Saturday, August 15, 2009
Microsoft Team Traces Malicious Users
Technology Review (08/13/09) Lemos, Robert
In a paper that will be presented at ACM SIGCOMM 2009, which takes place Aug. 17-21 in Barcelona, Spain, Microsoft researchers will demonstrate HostTracker, software that strips the anonymity from malicious Internet activity. The researchers were able to identify the machines responsible for anonymous attacks, even when the host's IP address changed rapidly. They say HostTracker could lead to better defenses against online attacks and spam campaigns. For example, security firms could build a clearer picture of which Internet hosts should be blocked from sending traffic to their clients, and cybercriminals would have a harder time disguising their activities as legitimate communications. The researchers analyzed a month's worth of data collected from a large email service provider to identify the users responsible for sending spam. Tracing the origin of a message involved reconstructing the relationships between account IDs and the hosts used to connect to the email service. The researchers grouped all the IDs accessed from different hosts over a given time period, and the HostTracker software searched through this data to resolve any conflicts. They also developed a way to automatically blacklist traffic from an IP address once HostTracker determines that the host at that address has been compromised. HostTracker was able to block malicious traffic with an error rate of 5 percent, and using additional information to identify good-user behavior reduced the error rate to less than 1 percent.
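As an added illustration of the idea the summary describes, and not HostTracker's own code (the paper's actual linking rules are not given here), the sketch below uses constructed login events and an assumed simplified rule: the set of accounts seen on one IP within a time window is treated as the same host as an earlier set that shares accounts with it, an ambiguous overlap with two hosts is resolved by starting a new host, and the block list follows a flagged host when its IP changes rather than staying on the old address.

```python
from collections import defaultdict

# Constructed sample login events (account_id, ip, minutes since start).
# Host A keeps the same accounts while its IP changes from 10.0.0.5 to 10.0.0.9;
# host B stays on 10.0.0.7; 10.0.0.5 is later reassigned to an unrelated host C.
EVENTS = [
    ("alice", "10.0.0.5", 1), ("bob", "10.0.0.5", 2), ("carol", "10.0.0.5", 3),
    ("dave", "10.0.0.7", 2), ("erin", "10.0.0.7", 4),
    ("alice", "10.0.0.9", 40), ("bob", "10.0.0.9", 41), ("carol", "10.0.0.9", 42),
    ("dave", "10.0.0.7", 41),
    ("frank", "10.0.0.5", 45), ("grace", "10.0.0.5", 46),
]
WINDOW = 30  # minutes; each (ip, window) bucket approximates one host-IP binding


def bindings(events, window=WINDOW):
    """Group the account IDs seen on each IP within each time window."""
    buckets = defaultdict(set)
    for account, ip, ts in events:
        buckets[(ip, ts // window)].add(account)
    return buckets


def track_hosts(events, window=WINDOW, min_shared=1):
    """Map each (ip, window) binding to a host id (assumed simplified rule).
    A binding joins the existing host whose accounts overlap it most, provided the
    overlap is at least min_shared and unique; a tie between hosts is a conflict,
    resolved here by opening a new host. Returns ({binding: host}, {host: accounts})."""
    hosts, assignment = {}, {}
    for key, accounts in sorted(bindings(events, window).items(), key=lambda kv: kv[0][1]):
        overlap = {h: len(accounts & seen) for h, seen in hosts.items()}
        best = max(overlap, key=overlap.get, default=None)
        if (best is not None and overlap[best] >= min_shared
                and list(overlap.values()).count(overlap[best]) == 1):
            hosts[best] |= accounts
            assignment[key] = best
        else:
            new_id = len(hosts)
            hosts[new_id] = set(accounts)
            assignment[key] = new_id
    return assignment, hosts


def blocklist(assignment, compromised_host, window_index):
    """IPs to block in one window for a host flagged as compromised: the block
    follows the host to its new address and is not applied to an IP it has left."""
    return sorted(ip for (ip, w), h in assignment.items()
                  if h == compromised_host and w == window_index)
```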