Measurement and monitoring of security from the perspective of a service provider

Han, Xiao

Attackers constantly deliver advanced attacks targeting legitimate services and users while defenders struggle to protect them. In this context, the service providers may play a very important, but often neglected or under-estimated, role in existing security models.

In this thesis, we explore several directions a service provider may follow to provide better security for both its customers and other Internet users. More precisely, we leverage the valuable information providers have access to in order to measure and monitor a diverse set of security threats, including malware abuses, compromised instances hosting phishing kits, and external web attacks.

Recent anecdotal evidence shows that cloud services are abused by malware writers. However, little was known about this phenomenon. We thus present a systematic large-scale study, and show that the existing security mechanisms adopted by service providers are insufficient to measure and detect this type of abuses.

In the second part, we look at a provider ability to monitor attacks that are otherwise difficult to study for third-party researchers. In particular, we designed and implemented PhishEye, a system to analyze phishing kit in an ethical way, which enabled us for the first time to understand the entire life-cycle of phishing attacks.

Finally, we explore alternative techniques, in particular deception techniques that a service provider may employ to add an additional layer of security for its customers. We conduct a comprehensive survey of existing techniques. Furthermore, we present two experiments to evaluate the efficiency of such techniques when they are used to protect web applications.


Sécurité numérique
Eurecom Ref:
© TELECOM ParisTech. Personal use of this material is permitted. The definitive version of this paper was published in Thesis and is available at :
See also: