Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Botnet Judo: Fighting Spam with Itself.
Presentation transcript:

Conference (presented 2015/12/4): Botnet Judo: Fighting Spam with Itself. Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage. In Proceedings of the 17th Annual Network & Distributed System Security Symposium (NDSS), 2010.

Outline: Introduction; Template-based Spam; Judo system (The Signature Generator, Leveraging Domain Knowledge, Signature Update); Evaluation (Single Template Inference, Multiple Template Inference, Real-world Deployment); Conclusion.

Introduction: Existing defenses are reactive. Judo instead reverse-engineers the bot's spam template by treating the bot as a black box: the stream of all messages it sends is turned into a regular expression, which quickly yields precise mail filters.

Template-based Spam

Storm's template language

Judo system: The Judo system consists of three components. Bot farm: runs instances of spamming botnets in a contained environment. Signature generator: maintains a set of regular-expression signatures for the spam sent by each botnet. Spam filter: applies the signatures and is updated as the generator produces new ones.

Judo spam filter model

System Assumptions: First and foremost, we assume that bots compose spam using a template system.

The Signature Generator: Anchors; Macros (Dictionary Macros, Micro-Anchors, Noise Macros); Leveraging Domain Knowledge (Header Filtering, Special Tokens); Signature Update (Second Chance Mechanism, Pre-Clustering).

Steps of the algorithm

Anchors: Extract the longest ordered set of substrings, each of length at least q, that are common to every message.

Macros: Dictionary macros are inferred with a hypothesis test (the dictionary test). Micro-anchors are substrings consisting of non-alphanumeric characters; the LCS step is run again, this time with no lower limit q, to find them. Once micro-anchors partition the text, the algorithm performs the dictionary test on each set of strings delimited by the micro-anchors. Noise macros cover text where the bot generates random characters from some character set; they are expressed with POSIX character classes and arbitrary repetition ("*" or "+").
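As an added illustration of the anchor and macro steps described on the two slides above (this is not code from the slides or from the Judo authors), the following Python sketch infers a regular-expression signature from a handful of constructed messages: ordered common substrings of length at least q become anchors, slots with few distinct values become dictionary macros, and the remaining slots become noise macros built from a character class plus repetition. It assumes q = 4 and replaces the paper's dictionary test with a simple distinct-value cutoff MAX_DICT; micro-anchors are omitted.

```python
import re

Q, MAX_DICT = 4, 3  # min anchor length (the paper's q) and a distinct-value cutoff standing in for the dictionary test; both assumed
MSGS = [  # constructed sample: four messages rendered from one hypothetical template
    "Dear Alice, your parcel 48213 is ready. Track it at box.example.net",
    "Dear Bob, your parcel 91177 is ready. Track it at hub.example.net",
    "Dear Carol, your parcel 30562 is ready. Track it at pod.example.net",
    "Dear Alice, your parcel 77410 is ready. Track it at dock.example.net",
]

def anchors(msgs, q=Q):
    """Ordered substrings (len >= q) shared by every message: take the longest, recurse on both sides."""
    base, best = msgs[0], ""
    for i in range(len(base)):
        for j in range(len(base), i + q - 1, -1):  # longest candidate first
            if j - i <= len(best):
                break
            if all(base[i:j] in m for m in msgs):
                best = base[i:j]
                break
    if not best:  # no shared substring of length >= q left in this region
        return []
    lefts = [m[:m.index(best)] for m in msgs]
    rights = [m[m.index(best) + len(best):] for m in msgs]
    return anchors(lefts, q) + [best] + anchors(rights, q)

def segments(msg, anchs):
    """Text before each anchor in turn, plus whatever follows the last one."""
    out, rest = [], msg
    for a in anchs:
        before, _, rest = rest.partition(a)
        out.append(before)
    return out + [rest]

def macro(values):
    """Dictionary macro if a slot takes few distinct values, else a noise macro (class + repetition)."""
    distinct = sorted(set(values))
    if len(distinct) <= MAX_DICT:
        return "(?:" + "|".join(map(re.escape, distinct)) + ")"
    chars = "".join(distinct)
    cls = r"\d" if chars.isdigit() else "[A-Za-z]" if chars.isalpha() else "[A-Za-z0-9]" if chars.isalnum() else "."
    return cls + ("+" if all(values) else "*")

def signature(msgs, q=Q):
    """Interleave per-slot macros with escaped anchors into one anchored regex."""
    anchs = anchors(msgs, q)
    slots = list(zip(*(segments(m, anchs) for m in msgs)))
    body = "".join(macro(slots[i]) + re.escape(a) for i, a in enumerate(anchs))
    return re.compile("^" + body + macro(slots[-1]) + "$")
```

On the sample, the name slot becomes a dictionary macro and the parcel number and hostname slots become noise macros, so a message with a name outside the observed dictionary is not matched.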

POSIX character classes

Leveraging Domain Knowledge: Domain knowledge improves the performance of the algorithm. Header filtering: all but a short list of headers are ignored, and a message must match every retained header for a signature to be considered a match. Special tokens: values such as dates and IP addresses would "expire" soon after the signature was generated, so they are handled as anchors in pre- and post-processing.

Signature Update: We would like to use a training buffer as small as necessary to generate good signatures. The training buffer size is controlled by k. Second chance mechanism: handles the case where the training buffer is too small. Pre-clustering: mitigates the effects of a large training buffer.

Second Chance Mechanism

Evaluation: Judo is indeed safe and effective for filtering botnet-originated spam. First, we use spam generated synthetically from actual templates used by the Storm botnet. Next, we run the Judo system on actual spam sent by four different bots, measuring its effectiveness against spam generated by the same bot. Last, a deployment scenario: training and testing on different instances of the same bot.

Single Template Inference

Multiple Template Inference

Real-world Deployment

Conclusion: We have shown that it is practical to generate high-quality spam content signatures simply by observing the output of bot instances and inferring the likely content of their underlying template.