Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.

Published byAngel Garrett Modified over 10 years ago

Similar presentations

Presentation on theme: "Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University."— Presentation transcript:

1 Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University

2 Outline Motivation and background SPOT algorithm on detecting compromised machines Performance evaluation Summary 2

3 Motivation Botnet becoming a major security issue –Spamming, DDoS, and identity theft Hard to defend botnet based attacks –Sheer volume, wide spread Lack of effective method to detect bots in local networks 3

4 Motivation Utility-based online detection method SPOT –Detecting subset of compromised machines involved in spamming Bots increasingly used in sending spam –70% - 80% of all spam from bots in recent years –In response to blacklisting –Spamming provides key economic incentive for controller 4

5 Network Model Machines in a network –Either compromised H 1 or normal H 0 – How to detect if a machine compromised as msgs pass SPOT sequentially? –Sequential Probability Ratio Test (SPRT) 5

6 Sequential Probability Ratio Test Statistical method for testing –Null hypothesis against alternative hypothesis One-dimensional random walk –With two boundaries corresponding to hypotheses 6 A B

7 SPRT Advantages –Online algorithm Applying to observations arriving sequentially –Fast detection Minimizing average number of observation required –Controlled results False positive and false negative errors can be bounded by user-specified thresholds 7

8 SPRT X denote a Bernoulli random variable with unknown parameter θ SPRT tests null hypothesis H 0 θ = θ 0 against alternative hypothesis H 1 θ = θ 1 8

9 SPRT How likely to have sequence of X 1, X 2, …, X n, under H 1 and H 0, respectively? 9

10 SPRT Test Process Given two constant A and B, where A < B, at each step n, compute How to determine A and B –Let α and β be user-desired false positive and negative rates 10

11 SPRT Bounds Relationship between actual false positive α’ and false negative β’ and desired ones α and β Average number of observation to reach decision 11

12 SPOT Detection Algorithm Based on SPRT –H 1 : machine is compromised –H 0 : machine is normal Maintain Λ n for each IP observed Update Λ n in each step Compare Λ n to A and B Terminate when B is approached Restart when A is approached – after resetting Λ n 12

13 Determining SPOT Parameters Four parameters: α, β, θ 0, θ 1 –α, β are user desired error rates, normally in range 0.01 to 0.05 –Ideally, θ 0 and θ 1 should be probability a normal and compromised machine send spam –SPOT does not require precise knowledge of θ 0 and θ 1 An imprecise (but reasonably) knowledge of θ 0 and θ 1 will only affect N In practice, they can model the false positive and detection rate of spam filter 13

14 Averaged Number of Observations Required β = 0.01 14

15 Trace-based Performance Evaluation Two month email trace received on FSU campus net SpamAssassin and anti-virus software –About 73% of all emails are spam 15

16 Sending IP Addresses 16 –FSU has higher percentage of mixed IP addresses –FSU has higher percentage of IP addresses sending virus

17 Performance of SPOT –Α = 0.01, β = 0.01, θ 0 = 0.2, θ 1 = 0.9 –110 confirmed by virus information –16 confirmed by high spam sending percentage (> 98%) 62.5% of these are dynamic IP –6 cannot be confirmed by either way –7 machines SPOT identified as normal carried virus 17

18 Number of Actual Observations 18

19 Impacts of Dynamic IP Addresses SPOT assumes one-to-one mapping between IP address and machine Intuitively, dynamic IP will not have any major impacts, given fast detection of SPOT 19

20 Distribution of Spam in Each Cluster –T = 30 minutes –90% of clusters >= 10 spam –96% of clusters >= 3 spam 20

21 Discussions Practical deployment issues –Msgs may pass a few relay servers before leaving network –Method 1: deploy SPOT at each relay server –Method 2: identify originating machine by Received header Limitation –IID assumption of message arrivals 21

22 Summary SPOT –Effective and efficient spam zombie detection system –Based Sequential Probability Ratio Test A utility-based detection scheme –How to generalize the idea to detect compromised machines used for other purposes? 22

Download ppt "Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University."

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
Inventory Control Models.

Inventory Control Models.
Introduction to Hypothesis Testing

Introduction to Hypothesis Testing
Pricing for Utility-driven Resource Management and Allocation in Clusters Chee Shin Yeo and Rajkumar Buyya Grid Computing and Distributed Systems (GRIDS)

Pricing for Utility-driven Resource Management and Allocation in Clusters Chee Shin Yeo and Rajkumar Buyya Grid Computing and Distributed Systems (GRIDS)
Part 3 Probabilistic Decision Models

Part 3 Probabilistic Decision Models
STATISTICS HYPOTHESES TEST (I)

STATISTICS HYPOTHESES TEST (I)
STATISTICS POINT ESTIMATION Professor Ke-Sheng Cheng Department of Bioenvironmental Systems Engineering National Taiwan University.

STATISTICS POINT ESTIMATION Professor Ke-Sheng Cheng Department of Bioenvironmental Systems Engineering National Taiwan University.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
ARIN Public Policy Meeting

ARIN Public Policy Meeting
Network Security Highlights Nick Feamster Georgia Tech.

Network Security Highlights Nick Feamster Georgia Tech.
1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.

1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
On Scheduling Vehicle-Roadside Data Access Yang Zhang Jing Zhao and Guohong Cao The Pennsylvania State University.

On Scheduling Vehicle-Roadside Data Access Yang Zhang Jing Zhao and Guohong Cao The Pennsylvania State University.
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
15.082 and 6.855J Cycle Canceling Algorithm. 2 A minimum cost flow problem 1 24 35 10, $4 20, $1 20, $2 25, $2 25, $5 20, $6 30, $7 25 0 0 0-25.

and 6.855J Cycle Canceling Algorithm. 2 A minimum cost flow problem , $4 20, $1 20, $2 25, $2 25, $5 20, $6 30, $
BUS 220: ELEMENTARY STATISTICS

BUS 220: ELEMENTARY STATISTICS
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
0 - 0.

0 - 0.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

Similar presentations

Ads by Google