S PAMMING B OTNETS : S IGNATURES AND C HARACTERISTICS Introduction of AutoRE Framework.

Slides:

Advertisements

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Advertisements

Basic Communication on the Internet:

CSCI 6962: Server-side Design and Programming Input Validation and Error Handling.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

Principles of Information Systems, Sixth Edition The Internet, Intranets, and Extranets Chapter 7.

PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.

Phishing (pronounced “fishing”) is the process of sending messages to lure Internet users into revealing personal information such as credit card.

1 BotGraph: Large Scale Spamming Botnet Detection Yao Zhao EECS Department Northwestern University.

Phishing – Read Behind The Lines Veljko Pejović

MSIS 110: Introduction to Computers; Instructor: S. Mathiyalakan1 The Internet, Intranets, and Extranets Chapter 7.

BotGraph: Large Scale Spamming Botnet Detection Yao Zhao Yinglian Xie *, Fang Yu *, Qifa Ke *, Yuan Yu *, Yan Chen and Eliot Gillum ‡ EECS Department,

1 Authors: Anirudh Ramachandran, Nick Feamster, and Santosh Vempala Publication: ACM Conference on Computer and Communications Security 2007 Presenter:

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

23 October 2002Emmanuel Ormancey1 Spam Filtering at CERN Emmanuel Ormancey - 23 October 2002.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

What does the course cover:  The course is a practical guide to use digital marketing to effectively reach out to internet audience while building your.

“If you build it, they will come.”. Virtual Business  There is much more that goes into a virtual business than just building the web site.  You will.

Login Screen This is the Sign In page for the Dashboard Enter Id and Password to sign In New User Registration.

CensorNet Ltd An introduction to CensorNet Mailsafe Presented by: XXXXXXXX Product Manager Tel: XXXXXXXXXXXXX.

Principles of Information Systems, Sixth Edition The Internet, Intranets, and Extranets Chapter 7.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

JOHN P. JOHN FANG YU YINGLIAN XIE MARTÍN ABADI ARVIND KRISHNAMURTHY PRESENTATION BY SAM KLOCK Searching the Searchers with SearchAudit.

Login Screen This is the Sign In page for the Dashboard New User Registration Enter Id and Password to sign In.

John P., Fang Yu, Yinglian Xie, Martin Abadi, Arvind Krishnamurthy University of California, Santa Cruz USENIX SECURITY SYMPOSIUM, August, 2010 John P.,

Network and Systems Security By, Vigya Sharma (2011MCS2564) FaisalAlam(2011MCS2608) DETECTING SPAMMERS ON SOCIAL NETWORKS.

DELOVODNIK PRO A short presentation. Standard mail record keeping Most companies these days receive and send a lot of paper mail. Too many of them keep.

Reporter: Li, Fong Ruei National Taiwan University of Science and Technology 9/19/2015Slide 1 (of 32)

The Internet 8th Edition Tutorial 2 Basic Communication on the Internet: .

Introduction To Internet

When Experts Agree: Using Non-Affiliated Experts To Rank Popular Topics Meital Aizen.

Cloak and Dagger: Dynamics of Web Search Cloaking David Y. Wang, Stefan Savage, and Geoffrey M. Voelker University of California, San Diego 左昌國 Seminar.

1 Characterizing Botnet from Spam Records Presenter: Yi-Ren Yeh ( 葉倚任 ) Authors: L. Zhuang, J. Dunagan, D. R. Simon, H. J. Wang, I. Osipkov, G. Hulten,

Report on “Spamming Botnets: Signatures and Characteristics ” Heyong Wang Department of Computer Science Iowa State University.

Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics.

The Panda Update. Who Am I? Co-author of The Art of SEO President of Stone Temple Consulting 20+ person SEO and PPC firm Trainer for Instant E-Training.

