Presentation is loading. Please wait.

Presentation is loading. Please wait.

Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Microsoft Research, Silicon Valley Geoff Hulten,

Published byDarren Hood Modified over 9 years ago

Similar presentations

Presentation on theme: "Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Microsoft Research, Silicon Valley Geoff Hulten,"— Presentation transcript:

1 Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Microsoft Research, Silicon Valley Geoff Hulten, Ivan Osipkov, Microsoft Corporation 2008 ACM SIGCOMM 1

2 OUTLINE  1.INTRODUCTION  2.AUTORE  3.AUTOMATIC URL REGULAR EXPRESSION GENERATION  4.DATASETS AND RESULTS  5.BOTNET VALIDATION  6.UNDERSTANDING SPAMMING BOTNET CHARACTERISTICS  7.DISCUSSION  8.CONCLUSION 2

3 1.INTRODUCTION  Botnets have been widely used for sending spam emails  AutoRE that identifies botnet hosts by generating botnet spam signatures from emails.  Challenging to derive URL. 3

4 1.INTRODUCTION(cont.)  Complete URL based signatures, Conjunction based signatures and Regular expression signatures.  Desirable features of AutoRE  Spamming botnet characteristics and their activity trends. 4

5 2. AUTORE  Bursty and Distributed  AutoRE is comprised of the following three modules:  URL Pre-Processing  URL Group Selection  Signature Generation and Botnet Identification 5

6 2. AUTORE(cont.) 6

7 URL Pre-Processing  Information extracting.  Discard all forwarded emails.  Grouping URLs from the same domain together. 7

8 URL Group Selection  Each email might be associated with multiple groups.  Bursty property. 8

9 Signature Generation and Botnet Identification  Complete URL based signatures and Regular expression signatures.  Distributed, Bursty, and Specific  This signature characterizes the set of matching emails as botnet-based spam and the originating mail servers as botnet hosts. 9

10 3.AUTOMATIC URL REGULAR EXPRESSION GENERATION  Generation module:  Signature Tree Construction  Regular Expression Generation  Signature Quality Evaluation  Polymorphic URLs 10

11 Signature Tree Construction  Most frequent substring that is both bursty and distributed.  Keyword-based signature tree. 11

12 Regular Expression Generation  Detailing and Generalization.  C{l 1, l 2 }, C is the character set, and l 1 and l 2 are the min. and max. substring lengths. 12

13 Signature Quality Evaluation  Entropy reduction, the probability of a random string matching a signature.  1  AutoRE discards all signatures whose entropy reductions are smaller than a preset threshold. 13

14 4.DATASETS AND RESULTS  Dataset was collected in Nov 2006, Jun 2007, and Jul 2007, with a total of 5,382,460 sampled emails (sampling rate 1:25000).  Excluding those that originated from blacklisted IPs, such as the ones published by Spamhaus.  Ignored the classification labels. 14

15 DATASETS AND RESULTS(cont.)  AutoRE identified 7,721 botnet-based spam campaigns. Include 580,466 spam messages, sent from 340,050 distinct botnet host IP addresses spanning 5,916 ASes. 15

16 DATASETS AND RESULTS(cont.)  CU category (70.3-79.6%)  RE category (20.4-29.7%) 16

17 DATASETS AND RESULTS(cont.)  Cumulative distribution of botnet size in terms of number of distinct IPs involved. 17

18 DATASETS AND RESULTS(cont.)  Number of regular expression patterns before and after generalization. 18

19 DATASETS AND RESULTS(cont.)  Percentage of spam captured by AutoRE signatures. 19

20 5.BOTNET VALIDATION 20

21 Evaluation of Botnet URL Signatures  False Positive Rate: 21

22 Evaluation of Botnet URL Signatures  Ability to Detect Future Spam.  The signatures derived in Nov 2006 and Jun 2007 to the (sampled) emails collected in Jul 2007. 22

23 Evaluation of Botnet URL Signatures  Regular Expressions vs Keyword Conjunctions. (e.g., token1.*token2.*token3) 23

24 Evaluation of Botnet URL Signatures  Domain-Specific vs Domain-Agnostic Signatures. 24

25 Evaluation of Botnet IP Addresses  (a) The false positive rate over the total identified IPs (sessions).  (b) Total botnet-based spam volume. 25

