Presentation is loading. Please wait.

Presentation is loading. Please wait.

June 2013 Univ. of Birmingham1 Research of Alan Sprague: Using Data Mining to Combat Spam, Phishing, and Malware Department of Computer and Information.

Published byTracy McGee Modified over 9 years ago

Similar presentations

Presentation on theme: "June 2013 Univ. of Birmingham1 Research of Alan Sprague: Using Data Mining to Combat Spam, Phishing, and Malware Department of Computer and Information."— Presentation transcript:

1 June 2013 Univ. of Alabama @ Birmingham1 Research of Alan Sprague: Using Data Mining to Combat Spam, Phishing, and Malware Department of Computer and Information Sciences University of Alabama at Birmingham

2 We offer BS and MS degrees with an emphasis on forensics; the Criminal Justice Department participates in these programs. Research center: CIA/JFR: http://thecenter.uab.edu Gary Warner Blog “Cyber Crime and Doing Time” http://garwarner.blogspot.com My research Spam Phishing Malware June 2013 Univ. of Alabama @ Birmingham2 Computer Forensics at UAB

3 June 2013 Univ. of Alabama @ Birmingham3 Outline This presentation will describe my research interests in spam and malware. The next 9 slides: spam. Subsequent slides: malware.

4 June 2013 Univ. of Alabama @ Birmingham4 Spam and the criminal web 70-80% of all email in the world is spam. Spam enables various classes of antisocial activity: Spam advertises opportunities to buy counterfeit goods, for example, pills (possibly adulterated pills) Spam delivers phish, which commonly are intended to steal credentials to banks and other financial institutions. Spam delivers malware.

5 People commonly expect our research to be classification of emails as ham or spam: desired or undesired. They then expect us to help filter email, so that spam will not be delivered. That is not our research. Instead, we start with a data file that we expect is entirely spam, and our goal is to cluster it into spam campaigns. This is an important goal, because after we understand the various spam campaigns, we know which are the largest, and we know what type of criminal activity each campaign enables. This enabled law enforcement to focus attention on the most harmful campaigns. June 2013 Univ. of Alabama @ Birmingham5 Spam: Clustering, not Classification

6 Background on Data Mining Data Mining studies the challenges and opportunities offered by huge data files. Three methods are central to Data Mining. Clustering: group together records in the data file if they resemble each other (without knowing the “meaning” of any resulting group, called a cluster). Classification: assign each record to one of several “classes”, each of which corresponds to a known type of data. Frequent sets and association rules June 2013 Univ. of Alabama @ Birmingham6

7 Our spam data Each day: 1 million spam messages Stored into UAB Spam Data Mine June 2013 Univ. of Alabama @ Birmingham7

8 June 2013 Univ. of Alabama @ Birmingham8 Preprocessing of spam data Parsing Subject Sender IP Sendername If body contains a URL: Its domain, and IP Word count of body

9 Some spams, parsed Subject Sender Sender Name Username Order HCG online y5fh6 EfrenGriffith artq.com Order HCG online vfe3ih Victor musicradio.com Pfizer Inc Discount 43681 lefley uab.edu Buy Cialis Online Tam Smith adeptis.com Your LinkedIn blocked John Fial irs.gov June 2013 Univ. of Alabama @ Birmingham9

10 June 2013 Univ. of Alabama @ Birmingham10 Goal, for the Spam Data Mine Cluster each day’s emails, to find largest spam campaigns, and then to find clues: where are they coming from? Relate each day’s clusters to the previous day’s clusters. Any new types of spam are considered “emerging threats”.

11 June 2013 Univ. of Alabama @ Birmingham11 Largest Cluster on a particular day

12 June 2013 Univ. of Alabama @ Birmingham12 Why Is This Work Useful? A large number of domains used by leading spammers to counter domain blacklisting Shutdown of those domains and their hosting servers can greatly cripple spammers’ ability to conduct spam-related cyber crimes. Further investigation of domains and IP addresses may lead to the identities of spammers.

13 June 2013 Univ. of Alabama @ Birmingham13 Transition Spam clustering is an ongoing project. A different thrust is the study of malware. I describe two methods of static analysis of malware: using blocks and jumps (slide 16), and using strings (slides 17-23).

14 June 2013 Univ. of Alabama @ Birmingham14 Malware What is malware? A program that performs actions that the user does not want Executable file, i.e., machine code Each day, we add 5000 new malwares to our database Two types of analysis: Static analysis Dynamic analysis

15 June 2013 Univ. of Alabama @ Birmingham15 Goals Malwares belong to families, such as Zeus, Reveton, Perfect keylogger Eventual goal: Put each malware into its family. Current goal: Cluster malwares, based on their strings.

16 Static Analysis, using Blocks and Jumps Method to encode malwares: Jumps (e.g. subroutines, and subroutine calls) Disassemble each malware, split it into “blocks”, compute a hash value for each block. Also find each jump, and write which block it is from and which it is to. Result: each malware is a directed graph. When malwares are encoded this way, malwares will be clustered together if their graphs are similar. July 2013 Univ. of Alabama @ Birmingham16

17 Static Analysis, using strings of printable characters at least 4 characters long, ending with \0 cxczxczxczxcc Enter %d-%02d-%02d_%02d-%02d-%02d-%d JPEG Image saved successfully!^ Screenshot saving cancelled because of logging disabled.^ COXJPEGFile::fill_input_buffer : Catching CFileException^ %d-%d-%d_%d-%d-%d _controlfp 1.12782 @.rsrc Password: June 2013 Univ. of Alabama @ Birmingham17

18 June 2013 Univ. of Alabama @ Birmingham18 Data File for 1 Day Each row is the list of strings in one malware. A sample file of 5000 malwares looks like: m1: cxczxczxczxcc, Enter, _controlfp, …. m2: ……………. m3: ……………. m4: …………….. m5000: ………….

