-
CGraph: Graph Based Extensible Predictive Domain Threat Intelligence Platform
Authors:
Wathsara Daluwatta,
Ravindu De Silva,
Sanduni Kariyawasam,
Mohamed Nabeel,
Charith Elvitigala,
Kasun De Zoysa,
Chamath Keppitiyagama
Abstract:
The ability to effectively investigate indicators of compromise and the associated network resources involved in cyber attacks is paramount, not only to identify affected network resources but also to detect related malicious resources. Today, most cyber threat intelligence platforms are reactive, in that they can identify attack resources only after the attack has been carried out. Further, these systems have limited functionality for investigating associated network resources. In this work, we propose an extensible predictive cyber threat intelligence platform called cGraph that addresses the above limitations. cGraph is built as a graph-first system in which investigators can explore network resources through a graph-based API. Further, cGraph provides real-time predictive capabilities based on state-of-the-art inference algorithms to predict malicious domains from network graphs given a few known malicious and benign seeds. To the best of our knowledge, cGraph is the only threat intelligence platform to do so. cGraph is extensible in that additional network resources can be added to the system transparently.
Submitted 16 February, 2022;
originally announced February 2022.
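The seed-based inference the abstract describes can be illustrated with the simplest member of that family, harmonic label propagation over a domain-to-IP resolution graph. The following is an added example and is not cGraph's code or its inference algorithm; the resolution records, the seed labels and the 0.5 decision threshold are constructed for the illustration. Known-malicious and known-benign seeds are clamped, every other domain and IP node repeatedly takes the mean score of its neighbours, and unlabeled domains are ranked by where they settle.

```python
from collections import defaultdict

# Constructed toy passive-DNS style resolutions (domain, ip) in RFC 5737 ranges; not real data.
RESOLUTIONS = [
    ("seed-mal.example", "203.0.113.10"),
    ("mal-twin.example", "203.0.113.10"),   # only shares an IP with the malicious seed
    ("shared-ab.example", "203.0.113.10"),
    ("shared-ab.example", "203.0.113.20"),
    ("seed-ben.example", "198.51.100.5"),
    ("quiet.example", "198.51.100.5"),      # only shares an IP with the benign seed
    ("shared-bc.example", "203.0.113.20"),
    ("shared-bc.example", "198.51.100.5"),
]
# Constructed seeds: 1.0 = known malicious, 0.0 = known benign; everything else is unlabeled.
SEEDS = {"seed-mal.example": 1.0, "seed-ben.example": 0.0}


def build_graph(resolutions):
    """Undirected bipartite graph: domain nodes on one side, IP nodes on the other."""
    adj = defaultdict(set)
    for domain, ip in resolutions:
        adj[domain].add(ip)
        adj[ip].add(domain)
    return adj


def propagate(adj, seeds, max_iter=10000, tol=1e-10):
    """Harmonic label propagation (assumed algorithm for this example): seeds stay
    clamped, every other node takes the mean score of its neighbours until the
    largest per-node change drops below tol. Scores lie in [0, 1]; 1.0 means
    'indistinguishable from the malicious seeds'."""
    scores = {node: seeds.get(node, 0.5) for node in adj}
    for _ in range(max_iter):
        new = {}
        for node, neighbours in adj.items():
            if node in seeds:
                new[node] = seeds[node]
            else:
                new[node] = sum(scores[n] for n in neighbours) / len(neighbours)
        delta = max(abs(new[n] - scores[n]) for n in adj)
        scores = new
        if delta < tol:
            break
    return scores


def predict(scores, seeds, resolutions, threshold=0.5):
    """Label every unlabeled domain from its propagated score."""
    domains = {d for d, _ in resolutions} - set(seeds)
    return {d: ("malicious" if scores[d] > threshold else "benign") for d in sorted(domains)}


if __name__ == "__main__":
    graph = build_graph(RESOLUTIONS)
    propagated = propagate(graph, SEEDS)
    for domain, label in predict(propagated, SEEDS, RESOLUTIONS).items():
        print(f"{domain:22s} {propagated[domain]:.3f} {label}")
```

The scores are the unique harmonic extension of the seed values, so a domain that resolves only to the malicious seed's IP settles at 5/6 while one that resolves only to the benign seed's IP settles at 1/6; domains straddling both sides land in between, which is where an investigator would want to look next. Two seeds on a toy graph are enough to show the mechanics, but the threshold and the confidence of any real deployment depend on how many seeds there are and how well they are connected.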
-
PhishChain: A Decentralized and Transparent System to Blacklist Phishing URLs
Authors:
Shehan Edirimannage,
Mohamed Nabeel,
Charith Elvitigala,
Chamath Keppitiyagama
Abstract:
Blacklists are a widely used Internet security mechanism that protects Internet users from financial scams, malicious web pages and other cyber attacks based on blacklisted URLs. In this demo, we introduce PhishChain, a transparent and decentralized system for blacklisting phishing URLs. At present, public/private domain blacklists, such as PhishTank, CryptoScamDB, and APWG, are maintained by a centralized authority but operate in a crowd-sourcing fashion to create a manually verified blacklist periodically. In addition to being a single point of failure, the blacklisting process used by such systems is not transparent. We use blockchain technology to support transparency and decentralization: no single authority controls the blacklist, and all operations are recorded in an immutable distributed ledger. Further, we design a PageRank-based truth discovery algorithm to assign a phishing score to each URL based on the crowd-sourced assessment of URLs. As an incentive for voluntary participation, we assign skill points to each user based on their participation in URL verification.
Submitted 16 February, 2022;
originally announced February 2022.
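The abstract's two ingredients, a phishing score per URL derived from crowd votes and a skill measure per user, reinforce each other: reliable voters should weigh more, and reliability is judged against the scores those weighted votes produce. The following is an added example, not PhishChain's code; it uses a plain iterative weighted-voting truth-discovery loop rather than the paper's PageRank-based algorithm, the votes are constructed (three honest reporters and one who always votes the opposite), the "one point per vote that agrees with the final verdict" incentive is an assumption, and the ledger that would record the votes is not modelled.

```python
from collections import defaultdict

# Constructed votes (user, url, verdict): 1 = phishing, 0 = benign. Not real data.
# u1..u3 report honestly; u4 always votes the opposite of the truth.
VOTES = [
    ("u1", "http://p1.example/login", 1), ("u2", "http://p1.example/login", 1), ("u4", "http://p1.example/login", 0),
    ("u2", "http://p2.example/verify", 1), ("u3", "http://p2.example/verify", 1), ("u4", "http://p2.example/verify", 0),
    ("u1", "http://b1.example/", 0), ("u3", "http://b1.example/", 0), ("u4", "http://b1.example/", 1),
    ("u1", "http://b2.example/", 0), ("u2", "http://b2.example/", 0), ("u3", "http://b2.example/", 0), ("u4", "http://b2.example/", 1),
    ("u1", "http://t1.example/update", 1), ("u4", "http://t1.example/update", 0),  # a 1-1 tie under plain majority
]


def truth_discovery(votes, max_iter=100, tol=1e-9, eps=1e-9):
    """Assumed algorithm for this example: URL score = skill-weighted mean of its votes,
    user skill = mean agreement (1 - |vote - score|) over that user's votes; alternate
    until skills stop moving. Returns (scores per URL, skill per user), both in [0, 1]."""
    by_url = defaultdict(list)
    by_user = defaultdict(list)
    for user, url, verdict in votes:
        by_url[url].append((user, verdict))
        by_user[user].append((url, verdict))
    skill = {user: 1.0 for user in by_user}   # start by trusting everyone equally
    scores = {}
    for _ in range(max_iter):
        scores = {
            url: sum(skill[u] * v for u, v in vs) / (sum(skill[u] for u, _ in vs) + eps)
            for url, vs in by_url.items()
        }
        new_skill = {
            user: sum(1.0 - abs(v - scores[url]) for url, v in vs) / len(vs)
            for user, vs in by_user.items()
        }
        delta = max(abs(new_skill[u] - skill[u]) for u in skill)
        skill = new_skill
        if delta < tol:
            break
    return scores, skill


def verdicts(scores, threshold=0.5):
    """Turn phishing scores into blacklist decisions."""
    return {url: ("phishing" if s > threshold else "benign") for url, s in scores.items()}


def skill_points(votes, scores, threshold=0.5):
    """Hypothetical incentive: one point per vote that agrees with the final verdict."""
    final = verdicts(scores, threshold)
    points = {user: 0 for user, _, _ in votes}
    for user, url, verdict in votes:
        if (verdict == 1) == (final[url] == "phishing"):
            points[user] += 1
    return points


if __name__ == "__main__":
    scores, skill = truth_discovery(VOTES)
    for url, label in verdicts(scores).items():
        print(f"{url:30s} {scores[url]:.3f} {label}")
    print("skill:", {u: round(s, 3) for u, s in skill.items()})
    print("points:", skill_points(VOTES, scores))
```

The tie on `t1` is the point of the exercise: a plain majority cannot resolve a 1-1 split, but once the loop has learned from the other URLs that u4 disagrees with everyone, u4's vote carries little weight and the URL is scored as phishing. The same mechanism is what limits a single adversarial account's ability to poison the list, which is the threat a decentralized blacklist has to worry about.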
-
Uncovering IP Address Hosting Types Behind Malicious Websites
Authors:
Nimesha Wickramasinghe,
Mohamed Nabeel,
Kenneth Thilakaratne,
Chamath Keppitiyagama,
Kasun De Zoysa
Abstract:
Hundreds of thousands of malicious domains are created every day. These malicious domains are hosted on a wide variety of network infrastructures. Traditionally, attackers use bulletproof hosting services (e.g. MaxiDed, Cyber Bunker) to take advantage of relatively lenient policies on what content they can host. However, these IP ranges are increasingly being blocked, or the services are taken down by law enforcement. Hence, attackers are moving towards using IPs from regular hosting providers while staying under the radar of those providers. There are several practical advantages to accurately knowing the type of IP used to host malicious domains. If the IP is a dedicated IP (i.e. it is leased to a single entity), one may blacklist the IP to block the domains hosted on it, as well as use it as a way to identify other malicious domains hosted on the same IP. If the IP is a shared hosting IP, hosting providers may take measures to clean up such domains and maintain a high reputation for their users.
Submitted 28 November, 2021; v1 submitted 29 October, 2021;
originally announced November 2021.
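The response policy in the abstract (block the whole IP and pivot to its co-hosted domains when it is dedicated; block only the domain and involve the hosting provider when it is shared) can be shown with a small triage routine. The following is an added example and is not the paper's classifier: it stands in for the hosting-type decision with a crude assumed heuristic, "at most five distinct domains on the IP means dedicated", and the passive-DNS style observations, the known-malicious set and the threshold are constructed.

```python
from collections import defaultdict

# Constructed observations (domain, ip) in RFC 5737 documentation ranges; not real data.
# 203.0.113.10 serves three domains of one actor; 198.51.100.7 serves 40 unrelated tenants.
OBSERVATIONS = [
    ("evil.example", "203.0.113.10"),
    ("evil-2.example", "203.0.113.10"),
    ("cdn-evil.example", "203.0.113.10"),
    ("bad-on-shared.example", "198.51.100.7"),
] + [(f"tenant{i}.example", "198.51.100.7") for i in range(40)]

# Constructed blacklist seeds.
KNOWN_MALICIOUS = {"evil.example", "bad-on-shared.example"}

# Assumed heuristic threshold for this example only: an IP serving at most this many
# distinct domains is treated as dedicated to one tenant, anything above as shared hosting.
DEDICATED_MAX_DOMAINS = 5


def domains_by_ip(observations):
    """Index: ip -> set of distinct domains observed resolving to it."""
    index = defaultdict(set)
    for domain, ip in observations:
        index[ip].add(domain)
    return index


def hosting_type(domain_count, dedicated_max=DEDICATED_MAX_DOMAINS):
    return "dedicated" if domain_count <= dedicated_max else "shared"


def plan_response(observations, known_malicious, dedicated_max=DEDICATED_MAX_DOMAINS):
    """For every known-malicious domain decide what to block and what to pivot on.

    dedicated IP -> block the IP and queue the other domains on it for review;
    shared IP    -> block only the domain and notify the hosting provider, since
                    blocking the IP would take down unrelated tenants.
    """
    index = domains_by_ip(observations)
    ip_of = defaultdict(set)
    for domain, ip in observations:
        ip_of[domain].add(ip)

    actions = []
    for domain in sorted(known_malicious):
        for ip in sorted(ip_of[domain]):
            cohosted = index[ip]
            kind = hosting_type(len(cohosted), dedicated_max)
            if kind == "dedicated":
                actions.append({"domain": domain, "ip": ip, "type": kind, "block": "ip",
                                "pivot": sorted(cohosted - known_malicious), "notify_host": False})
            else:
                actions.append({"domain": domain, "ip": ip, "type": kind, "block": "domain",
                                "pivot": [], "notify_host": True})
    return actions


if __name__ == "__main__":
    for action in plan_response(OBSERVATIONS, KNOWN_MALICIOUS):
        print(action)
```

The domain count is only a placeholder for the hosting-type decision; a content-delivery or reverse-proxy IP can front few domains yet belong to many tenants, and a single actor can park hundreds of domains on one leased IP. The value of the routine is in making the consequence of a wrong answer visible: misclassifying a shared IP as dedicated turns a blacklist entry into collateral damage for every other tenant.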
-
COMONet: Community Mobile Network
Authors:
Primal Wijesekera,
Chamath I. Keppitiyagama
Abstract:
The density of mobile phones has increased rapidly in recent years. One drawback of current mobile telephone technology is that it forces all calls to go through cellular base stations even if the caller and the callee are within radio range of each other. Hybrid cellular networks and Unlicensed Mobile Access (UMA) have been proposed as solutions that enable mobile phone users to bypass cellular base stations. However, these technologies either require special hardware or, in some cases, have to rely on the service providers. We identified that most Commodity-off-the-Shelf mobile phones are Wi-Fi (and Bluetooth) enabled. We propose a Community Mobile Network (COMONet) which uses Wi-Fi (and Bluetooth) to build an ad hoc network among mobile phone users to bypass GSM base stations whenever possible. COMONet does not depend on special non-commodity hardware; it is a software-based solution. COMONet monitors all the available paths over the ad hoc network and transparently switches to the regular path over the service provider's GSM base station if no path is available over the ad hoc network. In COMONet the caller and the callee do not have to be within Wi-Fi or Bluetooth range of each other to make a call, since COMONet is capable of routing calls through the other mobile nodes participating in the network.
Submitted 13 September, 2020;
originally announced September 2020.
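The path selection the abstract describes (multi-hop routing over the ad hoc links when a path exists, transparent fallback to the base station when it does not) reduces to a reachability check over the current link snapshot. The following is an added example and not COMONet's implementation; the link snapshot, the handset names and the "base-station" placeholder hop are constructed, and the example uses breadth-first search for fewest hops where the real system would weigh link quality as well.

```python
from collections import deque

# Constructed snapshot of short-range (Wi-Fi/Bluetooth) links between handsets; not real data.
# erin and frank form an island that cannot reach the others over the ad hoc network.
ADHOC_LINKS = [("alice", "bob"), ("bob", "carol"), ("carol", "dave"), ("erin", "frank")]


def neighbours(links):
    """Undirected adjacency from a list of (a, b) links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_adhoc_path(links, src, dst):
    """Breadth-first search: fewest-hop path over the ad hoc links, or None if unreachable."""
    adj = neighbours(links)
    if src not in adj or dst not in adj:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj[node]):      # sorted for deterministic paths
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def select_route(links, src, dst):
    """Prefer the ad hoc path; otherwise fall back to the GSM path via the base station."""
    path = shortest_adhoc_path(links, src, dst)
    if path:
        return ("adhoc", path)
    return ("gsm", [src, "base-station", dst])


def drop_link(links, a, b):
    """Simulate a handset moving out of range: remove the link in either orientation."""
    return [link for link in links if set(link) != {a, b}]


if __name__ == "__main__":
    print(select_route(ADHOC_LINKS, "alice", "dave"))
    print(select_route(ADHOC_LINKS, "alice", "frank"))
    print(select_route(drop_link(ADHOC_LINKS, "bob", "carol"), "alice", "dave"))
```

Re-running `select_route` on each link-table update is the "monitors all the available paths" behaviour in its simplest form: when the bob-carol link disappears, alice's call to dave silently moves to the GSM path, and it would move back once a relay node reappears.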