Presentation is loading. Please wait.

Presentation is loading. Please wait.

BOTNET JUDO : Fighting Spam with Itself

Published byStanley Rodgers Modified over 6 years ago

Similar presentations

Presentation on theme: "BOTNET JUDO : Fighting Spam with Itself"— Presentation transcript:

1 BOTNET JUDO : Fighting Spam with Itself
Andreas Pitsillidis Kirill Levchenko Christian Kreibich Chris Kanich Geoffrey M. Voelker Vern Paxson Nicholas Weaver Stefan Savage Presented by: Mohan Krishna Karanam

2 Agenda Introduction: What is Spam ? Background and Related Work
Current Antispam Approaches Spamming Botnets Template-based Spam Signature Generator Evaluation Conclusion

3 What is spam ? Terminology Unsolicited Commercial Email
Unsolicited Bulk Examples

4 What is spam ?

5 Introduction How do spammers operate ?
They exploit small time advantages to deliver large overall gains How does the receiver block spam ? Install filters to block spam based on pattern detection (signature). How do the filters work? How much do you know about your opponent’s next move and how quickly can you act on it? It is all about how actions and counter reactions.

6 Introduction What is a Botnet ? Components of a Botnet
Command and control Fast Flux DNS Zombie computer Botnet: A number of Internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by .command and control or by passing messages to one another. They have been many times been used to send spam or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation. Botnets can be legal and illegal(en.wikipedia.org/wiki/Botnet).

7 Introduction Types of attacks using a botnet :
Distributed Denial-of-Service attacks Spyware Spam Click fraud Bitcoin Mining

8 E-mail Spam Target: Mail servers Generate a bulk of mails
Contain attractive content which misleads the user spams are generated based on a template Templates are designed in a way such that the messages being derived from them are not generic, thus allowing the spam to escape/cross the spam filters High amounts of varied templates are generated and the detection becomes difficult as it needs manual effort. The filter cannot determine if it is a spam as the content is not generic. Difficult for both [Sender] and [Content] filter to detect the spam. Requires alternative methods to combat botnet.

9 Anti spam approaches Content based Sender based Template based
Popular preventive measures include Anti-virus software, Passive OS fingerprinting, Network based approaches (nullrouting) and Spam filtering. The filter would be derived from templates followed by spammers and this can potentially identify spam s. Can require significant manual effort to Reverse Engineer each unique protocol Here comes blackbox approach

10 Content based spam Oldest and the best known filtering technique.
Filters based on the textual content Textual Content may include: Message Body Anomalous Headers Undesirable Messages Transition from manual configuration to systems based on supervised learning.

11 Sender Based spam Focuses on means by which spam is delivered.
Any IP address delivering spam is highly likely to repeat this act and unlikely to send any legitimate communication. Makes use of blacklists to store IP addresses of internet hosts which send spam. Disadvantages: Scalability and increase in number of hosts.

12 BOTNET Judo: Black Box approach
Individual botnet instances are executed in a controlled environment and the spam messages they attempt to send are analyzed online. Produce comprehensive regular expression Captures all messages generated from a template. Avoids extraneous matches. Produce zero false positives against non-spam mail Match all spam based on same template

13 Background work General approach for inferring generation templates (e.g., mail header anomalies, subject lines, URLs) Concrete algorithm to generate an initial high-quality regular expression update in fraction of seconds if needed. Test empirically against live botnet spam, demonstrate its effectiveness, and identify the requirements for practical use.

14 Template based Spam Uses macros Personalize each message
Avoid spam filtering based on message content The figure shows a regex signature generated from 1000 message instances

15 Template Elements Macros are of two types: Noise Macros :
Used to randomize strings for which there are few semantic rules Dictionary Macros : Used for content that must be semantically appropriate in context.

16 Real time Filtering Macros can be converted to regular expressions
Noise macros become repeated character classes Dictionary macros become a disjunction of the dictionary elements These regexes then match all spam generated from the template The process of obtaining templates in highly time consuming as it involves reverse engineering the botnet ‘command and control’ panel. This is overcome by using the ‘Template Inference Algorithm’

17 Architecture of the judo system
The judo filtering system has three components: A Bot Farm Signature Generator Spam Filter

18 System Assumptions: Our proposed spam filtering system operates on a number of assumptions. we assume that bots compose spam using a template system as described. rely on spam campaigns employing a small number of templates at any point in time. System assumes that the first few messages of a new template do not appear intermixed with messages from other new templates.

