Understanding the Ecosystem of IoT DDoS services | Damon McCoy, New York University | Oct. 24th, 2019


Page 1: Understanding the Ecosystem of IoT DDoS services

Damon McCoy | New York University

Oct. 24th, 2019

Page 2: Team Profile

MINIONS - MitigatINg IOt-based DDoS attacks via DNS

NYU Ph.D. students: Rasika Bhalerao and Maxwell Aliapoulios

Dutch collaborators: Michel van Eeten, Carlos Ganan, Arman Noroozian, Elsa Turcios Rodriguez

Page 3: Customer Need

We lack tools to understand the structure and economics of IoT DDoS services and to monitor them. Such tools are useful to discover more efficient points for undermining these services.

Potential customers: law enforcement and private security companies.

Today there is no understanding of the structure and economics of IoT DDoS services, and monitoring is ad hoc.

Page 4: Approach (Part 1)

Automated techniques to discover DDoS services advertising on underground forums.

Create trained natural language processing models to detect underground forum posts selling and buying DDoS services.

Requires a manually labeled corpus of posts selling and buying DDoS services, and a set of text features adapted to this problem.

Page 5: Approach (Continued, Part 2)

Automated methods to detect replies indicating that a member has purchased the product sold in a thread.

Create a supervised natural language processing model to detect buy replies.

Requires a manually labeled corpus of buying replies and text features adapted to this problem.

Page 6: Approach (Continued, Part 3)

Method to detect DDoS-related supply chains: a combination of the prior approaches and graph algorithms.
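The following is an added illustration of the supply chain step, not code released by the project: it takes the output the two classifiers above would produce (which thread sells which product, and which members replied with a buy signal), builds a seller-to-buyer trade graph, and reports members who buy an input product and then sell DDoS services. All usernames, thread ids and product labels are constructed placeholders.

```python
from collections import defaultdict
from itertools import product

# Constructed sample output of the two classifiers described on the slides:
# thread-level product detection and reply-level buy detection.
THREADS = {  # thread_id -> (seller, product sold in that thread)
    "t1": ("hoster_a", "bulletproof_hosting"),
    "t2": ("devbot_b", "botnet_source"),
    "t3": ("boot_c", "ddos_service"),
    "t4": ("boot_d", "ddos_service"),
}
BUY_REPLIES = [  # (thread_id, member whose reply was classified as a buy)
    ("t1", "boot_c"),   # boot_c buys hosting ...
    ("t2", "boot_c"),   # ... and botnet source, and sells DDoS in t3
    ("t3", "cust_x"),
    ("t3", "cust_y"),
    ("t4", "cust_x"),
]

def build_trade_graph(threads, buy_replies):
    """Directed edges seller -> buyer, labelled with the product traded."""
    edges = defaultdict(set)  # seller -> {(buyer, product)}
    for tid, buyer in buy_replies:
        seller, prod = threads[tid]
        if buyer != seller:  # ignore sellers replying in their own thread
            edges[seller].add((buyer, prod))
    return edges

def find_supply_chains(edges, target="ddos_service"):
    """Two-hop chains supplier -(input)-> seller -(target)-> customer.
    A chain exists when one member both buys some product and sells target."""
    bought = defaultdict(set)  # member -> {(supplier, product bought)}
    for seller, outs in edges.items():
        for buyer, prod in outs:
            bought[buyer].add((seller, prod))
    chains = set()
    for seller, outs in edges.items():
        customers = {buyer for buyer, prod in outs if prod == target}
        if not customers or seller not in bought:
            continue  # sells nothing of interest, or has no known suppliers
        for (supplier, inp), customer in product(bought[seller], customers):
            chains.add((supplier, inp, seller, target, customer))
    return sorted(chains)

def sellers_of(edges, prod):
    """Members with at least one classified sale of the given product."""
    return sorted(s for s, outs in edges.items() if any(p == prod for _, p in outs))
```

On the sample data, boot_c is the only member that appears as both a buyer (hosting, botnet source) and a DDoS seller, so every reported chain passes through that account.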

Page 7: Benefits

Automates DDoS service discovery and supply chain reconstruction, which are often performed manually using ad hoc keyword searches.

Benefit: provides a scalable solution that requires less manual effort and has improved recall.

Risk: might need to be trained for each forum.

Page 8: Competition/Alternatives

Many companies offer keyword-based search portals that analysts and law enforcement use to discover DDoS services.

These are prone to false positives and false negatives, and require domain knowledge to generate lists of keywords.

Expensive and skilled-labor intensive.

Page 9: Current Status (Part 1)

Labeled data from two underground forums: Hack Forum (EN), AntiChat (RU).

Built models to detect 14 types of products, including DDoS services.

F1 scores range from 0.81-0.87 for the four models.

Executed it over the entire forum and identified DDoS service sellers, buyers, and supply chains.

Page 10: Current Status (Continued, Part 2)

Published an academic study at the IEEE eCrime Symposium: Mapping the Underground: Supervised Discovery of Cybercrime Supply Chains, Rasika Bhalerao, Maxwell Aliapoulios, Ilia Shumailov, Sadia Afroz, Damon McCoy, IEEE eCrime 2019.

Fulfils the first NYU-led milestone.

Page 11: Current Status (Continued, Part 3)

Releasing code, annotations, models, and other artifacts required to reproduce the results.

TUDelft/NYU collaboration on an economic study of Bullet Proof Hosting, which relates to infrastructure used by IoT DDoS botnets. Published at USENIX Security 2019.

Page 12: Current Status (Continued, Part 4)

Working on exploring the economics and structure of IoT DDoS services, and on monitoring tools.

Page 13: Transition/Completion Activities

Flashpoint is working on implementing parts of our code in their production platform. Early access to results is provided under a data sharing agreement.

Dutch Police amended their case based on our findings on the bulletproof hoster.

Page 14: Lessons Learned (Part 1)

Many of the IoT DDoS services switched to using Telegram instead of underground forums. Need tools to analyze Telegram chat data.

Manual labeling should be done on posts from the specific forum and needs to be updated every 2-3 months.

Page 15: Lessons Learned (Continued, Part 2)

Challenging to distinguish IoT-based from Virtual Private Server-based DDoS services.

Weak connection to DNS, since many of the IoT botnets are not registering domains for their Command and Control servers.

Page 16: Contact Info

Damon McCoy, New York University

[email protected]