Speaker: Juan Caballero (IMDEA Software Institute, ES)
Title: CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers
Juan Caballero is an Assistant Research Professor at the IMDEA Software Institute in Madrid, Spain. His research focuses on security issues in systems, software, and networks. He received his Ph.D. in Electrical and Computer Engineering from Carnegie Mellon University, USA, and was a visiting researcher at University of California, Berkeley for two years. His research has appeared (and has won best paper awards) at top security venues. He has served on the technical committees of venues such as IEEE S&P, NDSS, WWW, RAID, and DIMVA. He is program chair for the 2014 Digital Forensics Research Symposium (DFRWS) and program co-chair for the 2014 EuroSec workshop.
Cybercriminals use different types of geographically distributed servers to run their operations, such as C&C servers for managing their malware, exploit servers to distribute the malware, payment servers for monetization, and redirectors for anonymity. Identifying the server infrastructure used by a cybercrime operation is fundamental for defenders, as it enables take-downs that can disrupt the operation and is a critical step towards identifying the criminals behind it. In this paper, we propose a novel active probing approach for detecting malicious servers and compromised hosts that listen for (and react to) incoming network requests. We have implemented our active probing approach in a tool called CyberProbe and have used CyberProbe to identify 151 malicious servers and 7,881 P2P bots.