Analysis of Rogue Anti-Virus Campaigns Using Hidden Structures in k-Partite Graphs

  • Conference paper
Cryptology and Network Security (CANS 2012)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7712)

Abstract

Driven by the potential economic profits, cyber-criminals are on the rise and use the Web to exploit unsuspecting users. Indeed, a real underground black market with thousands of collaborating organizations and individuals has developed, which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. Among the various malicious activities of cyber-criminals, rogue security software campaigns have evolved into one of the most lucrative criminal operations on the Internet. In this paper, we present a novel method to analyze rogue security software campaigns, by studying a number of different features that are related to their operation. Contrary to existing data mining techniques for multivariate data, which are mostly based on the definition of appropriate proximity measures on a per-feature basis and data fusion techniques to combine per-feature mining results, we take advantage of the structural properties of the k-partite graph formed by considering the natural interconnections between objects of different types. We show that the proposed method is straightforward, fast and scalable. The results of the analysis of rogue security software campaigns are further assessed by a visual analysis tool and their accuracy is documented.

This work has been partially supported by the European Commission through project FP7-ICT-257495-VIS-SENSE funded by the 7th framework program. The opinions expressed in this paper are those of the authors and do not necessarily reflect the views of the European Commission.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Tsigkas, O., Tzovaras, D. (2012). Analysis of Rogue Anti-Virus Campaigns Using Hidden Structures in k-Partite Graphs. In: Pieprzyk, J., Sadeghi, AR., Manulis, M. (eds) Cryptology and Network Security. CANS 2012. Lecture Notes in Computer Science, vol 7712. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35404-5_10

  • DOI: https://doi.org/10.1007/978-3-642-35404-5_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35403-8

  • Online ISBN: 978-3-642-35404-5

  • eBook Packages: Computer Science, Computer Science (R0)
