UC San Diego

Fraud, theft and other abuses are unfortunate realities of the modern Internet. While defenders work to stop these bad things from happening, attackers are constantly evolving to try to stay one step ahead. Experience shows that not all attacks can be prevented, so defenders must also work to detect ongoing attacks quickly to contain the inevitable damage.

As attacks evolve, detecting them requires new methods. A challenge remains on how to efficiently develop these new methods across the diverse threat landscape given that attack methods vary widely, and most current systems to detect attacks are deeply domain-specific and hard to generalize. Despite first appearances, however, many attacks do have something important in common: their underlying motivations.

These common motivations can help guide the development of new detection and mitigation methods, regardless of how the attack is ultimately carried out. For financially-driven malicious actors in particular, there is an inherent tension in evading detection: the better they maintain their illusions, the more effectively they can monetize their attack, but good evasion is expensive and cuts into the attacker's profit. As such, attackers construct illusions that are good enough only to counter expected defenses, rather than blend in perfectly. Understanding these incentives and constraints guides us not only to identify what attackers may target, but also where they are most likely to leave themselves unprotected.

In this dissertation, I demonstrate the value and applicability of this approach in three vastly different environments. I use it to detect web site compromise at scale by leveraging the incentive to perform password re-use attacks, to mitigate fraud on search engine advertising by eliminating verticals where fraudsters are forced to congregate, and to identify deceptive commercial VPN providers by identifying when providers strategically deceive users in what vantage points they offer. In each case, understanding where malicious actors would not or could not effectively mask their activity yields concrete techniques to detect and mitigate their malicious activity.