26 Is Each Campaign a Group? 26

27 6.UNDERSTANDING SPAMMING BOTNET CHARACTERISTICS  All Botnet Hosts: A General Perspective  Per Campaign: An Individual Perspective  Comparison of Different Campaigns  Correlation with Scanning Traffic 27

28 All Botnet Hosts: A General Perspective  Distribution of Botnet IP Addresses 28

29 All Botnet Hosts: A General Perspective  The number of ASes vs. the number of IPs for each spam campaign. 29

30 All Botnet Hosts: A General Perspective  More than 80% of campaigns have at least half of their hosts in the dynamic IP ranges. 30

31 All Botnet Hosts: A General Perspective  Spam Sending Patterns  Number of recipients per email  Connections per second  Nonexisting recipient frequency 31

32 Per Campaign: An Individual Perspective  Similarity of Email Properties  Similarity of Sending Time  Similarity of Email Sending Behavior 32

33 Similarity of Email Properties  The contents are quite different even though their target web pages are similar. 33

34 Similarity of Sending Time  50% of campaigns have std (standard deviation) less than 1.81 hours. 34

35 Similarity of Email Sending Behavior 35

36 Comparison of Different Campaigns  Botnets sharing a domain-agnostic signature barely overlap with each other. 36

37 Correlation with Scanning Traffic  Botnet attacks have different phases. 37

38 7.DISCUSSION  AutoRE has the potential to work in real time mode.  Spammers may attempt to craft emails to evade the AutoRE URL selection process.  Spammers may wish to evade detection by having no patterns in their URLs. 38

39 7.DISCUSSION(cont.)  AutoRE leverages the bursty and distributed features of botnet attacks for detection.  URL redirection techniques. 39

40 8.CONCLUSION  AutoRE generates regular expression signatures, which were previously written by human experts only.  Low false positive rate.  Botnets several important findings.  Botnets are evolving and getting increasingly sophisticated. 40

Download ppt "Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Microsoft Research, Silicon Valley Geoff Hulten,"

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
1 Network-Level Spam Detection Nick Feamster Georgia Tech.

1 Network-Level Spam Detection Nick Feamster Georgia Tech.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.

RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.
Early Detection of Outgoing Spammers in Large-Scale Service Provider Networks Yehonatan Cohen Daniel Gordon Danny Hendler Ben-Gurion University Yehonatan.

Early Detection of Outgoing Spammers in Large-Scale Service Provider Networks Yehonatan Cohen Daniel Gordon Danny Hendler Ben-Gurion University Yehonatan.
Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,

Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,
Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.

Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.
Network Security: Spam Nick Feamster Georgia Tech CS 6250 Joint work with Anirudh Ramachanrdan, Shuang Hao, Santosh Vempala, Alex Gray.

Network Security: Spam Nick Feamster Georgia Tech CS 6250 Joint work with Anirudh Ramachanrdan, Shuang Hao, Santosh Vempala, Alex Gray.
1 BotGraph: Large Scale Spamming Botnet Detection Yao Zhao EECS Department Northwestern University.

1 BotGraph: Large Scale Spamming Botnet Detection Yao Zhao EECS Department Northwestern University.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
Correlating Spam Activity with IP Address Characteristics Chris Wilcox, Christos Papadopoulos CSU John Heidemann USC/ISI IEEE Global Internet Symposium.

Correlating Spam Activity with IP Address Characteristics Chris Wilcox, Christos Papadopoulos CSU John Heidemann USC/ISI IEEE Global Internet Symposium.
BotGraph: Large Scale Spamming Botnet Detection Yao Zhao Yinglian Xie *, Fang Yu *, Qifa Ke *, Yuan Yu *, Yan Chen and Eliot Gillum ‡ EECS Department,

BotGraph: Large Scale Spamming Botnet Detection Yao Zhao Yinglian Xie *, Fang Yu *, Qifa Ke *, Yuan Yu *, Yan Chen and Eliot Gillum ‡ EECS Department,
Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.

Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.
Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.

Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
1 Authors: Anirudh Ramachandran, Nick Feamster, and Santosh Vempala Publication: ACM Conference on Computer and Communications Security 2007 Presenter:

1 Authors: Anirudh Ramachandran, Nick Feamster, and Santosh Vempala Publication: ACM Conference on Computer and Communications Security 2007 Presenter:
Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

Similar presentations

Ads by Google