Senior Researcher, Security, Barcelona Digital Technology Centre
Jesús Luna received a Bachelor's degree in Telecommunications Engineering from the National Polytechnic Institute (IPN) in Mexico in 1995, a Master's degree in Computer Science in 2002 and a PhD in Computer Architecture from the Polytechnic University of Catalonia (UPC) in 2008. He was a postdoctoral researcher with the CoreGRID Network of Excellence (Greece/Cyprus) and has more than 15 years of experience in the field of computer security, working with public and private companies and universities in Mexico and southern Europe. He currently works as a security researcher with Barcelona Digital Technology Centre, where he collaborates on cloud security projects. He is the co-founder of the Cloud Security Alliance's Spanish Chapter. Jesus Luna can be contacted at firstname.lastname@example.org
Towards Cloud-based Intelligence Services: an IP Reputation system to detect financial drones
Every day, hundreds or even thousands of computers are infected with financial malware (e.g. Zeus) that turns them into zombies or drones, capable of joining massive financial botnets that well-organized cyber-criminals hire in order to steal online banking customers' credentials. Although detection and mitigation mechanisms for SPAM and DDoS-related botnets have been widely researched and developed, the passive nature (low network traffic, fewer connections) of financial botnets makes countermeasures considerably harder. Cyber-criminals are therefore still obtaining high economic profits at relatively low risk with financial botnets.
In this paper we propose the use of publicly available IP blacklists to detect both drones and Command & Control (C&C) nodes that are part of financial botnets. To test this hypothesis we have developed a proof-of-concept IP Reputation System based on a formal framework, capable of evaluating the quality of a blacklist by comparing it against a baseline using different metrics (latency and completeness).
The contributed framework has been tested with approximately 500 million IP addresses, retrieved during a one-month period from seven different well-known blacklist providers, taking as baseline a set of known financial drones (obtained with business intelligence methods). Our experimental results show that these IP blacklists are able to detect both drones and C&C nodes related to the Zeus botnet. Even more important, this novel methodology can be provided as a high-performance solution at a lower cost than existing anti-fraud techniques.
In our research we also show that it is possible to assign different quality scores or reputations to each blacklist based on our metrics. With this information we have been able to design a high-performance IP reputation system for the Cloud that uses the previously obtained blacklist reputation scores in order to reply almost in real time whether a given IP is a member of a financial botnet or not. We believe that such a system can easily be used as part of a set of intelligence services in the Cloud, integrated into existing e-banking anti-fraud systems.
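As an added illustration of the evaluation the abstract describes (not code from the paper or its framework), the following Python scores each blacklist against a drone baseline using the two metrics named above: completeness (fraction of baseline drones the list ever catches) and latency (days between a drone's confirmation and its first listing). The snapshots, baseline dates, weighting and 7-day latency ceiling are constructed assumptions for the example; the paper's own formal definitions may differ.

```python
from datetime import date

# Constructed sample data: per-provider daily snapshots (day -> set of listed IPs).
BLACKLIST_SNAPSHOTS = {
    "provider_a": {
        date(2012, 3, 1): {"203.0.113.10", "198.51.100.5"},
        date(2012, 3, 2): {"203.0.113.10", "198.51.100.5", "203.0.113.77"},
        date(2012, 3, 4): {"203.0.113.10", "203.0.113.77", "192.0.2.200"},
    },
    "provider_b": {
        date(2012, 3, 1): {"203.0.113.10"},
        date(2012, 3, 3): {"203.0.113.10", "192.0.2.200"},
    },
}

# Constructed baseline: confirmed financial drones and the day each was confirmed.
BASELINE = {
    "203.0.113.10": date(2012, 3, 1),
    "203.0.113.77": date(2012, 3, 1),
    "192.0.2.200": date(2012, 3, 2),
    "192.0.2.250": date(2012, 3, 2),  # never listed by any provider: a miss
}


def evaluate_blacklist(snapshots, baseline):
    """Return (completeness, mean_latency_days) of one provider against the baseline."""
    first_listed = {}
    for day in sorted(snapshots):          # earliest snapshot wins
        for ip in snapshots[day]:
            first_listed.setdefault(ip, day)
    detected = [ip for ip in baseline if ip in first_listed]
    completeness = len(detected) / len(baseline)
    # Listing before confirmation counts as zero latency, not negative.
    latencies = [max(0, (first_listed[ip] - baseline[ip]).days) for ip in detected]
    mean_latency = sum(latencies) / len(latencies) if latencies else None
    return completeness, mean_latency


def reputation_score(completeness, mean_latency, max_latency_days=7):
    """Assumed weighting: half completeness, half timeliness (linear decay to the ceiling)."""
    if mean_latency is None:               # caught nothing: no reputation
        return 0.0
    timeliness = max(0.0, 1 - mean_latency / max_latency_days)
    return round(0.5 * completeness + 0.5 * timeliness, 3)


def lookup_ip(ip, snapshots_by_provider, baseline):
    """Reply for one IP: best reputation among providers whose latest snapshot lists it, else 0.0."""
    best = 0.0
    for snaps in snapshots_by_provider.values():
        if ip in snaps[max(snaps)]:
            best = max(best, reputation_score(*evaluate_blacklist(snaps, baseline)))
    return best
```

A production deployment would precompute each provider's score once per evaluation window rather than recomputing it per query, so the lookup stays a set membership test plus a table read.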