Spamming Botnets: Signatures and Characteristics Authors: Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten+, Ivan Osipkov+ Presenter: Chia-Li.

Presentation transcript:

Spamming Botnets: Signatures and Characteristics Authors: Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten+, Ivan Osipkov+ Presenter: Chia-Li Lin

2 References Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov. Spamming botnets: Signatures and characteristics. In SIGCOMM, 2008

3 Outline: Introduction; Spam Activity Trends; AutoRE Structure; Study Results; Conclusion

4 Introduction: Developed a spam signature generation framework called AutoRE, to detect botnet-based spam emails and botnet membership. It outputs high-quality regular expression signatures.

5 Contribution: Ability to detect frequent domain modifications; in-depth analysis of identified spamming botnet characteristics and their activity trends

6 Two Observations: First, spammers often add random, legitimate URLs to content: legitimate and very general (e.g., Second, customize polymorphic URLs

7 Multi-URL spam emails

8 Polymorphic URLs

9 AutoRE: Automatically generates URL signatures to identify botnet-based spam campaigns. Produces two outputs: a set of spam URL signatures (complete URL string (CU); URL regular expression (RE)) and a related list of botnet host IP addresses.

10 Three modules: AutoRE comprises the following three modules: URL preprocessor; group selector; RegEx generator (domain-specific, domain-agnostic)

11 AutoRE Structure[1/2]

12 AutoRE Structure[2/2]

13 Suffix-array algorithm

14 keyword-based signature tree

15 Detailing and Generalization: Detailing returns a domain-specific regular expression using a keyword-based signature as input. Generalization returns a more general domain-agnostic regular expression by merging very similar domain-specific regular expressions.
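The detailing and generalization steps described on slide 15, sketched in Python as an added example (not code from the slides or the paper). It assumes the keyword is the shared path prefix up to the last delimiter and that "very similar" means same keyword and same character class; the sample URLs and all function names are constructed.

```python
import os.path
import re
from urllib.parse import urlsplit

# Constructed sample URLs: two domains carrying the same campaign shape.
GROUP_A = ["http://shop-a.example/n/?167&abcdefghi",
           "http://shop-a.example/n/?167&qwertyuiopas",
           "http://shop-a.example/n/?167&zxcvbnmlkj"]
GROUP_B = ["http://deal-b.example/n/?167&mnbvcxzlkjhgfd",
           "http://deal-b.example/n/?167&poiuytre"]

def char_class(tails):
    """Narrowest of three character classes that covers every variable tail."""
    joined = "".join(tails)
    for cls in ("[0-9]", "[a-zA-Z]", "[a-zA-Z0-9]"):
        if re.fullmatch(cls + "+", joined):
            return cls
    raise ValueError("variable part must be alphanumeric in this sketch")

def detail(urls):
    """Domain-specific signature (domain, keyword, class, min, max) for one group."""
    domains = {urlsplit(u).netloc for u in urls}
    if len(domains) != 1:
        raise ValueError("detailing expects a single-domain group")
    domain = domains.pop()
    rests = [u.split(domain, 1)[1] for u in urls]
    # Assumed stand-in for the keyword signature: shared prefix up to last delimiter.
    m = re.match(r".*[^a-zA-Z0-9]", os.path.commonprefix(rests))
    keyword = m.group(0) if m else ""
    tails = [r[len(keyword):] for r in rests]
    lens = [len(t) for t in tails]
    return (domain, keyword, char_class(tails), min(lens), max(lens))

def generalize(sigs):
    """Merge signatures from different domains that share keyword and class."""
    groups = {}
    for sig in sigs:
        groups.setdefault(sig[1:3], []).append(sig)
    out = []
    for (keyword, cls), members in groups.items():
        if len({m[0] for m in members}) < 2:
            out.extend(members)  # no similar peer: stays domain-specific
        else:
            out.append((None, keyword, cls, min(m[3] for m in members),
                        max(m[4] for m in members)))
    return out

def render(sig):
    """Regex string for a signature; domain None means domain-agnostic."""
    domain, keyword, cls, lo, hi = sig
    host = "[^/]+" if domain is None else re.escape(domain)
    return "http://%s%s%s{%d,%d}" % (host, re.escape(keyword), cls, lo, hi)
```

Calling `render(generalize([detail(GROUP_A), detail(GROUP_B)])[0])` yields one domain-agnostic expression whose length bounds span both groups, so it also matches the same URL shape on a domain not seen in either group.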

16 Generalization

17 Detect Results: Using three months of sampled emails from Hotmail (November 2006, June 2007, July 2007), AutoRE successfully detected 7,721 spam campaigns and 340,050 distinct botnet host IP addresses, spanning 5,916 ASes.

18 CU & RE Statistics

19

20 False positive rate

21 Conclusions: This is the first successful attempt to automatically generate regular expression signatures. The existence of botnet spam signatures and the feasibility of detecting botnet hosts using them.

22 Questions