19 Assumptions for the judo system
Spam is composed by bots The experiment relies on spam campaigns employing a small number of templated at any point in time The judo system assumes that the first few messages of a new template do not appear intermixed with messages from other new templates

20 The Signature Generator
Template Interface Anchors Macros Dictionary Macros Micro-anchors Noise Macros Leveraging Domain Knowledge Header Filtering Special tokens Signature Update Second Chance Mechanism Pre-Clustering Execution Time

21

22

23 Signature Update There is a need for a set of signatures, rather than single signature because several templates may be in use at the same time Training buffer Trade off between signature selectivity and training time Two additional mechanisms for handling extreme cases: Second Chance Mechanism Pre-Clustering

24 Second Chance Mechanism
Used to mitigate the effects of a small training buffer Developed to combine the advantage of fast signature deployment with the eventual benefits of dictionaries. If a message signature fails to match an existing signature It is re-checked with existing signatures consisting only anchors If matched, signature is updated. Update is performed incrementally without needing to rerun a new instance of the inference algorithm Pre-Clustering: A large training buffer may intermix messages from different templates, resulting in an amalgamated signature. unclassified messages are clustered using skeleton signatures. A skeleton signature is a kin to an anchor signature, but is built with a larger minimum anchor size, More permissive Used to mitigate the effects of overly large training buffers (potentially mixed RE’s) Skeleton signatures used to sort incoming messages prior to running Judo on them. Similar to second chance mechanism, but with a larger allowable anchor size.

25 Pre-Clustering Large training buffers intermix messages from different templated, thus resulting in amalgamated signature. Pre-clustering is used to mitigate the effects of a large training buffer Skeleton signature If a message fails to match a full signature, an attempt to assign it to a training buffer using a skeleton signature is made Once the buffer is full, skeleton regex is generated. Several skeleton regex are then combined to form a full signature ready for use.

26 Evaluation and Methodology
Signature Safety Testing Methodology Single Template Inference Multiple Template Inference Real-world Deployment False Positives Response time Other Content based approaches

27 Single template inference Results
Template Inference Algorithm – Heart of the Judo System 0% False positive rate achieved at k=1000 Generated 5000 instances of spam from a ‘Storm’ bot from templates gained through reverse engineering Here ‘k’ is the size of the training buffer.

28 Multi Template interface Results
False negative rate decreases as the classification delay d increases. Increasing false negative rate as k increases, may seem counterintuitive(previous experiment -increasing k decreased the false negative rate).

29 DYNAMIC BEHAVIOUR

30 Real world deployment Results
Worst Case: Rustock is only source of false positives: 1 in 12,500 messages. All others 0 total false positives in corpora

31 Response Time Takes under 10 seconds in almost all cases to run the algorithm. The remaining time it takes is to build up the required training sets. Rustock bots deployed required only 20 hours sent 932,474 messages spamming rate of 194 messages per minute, for each bot

32 Conclusion Judo is an attractive system which generates highly specialized regexes. Judo also proves that it is practical to generate high-quality spam content signatures by observing the output of the bot instances.

33 Queries and Discussion

34 THANK YOU

Download ppt "BOTNET JUDO : Fighting Spam with Itself"

Similar presentations

Basic Communication on the Internet:

Basic Communication on the Internet:
Seyedehmehrnaz Mireslami, Mohammad Moshirpour, Behrouz H. Far Department of Electrical and Computer Engineering University of Calgary, Canada {smiresla,

Seyedehmehrnaz Mireslami, Mohammad Moshirpour, Behrouz H. Far Department of Electrical and Computer Engineering University of Calgary, Canada {smiresla,
What is Spam  Any unwanted messages that are sent to many users at once.  Spam can be sent via email, text message, online chat, blogs or various other.

What is Spam  Any unwanted messages that are sent to many users at once.  Spam can be sent via , text message, online chat, blogs or various other.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
DSPIN: Detecting Automatically Spun Content on the Web Qing Zhang, David Y. Wang, Geoffrey M. Voelker University of California, San Diego 1.

DSPIN: Detecting Automatically Spun Content on the Web Qing Zhang, David Y. Wang, Geoffrey M. Voelker University of California, San Diego 1.
1 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.

1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.

 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
The problems associated with operating an effective anti-spam blocklist system in an increasingly hostile environment. Robert Gallagher September 2004.

The problems associated with operating an effective anti-spam blocklist system in an increasingly hostile environment. Robert Gallagher September 2004.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Spam Reduction Techniques Using greylisting and SpamAssassin.

Spam Reduction Techniques Using greylisting and SpamAssassin.
2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.
SocialFilter: Introducing Social Trust to Collaborative Spam Mitigation Michael Sirivianos Telefonica Research Telefonica Research Joint work with Kyungbaek.

SocialFilter: Introducing Social Trust to Collaborative Spam Mitigation Michael Sirivianos Telefonica Research Telefonica Research Joint work with Kyungbaek.
Botnets An Introduction Into the World of Botnets Tyler Hudak

Botnets An Introduction Into the World of Botnets Tyler Hudak
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.

 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.
Network and Systems Security By, Vigya Sharma (2011MCS2564) FaisalAlam(2011MCS2608) DETECTING SPAMMERS ON SOCIAL NETWORKS.

Network and Systems Security By, Vigya Sharma (2011MCS2564) FaisalAlam(2011MCS2608) DETECTING SPAMMERS ON SOCIAL NETWORKS.

Similar presentations

Ads by Google