Understanding the Ecosystem of IoT DDoS Services
Damon McCoy | New York University
Oct. 24th, 2019
Team Profile
- MINIONS: MitigatINg IOt-based DDoS attacks via DNS
- NYU Ph.D. students: Rasika Bhalerao and Maxwell Aliapoulios
- Dutch collaborators: Michel van Eeten, Carlos Ganan, Arman Noroozian, Elsa Turcios Rodriguez
Customer Need
- We lack tools to understand the structure and economics of IoT DDoS services and to monitor them.
- Such tools are useful for discovering more efficient points at which to undermine these services.
- Potential customers: law enforcement and private security companies.
- Today there is no understanding of the structure and economics of IoT DDoS services, and monitoring is ad hoc.
Approach (Part 1)
- Automated techniques to discover DDoS services advertised on underground forums.
- Create trained natural language processing models to detect underground forum posts selling and buying DDoS services.
- Requires a manually labeled corpus of posts selling and buying DDoS services, and a set of text features adapted to this problem.
Approach (Continued, Part 2)
- Automated methods to detect replies indicating that a member has purchased the product sold in a thread.
- Create a supervised natural language processing model to detect buy replies.
- Requires a manually labeled corpus of buying replies and text features adapted to this problem.
Approach (Continued, Part 3)
- Method to detect DDoS-related supply chains.
- Combination of the prior approaches and graph algorithms.
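As an added example (not the project's code or the published algorithm), one way to turn the Part 1 sell-post labels and Part 2 buy-reply labels into supply-chain edges with a simple graph walk. The record shapes, the constructed sample data, and the rule that a purchase must precede the member's own sale are assumptions made for illustration.

```python
from collections import defaultdict, namedtuple

# Assumed record shapes: what the Part 1 (sell post) and Part 2 (buy reply)
# classifiers emit. `day` is a constructed timeline in days since crawl start.
SellPost = namedtuple("SellPost", "thread user product day")
BuyReply = namedtuple("BuyReply", "thread user day")

def build_chains(sells, buys):
    """Map (product_bought, product_sold) -> set of users who did both.

    Edge A -> B: a member bought A in someone else's thread and later opened
    their own thread selling B. The ordering rule is an assumption.
    """
    thread_info = {s.thread: s for s in sells}
    purchases = defaultdict(list)  # user -> [(day, product bought)]
    for b in buys:
        origin = thread_info.get(b.thread)
        # skip replies in unlabelled threads and sellers bumping their own thread
        if origin is None or origin.user == b.user:
            continue
        purchases[b.user].append((b.day, origin.product))
    chains = defaultdict(set)
    for s in sells:
        for day, bought in purchases.get(s.user, ()):
            if day < s.day:  # the purchase must precede the sale
                chains[(bought, s.product)].add(s.user)
    return dict(chains)

def rank_chains(chains):
    """Edges with the most members first: candidate intervention points."""
    return sorted(chains.items(), key=lambda kv: (-len(kv[1]), kv[0]))

# Constructed sample records; no real forum, users or threads.
SELLS = [
    SellPost("t0", "u3", "ddos service", 1),
    SellPost("t1", "u0", "iot botnet source", 1),
    SellPost("t2", "u5", "bulletproof hosting", 2),
    SellPost("t3", "u1", "ddos service", 10),
    SellPost("t4", "u2", "ddos service", 15),
]
BUYS = [
    BuyReply("t1", "u1", 2), BuyReply("t1", "u2", 3), BuyReply("t2", "u1", 4),
    BuyReply("t1", "u3", 5),   # u3 sold on day 1, bought on day 5: not a chain
    BuyReply("t3", "u4", 12),  # end customer who never sells anything
    BuyReply("t1", "u0", 6),   # seller replying in their own thread: ignored
]

if __name__ == "__main__":
    for (bought, sold), users in rank_chains(build_chains(SELLS, BUYS)):
        print(f"{bought} -> {sold}: {sorted(users)}")
```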
Benefits
- Automates DDoS service discovery and supply chain reconstruction, tasks that are often performed manually using ad hoc keyword searches.
- Benefit: provides a scalable solution that requires less manual effort and has improved recall.
- Risk: might need to be trained separately for each forum.
Competition/Alternatives
- Many companies offer keyword-based search portals that analysts and law enforcement use to discover DDoS services.
- These are prone to false positives and false negatives, and require domain knowledge to generate lists of keywords.
- Expensive and skilled-labor intensive.
Current Status (Part 1)
- Labeled data from two underground forums: Hack Forums (EN) and AntiChat (RU).
- Built models to detect 14 types of products, including DDoS services.
- F1 scores range from 0.81-0.87 for the four models.
- Ran the models over the entire forums and identified DDoS service sellers, buyers, and supply chains.
Current Status (Continued, Part 2)
- Published an academic study at the IEEE eCrime Symposium: "Mapping the Underground: Supervised Discovery of Cybercrime Supply Chains", Rasika Bhalerao, Maxwell Aliapoulios, Ilia Shumailov, Sadia Afroz, Damon McCoy, IEEE eCrime 2019.
- Fulfils the first NYU-led milestone.
Current Status (Continued, Part 3)
- Releasing code, annotations, models, and other artifacts required to reproduce the results.
- TU Delft/NYU collaboration on an economic study of bulletproof hosting, which relates to the infrastructure used by IoT DDoS botnets.
- Published at USENIX Security 2019.
Current Status (Continued, Part 4)
- Working on exploring the economics and structure of IoT DDoS services, and on monitoring tools.
Transition/Completion Activities
- Flashpoint is working on implementing parts of our code in their production platform.
- Early access to results provided under a data sharing agreement.
- Dutch Police amended their case based on our findings about a bulletproof hoster.
Lessons Learned (Part 1)
- Many of the IoT DDoS services have switched to using Telegram instead of underground forums. We need tools to analyze Telegram chat data.
- Manual labeling should be done on posts from the specific forum, and the labels need to be updated every 2-3 months.
Lessons Learned (Continued, Part 2)
- Challenging to distinguish IoT-based from Virtual Private Server-based DDoS services.
- Weak connection to DNS, since many of the IoT botnets are not registering domains for their command and control servers.