The combination of widespread software homogeneity and the Internet's unrestricted communication model creates an ideal climate for infectious, self-propagating pathogens - "worms" and "viruses" - with each new generation of outbreaks demonstrating increasing speed, virulence, and sophistication. The Center for Internet Epidemiology and Defenses aims to address twin fundamental needs: to better understand the behavior and limitations of Internet epidemics, and to develop systems that can automatically defend against new outbreaks in real-time.
Understanding the scope and emergent behavior of Internet-scale worms seen in the wild constitutes a new science termed "Internet epidemiology". To gain visibility into pathogens propagating across the global Internet, the Center is pursuing the construction and operation of a distributed "network telescope" of unprecedented scale. The telescope in turn feeds a "honeyfarm" collection of vulnerable "honeypot" servers whose infection serves to indicate the presence of an Internet-scale worm.
To then fight worms once detected, the Center works on developing mechanisms for deriving "signatures" of a worm's activity and disseminating these to worm suppression devices deployed throughout the global network.
Finally, the Center strives to ground its research in the potentially thorny, but highly relevant, "real-world" issues of informing the development of legal frameworks in terms of the appropriate use of anti-worm technologies and their applications for providing forensic evidence; and enabling the development of actuarial models for quantifying exposure to aggregate risk and liability from Internet epidemics, critical for supporting the emerging cyber-insurance industry.
(CCIED) was a joint effort between researchers at the University of California, San Diego, and the International Computer Science Institute in Berkeley, California. The Center addressed the critical challenges posed by large-scale Internet-based attacks: pathogens, such as "worms" and "viruses", and, during the later part of CCIED's lifetime, the rise of "botnets". Its activities spanned 2004-2012. CCIED pursued a multi-faceted approach to countering these large-scale threats: measuring and analyzing in detail numerous outbreaks over much of the past decade; assessing the behavior, limitations, and likely evolution of the malware used to launch the attacks; developing early-warning and forensic capabilities; devising novel defense technologies; and illuminating the broader criminal "ecosystem" that plays a crucial role in fueling today's large-scale attacks by rendering them both easy to launch and financially profitable to those who conduct them. A key enabler of CCIED's successes was the team's extensive work on developing new technologies for supporting the observation and analysis of large-scale Internet attacks. These capabilities included "network telescopes" capable of recording and engaging with malicious probes received on hundreds of thousands of Internet addresses; "honeyfarms" that can safely execute malware that relies upon Internet communication; a Web crawling infrastructure for processing hundreds of millions of potentially malicious Web URLs seen in disparate high-volume "spam feeds"; and high-performance protocol analyzers that can spot complex patterns of activity seen in network links that carry tens of thousands of packets per second. The Center's earlier activities focused on the threat of worms: malware that rapidly self-propagates across the global Internet. The team's most significant results include developing a system that can detect with very high confidence the onset of such outbreaks in seconds; a mechanism for rapidly suppressing the "scanning" that many such worms employ to find new victims to infect; and a highly detailed forensic analysis of one outbreak that developed strong evidence indicating the worm specifically targeted a United States military base. As the team further analyzed the evolution of large-scale attacks, it became increasingly apparent that attackers were shifting their efforts away from self-propagating worms and instead to the employment of more tightly controlled "botnets". In addition, growing anecdotes indicated that the users of these botnets did not conduct their activities in isolation, but increasingly drew upon an extensive "underground economy" that makes available for purchase myriad goods and services that miscreants can tap to efficiently profit from large-scale Internet attacks. In 2006/2007 CCIED conducted and published the first extensive, rigorous study of one of the underground economy's thriving on-line marketplaces. Drawing upon several million marketplace messages, the team characterized thriving trade in stolen credit cards, computer accounts, malware toolkits, attack-for-hire, and money laundering for "cash out". This initial study led the team to formulate a hypothesis that came to shape much of the later work conducted by the Center: perhaps the most effective way to combat large-scale Internet attacks is not by constructing point-wise defenses against various specific threats, but instead to render it more difficult for miscreants to financially profit from launching such attacks. Assessing this hypothesis first required developing an understanding of how Internet attackers conduct their activities. To this end, CCIED researchers undertook to "infiltrate" a botnet that conducted huge spam campaigns consisting of sending billions of unwanted emails. By reverse-engineering the workings of the botnet, the team was able to insert components under their own control to both monitor the botnet's activity and perturb its operation. This enabled the first-ever study of email spam as seen from the perspective of the spammer, including the remarkable finding that the spammer had to send on average more than 12,000,000 spam emails to sell a single order of counterfeit pharmaceuticals (such as Viagra). Yet, the study also found that the volume of spam is so intense that employing the botnet in this fashion could still yield several million dollars in gross yearly revenue. In its final years, CCIED further investigated numerous facets of both cybercrime profitability and defensive techniques for undermining different components that attackers employ for their enterprise. The most significant undertaking regarding this was the Center's study of the attacker infrastructure associated with several hundred million spam URLs to determine which elements represent the greatest structural weakness, i.e., where defender intervention could prove the most disruptive. This analysis led to the striking finding that a small number of merchant banks process almost all of the payments associated with spam-advertised fraudulent products. Disrupting this payment process would essentially de-monetize an entire underground industry - a finding heralded by a New York Times article and subsequent editorial, and now being pursued by various parties.
