Facebook ThreatData
Written by Andrew Johnson   
Friday, 28 March 2014

Facebook has developed a security-focused framework called ThreatData that it says will make it simpler to manage a range of online threats.

The framework attempts to provide a single source of information about threats on the Internet. According to Facebook's Internet Threat Researcher Mark Hammell, the idea behind it is:

“Given the pace of criminals today, one of the hard parts is actually keeping track of all the data related to malware, phishing, and other risks. We wanted an easier way to organize our work and incorporate new threat information we receive so that we can do more to protect people.”

The framework Facebook developers have created lets the company import information about “badness” on the Internet in arbitrary formats, store it efficiently, and making the data accessible for both real-time defensive systems and long-term analysis.

The ThreatData framework has three high-level parts: feeds, data storage, and real-time response.

Feeds collect data from a specific source and are implemented via a light-weight interface. The data can be in imported in most formats, and the feed transforms it into a simple schema that is capable of storing not only the basics of the threat (e.g., evil-malware-domain.biz) but also the context in which it was bad. The added context is used in other parts of the framework to make more informed, automatic decisions.

Once transformed, the data is fed into both Hive and Scuba; Hive is then used to answer questions based on long-term data such as “Have we ever seen this threat before?” and “What type of threat is more prevalent from our perspective: malware or phishing?”, while Scuba is used for more immediate analysis along the lines of “What new malware are we seeing today?” and “Where are most of the new phishing sites?”.

Facebook has also developed a processor to examine the data at the time of logging and act on each of these new threats. Hammell gave examples implemented so far including the fact that all malicious URLs collected from any feed are sent to the same blacklist used to protect people on facebook.com; and that interesting malware file hashes are automatically downloaded from known malware repositories, stored, and sent for automated analysis.

The analysis has highlighted some trends in malware, including a spam campaign aimed at feature phones that was capable of stealing a victim's address book, sending premium SMS spam, and using the phone's camera to take pictures. The framework also lets Facebook view where threats are coming from, arranged by type of attack, time, and frequency. The notes include a worldwide heat map showing malicious and victimized IP addresses, with a pie chart showing similar results for the U.S. by ISP.

 

In his post Hamell comments:

“Discoveries and detection capabilities like these are just the tip of the iceberg . We’re constantly finding new ways to improve and extend the ThreatData framework to encompass new threats and make smarter decisions with the ones we’ve already identified.”

 

Banner


Android L Is Lollipop And New Nexus Devices
16/10/2014

Google has finally officially launched Android 5 as Lollipop along with a bunch of new Nexus devices. So what does our new Android world look like?



Google APIs Adopt Promises
03/10/2014

Promises seem to be the way that every JavaScript framework is heading. The latest to embrace the Promise is Google's JavaScript Client Library.


More News

Last Updated ( Friday, 28 March 2014 )
 
 

   
RSS feed of news items only
I Programmer News
Copyright © 2014 i-programmer.info. All Rights Reserved.
Joomla! is Free Software released under the GNU/GPL License.