- Network Security and Intrusion Detection
- Internet Traffic Analysis and Secure E-voting
- Advanced Malware Detection Techniques
- Spam and Phishing Detection
- IPv6, Mobility, Handover, Networks, Security
- Security and Verification in Computing
- Web Application Security Vulnerabilities
- Access Control and Trust
- Caching and Content Delivery
- Peer-to-Peer Network Technologies
- Network Packet Processing and Optimization
- Anomaly Detection Techniques and Applications
- Software Testing and Debugging Techniques
- Mobile Agent-Based Network Management
- Digital and Cyber Forensics
- Advanced Authentication Protocols Security
- Cybercrime and Law Enforcement Studies
- Privacy-Preserving Technologies in Data
- Network Traffic and Congestion Control
- Cryptography and Data Security
- User Authentication and Security Systems
- Opportunistic and Delay-Tolerant Networks
- Information and Cyber Security
- Privacy, Security, and Data Protection
- Software-Defined Networks and 5G
Tsinghua University
2016-2025
Peng Cheng Laboratory
2021-2024
Microsoft Research (United Kingdom)
2023
Center for Information Technology
2019-2022
University of California, Riverside
2022
China XD Group (China)
2021
Brigham Young University
2018
Southeast University
2018
PLA Information Engineering University
2017
International Computer Science Institute
2015
As a new mechanism to monetize web content, cryptocurrency mining is becoming increasingly popular. The idea is simple: a webpage delivers an extra workload (JavaScript) that consumes computational resources on the client machine to solve cryptographic puzzles, typically without notifying users or having explicit user consent. This mechanism, often heavily abused and thus considered a threat termed "cryptojacking", is estimated to affect over 10 million web users every month; however, only a few anecdotal reports exist so...
Content Delivery Network (CDN) and Hypertext Transfer Protocol Secure (HTTPS) are two popular but independent web technologies, each of which has been well studied individually and independently. This paper provides a systematic study on how these two work together. We examined 20 CDN providers and 10,721 of their customer sites using HTTPS. Our study reveals various problems with the current HTTPS practice adopted by CDN providers, such as widespread use of invalid certificates, private key sharing, neglected...
Capability leak is a vulnerability in Android applications, which violates the enforcement of the permission model and threatens the secure usage of phone users. Malicious applications can launch privilege escalation attacks with this vulnerability. In this paper, we propose a dynamic Intent fuzzing mechanism to uncover vulnerable applications in both markets and closed-source ROMs. We built a prototype called IntentFuzzer. With it, we analyzed more than 2000 applications from Google Play and hundreds of in-ROM applications inside two ROMs, and found that 161 have at least one capability leak, 26...
DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between clients and servers, which we jointly term DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from industry, little has been done to understand...
The online underground economy is an important channel that connects the merchants of illegal products and their buyers, which is also constantly monitored by legal authorities. As one common way for evasion, merchants and buyers together create a vocabulary of jargons (called "black keywords" in this paper) to disguise the transaction (e.g., "smack" is the street name of "heroin" [1]). Black keywords are often "unfriendly" to outsiders, created either by distorting the original meaning of words or by tweaking other black keywords....
In this paper, we report a series of flaws in the software stack that leads to a strong revival of DNS cache poisoning --- a classic attack which is mitigated in practice with simple and effective randomization-based defenses such as randomized source port. To successfully poison the cache on a typical server, an off-path adversary would need to send an impractical number ($2^{32}$) of spoofed responses, simultaneously guessing the correct source port (16-bit) and transaction ID (16-bit). Surprisingly, we discover weaknesses that allow a "divide...
Malicious activities on the Internet continue to grow in volume and damage, posing a serious risk to society. Malware with remote control capabilities is considered one of the most threatening malicious activities, as it can enable arbitrary types of cyber-attacks. As a countermeasure, many malware detection methods have been proposed to identify malicious behaviours based on traffic characteristics. However, emerging encryption and evasion techniques pose substantial barriers to the full exploitation of network information. This...
