Spamming Botnets: Signatures and Characteristics



Similar documents
SPAMMING BOTNETS: SIGNATURES AND CHARACTERISTICS

Host Fingerprinting and Tracking on the Web: Privacy and Security Implications

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

An Efficient Methodology for Detecting Spam Using Spot System

When Reputation is Not Enough. Barracuda Security Gateway s Predictive Sender Profiling. White Paper

How To Protect Your From Spam On A Barracuda Spam And Virus Firewall

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Comprehensive Filtering. Whitepaper

Anti Spam Best Practices

Spam DNA Filtering System

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

SANS Top 20 Critical Controls for Effective Cyber Defense

Social Media Mining. Data Mining Essentials

SPAM DETECTOR: A TOOL TO MONITOR AND DETECT SPAM ATTACKS

Thexyz Premium Webmail

Barracuda Intrusion Detection and Prevention System

Kaspersky Anti-Spam 3.0

NSFOCUS Web Application Firewall White Paper

The spam economy: the convergent spam and virus threats

Zero day attacks anatomy & countermeasures. By Cade Zvavanjanja Cybersecurity Strategist

Attack and Defense Techniques 2

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

Prevention, Detection and Mitigation of DDoS Attacks. Randall Lewis MS Cybersecurity

Dynamics of Online Scam Hosting Infrastructure

Fighting Advanced Threats

The Hillstone and Trend Micro Joint Solution

ASAV Configuration Advanced Spam Filtering

Image Based Spam: White Paper

Detecting peer-to-peer botnets

De-anonymizing the Internet Using Unreliable IDs

Finding Security in the Cloud

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam

Application Description

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages

DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen. Eldad Chai, VP Product

Symantec Cyber Security Services: DeepSight Intelligence

security

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

The Latest Internet Threats to Affect Your Organisation. Tom Gillis SVP Worldwide Marketing IronPort Systems, Inc.

eprism Security Appliance 6.0 Intercept Anti-Spam Quick Start Guide

Threat Spotlight: Angler Lurking in the Domain Shadows

Comprehensive Filtering: Barracuda Spam Firewall Safeguards Legitimate

Shellshock. Oz Elisyan & Maxim Zavodchik

UNMASKCONTENT: THE CASE STUDY

Detecting Network Anomalies. Anant Shah

Dynamics of Online Scam Hosting Infrastructure

How To Filter From A Spam Filter

EVILSEED: A Guided Approach to Finding Malicious Web Pages

CS 558 Internet Systems and Technologies

White Paper. Why Next-Generation Firewalls Don t Stop Advanced Malware and Targeted APT Attacks

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Conclusions and Future Directions

BotGraph: Large Scale Spamming Botnet Detection

Intrusion Detection and Intrusion Prevention. Ed Sale VP of Security Pivot Group, LLC

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

Taxonomy of Intrusion Detection System

Penta Security 3rd Generation Web Application Firewall No Signature Required.

Computer Security DD2395

MALWARE ANALYSIS 1. STYX EXPLOIT PACK: INSIDIOUS DESIGN Aditya K. Sood & Richard J. Enbody Michigan State University, USA COMMUNICATION DESIGN

Trend Micro Hosted Security Stop Spam. Save Time.

Ipswitch IMail Server with Integrated Technology

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

SonicWALL Global Management System Reporting Guide Standard Edition

Firewall Testing Methodology W H I T E P A P E R

Marketing 201. How a SPAM Filter Works. Craig Stouffer Pinpointe On-Demand cstouffer@pinpointe.com (408) x125

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

TEPZZ 96 A_T EP A1 (19) (11) EP A1. (12) EUROPEAN PATENT APPLICATION published in accordance with Art.

Domain Name Abuse Detection. Liming Wang

Firewalls and Intrusion Detection

Calculation Algorithm for Network Flow Parameters Entropy in Anomaly Detection

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

SEC-GDL-005-Anatomy of a Phishing

FIREWALL INTELLIGENCE. 1 Copyright 2014 Juniper Networks, Inc.

Transcription:

Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, Ivan Osipkov Presented by Hee Dong Jung Adapted from slides by Hongyu Gao and Yinglian Xie

Motivation Botnets have been widely used for sending spam emails at a large scale Detection and blacklisting is difficult as: Each botmay send only a few spam emails Attacks are transient in nature Little effort devoted to understanding aggregate behaviors of botnets from perspective of large email servers 2

Methodology Use email dataset from a large email service provider (MSN Hotmail) Focus on URLs embedded in email content Derive signatures for spam based on URLs Detect spam using signatures and find out characteristics of botnets 3

Methodology Challenges: Random, legitimate URLs are added URL obfuscation technique (polymorphic URLs, Redirection) 4

AutoRE Is there a way to circumvent any of these steps? 5

Automatic URL Regular Expression Generation Signature Tree Construction Regular Expression Generation Detailing Generalization 6

Datasets and Results Able to identify spam emails and related botnet hosts(ip addresses / ASes)

AutoRE Performance Low False Positive Rate (between 0.0015 and 0.0020) Regular expressions reduce false positive rates by a factor of 10 to 30 After generalization, AutoRE can detect 9.9 to 20.6% more spam without affecting false positive rates 8

Spamming Botnet Characteristics Botnet IP addresses are spread across a large number of Ases 69% of botnet IP addresses are dynamic IPs; more than 80% of campaigns have at least half their hosts in dynamic IP ranges 9

Spamming Botnet Characteristics Comparison of Different Campaigns It is uncommon for different spam campaigns to overlap Correlation with Scanning Traffic Amount of scanning traffic in Aug is higher than in Nov, when botnetips were used to send spam Suggests that botnets could have different phases 10

Discussion and Conclusion AutoRE has potential to work in real-time mode Leverages bursty and distributed features of botnet attacks for detection Major Findings Botnethosts are widespread across Internet, with no distinctive sending patterns when viewed individually Existence of botnetspam signatures and feasibility of detecting botnet hosts using them Botnetsare evolving and getting increasingly sophisticated 11

Discussion Points Do you think Bursty and Distributed properties represent the spam emails? Are there other properties that should be considered? When would this URL based approach not work? 12

Thank you Questions? 13

AutoRE Framework for automatically generating URL signatures Takes set of unlabeled email messages, produces 2 outputs: Set of spam URL signatures Related list of botnethost IP addresses Iteratively selects spam URLs based on distributed yet bursty property of botnetsbased spam campaigns Uses generated spam URL signatures to group emails into spam campaigns 14

Group Selector (backup) Explores the bursty property of botnet email traffic Construct n time windows S(k) Si(k) is defined as the total number of IP addresses that sent at least one URL in group i in window k URL groups with sharp spikes are higher ranked 15

Automatic URL Regular Expression Generation (backup) Signature Quality Evaluation Quantitatively measures quality of signature and discards signatures that are too general Metric: entropy reduction Leverages on information theory to quantify probability of a random string matching a signature Given a regular expression e, let Be(u) and B(u) denote expected # bits to encode a random string u with and without signature Entropy reduction d(e) = B(u)-Be(u) reflects probability of arbitrary string with expected length allowed by e and matching e, but not encoded using e 16

Botnet Validation Verify if each spam campaign is correctly grouped together by computing similarity of destination Web pages Web pages pointed to by each set of Web pages pointed to by each set of polymorphic URLs are similar to each other, while pages from different campaigns are different.

Spamming Botnet Characteristics For each campaign, standard deviation (std) of spam email sending time is computed 50% of campaigns have std less than 1.81 hours 90% of campaigns have std less than 24 hours and likely located at different time zones For each campaign, host sending patterns are generally well-clustered Number of recipients per email Connection rate Botnet hosts do not exhibit distinct sending patterns for them to be identified 18

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information