Detecting Dominant Locations from Search Queries Lee Wang, Chuang Wang, Xing Xie, Josh Forman, Yansheng Lu, Wei-Ying Ma, Ying Li SIGIR 2005.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Evaluation of Spam Detection and Prevention Frameworks for and Image Spam - A State of Art Pedram Hayati, Vidyasagar Potdar Digital Ecosystems and.

Spamscatter: Characterizing Internet Scam Hosting Infrastructure By D. Anderson, C. Fleizach, S. Savage, and G. Voelker Presented by Mishari Almishari.

Studying Spamming Botnets Using Botlab 台灣科技大學資工所楊馨豪 2009/10/201 Machine Learning And Bioinformatics Laboratory.

MsSEM.comHelen M. Overland MsSEM.com The Canonical URL Tag How to Use the Canonical Tag to Avoid Duplicate Content Filters in Google, Yahoo & Live.

BotGraph: Large Scale Spamming Botnet Detection Yao Zhao, Yinglian Xie, Fang Yu, Qifa Ke, Yuan Yu, Yan Chen, and Eliot Gillum Speaker: 林佳宜.

By Gianluca Stringhini, Christopher Kruegel and Giovanni Vigna Presented By Awrad Mohammed Ali 1.

Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov. SIGCOMM, Presented.

Spamming Botnets: Signatures and Characteristics Authors:Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten+, Ivan Osipkov+ Presenter: Chia-Li.

A Scalable Machine Learning Approach for Semi-Structured Named Entity Recognition Utku Irmak(Yahoo! Labs) Reiner Kraft(Yahoo! Inc.) WWW 2010(Information.

Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:

Internet Architecture and Governance

Principles of Information Systems, Sixth Edition 1 The Internet, Intranets, and Extranets Chapter 7.

Leveraging Delivery for Spam Mitigation.

Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma

Bloom Cookies: Web Search Personalization without User Tracking Authors: Nitesh Mor, Oriana Riva, Suman Nath, and John Kubiatowicz Presented by Ben Summers.

“In the beginning -- before Google -- a darkness was upon the land.” Joel Achenbach Washington Post.

Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Microsoft Research, Silicon Valley Geoff Hulten,

Fabricio Benevenuto, Gabriel Magno, Tiago Rodrigues, and Virgilio Almeida Universidade Federal de Minas Gerais Belo Horizonte, Brazil ACSAC 2010 Fabricio.

Spam By Dan Sterrett. Overview ► What is spam? ► Why it’s a problem ► The source of spam ► How spammers get your address ► Preventing Spam ► Possible.

Introduction Before the internet became an integral part of our lives, advertising a business was done mainly on outdoor billboards, posters, tv ads and.

Free But Effective Listing Building and Marketing Service How to easily and quickly grow a list of potential buyers and constantly send them marketing.

Heat-seeking Honeypots: Design and Experience John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy and Martin Abadi WWW 2011 Presented by Elias P.

1 Web Technologies Website Publishing/Going Live! Copyright © Texas Education Agency, All rights reserved.

Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.

How dynamic are IP addresses? Yinglian Xie, Fang Yu, Kannan Achan, Eliot Gillum, Moises Goldszmidt, Ted Wobber SIGCOMM ‘07 Chulhyun Park

Dec 14, 2014, Harvard University

Internet Protocol Mr. Paulk.

Design open relay based DNS blacklist system

Spam Fighting at CERN 12 January 2019 Emmanuel Ormancey.

What is Four51?.

This is the Sign In page for the Dashboard

Unit 32 Every class minute counts! 2 assignments 3 tasks/assignment

Presentation transcript:

S PAMMING B OTNETS : S IGNATURES AND C HARACTERISTICS Introduction of AutoRE Framework

I NTRODUCTION Paper: Spamming Botnets: Signatures and Characteristics Authors: Yinglian Xie, Fang Yu, Kannan Achan, Rina Pangigraphy, Geoff Hulten*, Ivan Osipkov* Microsoft Research, Silicon Valley Microsoft Corporation* Presented at: SIGCOMM ‘08, August , Seattle, Washington, USA Special Interest Group on Data Communication (SIGCOMM), a group of the Association for Computing Machinery (ACM).