Malware, such as Trojan horses, worms and spyware, severely threatens the Internet. We observed that although malware and its variants may vary a lot in content signatures, they share some behavior features at a higher level which are more precise in revealing the real intent of the malware. This paper investigates the technique of behavior feature extraction, presents a formal Malware Behavior Feature (MBF) extraction method, and proposes a malicious feature based detection algorithm. Finally we designed and implemented the MBF detection system,...
The performance and operational characteristics of the DNS protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion query-response pairs collected from 600 globally distributed recursive resolvers. We use it to reaffirm findings in published work and notice some significant differences that could be attributed to both the evolving nature of traffic and our differing perspective. For example, we find that although...
Domain names have been exploited for illicit online activities for decades. In the past, miscreants mostly registered new domains for their attacks. However, domains registered for malicious purposes can be deterred by existing reputation and blacklisting systems. In response to this arms race, miscreants recently adopted a new strategy, called domain shadowing, to build attack infrastructures. Specifically, instead of registering new domains, they are beginning to compromise legitimate ones and spawn malicious subdomains under them. This has rendered almost all...
Internationalized Domain Names (IDNs) are domain names containing non-ASCII characters. Despite their installation in DNS for more than 15 years, little has been done to understand how this initiative was developed and its security implications. In this work, we aim to fill the gap by studying the IDN ecosystem and cyber-attacks abusing IDNs. In particular, we performed by far the most comprehensive measurement study using IDNs discovered from 56 TLD zone files. Through correlating data from auxiliary sources like WHOIS, passive...
In this paper, we design NETHCF, a line-rate in-network system for filtering spoofed traffic. NETHCF leverages the opportunity provided by programmable switches to build a novel defense against spoofed IP traffic, and it is highly efficient and adaptive. One key challenge stems from the restrictions of the computational model and memory resources of switches. We address this by decomposing HCF into two complementary components: one component in the data plane and another in the control plane. We also aggregate the IP-to-Hop-Count (IP2HC) mapping table to reduce memory usage,...
In this paper, we propose PHOENIX DOMAIN, a general and novel attack that allows adversaries to maintain a revoked malicious domain continuously resolvable at scale, which enables an old, mitigated attack, Ghost Domain. PHOENIX DOMAIN has two variations and affects all mainstream DNS software and public resolvers overall because it does not violate any specifications or best security practices. The attack is made possible through systematically "reverse engineering" the cache operations of 8 DNS implementations, and new...
In the digital age, device search engines such as Censys and Shodan play crucial roles by scanning the internet to catalog online devices, aiding in the understanding and mitigation of network security risks. While previous research has used these tools to detect devices and assess vulnerabilities, there remains uncertainty regarding the assets they scan, the strategies they employ, and whether they adhere to ethical guidelines. This study presents the first comprehensive examination of these engines' operational dimensions. We developed a novel...
With the rise of generative large language models (LLMs) like LLaMA and ChatGPT, these models have significantly transformed daily life and work by providing advanced insights. However, as jailbreak attacks continue to circumvent built-in safety mechanisms, exploiting carefully crafted scenarios or tokens, the security risks of LLMs come into focus. While numerous defense strategies--such as prompt detection, modification, and model fine-tuning--have been proposed to counter these attacks, a critical question arises: do these defenses...
Promotional infection is an attack in which the adversary exploits a website's weakness to inject illicit advertising content. Detection of such an infection is challenging due to its similarity to legitimate activities. An interesting observation we make in our research is that such an infection almost always incurs a great semantic gap between the infected domain (e.g., a university site) and the content it promotes (e.g., selling cheap viagra). Exploiting this gap, we developed a semantic-based technique, called Semantic Inconsistency Search (SEISE), for...
The popularity of online gambling could bring negative social impact, and many countries ban or restrict gambling. Taking China for example, online gambling violates Chinese laws and hence is illegal. However, illegal gambling websites are still thriving despite strict restrictions, since they are able to make tremendous illicit profits by trapping and cheating players. In this paper, we conduct the first deep analysis on illegal online gambling targeting China to unveil its profit chain. After successfully identifying more than 967,954 suspicious websites,...