TY - GEN
T1 - ASwatch
T2 - ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2015
AU - Konte, Maria
AU - Perdisci, Roberto
AU - Feamster, Nick
N1 - Publisher Copyright:
© 2015 ACM.
PY - 2015/8/17
Y1 - 2015/8/17
N2 - Bulletproof hosting Autonomous Systems (ASes), malicious ASes fully dedicated to supporting cybercrime, provide freedom and resources for a cyber-criminal to operate. Their services include hosting a wide range of illegal content, botnet C&C servers, and other malicious resources. Thousands of new ASes are registered every year, many of which are often used exclusively to facilitate cybercrime. A natural approach to squelching bulletproof hosting ASes is to develop a reputation system that can identify them for takedown by law enforcement and as input to other attack detection systems (e.g., spam filters, botnet detection systems). Unfortunately, current AS reputation systems rely primarily on data-plane monitoring of malicious activity from IP addresses (and thus can only detect malicious ASes after attacks are underway), and are not able to distinguish between malicious and legitimate but abused ASes. As a complement to these systems, in this paper, we explore a fundamentally different approach to establishing AS reputation. We present ASwatch, a system that identifies malicious ASes using exclusively the control-plane (i.e., routing) behavior of ASes. ASwatch's design is based on the intuition that, in an attempt to evade possible detection and remediation efforts, malicious ASes exhibit "agile" control-plane behavior (e.g., short-lived routes, aggressive re-wiring). We evaluate our system on known malicious ASes; our results show that ASwatch detects up to 93% of malicious ASes with a 5% false positive rate, which is reasonable to effectively complement existing defense systems.
KW - AS reputation
KW - Bulletproof hosting
KW - Malicious networks
UR - http://www.scopus.com/inward/record.url?scp=84962228227&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84962228227&partnerID=8YFLogxK
U2 - 10.1145/2785956.2787494
DO - 10.1145/2785956.2787494
M3 - Conference contribution
AN - SCOPUS:84962228227
T3 - SIGCOMM 2015 - Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication
SP - 625
EP - 638
BT - SIGCOMM 2015 - Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication
PB - Association for Computing Machinery, Inc
Y2 - 17 August 2015 through 21 August 2015
ER -