“If I have seen further than others, it is by standing upon the shoulders of giants”, Isaac Newton.
Three researchers from Georgia Tech, University of Georgia and Princeton University have just released a paper on bulletproof hosting Autonomous Systems (ASes), using CIRCL’s BGP Ranking project and open data as a key reference to evaluate the results of their own model, ASwatch.
Bulletproof hosting ASes are favoured by cyber criminals because they host a wide range of illegal content, botnet C&C servers, and other malicious resources, giving criminals a large pool of infrastructure to operate from.
The researchers present ASwatch as a system that identifies malicious ASes “using exclusively the control-plane (i.e., routing) behavior of ASes. It is based on the intuition that, in an attempt to evade possible detection and remediation efforts, malicious ASes exhibit “agile” control plane behavior. We evaluate our system on known malicious ASes; our results show that ASwatch detects up to 93% of malicious ASes with a 5% false positive rate, which is reasonable to effectively complement existing defense systems”, as noted in the research paper.
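To make the "agile control plane" intuition concrete, here is an added, illustrative example (not code from the paper, from ASwatch or from BGP Ranking) that scores origin ASes on constructed BGP update records by announce/withdraw churn and by how many different upstream providers they have been seen behind. The feature definitions, thresholds, ASNs and prefixes are assumptions for illustration only, not the paper's model or data.

```python
from collections import defaultdict

# Constructed BGP update records (hypothetical, not from the paper's dataset):
# (time_step, origin_asn, prefix, upstream_asn, kind) with kind "A" = announce, "W" = withdraw.
# ASNs come from the documentation range (RFC 5398); prefixes from RFC 5737.
UPDATES = [
    (1, 64500, "192.0.2.0/24",     64496, "A"),  # stable AS: announced once, one upstream
    (1, 64500, "198.51.100.0/24",  64496, "A"),
    (1, 64511, "203.0.113.0/24",   64497, "A"),  # "agile" AS: same prefix keeps moving
    (2, 64511, "203.0.113.0/24",   64497, "W"),
    (3, 64511, "203.0.113.0/24",   64498, "A"),
    (4, 64511, "203.0.113.0/24",   64498, "W"),
    (5, 64511, "203.0.113.0/24",   64499, "A"),
    (6, 64511, "203.0.113.0/24",   64499, "W"),
    (7, 64511, "203.0.113.0/24",   64496, "A"),
]


def churn_features(updates):
    """Per origin AS: announce/withdraw events per prefix and number of distinct upstreams.

    Only announcements count towards upstreams, since a withdraw carries no new path.
    """
    events = defaultdict(int)
    prefixes = defaultdict(set)
    upstreams = defaultdict(set)
    for _, origin, prefix, upstream, kind in updates:
        events[origin] += 1
        prefixes[origin].add(prefix)
        if kind == "A":
            upstreams[origin].add(upstream)
    return {
        asn: {
            "events_per_prefix": events[asn] / len(prefixes[asn]),
            "upstreams": len(upstreams[asn]),
        }
        for asn in events
    }


def flag_agile(features, min_events_per_prefix=3.0, min_upstreams=3):
    """Return origin ASes whose routing churn and upstream rewiring both exceed the (assumed) thresholds."""
    return sorted(
        asn for asn, f in features.items()
        if f["events_per_prefix"] >= min_events_per_prefix and f["upstreams"] >= min_upstreams
    )


if __name__ == "__main__":
    print(flag_agile(churn_features(UPDATES)))  # → [64511]
```

On real data the same two features would be computed over a sliding window from a BGP collector feed, and a flagged AS would be a lead for triage rather than a verdict.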
BGP Ranking is free software developed by CIRCL to calculate a security ranking for Internet Service Providers (by AS number). The system gathers external data sources in order to evaluate the ranking over time. Its purpose is to quickly detect malicious activity attributable to a specific AS number and to validate the data sources used for security.
The research compares the performance of ASwatch with BGP Ranking, “a state-of-the-art AS reputation system that relies on data-plane information. Our analysis over nearly three years shows that ASwatch detects about 72% of the malicious ASes that were observable over this time period, whereas BGP Ranking detects only about 34%”. “These results suggest that a potential collaboration and sharing on this topic would be highly interesting to improve overall security on the Internet. Another engaging part is the use of open data in order to improve research validation and provide a ground for new research in the field of information security,” explains Alexandre Dulaunoy from CIRCL.
Read the full paper here: Konte, Maria, Roberto Perdisci, and Nick Feamster. “ASwatch: An AS Reputation System to Expose Bulletproof Hosting ASes.” Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication. ACM, 2015.