Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 1 Towards Modeling Legitimate and Unsolicited Email Traffic Using.

Published byHenry Barker Modified over 9 years ago

Similar presentations

Presentation on theme: "Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 1 Towards Modeling Legitimate and Unsolicited Email Traffic Using."— Presentation transcript:

1 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 1 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties Farnaz Moradi, Tomas Olovsson, Philippas Tsigas Farnaz Moradi, Tomas Olovsson, Philippas Tsigas

2 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 2 Legitimate and Unsolicited Email Traffic The battle between spammers and anti-spam strategies is not over yet.

3 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 3 Human-generated communications create implicit social networks Spam is sent automatically –It is expected that it does not exhibit the social network properties of human-generated communications Spam can be identified based on how it is sent –It is expected that this behavior is more difficult for the spammers to change than the content of the email Legitimate and Unsolicited Email Communications

4 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 4 Outline Email Dataset Email Networks Social Network Properties Implication Conclusions

5 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 5 Email Dataset SMTP packets were collected (port 25) Packets were aggregated into TCP flows Emails were re-constructed from flows Emails were classified into Accepted and Rejected by receiving mail servers Accepted emails classified into Ham and Spam using a well-trained SpamAssassin Automatic anonymization of email addresses extracted from SMTP headers and removal of packet content SUNET Customers Main Internet OptoSUNET Core Network Access Routers 2 Core Routers 40 Gb/s 10 Gb/s (x2) NORDUnet Packets Flows Spam Ham Rejected Emails Accepted 797 M 46.8 M 20 M 16.6 M 3.4 M 1.5 M1.9 M

6 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 6 Email Networks Implicit social networks: –Nodes (V): Email addresses –Edges (E): Transmitted Emails Dataset A: –|V| = 10,544,647 –|E| = 21,562,306 Dataset B: –|V| = 4,525,687 –|E| = 8,709,216

7 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 7 Structural and Temporal Properties of Email Networks Do email networks exhibit similar structural and temporal properties to other Social Networks? –Scale free (power law degree distribution) –Small world (short path length & high clustering) –Connected components (giant core)

8 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 8 Scale-Free Networks Power law degree distribution Ham SpamRejected Complete Dataset A

9 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 9 Scale-Free Networks Power law degree distribution Ham SpamRejected Complete Dataset B

10 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 10 Small-World Networks Small average shortest path length High average clustering coefficient Dataset A Dataset B

11 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 11 Connected Components Giant connected component Power law component size distribution Dataset A Dataset B

12 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 12 Implications Spam does not exhibit the social network properties of human-generated communications The unsolicited email traffic causes anomalies in the structural properties of email networks These anomalies can be identified by using an outlier detection mechanism Complete

13 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 13 Identifying Spamming Nodes DatasetNetwork Total spam Spam sent by outliers (1<k<100) 1 day68%95.5% A7 days70%96.8% 14 days70%96.9% 1 day40%82.7% B7 days35%81.3% 14 days39%87.3% 1 day 7 days Dataset A

14 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 14 Conclusions A network of legitimate email traffic can be modeled similar to other social networks –Small-world, scale-free network A network of unsolicited traffic differs from social networks –Spammers do not emulate a social network This unsocial behavior of spam is not hidden in the mixture of email traffic –Spammers can be identified without inspecting the content of the emails

15 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 15 Discussion SMTP traffic collected on a backbone link can reveal the unsocial behavior of spam Dataset features: –Asymmetric Routing A comparative analysis of the distinguishing behavior of spam and ham traffic –Missing Past Minor effects on the structural properties –Measurement Duration Evidence on how structural properties might change with longer periods of measurements SUNET Customers Main Internet OptoSUNET Core Network Access Routers 2 Core Routers 40 Gb/s 10 Gb/s (x2) NORDUnet

16 Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 16 Unsolicited Email Traffic Consumes network and mail server resources Goal: stop spam as close to its source as possible Core Routers Access Routers MTAs

Download ppt "Towards Modeling Legitimate and Unsolicited Email Traffic Using Social Network Properties 1 Towards Modeling Legitimate and Unsolicited Email Traffic Using."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Network Security Highlights Nick Feamster Georgia Tech.

Network Security Highlights Nick Feamster Georgia Tech.
Getting Traffic to your Cluster. Where to Tap WAN or Internal – WAN Detect intrusion attempts and out-bound misbehavior – Internal Detect internal-internal.

Getting Traffic to your Cluster. Where to Tap WAN or Internal – WAN Detect intrusion attempts and out-bound misbehavior – Internal Detect internal-internal.
Basic Communication on the Internet:

Basic Communication on the Internet:
An Evaluation of Community Detection Algorithms on Large-Scale Email Traffic 1 An Evaluation of Community Detection Algorithms on Large-Scale Email Traffic.

An Evaluation of Community Detection Algorithms on Large-Scale Traffic 1 An Evaluation of Community Detection Algorithms on Large-Scale Traffic.
Network biology Wang Jie Shanghai Institutes of Biological Sciences.

Network biology Wang Jie Shanghai Institutes of Biological Sciences.
IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.

IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.
1 Greedy Forwarding in Dynamic Scale-Free Networks Embedded in Hyperbolic Metric Spaces Dmitri Krioukov CAIDA/UCSD Joint work with F. Papadopoulos, M.

1 Greedy Forwarding in Dynamic Scale-Free Networks Embedded in Hyperbolic Metric Spaces Dmitri Krioukov CAIDA/UCSD Joint work with F. Papadopoulos, M.
Analysis and Modeling of Social Networks Foudalis Ilias.

Analysis and Modeling of Social Networks Foudalis Ilias.
Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.

Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.
Towards Virtual Routers as a Service 6th GI/ITG KuVS Workshop on “Future Internet” November 22, 2010 Hannover Zdravko Bozakov.

Towards Virtual Routers as a Service 6th GI/ITG KuVS Workshop on “Future Internet” November 22, 2010 Hannover Zdravko Bozakov.
Phishing (pronounced “fishing”) is the process of sending e-mail messages to lure Internet users into revealing personal information such as credit card.

Phishing (pronounced “fishing”) is the process of sending messages to lure Internet users into revealing personal information such as credit card.
Asking Questions on the Internet

Asking Questions on the Internet
Topology Generation Suat Mercan. 2 Outline Motivation Topology Characterization Levels of Topology Modeling Techniques Types of Topology Generators.

Topology Generation Suat Mercan. 2 Outline Motivation Topology Characterization Levels of Topology Modeling Techniques Types of Topology Generators.
Network Layer and Transport Layer.

Network Layer and Transport Layer.
1 A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection 許富皓 資訊工程學系 中央大學 1.

1 A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection 許富皓 資訊工程學系 中央大學 1.
UNDERSTANDING VISIBLE AND LATENT INTERACTIONS IN ONLINE SOCIAL NETWORK Presented by: Nisha Ranga Under guidance of : Prof. Augustin Chaintreau.

UNDERSTANDING VISIBLE AND LATENT INTERACTIONS IN ONLINE SOCIAL NETWORK Presented by: Nisha Ranga Under guidance of : Prof. Augustin Chaintreau.
Spam Sagar Vemuri slides courtesy: Anirudh Ramachandran Nick Feamster.

Spam Sagar Vemuri slides courtesy: Anirudh Ramachandran Nick Feamster.
Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.

Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.

Similar presentations

Ads by Google