BOTNET JUDO Fighting Spam with Itself By: Pitsillidis, Levchenko, Kreibich, Kanich, Voelker, Paxson, Weaver, and Savage Presentation by: Heath Carroll.

The Origins of Spam

Presentation Overview
Abstract - What was the intent of the paper?
Introduction - current problems faced and methods used to combat them
Background - Def: Botnet, Regular Expression, Template-based Spam
Approach - How the authors dealt with this problem

Abstract
Botnet Judo: Fighting Spam with Itself, or ‘Botnet Host Quarantine: What’d we learn?’
Examination of a controlled, isolated botnet host.
Quick generation of precise and accurate spam filters with ~0 false positives

Introduction: Botnets
Definition: Botnet - a collection of software agents, or robots, that run autonomously and automatically. The term is most commonly associated with malicious software, but it can also refer to a network of computers using distributed computing software. (en.wikipedia.org/wiki/Botnet)
Example: DDoS attack against Blue Security, May 2, 2006

Botnets (cont’d)
Common uses of botnets:
–Denial-of-service attacks
–Adware
–Spyware
–E-mail spam (template, image, etc.)
–Click fraud
–Internet access number replacement
–Fast flux (DNS URL/IP address switching)

SPAM!!
–Template-based spam
Botnet uses an RE to produce massive amounts of highly varied spam
Harder to [content] filter initially due to the varied message makeup
–Requires defenders to collect ‘suspect’ spam in order to build an effective content-based filter
Harder to [sender] filter due to massive host lists
–Requires defenders to rely on alternative methods to combat the botnet

SPAM!!
Preventative measures:
–Anti-virus software
–Passive OS fingerprinting
–Network-based approaches (nullrouting)
–Spam filtering
–Directed study
The last two are covered by this paper

Anti-spam!!
Basically 2 different approaches:
–Content-based: filtering based on established heuristics and learning algorithms focused against specific message features
Can be highly effective (esp. against targeted botnets)
Labor intensive to maintain, since the basic technique can be countered by chaff and poisoning attacks
Hard to maintain low false positives from the filter
Blacklisting URLs can also be effective, but needs large up-to-date white-lists to avoid poisoning
–Doesn’t do anything if spam doesn’t utilize URLs

Anti-Spam!! (cont’d)
–Sender-based
Focuses on the spam delivery system
Assumes the sender of spam is likely to repeat sending spam, and not likely to send legitimate messages
Basically works by blacklisting offending senders after the fact
Doesn’t work against the newest spam
Botnets are an effective work-around, since the controller distributes his spam over a large number of hosts

Anti-Spam!! (cont’d)
Template-based spam filtering:
–Suspected botnet-generated spam is examined and deconstructed into a Regular Expression (RE)
–Works very well against static botnets, but requires a lot of instances of suspected spam to deconstruct
–Useless if the controller changes the RE used by the bots

Regular Expressions

Regular Expressions (cont’d) Review:

JUDO!!
Generates regular expression signatures to thwart spam
Operates by examining the output from a quarantined botnet host
Uses a template inference algorithm to generate a set of signatures matching all previous messages

JUDO!! (cont’d)
1. Header filtering
2. Anchor identification
3. Macro classification: Dictionary, Micro-anchor, Noise
4. Special tokens
5. Signature update: Second chance, Pre-clustering

Judo - Second Chance Mechanism
Used to mitigate the effects of a small training buffer
If a message fails to match an existing signature:
–It is re-checked using only the anchors
–If matched, the signature is updated

Judo - Pre-clustering
Used to mitigate the effects of overly large training buffers (potentially mixed REs)
–Skeleton signatures are used to sort incoming messages prior to running Judo on them
–Similar to the second chance mechanism, but with a larger allowable anchor size
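As an added, simplified illustration (not the authors' Judo implementation) of the anchor / dictionary / noise classification and the anchor-only second-chance re-check described on the slides above: it assumes each template macro expands to exactly one whitespace-delimited token, uses a constructed dictionary threshold, and runs on constructed sample messages.

```python
import re
from dataclasses import dataclass

DICT_MAX = 4  # constructed threshold: at most this many distinct values is a dictionary macro

@dataclass
class Signature:
    regex: re.Pattern
    anchors: list    # invariant tokens, in order
    training: list   # messages the signature was inferred from

def _noise_class(values):
    # Noise macro: character class of the characters actually seen, with the observed length range
    chars = "".join(re.escape(c) for c in sorted({c for v in values for c in v}))
    lengths = [len(v) for v in values]
    return "[%s]{%d,%d}" % (chars, min(lengths), max(lengths))

def infer(messages):
    """Infer a signature from messages assumed to share one template, one macro per token."""
    rows = [m.split() for m in messages]
    if len({len(r) for r in rows}) != 1:
        raise ValueError("simplification: all messages must have the same token count")
    parts, anchors = [], []
    for col in zip(*rows):
        distinct = sorted(set(col))
        if len(distinct) == 1:             # anchor: token fixed across every message
            parts.append(re.escape(distinct[0]))
            anchors.append(distinct[0])
        elif len(distinct) <= DICT_MAX:    # dictionary macro: alternation of the values seen
            parts.append("(?:%s)" % "|".join(re.escape(v) for v in distinct))
        else:                              # noise macro
            parts.append(_noise_class(col))
    return Signature(re.compile(r"^" + r"\s+".join(parts) + r"$"), anchors, list(messages))

def second_chance(sig, msg):
    """Anchor-only re-check for a message the full signature rejected; on a hit, return an updated signature."""
    if len(msg.split()) != len(sig.training[0].split()):
        return None
    loose = re.compile(r"\b" + r"\b.*\b".join(re.escape(a) for a in sig.anchors) + r"\b")
    return infer(sig.training + [msg]) if loose.search(msg) else None

# Constructed sample spam imitating a templated pharma campaign (not real bot output)
SAMPLES = [
    "Dear Alice your Viagra order a91f3 is ready",
    "Dear Bob your Cialis order 0c7e2 is ready",
    "Dear Carol your Viagra order 5b8d4 is ready",
    "Dear Alice your Cialis order f102a is ready",
    "Dear Bob your Viagra order 77c0e is ready",
    "Dear Carol your Cialis order d3e19 is ready",
]
```

`infer(SAMPLES)` yields anchors Dear/your/order/is/ready, a dictionary for the name and product slots and a noise class for the order id; a message with an unseen name is rejected by the full signature but passes the anchor-only re-check, after which the updated dictionary admits it.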

Experimental Results
Requirements of a good spam filter:
–Safe: does not classify legitimate mail as spam (low false positive rate)
–Effective: correctly identifies the targeted class of spam (low false negative rate)

Experimental Results (cont’d)
Testing: 4 tiers
–Signature safety: signatures from the 3 other tiers run against legitimate mail ‘corpora’ to assess the false positive rate; to prevent age bias, they tested the signatures only on the subject and body of the corpora

Experimental Results (cont’d)
–Controlled single-template inference: generated 5000 instances of spam from a ‘Storm’ bot from templates gained through reverse engineering
–1000 for signature generation
–4000 for testing the false negative rate
–Done for each of 10,676 templates (53,380,000 messages)
Results:
Also, at k = 1000 the false positive rate = 0% for all signatures

Experimental Results (cont’d)
–Controlled multi-template inference: spam used for testing was generated during the Botlab project at the University of Washington
4 bots used: 1 each from the Mega-D, Pushdo, Rustock, and Srizbi botnets
First million messages from each split into training and testing sets, then Judo run chronologically on each test message
–Counted as a true match if the message matched a signature generated from previous test messages
–Otherwise counted as a false negative

Experimental Results (cont’d)
Results: the only false positives came from the Rustock bot tests

Experimental Results (cont’d)
–Real world deployment: 2x Xarvester + 2x Mega-D + 4x Rustock + 6x Gheg = 14 bots
Messages generated:
Ran the test as in the multi-template runs

Experimental Results (cont’d)
Results:
–Worst case: Rustock again the only source of false positives: 1 in 12,500 messages. All others 0 total false positives in the corpora

Experimental Results (cont’d)
Efficiency: since the goal of the project was an accurate RE generator, efficiency wasn’t a priority
–Initial RE generation using buffer size 50 with 6000-character messages takes about 2 sec on an average desktop circa 2009
–Signature updates at ~ ms

Response Time
Based on the message output rate of the bot(s) generating the spam
May be complicated by the existence of multiple bots or templates
Bots used in this experiment generated > 100 spam messages per minute.
–Since results are acceptable from k >= 500, it should only take a few minutes to generate a working signature

Overview
‘Judo’ is basically a learning spam filter
–Content-based
–Requires training to produce effective signatures
–Safe and effective (both greater than 99.75%)
Controlled tests show exceptional results
Simulated real world tests show promise, but could be worked around by bots that can randomly generate new templates

Any Questions?