19 Frequent sets A typical application is retail data. Data File: Purchases at a large store. Each record: List of purchases of one customer. Question: Which items are often bought together? Our application: malware. Our data file: Strings in malwares. Each record: List of strings of one malware. Question: Which strings are often found together? Dual Question: which malwares have many common strings? June 2013 Univ. of Alabama @ Birmingham19

20 Frequent sets: Tiny example 6 malwares (so 6 records), 4 strings. The malwares: a, b, c, d b, c, d a, c, d a, b c, d b, d July 2013 Incidence matrix a b c d 1 1 1 1 0 1 1 1 1 0 1 1 1 1 0 0 0 0 1 1 0 1 0 1 Univ. of Alabama @ Birmingham20

21 Frequent sets: Tiny example Strings a,c are a frequent set (records r1 and r3 contain both) But a,c is not maximal, because d is in both records Incidence matrix a b c d r1 *1 1 *1 *1 r2 0 1 1 1 r3 *1 0 *1 *1 r4 1 1 0 0 r5 0 0 1 1 r6 0 1 0 1 Univ. of Alabama @ Birmingham21

22 Closed frequent sets A frequent set is closed if it equals the intersection of the records containing it. Alternate definition: a closed set is a maximal all-ones submatrix. Since rows and columns play the same role in this, one can let malwares and strings exchange roles. Ex: Incidence matrix a b c d r1 *1 1 *1 *1 r2 0 1 1 1 r3 *1 0 *1 *1 r4 1 1 0 0 r5 0 0 1 1 r6 0 1 0 1 July 2013 Univ. of Alabama @ Birmingham22

23 Closed Frequent Sets for Malware Analysis Wanted closed frequent sets, with threshold 30. The lowest the state-of-the-art algorithm could do was 1000. By being willing to discard strings that appear more than 10 times, we recently managed threshold 20. Ongoing June 2013 Univ. of Alabama @ Birmingham23

24 The end. July 2008 Univ. of Alabama @ Birmingham24

Download ppt "June 2013 Univ. of Birmingham1 Research of Alan Sprague: Using Data Mining to Combat Spam, Phishing, and Malware Department of Computer and Information."

Similar presentations

Internet Investigations COEN 252 Computer Forensics  Thomas Schwarz, S.J. 2006.

Internet Investigations COEN 252 Computer Forensics  Thomas Schwarz, S.J
Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.

Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.
Prescription for Criminal Justice Forensics. The government has all but declared a national state of emergency regarding computer-related crimes and has.

Prescription for Criminal Justice Forensics. The government has all but declared a national state of emergency regarding computer-related crimes and has.
Malware Identification and Classification

Malware Identification and Classification
What is Spam  Any unwanted messages that are sent to many users at once.  Spam can be sent via email, text message, online chat, blogs or various other.

What is Spam  Any unwanted messages that are sent to many users at once.  Spam can be sent via , text message, online chat, blogs or various other.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
6 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Electronic Mail Electronic mail has revolutionized the way people communicate.

6 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Electronic Mail Electronic mail has revolutionized the way people communicate.
MEPO Training MEPO Database Access Training Presentation Copyright 2011 Rodger B. Fluke, MPA.

MEPO Training MEPO Database Access Training Presentation Copyright 2011 Rodger B. Fluke, MPA.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
Breaking Trust On The Internet

Breaking Trust On The Internet
Course 201 – Administration, Content Inspection and SSL VPN Filtering

Course 201 – Administration, Content Inspection and SSL VPN Filtering
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Cyber X-Force-SMS alert system for E-mail threats.

Cyber X-Force-SMS alert system for threats.
 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.

 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.
SOA Security Chapter 12 SOA for Dummies. Outline User Authentication/ authorization Authenticating Software and Data Auditing and the Enterprise Service.

SOA Security Chapter 12 SOA for Dummies. Outline User Authentication/ authorization Authenticating Software and Data Auditing and the Enterprise Service.
Recommender systems Ram Akella November 26 th 2008.

Recommender systems Ram Akella November 26 th 2008.
Security in Databases. 2 Outline review of databases reliability & integrity protection of sensitive data protection against inference multi-level security.

Security in Databases. 2 Outline review of databases reliability & integrity protection of sensitive data protection against inference multi-level security.
Email June 2013. Email Email is an easy way to communicate. It costs nothing to send an email, but it does require a connection to the Internet. You can.

June is an easy way to communicate. It costs nothing to send an , but it does require a connection to the Internet. You can.
Introduction to Data Mining 12-1. Data mining is a rapidly growing field of business analytics focused on better understanding of characteristics and.

Introduction to Data Mining Data mining is a rapidly growing field of business analytics focused on better understanding of characteristics and.
1 Authors: Anirudh Ramachandran, Nick Feamster, and Santosh Vempala Publication: ACM Conference on Computer and Communications Security 2007 Presenter:

1 Authors: Anirudh Ramachandran, Nick Feamster, and Santosh Vempala Publication: ACM Conference on Computer and Communications Security 2007 Presenter:

Similar presentations

Ads by Google