Dandelion - Revealing Malicious Groups of Interest in Large Mobile Networks

  • Conference paper
  • In: Network and System Security (NSS 2015)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9408)

Abstract

An enormous number of security anomalies occur across the Internet every day. These anomalies are typically treated as individual security events that are analyzed manually in order to detect an attack and take action; with limited manual resources, important characteristics of an attack may go unnoticed. Mobile attacks add further complexity because they typically traverse multiple types of networks, making correlation and detection even more challenging. In this paper, we propose a system, Dandelion, that automatically correlates individual security anomalies with one another to reveal an entire mobile attack campaign. The system also identifies previously unknown malicious network entities that are highly correlated with known ones. Our prototype correlates thousands of network anomalies across both the SMS and IP networks of a large US tier-1 mobile service provider, reducing them to approximately 20 to 30 groups of interest per day. To demonstrate Dandelion's value, we show how the system has provided the critical information human analysts needed to detect and mitigate previously unknown mobile attacks.



Corresponding author: Wei Wang.


Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Wang, W., Istomin, M., Bickford, J. (2015). Dandelion - Revealing Malicious Groups of Interest in Large Mobile Networks. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 9408. Springer, Cham. https://doi.org/10.1007/978-3-319-25645-0_1

  • DOI: https://doi.org/10.1007/978-3-319-25645-0_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25644-3

  • Online ISBN: 978-3-319-25645-0
