Using Machine Learning to Hunt Down Cybercriminals

Published 9 October 2019

An increasingly popular form of cyber-attack is to hijack IP addresses for a range of goals, from sending spam and malware to stealing Bitcoin. It’s estimated that in 2017 alone, routing incidents such as IP hijacks affected more than 10 percent of all the world’s routing domains. There have been major incidents at Amazon, Google and even nation-states – a study last year suggested that a Chinese telecom company used the approach to gather intelligence on western countries by rerouting their internet traffic through China.

Existing efforts to detect IP hijacks tend to look at specific cases only when they’re already in process. But what if we could predict these incidents in advance by tracing things back to the actual hijackers themselves?  

According to UCSD, that’s the idea behind a new machine learning system developed by researchers at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) and the Center for Applied Internet Data Analysis (CAIDA), based at the San Diego Supercomputer Center (SDSC) at UC San Diego. By illuminating some of the common qualities of what they call “serial hijackers,” the team trained their system to identify roughly 800 suspicious networks, and found that some of them had been hijacking IP addresses for years.

“Network operators normally have to handle such incidents reactively and on a case-by-case basis, making it easy for cybercriminals to continue to thrive,” said lead author Cecilia Testart, a graduate student at CSAIL who will present the paper at the ACM Internet Measurement Conference October 21-23 in Amsterdam. “This is a key first step in being able to shed light on serial hijackers’ behavior and proactively defend against their attacks.”

The Nature of Nearby Networks
IP hijackers exploit a key shortcoming in the Border Gateway Protocol (BGP), a routing mechanism that essentially allows different parts of the internet to talk to each other. Through BGP, networks exchange routing information so that data packets find their way to the correct destination. 

In a BGP hijack, a malicious actor convinces nearby networks that the best path to reach a specific IP address is through their network. That’s unfortunately not very hard to do, since BGP itself doesn’t have any security procedures for validating that a message is actually coming from the place it says it’s coming from. 

“It’s like a game of Telephone, where you know who your nearest neighbor is, but you don’t know the neighbors five or 10 nodes away,” said Testart.
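To make the mechanism concrete, here is a small model of the behaviour described above. It is an added example written for this page, not code from the article or from the paper it reports on. An observer network keeps a routing table (RIB) of announcements it has received, picks routes by longest matching prefix and then shortest AS path, and, as in plain BGP, never checks whether the origin AS is entitled to announce the prefix. The `validate_origin` function at the end is the defender's counterpart: it compares each selected route's origin with an authorisation table modelled loosely on RPKI route origin authorisations (ROAs). All ASNs, prefixes and announcements are constructed from documentation ranges and are not real data.

```python
"""Toy model of BGP route selection at one observer AS, plus a defender-side
origin check. Constructed example: every ASN (64496-64511) and prefix
(203.0.113.0/24, 198.51.100.0/24) comes from the documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Announcement:
    prefix: str       # CIDR prefix as announced, e.g. "203.0.113.0/24"
    as_path: tuple    # AS path as seen by the observer; the last ASN is the origin

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def best_route(candidates):
    """Simplified BGP decision process: among announcements for the same prefix
    the shortest AS path wins. Nothing here validates the origin AS, as in BGP."""
    return min(candidates, key=lambda a: len(a.as_path))


def forwarding_route(rib, destination):
    """Route used to reach `destination`: longest matching prefix first, then
    best_route() among the announcements received for that prefix."""
    dst = ip_address(destination)
    matching = [p for p in rib if dst in ip_network(p)]
    if not matching:
        return None
    most_specific = max(matching, key=lambda p: ip_network(p).prefixlen)
    return best_route(rib[most_specific])


def validate_origin(route, roas):
    """Compare a route's origin with the authorised origin for its prefix.
    `roas` maps a covering prefix to (authorised origin ASN, max prefix length),
    in the style of an RPKI ROA (simplified for this example).
    Returns 'valid', 'invalid', or 'unknown' when no ROA covers the prefix."""
    net = ip_network(route.prefix)
    covered = False
    for covering, (asn, maxlen) in roas.items():
        if net.subnet_of(ip_network(covering)):
            covered = True
            if route.origin == asn and net.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "unknown"


def audit(rib, roas):
    """Origin validation over the best route of every prefix in the RIB."""
    return {prefix: validate_origin(best_route(anns), roas)
            for prefix, anns in rib.items()}


# Constructed observer view (observer is AS64496). 203.0.113.0/24 legitimately
# originates at AS64500. A more-specific /25 for the same space is also present,
# originating at AS64511 over a shorter path; longest-prefix match prefers it
# for any address inside the /25 regardless of who announced it.
RIB = {
    "203.0.113.0/24": [
        Announcement("203.0.113.0/24", (64496, 64497, 64500)),
        Announcement("203.0.113.0/24", (64496, 64499, 64498, 64500)),
    ],
    "203.0.113.0/25": [Announcement("203.0.113.0/25", (64496, 64511))],
    "198.51.100.0/24": [Announcement("198.51.100.0/24", (64496, 64498))],
}

# Constructed authorisation table: only AS64500 may originate 203.0.113.0/24,
# and only at exactly /24 (maxlen 24), so a /25 carved out of it is unauthorised.
ROAS = {"203.0.113.0/24": (64500, 24)}


if __name__ == "__main__":
    chosen = forwarding_route(RIB, "203.0.113.10")
    print("203.0.113.10 is forwarded via origin AS", chosen.origin)
    for prefix, status in audit(RIB, ROAS).items():
        print(f"{prefix:18} {status}")
```

The point of the audit is the "invalid" verdict on the /25: route selection alone happily installs it, and only an out-of-band statement of who is allowed to originate the space lets an operator notice. Prefixes with no covering authorisation come back "unknown", which is the usual state for much of the routing table and is why a purely per-route check cannot replace looking at the announcing network's history, as the paper described above sets out to do.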