., Feamster, N.: Understanding the network-level behavior of spammers. In: Proceedings of the ACM Conference on SIGCOMM (2006)

    Google Scholar 

  27. Rowinski, M.: More than 1,000 organizations join IBM to battle cybercrime (2015). https://www-03.ibm.com/press/us/en/pressrelease/46856.wss

  28. Sinha, P., Boukhtouta, A., Belarde, V.H., Debbabi, M.: Insights from the analysis of the Mariposa botnet. In: Proceedings of the International Conference on Risks and Security of Internet and Systems (CRiSIS) (2010)

    Google Scholar 

  29. Sinha, S., Bailey, M., Jahanian, F.: Improving spam blacklisting through dynamic thresholding and speculative aggregation. In: Proceedings of the Network & Distributed System Security Symposium (2010)

    Google Scholar 

  30. Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your botnet is my botnet: analysis of a botnet takeover. In: Proceedings of the ACM Conference on Computer and Communications Security (2009)

    Google Scholar 

  31. Thomas, K., Grier, C., Song, D., Paxson, V.: Suspended accounts in retrospect: an analysis of Twitter spam. In: Proceedings of the Internet Measurement Conference (2011)

    Google Scholar 

  32. Thomas, K., Huang, D.Y., Wang, D., Bursztein, E., Grier, C., Holt, T.J., et al.: Framing dependencies introduced by underground commoditization. In: Proceedings of the Workshop on the Economics of Information Security (2015)

    Google Scholar 

  33. Thomas, K., McCoy, D., Grier, C., Kolcz, A., Paxson, V.: Trafficking fraudulent accounts: the role of the underground market in Twitter spam and abuse. In: Proceedings of the USENIX Security Symposium (2013)

    Google Scholar 

  34. Xie, Y., Fang, Y., Achan, K., Gillum, E., Goldszmidt, M., Wobber, T.: How dynamic are IP addresses? In: Proceedings of the ACM Conference on SIGCOMM (2007)

    Google Scholar 

  35. Fang, Y., Xie, Y., Ke, Q.: Sbotminer: large scale search bot detection. In: Proceedings of the ACM International Conference on Web Search and Data Mining (2010)

    Google Scholar 

  36. Zhang, J., Chivukula, A., Bailey, M., Karir, M., Liu, M.: Characterization of blacklists and tainted network traffic. In: Roughan, M., Chang, R. (eds.) PAM 2013. LNCS, vol. 7799, pp. 218–228. Springer, Heidelberg (2013)

    Google Scholar 

Download references

Acknowledgments

This work was supported in part by the National Science Foundation under contracts CNS 1409758, CNS 1111699, and CNS 1518741. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.

Author information

Authors and Affiliations

  1. Google, Inc., Mountain View, USA

    Kurt Thomas, Rony Amira, Adi Ben-Yoash, Ori Folger, Amir Hardon, Ari Berger & Elie Bursztein

  2. University of Illinois, Urbana-Champaign, Champaign, USA

    Michael Bailey

Authors
  1. Kurt Thomas
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Rony Amira
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Adi Ben-Yoash
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ori Folger
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Amir Hardon
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Ari Berger
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Elie Bursztein
    View author publications

    You can also search for this author in PubMed Google Scholar

  8. Michael Bailey
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Kurt Thomas .

Editor information

Editors and Affiliations

  1. University of North Carolina at Chapel H , Chapel-Hill, USA

    Fabian Monrose

  2. Qatar Computing Research Institute , Doha, Qatar

    Marc Dacier

  3. Université Paris-Saclay , Evry, France

    Gregory Blanc

  4. TELECOM SudParis , EVRY, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Thomas, K. et al. (2016). The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science(), vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-45719-2_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45718-5

  • Online ISBN: 978-3-319-45719-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation