An Effective Defense Against Email Spam Laundering. Authors: Mengjun Xie, Heng Yin, Haining Wang. Presented at: CCS'06. Prepared by: Amit Shrivastava.


An Effective Defense Against Spam Laundering
Authors: Mengjun Xie, Heng Yin, Haining Wang
Presented at: CCS'06
Prepared by: Amit Shrivastava

Overview
- Introduction
- Spam laundering
- Anti-spam techniques
- Proxy-based spam behavior
- DBSpam
- Evaluation
- Review

Introduction
- Presently spam makes up 60% of emails
- Spam has evolved in parallel with anti-spam techniques
- Spammers hide behind proxies and compromised computers known as zombies

Introduction (contd.)
- Detect spam at its source by monitoring the bidirectional traffic of a network
- DBSpam uses "packet symmetry" to break spam laundering in a network

Spam Laundering
[Figure: spam proxy]

Anti-Spam Techniques
Existing anti-spam techniques are classified into:
1. Recipient oriented
2. Sender oriented
3. HoneySpam

Anti-Spam Techniques (contd.)
Recipient-oriented anti-spam techniques either:
- block spam from reaching the recipient's mailbox, or
- remove / mark spam in the recipient's mailbox

Anti-Spam Techniques (contd.)
Recipient-oriented anti-spam techniques are further classified as:
- Content based
  - Address filters
  - Heuristic filters
  - Machine learning based filters
- Non content based

Anti-Spam Techniques (contd.)
Recipient-oriented anti-spam techniques are further classified as:
- Content based
- Non content based
  - DNSBL
  - MARID
  - Challenge-response
  - Delaying
  - Sender behavior analysis

Anti-Spam Techniques (contd.)
Sender-oriented techniques:
- Usage regulations, e.g. blocking port 25, SMTP authentication
- Cost-based approaches: charge the sender (postage)

Anti-Spam Techniques (contd.)
HoneySpam
- A honeypot framework based on honeyD
- It deters email address harvesters, poisons spam address databases, and blocks spam that goes through the open relay / proxy decoys set up by HoneySpam

Proxy-Based Spam Behavior
[Figure: laundry path of proxy spamming]

Proxy-Based Spam Behavior (contd.)
Connection correlation
- There is a one-to-one mapping between the upstream and downstream connections along the spam laundry path
- This kind of connection correlation is common in proxy-based spamming
- In normal delivery there is only one connection, between the sender and the receiving MTA

Proxy-Based Spam Behavior (contd.)
[Figure: spam laundering for a single proxy]

Proxy-Based Spam Behavior (contd.)
[Figure: spam laundering for multiple proxies]

Proxy-Based Spam Behavior (contd.)
- Message symmetry at the application layer leads to packet symmetry at the network layer
- Exception: the one-to-one mapping between inbound and outbound streams can be violated
- Reasons: packet fragmentation, packet compression and packet retransmission

Proxy-Based Spam Behavior (contd.)
- Packet symmetry is the key to distinguishing the suspicious upstream / downstream connections along the spam laundry path from normal background traffic

DBSpam
Goals
- Fast detection of spam laundering with high accuracy
- Breaking spam laundering via throttling or blocking after detection
- Support for spammer tracking
- Support for spam message fingerprinting

DBSpam
DBSpam consists of two major components:
- Spam detection module: a simple connection correlation detection algorithm
- Spam suppression module

DBSpam
Deployment of DBSpam
- It is placed at a network vantage point that connects a customer network to the Internet
- DBSpam works well if it is deployed at the primary ISP edge router

DBSpam
- For spam TCP connections the packet symmetry is 1
- For a normal TCP connection it is 1 only with very small probability
- DBSpam uses a statistical method, the sequential probability ratio test (SPRT)

DBSpam
- The sequential probability ratio test (SPRT) checks the probability against bounds for each observation
- The algorithm maintains a variable X that is checked for correlation
- Variables A and B form the bounds
- If X lies between A and B, the algorithm takes another observation; otherwise it stops with a conclusion
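As an added example (not the paper's or DBSpam's own code, and with the values of θ0, θ1, α and β chosen here as assumptions), this is Wald's SPRT applied to the packet-symmetry observations described on the slides above: X = 1 when an inbound packet is followed by an outbound packet within a short window, and the accumulated log-likelihood ratio is compared with the bounds A and B after every observation. Because θ1 is below 1, an occasional missing match caused by fragmentation or retransmission only delays the decision rather than preventing it.

```python
import math
from bisect import bisect_right
# Added example, not DBSpam's own code: Wald's SPRT applied to the packet
# symmetry observations the slides describe. Parameter values are assumed.
THETA0 = 0.2   # P(X = 1) for an uncorrelated (background) connection pair
THETA1 = 0.9   # P(X = 1) for a correlated proxy upstream/downstream pair
ALPHA, BETA = 0.01, 0.01   # target false-positive / false-negative rates

class Sprt:
    """Sequential probability ratio test over binary observations X."""
    def __init__(self, theta0=THETA0, theta1=THETA1, alpha=ALPHA, beta=BETA):
        self.A = math.log((1 - beta) / alpha)   # upper bound: decide correlated
        self.B = math.log(beta / (1 - alpha))   # lower bound: decide uncorrelated
        self.step1 = math.log(theta1 / theta0)  # log-likelihood ratio for X = 1
        self.step0 = math.log((1 - theta1) / (1 - theta0))  # ... for X = 0
        self.llr, self.n = 0.0, 0

    def observe(self, x):
        """Add one observation; return a decision, or None while B < llr < A."""
        self.n += 1
        self.llr += self.step1 if x else self.step0
        if self.llr >= self.A:
            return "correlated"
        if self.llr <= self.B:
            return "uncorrelated"
        return None

def packet_symmetry(inbound, outbound, window):
    """Yield X = 1 per inbound packet if an outbound packet follows within window."""
    outbound = sorted(outbound)
    for t in inbound:
        i = bisect_right(outbound, t)
        yield 1 if i < len(outbound) and outbound[i] <= t + window else 0

def detect(inbound, outbound, window=0.1):
    """Run SPRT over the symmetry stream; return (decision, observations used)."""
    sprt = Sprt()
    for x in packet_symmetry(inbound, outbound, window):
        decision = sprt.observe(x)
        if decision:
            return decision, sprt.n
    return "undecided", sprt.n   # stream ended before either bound was crossed

# Constructed sample timestamps (seconds): the proxy pair relays every inbound
# packet 20 ms later; the background pair only coincides occasionally.
PROXY_IN = [i * 0.2 for i in range(10)]
PROXY_OUT = [t + 0.02 for t in PROXY_IN]
BG_IN, BG_OUT = PROXY_IN, [0.05, 1.45, 2.2]
# detect(PROXY_IN, PROXY_OUT) -> ('correlated', 4); detect(BG_IN, BG_OUT) -> ('uncorrelated', 4)
```

With these parameters the proxy pair is flagged after four matching observations, while the background pair is cleared after four observations, one of which happened to coincide.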

Evaluation
- DBSpam's detection time is mainly decided by the SPRT detection time
  - Number of observations needed to reach a decision
  - Actual time spent by SPRT

Evaluation

Strengths
- Can detect spam even if its content is encrypted
- Low false positives
- Does not degrade network performance

Weaknesses
- It cannot efficiently detect spam with short reply rounds
- It is more effective only if it can be installed on an ISP edge router

Improvements
- The DBSpam algorithm should be made more efficient so as to detect new, evolving spam

Thank You