Defense Event

A Macroscopic Study of Network Security Threats at the Organizational Level

Jing Zhang

Thursday, September 10, 2015
08:30am - 10:30am
3725 Beyster Bldg.

About the Event

Defenders of today's networks are confronted with a large number of malicious activities such as spam, malware, and denial-of-service attacks. Although many studies have been performed on how to mitigate security threats, the interaction between attackers and defenders is like a game of Whac-a-Mole, in which the security community chases after attackers and malicious hosts rather than helping defenders build systematic defensive solutions. As a complement to these studies that focus on attackers or end hosts, this thesis studies security threats from the perspective of the organization, the central authority that manages and defends a group of end hosts. This perspective provides a balanced position from which to understand security problems and to deploy and evaluate defensive solutions. This thesis explores how a macroscopic view of network security from an organization's perspective can be formed to help effectively measure, understand, and mitigate security threats. To realize this goal, we bring together a broad collection of reputation blacklists that cover malicious sources involved in spam, phishing/malware, and active scanning. We first measure the properties of the malicious sources identified by these blacklists and their impact on an organization. We reveal that the malicious sources have a surprisingly high impact on an organization's traffic --- about 17% of the organization's traffic is from or to malicious sources. We then aggregate the malicious sources to Internet organizations and characterize the maliciousness of organizations and its evolution over a period of two and a half years. We find that the maliciousness of organizations varies greatly: while more than half of the organizations remain "clean", some organizations have a disproportionately large fraction of their IP addresses involved in malicious activities. We also find that both the average magnitude and the dynamics of maliciousness have increased significantly over the past two and a half years. Next, we aim to understand the cause of the different maliciousness levels in different organizations. By systematically examining the relationship between eight security mismanagement symptoms and the maliciousness of organizations, we find a strong positive correlation between mismanagement and maliciousness. Lastly, motivated by the observation that some organizations have a significant fraction of their IP addresses involved in malicious activities, we evaluate the tradeoffs of one type of mitigation solution at the organization level --- network takedowns. Based on a broad set of cost and benefit metrics and a tradeoff analysis, we identify hundreds of Internet organizations for whom this analysis shows significant favorable returns, with minor costs when they are shuttered.
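As an added illustration of the two measurements the abstract describes (this is example code, not the thesis's own tooling or data): blacklist entries are merged across feeds, mapped to organizations by longest-prefix match over constructed prefix announcements, and scored as the fraction of each organization's address space that is listed; a second function computes the share of a defended network's bytes exchanged with listed sources. All prefixes, addresses and flow records are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the thesis): each organization's announced prefixes.
ORG_PREFIXES = {
    "org-A": ["203.0.113.0/24"],
    "org-B": ["198.51.100.0/25", "198.51.100.128/25"],
    "org-C": ["192.0.2.0/24"],
}
# Constructed blacklist feeds, one set of addresses per category.
BLACKLISTS = {
    "spam": {"203.0.113.5", "203.0.113.9", "198.51.100.7"},
    "phishing_malware": {"203.0.113.5", "192.0.2.77"},
    "scanning": {"203.0.113.200", "203.0.113.201", "203.0.113.202"},
}
# Constructed flow records of the defended network: (src, dst, bytes).
FLOWS = [
    ("10.0.0.4", "203.0.113.5", 1200),
    ("10.0.0.4", "93.184.216.34", 800),
    ("198.51.100.7", "10.0.0.9", 500),
    ("10.0.0.2", "192.0.2.1", 300),
]

def union_blacklist(blacklists):
    """Merge all feeds into one set; an address listed in several feeds counts once."""
    return set().union(*blacklists.values())

def lookup_org(ip, index):
    """Owner of ip by longest-prefix match over (network, org) pairs, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, org) for net, org in index if addr in net]
    return max(matches)[1] if matches else None

def org_maliciousness(org_prefixes, blacklists):
    """Fraction of each organization's address space on at least one blacklist."""
    index = [(ipaddress.ip_network(p), org) for org, ps in org_prefixes.items() for p in ps]
    hits = defaultdict(set)
    for ip in union_blacklist(blacklists):
        org = lookup_org(ip, index)
        if org is not None:
            hits[org].add(ip)
    return {org: len(hits[org]) / sum(net.num_addresses for net, o in index if o == org)
            for org in org_prefixes}

def malicious_traffic_share(flows, blacklists):
    """Share of the network's bytes sent to or received from a blacklisted address."""
    bad = union_blacklist(blacklists)
    total = sum(b for _, _, b in flows)
    return sum(b for s, d, b in flows if s in bad or d in bad) / total if total else 0.0
```

Tracking the per-organization fraction across successive blacklist snapshots gives the evolution the abstract characterizes; the traffic share is the per-organization impact measurement.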

Additional Information

Sponsor(s): Michael Donald Bailey and Mingyan Liu

Open to: Public