-
Unraveling Threat Intelligence Through the Lens of Malicious URL Campaigns
Authors:
Mahathir Almashor,
Ejaz Ahmed,
Benjamin Pick,
Sharif Abuadbba,
Jason Xue,
Raj Gaire,
Shuo Wang,
Seyit Camtepe,
Surya Nepal
Abstract:
The daily deluge of alerts is a sombre reality for Security Operations Centre (SOC) personnel worldwide. They are at the forefront of an organisation's cybersecurity infrastructure, and face the unenviable task of prioritising threats amongst a flood of abstruse alerts triggered by their Security Information and Event Management (SIEM) systems. URLs found within malicious communications form the bulk of such alerts, and pinpointing pertinent patterns within them allows teams to rapidly deescalate potential or extant threats. This need for vigilance has been traditionally filled with machine-learning based log analysis tools and anomaly detection concepts. To sidestep machine learning approaches, we instead propose to analyse suspicious URLs from SIEM alerts via the perspective of malicious URL campaigns. By first grouping URLs within 311M records gathered from VirusTotal into 2.6M suspicious clusters, we thereafter discovered 77.8K malicious campaigns. Corroborating our suspicions, we found 9.9M unique URLs attributable to 18.3K multi-URL campaigns, and that worryingly, only 2.97% of campaigns were found by security vendors. We also confer insights on evasive tactics such as ever lengthier URLs and more diverse domain names, with selected case studies exposing other adversarial techniques. By characterising the concerted campaigns driving these URL alerts, we hope to inform SOC teams of current threat trends, and thus arm them with better threat intelligence.
Submitted 26 August, 2022;
originally announced August 2022.
-
Characterizing Malicious URL Campaigns
Authors:
Mahathir Almashor,
Ejaz Ahmed,
Benjamin Pick,
Sharif Abuadbba,
Raj Gaire,
Seyit Camtepe,
Surya Nepal
Abstract:
URLs are central to a myriad of cyber-security threats, from phishing to the distribution of malware. Their inherent ease of use and familiarity is continuously abused by attackers to evade defences and deceive end-users. Seemingly dissimilar URLs are being used in an organized way to perform phishing attacks and distribute malware. We refer to such behaviours as campaigns, with the hypothesis being that attacks are often coordinated to maximize success rates and develop evasion tactics. The aim is to gain better insights into campaigns, bolster our grasp of their characteristics, and thus aid the community in devising more robust solutions. To this end, we performed extensive research and analysis into 311M records containing 77M unique real-world URLs that were submitted to VirusTotal from Dec 2019 to Jan 2020. From this dataset, 2.6M suspicious campaigns were identified based on their attached metadata, of which 77,810 were doubly verified as malicious. Using the 38.1M records and 9.9M URLs within these malicious campaigns, we provide varied insights such as their targeted victim brands as well as URL sizes and heterogeneity. Some surprising findings were observed, such as detection rates falling to just 13.27% for campaigns that employ more than 100 unique URLs. The paper concludes with several case studies that illustrate the common malicious techniques employed by attackers to imperil users and circumvent defences.
Submitted 28 August, 2021;
originally announced August 2021.
-
The f2(1565) in pbar-p -> (omega-omega)pizero interactions at rest
Authors:
C. A. Baker,
B. M. Barnett,
C. J. Batty,
K. Braune,
D. V. Bugg,
O. Cramer,
V. Crede,
N. Djaoshvili,
W. Dunnweber,
M. A. Faessler,
N. P. Hessey,
P. Hidas,
C. Hodd,
D. Jamnik,
H. Kalinowsky,
J. Kisiel,
E. Klempt,
C. Kolo,
L. Montanet,
B. Pick,
W. Roethel,
A. Sarantsev,
I. Scott,
C. Strassburger,
U. Thoma
, et al. (5 additional authors not shown)
Abstract:
Data are presented on the reaction pbar-p -> omega-omega-pizero at rest from the Crystal Barrel detector. These data identify a strong signal due to f2(1565) -> omega-omega. The relative production from initial pbar-p states 3P2, 3P1 and 1S0 is well determined from omega-omega decay angular correlations; P-state annihilation dominates strongly. A combined fit is made with data on pbar-p -> 3pizero at rest, where f2(1565) -> pizero-pizero is observed.
Submitted 11 September, 2011;
originally announced September 2011.