
Connected Colors: Unveiling the Structure of Criminal Networks

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8145)

Abstract

In this paper we study the structure of criminal networks, groups of related malicious infrastructures that work in concert to provide hosting for criminal activities. We develop a method to construct a graph of relationships between malicious hosts and identify the underlying criminal networks, using historic assignments in the DNS. We also develop methods to analyze these networks to identify general structural trends and devise strategies for effective remediation through takedowns. We then apply these graph construction and analysis algorithms to study the general threat landscape, as well as four cases of sophisticated criminal networks. Our results indicate that in many cases, criminal networks can be taken down by de-registering as few as five domain names, removing critical communication links. In cases of sophisticated criminal networks, we show that our analysis techniques can identify hosts that are critical to the network’s functionality and estimate the impact of performing network takedowns in remediating the threats. In one case, disabling 20% of a criminal network’s hosts would reduce the overall volume of successful DNS lookups to the criminal network by as much as 70%. This measure can be interpreted as an estimate of the decrease in the number of potential victims reaching the criminal network that would be caused by such a takedown strategy.
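The graph construction and takedown estimate described in the abstract, as an added Python sketch (not the authors' code): hosts are domains and IP addresses, edges are historic DNS assignments, connected components stand in for criminal networks, and a greedy removal estimates how much successful-lookup volume a takedown of 20% of the hosts removes. The records are constructed, and the greedy ranking is an assumption standing in for the paper's own criticality analysis.

```python
import math
from collections import defaultdict

# Constructed sample: historic domain->IP assignments and per-domain counts
# of successful lookups. Names and addresses are made up (documentation ranges).
EDGES = [
    ("a.example", "198.51.100.1"), ("b.example", "198.51.100.1"),
    ("b.example", "198.51.100.2"), ("c.example", "198.51.100.2"),
    ("d.example", "203.0.113.7"), ("e.example", "203.0.113.7"),
]
LOOKUPS = {"a.example": 500, "b.example": 500, "c.example": 100,
           "d.example": 400, "e.example": 50}


def build_graph(edges):
    """Undirected host graph: a domain and an IP are adjacent if the
    domain ever resolved to that IP."""
    adj = defaultdict(set)
    for dom, ip in edges:
        adj[dom].add(ip)
        adj[ip].add(dom)
    return adj


def components(adj):
    """Connected components of the host graph: candidate criminal networks."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            h = stack.pop()
            if h not in comp:
                comp.add(h)
                stack.extend(adj[h] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def live_volume(adj, lookups, removed):
    """Lookups that still succeed after a takedown: the domain is not
    de-registered and at least one of its historic IPs is still up."""
    return sum(n for dom, n in lookups.items()
               if dom not in removed and adj[dom] - removed)


def greedy_takedown(adj, lookups, fraction):
    """Remove ceil(fraction * hosts) hosts, each time the one whose removal
    cuts the most remaining successful lookups (assumption: a greedy proxy
    for the paper's host-criticality ranking). Returns (removed, impact)."""
    k = math.ceil(fraction * len(adj))
    removed = set()
    for _ in range(k):
        best = min(sorted(adj),
                   key=lambda h: live_volume(adj, lookups, removed | {h}))
        removed.add(best)
    total = sum(lookups.values())
    return removed, 1 - live_volume(adj, lookups, removed) / total
```

On the constructed sample, removing 2 of the 8 hosts (both IPs of the first component) cuts successful lookups by about 71%, because the domains sharing those IPs stop resolving.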




© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Nadji, Y., Antonakakis, M., Perdisci, R., Lee, W. (2013). Connected Colors: Unveiling the Structure of Criminal Networks. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_20


  • DOI: https://doi.org/10.1007/978-3-642-41284-4_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41283-7

  • Online ISBN: 978-3-642-41284-4

  • eBook Packages: Computer Science (R0)