I NTRODUCTION Figures in presentation credited to original paper Presentation by Jon Rhoades – Digital Forensics Program – UCF Questions during presentation are welcome Speaking without understanding is just a waste of everyone's time

O VERVIEW Developed AutoRE What it is. Spam signature generation framework Targets botnet-based spam by using URLs in the SPAM Determines botnet members Output is regular expression signatures to detect botnet spam What it is not. A traditional reactive method such as RBL, Spamhaus, etc. A system requiring pre-classifying of IPs or message content A framework that has a need for whitelists

A UTO RE D ETAILS Input - volume of unfiltered and unclassified messages Output set of SPAM URL signatures botnet host IP addresses Comprised of 3 modules URL Pre-Processing Group selector RegEx generator Fundamental observation is botnet spam contains URLs (74%). The goal is to get the recipient to go to the main URL of the message.

URL P RE -P ROCESSING Extracts data and groups according to web domain Extracted Data URL string Source server IP sending time Drops forwarded s (17% of sample) Dropped with no URL Partitioning observation Identify SPAM campaigns Advertise same product or service from same domain $$ They are not spamming you just to spam you $$

URL P RE -P ROCESSING C HALLENGES Multiple URLs in messages Common sites randomly added for confusion. ( etc.) in the same campaign will still have a common URL

URL P RE -P ROCESSING Polymorphic URLs Random strings User based information How to deal with them An message could be in multiple URL groups

G ROUP S ELECTOR Find the URL group that best identifies SPAM campaign Spam campaigns are “bursty” Use factors to create a score of URL groups Total number of IP addresses that sent at least one URL in a group in a finite time period. URL groups with sharp spikes are ranked higher

R EGULAR E XPRESSION G ENERATION Detailing Generate regular expression rules to match URLs included in selected URL group

R EGULAR E XPRESSION G ENERATION Generalization Merge domain-specific expressions into domain- agnostic expressions

E XPRESSION S IGNATURE F INDINGS Complete URL expressions (CU) Example card Accounted for 70-80% of spammer campaigns Regular Expression (RE) Example Accounted for 20-30% of spammer campaigns

A UTO RE P ERFORMANCE 3 Month Sample of from Hotmail 5.38M messages in sample 7,721 botnet based spam campaigns 340,050 unique botnet host IP addresses 580,466 spam messages Regular Expression 10 times better then complete URL (fixed string) times better than token matching in regards to false positives

A UTO RE P ERFORMANCE Low false positive rates.2% (SPAM).5% (Botnet Host) Detected SPAM that passed through other solutions Detected 16-18% of SPAM that passed well know solutions (Spamhaus) Adapt to domain modifications tracking SPAM URLs. Being domain agnostic and adapting to new domains AutoRE was able to capture 15 times more SPAM.

C ONTRIBUTIONS Provided a framework (AutoRE) to consider for battling botnet spam Traditional method is not fast enough to catch spam campaigns that might come and go within a day or two In-depth analysis of spamming botnet characteristics Spam campaigns doubled in 8 months Botnet hosts increased 10% content varies greatly URLs have patterns Different campaigns have similar patterns showing they are probably using same tools

W EAKNESS Not actionable for IT security groups Not clear on how well it works real-time to stop bursty spam campaigns, left for future work If AutoRE became popular spammers could engineer to make it less effective Simple new top-level domains a.com, b.com hard to pick up patterns Add more legit domains to SPAM Use URL redirection techniques Establish a forwarding process for SPAM Google search of AutoRE Spam did not pick up much

I MPROVEMENT Run it in production Start with a company Move on to a University Try a large provider like hotmail.com Provide a whitelist capability