A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists

Published in Asia Computer and Communication Security Conference (CCS), 2019

Abstract: This paper focuses on reporting of Internet malicious activity (or mal-activity in short) by public blacklists with the objective of providing a systematic characterization of what has been reported over the years, and more importantly, the evolution of reported activities. Using an initial seed of 22 blacklists, covering the period from January 2007 to June 2017, we collect more than 51 million mal-activity reports involving 662K unique IP addresses worldwide. Leveraging the Wayback Machine, antivirus (AV) tool reports and several additional public datasets (e.g., BGP Route Views and Internet registries) we enrich the data with historical meta-information including geo-locations (countries), autonomous system (AS) numbers and types of mal-activity. Furthermore, we use the initially labelled dataset of approx. 1.57 million mal-activities (obtained from public blacklists) to train a machine learning classifier to classify the remaining unlabeled dataset of approx. 44 million mal-activities obtained through additional sources. We make our unique collected dataset (and scripts used) publicly available for further research.

Recommended citation: Benjamin Zi Hao Zhao, Muhammad Ikram, Hassan Asghar, Mohamed Ali Kaafar, Abdelberi Chaabane, and Kanchana Thilakarathna, "A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists", In Asia Computer and Communication Security Conference (CCS), 2019.

Decentralized Control: A Case Study of Russia

Published in Network and Distributed Systems Security (NDSS), 2020

Abstract: Although past censorship research has largely focused on blocking in highly centralized networks such as China’s, censorship in decentralized networks is on the rise. It was long thought that large-scale censorship on decentralized networks with thousands of ISPs was prohibitively difficult. Our in-depth investigation of the mechanisms underlying decentralized information control in Russia shows that such large-scale censorship can be achieved in decentralized networks through inexpensive commodity equipment. This new form of information control presents a host of problems for censorship measurement, including difficulty identifying censored content, requiring measurements from diverse perspectives, and variegated censorship mechanisms that require significant effort to identify in a robust manner.

Recommended citation: Reethika Ramesh, Ram Sundara Raman, Matthew Bernhard, Victor Ongkowijaya, Leonid Evdokimov, Anne Edmundson, Steven Sprecher, Muhammad Ikram, and Roya Ensafi, "Decentralized Control: A Case Study of Russia", In Network and Distributed Systems Security (NDSS), 2020.

Measuring and Analysing the Chain of Implicit Trust: A Study of Third-party Resources Loading

Published in ACM Transactions on Privacy and Security (TOPS), 2020

Abstract: The web is a tangled mass of interconnected services, whereby websites import a range of external resources from various third-party domains. The latter can also load further resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first-party and transitively connected third-parties. The chain can only be loosely controlled as first-party websites often have little, if any, visibility on where these resources are loaded from. This paper performs a large-scale study of dependency chains in the web, to find that around 50% of first-party websites render content that they do not directly load. Although the majority (84.91%) of websites have short dependency chains (below 3 levels), we find websites with dependency chains exceeding 30. Using VirusTotal, we show that 1.2% of these third-parties are classified as suspicious – although seemingly small, this limited set of suspicious third-parties have remarkable reach into the wider ecosystem. We find that 73% of websites under study load resources from suspicious third-parties, and 24.8% of first-party webpages contain at least three third-parties classified as suspicious in their dependency chain. By running sandboxed experiments, we observe a range of activities, with the majority of suspicious JavaScript code downloading malware.

Recommended citation: Muhammad Ikram, Rahat Masood, Gareth Tyson, Mohamed Ali Kaafar, Roya Ensafi, "Measuring and Analysing the Chain of Implicit Trust: A Study of Third-party Resources Loading", ACM Transactions on Privacy and Security (TOPS), 2020.