The Internet has never ceased to be a central battleground for adversarial actors to launch various attacks and abuses. More importantly, these actions have not received the attention they deserve in the community, as most threat detection and defense work is devoted to tackling direct attacks/abuses instead of adversarial ones that enable and cloak direct threats. A significant portion of adversarial actions on the Internet target content blockers, which are primarily intended to detect and overthrow unwanted and ill-intended Internet resources and traffic, because of their ever-growing popularity and dominance. Given the status quo, a more complete understanding of these threats is urgently needed, as well as effectual countermeasures and defenses against them.
In this dissertation, I aim to demystify emerging adversarial actions against content blockers from different layers of the Internet, and to design defenses for protecting user security and privacy accordingly. For discerning and analyzing these actions, I propose automated analysis or learning-based methods as technical solutions, which range from program analysis and software instrumentation to machine learning. I then develop platforms for measuring and detecting adversarial actions in the wild. At the core of my analysis, I observe that the fundamental nature of adversarial actions lies in differential/conditional reaction, which refers to how adversarial actors distinctly determine their behaviours depending on what they perceive from the target content blocker. This is because, unlike other general attacks or abuses, adversarial actions, by definition, are specifically designed to evade deployed detection and protections (i.e., content blockers). Moreover, I find that such a unique differential behavioural pattern is best captured by examining and comparing low-level/high-resolution contextual traces under different settings of the deployed content blocking system. Therefore, I build platforms to define, extract and analyze such signals from Internet data and code, and use them to discover adversarial activities. Furthermore, in order to thwart unearthed adversarial actions, I design defenses that conceal distinguishable traces from the system protected by content blockers to prevent adversaries from activating their adversarial differential reactions.
In Chapters 2, 3 and 4 of this dissertation, I focus on the upper-level application layer of the Internet, and tackle adversarial threats there from web advertising practitioners. In Chapter 5, I turn to the lower-level infrastructure layer of the Internet, and detect/counter evasions that are designed for eluding intrusion detection systems based on packet inspection. In summary, by hardening layers of the Internet, I attempt to make it a more secure and private place overall, through learning and other automated analysis approaches. At the end of this dissertation (Chapter 6), I conclude with my research contributions and highlight some open research questions that are worth investigating in the future.