Geopolitical Research: E-Crime

L Jean Camp

My work combines large-scale modeling and datasets with targeted smaller experiments to produce insights that hold for the greater whole. In routing, we combined large-scale RouteViews data with geographical and political data to build measures of the trustworthiness of route updates. In certificates, we combined small local browsing communities with terabytes of certificate data, proving that important features for the detection of rogue and phishing certificates are the geography and governance of the recipient, the entity certified, and the certificate authority. In addition, our group has applied traditional macroeconomic regression techniques to identify features that are correlated with different types of ecrime.

The Politics of Routing

BGP has proven resilient in the face of failures, attacks, and general maliciousness and incompetence. Yet in recent years several trends have emerged that illustrate the vulnerability of the control plane. One source is misguided network configuration. China Telecom, for example, announced its ownership of 15% of all IPv4 space in April of 2010, resulting in loss of traffic. This was represented as an error, and given that the traffic did not reach its intended destination, it would have been an extremely clumsy attack.

Our current work in this area explores BGP integrity by combining machine learning and graph theoretical techniques on axes that include the technical, temporal, economic, and geopolitical to identify anomalies. We have published and shown a proof of concept that generates firewall rules based on BGP changes.

Since 2001, route hijacking has been turned into an attack [10]. Many of these attacks appear to remain undetected and unreported, prompting calls for a ubiquitous cryptographic solution, e.g., [12]. Some of them are clearly associated with other crimes, such as spam, and in one case the control plane was used to steal bitcoins from a miners' pool [7]. Yet like many previous solutions, RPKI is incentive-misaligned and requires widespread adoption. It also does not address unallocated address space. BGPSEC is an example of a solution that was operationally and economically misaligned with the problem it was intended to solve: its requirements and benefits for early adopters discourage adoption. Should BGPSEC be adopted, it may be resistant to neither political attacks nor misconfigurations. As the experience with certificate authorities issuing X.509 certificates for the Web shows, political attacks are difficult to prevent and detect with an all-or-nothing cryptographic model of trust. Sometimes malicious authorities are necessarily trusted for purposes of access, interoperability, and connectivity. Other solutions call for the creation of trusted third parties [13] or other changes to the infrastructure.

We examined the jurisdictions of routes and evaluated both how to identify the risk and how to avoid it. The conference publications addressed how to categorize routing anomalies [11] and provided a coded demonstration project that showed how to respond [9]. The first paper, “Incompetents, Criminals, or Spies: Macroeconomic Analysis of Routing Anomalies”, was accepted by the journal ACM Computers & Security. A more detailed technical description of the code presented at the policy conference was published at MILCOM [3].

Other results [1] applied the models and results of the previous work to larger financial institutions, with the goal of identifying the disruption these institutions would face should blocking based on our risk estimates be adopted. Before that work we published a model of the interactions of ISPs under different filtering regimes [2].
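The jurisdiction-based screening described in this section, as an added example that is not the group's own code (the BGP speaker of [3] is not reproduced here): each announcement is checked against a constructed expected-origin table standing in for registry, IRR or RPKI data, a constructed AS-to-country table, and a set of jurisdictions the operator has cleared for transit; every flagged prefix yields a block rule. All prefixes, AS numbers and countries below are constructed.

```python
"""Jurisdiction-aware screening of BGP announcements (illustrative).

Added example, not the group's BGP speaker from [3]. Each announcement is
checked against a constructed expected-origin table (standing in for
registry, IRR or RPKI data), a constructed AS-to-country table and a set of
jurisdictions the operator has cleared for transit; flagged prefixes get a
block rule. Prefixes, AS numbers and countries are all constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

EXPECTED_ORIGIN: Dict[str, int] = {      # constructed allocated prefix -> origin AS
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64501,
}
AS_COUNTRY: Dict[int, str] = {           # constructed AS -> country of registration
    64500: "US", 64501: "DE", 64502: "RU", 64503: "NL", 64504: "FR",
}
TRUSTED = {"US", "DE", "NL", "FR"}       # jurisdictions cleared for transit


def covering_allocation(prefix: str) -> Optional[Tuple[str, int]]:
    """Longest allocated prefix containing `prefix`, with its expected origin AS."""
    net = ipaddress.ip_network(prefix)
    best: Optional[Tuple[str, int]] = None
    for alloc, origin in EXPECTED_ORIGIN.items():
        anet = ipaddress.ip_network(alloc)
        if net.version == anet.version and net.subnet_of(anet):
            if best is None or anet.prefixlen > ipaddress.ip_network(best[0]).prefixlen:
                best = (alloc, origin)
    return best


def screen(prefix: str, as_path: List[int]) -> List[str]:
    """Anomaly tags for one announcement; an empty list means it passed."""
    tags: List[str] = []
    origin = as_path[-1]                 # the last AS in the path claims to own the prefix
    alloc = covering_allocation(prefix)
    if alloc is None:
        tags.append("unallocated")       # the gap the page notes RPKI does not close
    else:
        alloc_prefix, expected = alloc
        if origin != expected:
            tags.append("origin_mismatch")
        if ipaddress.ip_network(prefix).prefixlen > ipaddress.ip_network(alloc_prefix).prefixlen:
            tags.append("more_specific")
    # an AS with no known country ("??") is treated as not cleared
    uncleared = sorted({AS_COUNTRY.get(asn, "??") for asn in as_path} - TRUSTED)
    if uncleared:
        tags.append("uncleared_jurisdiction:" + ",".join(uncleared))
    return tags


def firewall_rules(updates: List[Tuple[str, List[int]]]) -> List[str]:
    """One iptables-style drop rule per flagged prefix, annotated with its tags."""
    rules = []
    for prefix, path in updates:
        tags = screen(prefix, path)
        if tags:
            rules.append(f"iptables -A OUTPUT -d {prefix} -j DROP  # {' '.join(tags)}")
    return rules


# Constructed announcements: (prefix, AS path as received).
UPDATES = [
    ("198.51.100.0/24", [64503, 64500]),            # clean
    ("198.51.100.128/25", [64503, 64502]),          # more-specific from the wrong origin
    ("203.0.113.0/24", [64504, 64502, 64501]),      # right origin, transits an uncleared AS
    ("192.0.2.0/24", [64503, 64504]),               # no allocation on record
]

if __name__ == "__main__":
    for rule in firewall_rules(UPDATES):
        print(rule)
```

The third constructed announcement is the case the text is about: the origin is exactly the registered one, so an RPKI-style origin check passes, and only the jurisdiction of the transit AS marks it as a route an operator may not want its traffic to take.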

Kevin Benton has defended his dissertation, Securing The Internet Control Plane, and Pablo Moriano plans to graduate in 2019. Pablo is using graphical analyses to examine control plane disruptions and provide early detection of them. This work is currently accepted at the Complex Systems Conference as an extended abstract.

The Geography of Certificates

Phishing and man-in-the-middle (MITM) attacks exploit the lack of meaningful authentication of remote sites. Domain blacklists and X.509 certificate verification could in theory have solved these problems. For a plethora of reasons, these technologies as implemented have proven inadequate to the task of defeating masquerade attacks. Traditional blacklists and certificate verification fail from the perspectives of correctness, timeliness, completeness, and resilience to adversarial learning attacks. In early work, Zheng Dong examined the value of additional information in a small dataset, measuring the marginal value of each addition in a network where trust is critical [4].

In building local validation we observed that the vast majority of domains and certificates were viewed repeatedly. The geographical distribution of certificate authorities was even more strongly skewed.

Dong's first work on certificates used clustering to classify certificates as highly trustworthy, marginally trustworthy, or suspicious [6]. From this we built a more complete analysis using six algorithms: Random Forest, K-Nearest Neighbors, C4.5, Decision Table, Naive Bayes Tree, and Simple Logistic models. That work received a best paper award at the annual eCrime Symposium [5].

In Zheng Dong's dissertation, “Small Communities with Strong Ties (and, vs, or) Big Data in Detecting Masquerade Attacks”, he noted that since all individuals are both part of small networks with strong ties and part of the larger Internet as a whole, the two approaches can be combined to provide an effective, timely, complete and resilient defense against the range of masquerade attacks. For homogeneous, or homophilous, online users, small self-organized communities with leptokurtically distributed browsing habits can provide a strong defense against malicious domains. These are small networks with high degrees of trust and no strangers. Such mechanisms can provide additional benefits such as information sharing. For a larger population of heterogeneous network users, a machine-learning mechanism based on public key certificates can identify malicious sites with a high degree of precision. Machine-learning models can also effectively detect malicious certificates that are technically valid, known as “rogue certificates”. In particular, the model for rogue certificates depends on geographical variables including the historical and current nation of 1) the subject of the certificate, 2) the certificate authority, and 3) the AS of the IP serving the certificate. The result was a machine learning approach, patented by Microsoft, that considers nation of origin as a risk factor. (Microsoft hired my student.)
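The three geographical variables named above, turned into a feature vector and fed to a small classifier, as an added example that is neither the dissertation's code nor its model. The IP-to-AS table, the six labelled training observations and the feature definitions are constructed; the classifier is a minimal Bernoulli naive Bayes rather than any of the six algorithms the page lists.

```python
"""Geography-derived features for rogue-certificate triage (illustrative).

Added example, not the dissertation's code or model. It computes the three
jurisdiction features named on the page (nation of the certificate subject,
of the issuing CA, and of the AS serving the IP) plus history features from
earlier sightings of the same domain, and fits a small Bernoulli naive Bayes
classifier on constructed labelled observations. The IP-to-AS table and all
observations are constructed; a real deployment would draw them from
whois/geolocation data and a certificate observatory.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed IP -> (AS number, AS country of registration) lookup.
IP_TO_AS: Dict[str, Tuple[int, str]] = {
    "198.51.100.7": (64500, "US"),
    "203.0.113.9": (64501, "DE"),
    "192.0.2.44": (64502, "RU"),
}

FEATURES = ("subj_ca_mismatch", "subj_as_mismatch", "subject_moved", "ca_moved")


@dataclass
class Observation:
    domain: str
    subject_country: str      # C= in the certificate subject
    ca_country: str           # C= in the issuer
    server_ip: str            # address that served the certificate
    # earlier (subject_country, ca_country) pairs seen for this domain
    history: List[Tuple[str, str]] = field(default_factory=list)


def extract(obs: Observation) -> Dict[str, int]:
    """Binary feature vector; history features are 0 when nothing was seen before."""
    as_country = IP_TO_AS.get(obs.server_ip, (None, "??"))[1]
    seen_subject = {s for s, _ in obs.history}
    seen_ca = {c for _, c in obs.history}
    return {
        "subj_ca_mismatch": int(obs.subject_country != obs.ca_country),
        "subj_as_mismatch": int(obs.subject_country != as_country),
        "subject_moved": int(bool(obs.history) and obs.subject_country not in seen_subject),
        "ca_moved": int(bool(obs.history) and obs.ca_country not in seen_ca),
    }


class BernoulliNB:
    """Minimal Bernoulli naive Bayes with Laplace smoothing."""

    def __init__(self) -> None:
        self.prior: Dict[str, float] = {}
        self.cond: Dict[Tuple[str, str], float] = {}   # (label, feature) -> P(f=1 | label)

    def fit(self, rows: List[Dict[str, int]], labels: List[str]) -> "BernoulliNB":
        for label in sorted(set(labels)):
            idx = [i for i, l in enumerate(labels) if l == label]
            self.prior[label] = len(idx) / len(labels)
            for f in FEATURES:
                ones = sum(rows[i][f] for i in idx)
                self.cond[(label, f)] = (ones + 1) / (len(idx) + 2)
        return self

    def predict(self, row: Dict[str, int]) -> str:
        best, best_lp = "", -math.inf
        for label, p in self.prior.items():
            lp = math.log(p)
            for f in FEATURES:
                q = self.cond[(label, f)]
                lp += math.log(q if row[f] else 1.0 - q)
            if lp > best_lp:
                best, best_lp = label, lp
        return best


# Constructed training observations (three benign, three rogue).
TRAINING = [
    (Observation("bank.example", "US", "US", "198.51.100.7", [("US", "US")]), "benign"),
    (Observation("shop.example", "DE", "DE", "203.0.113.9"), "benign"),
    (Observation("mail.example", "US", "DE", "198.51.100.7", [("US", "DE")]), "benign"),
    (Observation("bank.example", "US", "RU", "192.0.2.44", [("US", "US")]), "rogue"),
    (Observation("shop.example", "RU", "RU", "192.0.2.44", [("DE", "DE")]), "rogue"),
    (Observation("mail.example", "DE", "RU", "192.0.2.44", [("DE", "DE")]), "rogue"),
]
MODEL = BernoulliNB().fit([extract(o) for o, _ in TRAINING], [l for _, l in TRAINING])


def triage(obs: Observation) -> str:
    """Label a new observation 'benign' or 'rogue' with the constructed model."""
    return MODEL.predict(extract(obs))


if __name__ == "__main__":
    suspect = Observation("mail.example", "DE", "RU", "192.0.2.44", [("DE", "DE")])
    print(extract(suspect), "->", triage(suspect))
```

The point the features carry is the one the text makes about valid-but-rogue certificates: nothing in the vector depends on signature validity or expiry, only on whether the subject, issuer and serving network sit in the jurisdictions they sat in before. A foreign CA alone (third training row) is deliberately labelled benign, since that pattern is common in practice.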

The Macroeconomics of eCrime

Our research group has been an innovator in using World Bank and Transparency International data to explore indicators of, and correlations between, different components of ecrime [8]. We have found nation and region of origin to be relevant in analyses of spam [14], as, incidentally, did Microsoft from its own data [19]. We began the work with an argument that there is a reasonable basis in criminology to expect ecrime to be correlated with governance variables, although different theories point to different factors [8, 18]. In our earlier work we explored how well different criminology theories account for the production of malware through a statistical analysis of nation-state variables [15]. Later we applied the same framework to spam [9]. We found that while governance and economic variables correlated with both malware and spam, there was a significant difference in which factors these were. Looking further, we examined the most human component of ecrime: the crowdsourcing necessary to create email accounts, solve CAPTCHAs, and provide human interaction [16]. Further macroeconomic analysis has also found state-level variables to be significant in the distribution of malware, including the economic variables we considered in the routing work [14].

References

[1] Kevin Benton and L Jean Camp. Firewalling scenic routes: Preventing data exfiltration via political and geographic routing policies. In Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense, pages 31–36. ACM, 2016.

[2] Kevin Benton, L Jean Camp, Timothy Kelley, and Martin Swany. Filtering IP source spoofing using feasible path reverse path forwarding with SDN. In 5th International Conference on Communication and Network Security. IEEE, 2015.

[3] Kevin Benton, L Jean Camp, and Martin Swany. Bongo: A BGP speaker built for defending against bad routes. In Military Communications Conference, MILCOM 2016, pages 735–739. IEEE, 2016.

[4] Zheng Dong and L Jean Camp. The decreasing marginal value of evaluation network size. ACM SIGCAS Computers and Society, 41(1):23–37, 2011.

[5] Zheng Dong, Apu Kapadia, Jim Blythe, and L Jean Camp. Beyond the lock icon: real-time detection of phishing websites using public key certificates. In Electronic Crime Research (eCrime), 2015 APWG Symposium on, pages 1–12. IEEE, 2015.

[6] Zheng Dong, Apu Kapadia, and L. Jean Camp. Pinning & binning: Real time classification of certificates, 2013. Poster presented at ACSAC 2013, Dec. 9–13, New Orleans, LA.

[7] Quentin Jacquemart. Towards uncovering BGP hijacking attacks. PhD thesis, Télécom ParisTech, 2015.

[8] Vaibhav Garg and L Jean Camp. Why cybercrime? ACM SIGCAS Computers and Society, 45(2):20–28, 2015.

[9] Kevin Benton and L Jean Camp. Examining the jurisdictions of Internet routes to prevent data exfiltration. TPRC, October 2016.

[10] Taka Mizuguchi and Tomoya Yoshida. Inter-domain routing security: BGP route hijacking. In Proceedings of the Asia Pacific Regional Internet Conference on Operational Technologies (APRICOT 2007), 2007.

[11] Pablo Moriano and L Jean Camp. Incompetents, criminals, or spies: Macroeconomic analysis of routing anomalies. TPRC, October 2016.

[12] Matthias Wählisch, Olaf Maennel, and Thomas C Schmidt. Towards detecting BGP route hijacking using the RPKI. ACM SIGCOMM Computer Communication Review, 42(4):103–104, 2012.

[13] Zheng Zhang, Ying Zhang, Y Charlie Hu, and Z Morley Mao. Practical defenses against BGP prefix hijacking. In Proceedings of the 2007 ACM CoNEXT Conference, page 3. ACM, 2007.

[14] Vaibhav Garg and L Jean Camp. Macroeconomic analysis of malware. In Network and Distributed System Security Symposium Extended Abstracts, 2013.

[15] Vaibhav Garg and L Jean Camp. Macroeconomic analysis of malware. Extended abstract, NDSS, San Diego, CA, 24–27 February 2013.

[16] Vaibhav Garg and L Jean Camp. Macroeconomics of eCrime. Security and Human Behavior, New York, NY, 4–5 June 2012.

[17] Vaibhav Garg, Thomas Koster, and L Jean Camp. Cross-country analysis of spambots. EURASIP Journal on Information Security, vol. 3, December 2013.

[18] Vaibhav Garg, L Jean Camp, and N Husted. The smuggling theory approach to organized digital crime. In Sixth Annual APWG eCrime Researchers Summit, San Diego, CA, 8–9 November 2011. Best paper award.

[19] Microsoft. Microsoft Security Intelligence Report. https://www.microsoft.com/en-us/download/details.aspx?id=27605, 2011.