Abstract
In this paper we study the structure of criminal networks, groups of related malicious infrastructures that work in concert to provide hosting for criminal activities. We develop a method to construct a graph of relationships between malicious hosts and identify the underlying criminal networks, using historic assignments in the DNS. We also develop methods to analyze these networks to identify general structural trends and devise strategies for effective remediation through takedowns. We then apply these graph construction and analysis algorithms to study the general threat landscape, as well as four cases of sophisticated criminal networks. Our results indicate that in many cases, criminal networks can be taken down by de-registering as few as five domain names, removing critical communication links. In cases of sophisticated criminal networks, we show that our analysis techniques can identify hosts that are critical to the network’s functionality and estimate the impact of performing network takedowns in remediating the threats. In one case, disabling 20% of a criminal network’s hosts would reduce the overall volume of successful DNS lookups to the criminal network by as much as 70%. This measure can be interpreted as an estimate of the decrease in the number of potential victims reaching the criminal network that would be caused by such a takedown strategy.
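The abstract describes the pipeline only in outline: historic DNS resolutions become a graph of domains and hosts, that graph is split into networks, and takedown strategies are evaluated by the successful-lookup volume they would remove. The following Python is an added illustration of that outline, not the paper's code or data: the passive-DNS records are constructed (RFC 5737 documentation addresses and placeholder domains), connected components stand in for whatever clustering the paper actually uses, and the greedy takedown ranking is an assumed strategy chosen to show how domain takedowns and host takedowns differ in effect.

```python
"""Toy version of the analysis sketched in the abstract: build a domain/IP
graph from historic DNS resolutions, split it into candidate criminal
networks, find domains that are critical communication links, and estimate
how much successful-lookup volume a takedown of k nodes would remove.
Everything here (records, component-based clustering, greedy strategy) is
constructed for illustration; it is not the paper's algorithm or data."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed passive-DNS style records: (domain, resolved IP, successful lookups).
PDNS_RECORDS: List[Tuple[str, str, int]] = [
    ("a-bad.example", "203.0.113.10", 500),
    ("a-bad.example", "203.0.113.11", 300),
    ("b-bad.example", "203.0.113.11", 200),
    ("b-bad.example", "203.0.113.12", 100),
    ("c-bad.example", "203.0.113.12", 50),
    ("c-bad.example", "203.0.113.13", 40),
    ("d-bad.example", "198.51.100.5", 900),
    ("e-bad.example", "198.51.100.5", 100),
    ("lone.example", "192.0.2.77", 10),
]

Graph = Dict[str, Dict[str, int]]

def is_ip(node: str) -> bool:
    """Crude IPv4 test; sufficient for the constructed data above."""
    return node.replace(".", "").isdigit()

def build_graph(records: List[Tuple[str, str, int]]) -> Graph:
    """Undirected bipartite graph domain <-> IP; edge weight = lookup count."""
    adj: Graph = defaultdict(dict)
    for dom, ip, n in records:
        adj[dom][ip] = adj[dom].get(ip, 0) + n
        adj[ip][dom] = adj[ip].get(dom, 0) + n
    return dict(adj)

def components(adj: Graph, removed: FrozenSet[str] = frozenset()) -> List[Set[str]]:
    """Connected components with `removed` nodes deleted; each component is
    treated here as one candidate criminal network (a simplification)."""
    seen: Set[str] = set()
    comps: List[Set[str]] = []
    for start in adj:
        if start in seen or start in removed:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in comp or node in removed:
                continue
            comp.add(node)
            stack.extend(adj[node])
        seen |= comp
        comps.append(comp)
    return comps

def subgraph(adj: Graph, nodes: Set[str]) -> Graph:
    return {n: {m: w for m, w in adj[n].items() if m in nodes} for n in nodes}

def critical_domains(adj: Graph, network: Set[str]) -> List[str]:
    """Domains whose de-registration splits the network into two or more
    pieces that each still contain a domain (articulation points among the
    domain nodes; IPs left with no domain at all are ignored)."""
    sub = subgraph(adj, network)
    out = []
    for d in sorted(n for n in network if not is_ip(n)):
        pieces = [c for c in components(sub, frozenset({d}))
                  if any(not is_ip(n) for n in c)]
        if len(pieces) > 1:
            out.append(d)
    return out

def lookup_volume(sub: Graph, removed: Set[str]) -> int:
    """Successful lookups that survive: edges whose domain and IP are both still up."""
    return sum(w for d in sub if not is_ip(d) and d not in removed
               for ip, w in sub[d].items() if ip not in removed)

def takedown_plan(adj: Graph, network: Set[str], budget: int,
                  domains_only: bool = False) -> Tuple[int, List[Tuple[str, int]]]:
    """Greedy takedown (assumed strategy): at each step remove the node, a
    domain or an IP host, whose removal cuts the most remaining lookup volume.
    Returns the network's total volume and [(node, cumulative volume cut), ...]."""
    sub = subgraph(adj, network)
    total = lookup_volume(sub, set())
    removed: Set[str] = set()
    plan: List[Tuple[str, int]] = []
    for _ in range(budget):
        cands = sorted(n for n in network if n not in removed
                       and not (domains_only and is_ip(n)))
        current = lookup_volume(sub, removed)
        if not cands or current == 0:
            break
        best = max(cands, key=lambda n: current - lookup_volume(sub, removed | {n}))
        removed.add(best)
        plan.append((best, total - lookup_volume(sub, removed)))
    return total, plan

if __name__ == "__main__":
    g = build_graph(PDNS_RECORDS)
    for net in components(g):
        doms = sorted(n for n in net if not is_ip(n))
        if len(doms) < 2:
            continue  # a single domain on its own is not a network worth reporting
        total, plan = takedown_plan(g, net, budget=2)
        print(doms, "critical:", critical_domains(g, net))
        for node, cut in plan:
            print(f"  remove {node:15s} cumulative cut {cut}/{total} = {cut / total:.0%}")
```

Run as-is, the script reports `b-bad.example` as the only critical link in the first network (it is the only domain whose removal separates the other domains from each other), and shows why the abstract distinguishes domain de-registration from host takedowns: in the second network one shared host carries every lookup, so disabling it removes 100% of the volume in one step, whereas de-registering domains needs two steps to reach the same effect.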
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Nadji, Y., Antonakakis, M., Perdisci, R., Lee, W. (2013). Connected Colors: Unveiling the Structure of Criminal Networks. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_20
DOI: https://doi.org/10.1007/978-3-642-41284-4_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41283-7
Online ISBN: 978-3-642-41284-4
eBook Packages: Computer Science (R0)