Speaker: Dr. Juan Caballero, IMDEA, Spain
Speaker Bio: Juan Caballero is an Assistant Research Professor at the IMDEA Software Institute in Madrid, Spain. His research focuses on security issues in systems, software, and networks. He received his Ph.D. in Electrical and Computer Engineering from Carnegie Mellon University, USA, and was a visiting student researcher at the University of California, Berkeley for two years. His research regularly appears at top security venues and has won two best paper awards at the Usenix Security Symposium. He has served on the technical program committees of venues such as IEEE S&P, ACM CCS, Usenix Security, NDSS, WWW, RAID, and DIMVA. He has been program co-chair for the Digital Forensics Research Symposium (DFRWS, 2014 & 2013), the European Workshop on Systems Security (EuroSec, 2015 & 2014) and the International Symposium on Engineering Secure Software and Systems (ESSoS, 2015).
Presentation Title: CyberProbe and AutoProbe: Towards Internet-Scale Active Detection of Malicious Servers
Presentation Description: Cybercriminals use different types of geographically distributed servers to run their operations, such as C&C servers for managing their malware, exploit servers to distribute the malware, payment servers for monetization, and redirectors for anonymity. Identifying the server infrastructure used by a cybercrime operation is fundamental for defenders, as it enables take-downs that can disrupt the operation and is a critical step towards identifying the criminals behind it. In this work, we propose a novel active probing approach for detecting malicious servers and compromised hosts that listen for (and react to) incoming network requests. Our approach sends probes to remote hosts and examines their responses, determining whether the remote hosts are malicious or not. It identifies different malicious server types as well as malware that listens for incoming traffic, such as P2P bots. Compared with existing defenses, our active probing approach is fast, cheap, easy to deploy, and achieves Internet scale. We have implemented our active probing approach in two tools called CyberProbe and AutoProbe. We have used them to identify over a hundred malicious servers and several thousand P2P bots through localized and Internet-wide scans. Of those servers, the majority are unknown to publicly available databases of malicious servers, indicating that our tools can achieve up to 4 times better coverage than existing techniques. Our results also reveal an important provider locality property of the hosting of malicious servers.
University of Texas at Dallas
Engineering & Computer Science South building
Room ECSS 2.102