Spamming Botnets: Signatures and Characteristics. Authors: Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten+, Ivan Osipkov+. Presenter: Chia-Li Lin
Spamming Botnets: Signatures and Characteristics

Jan 02, 2016

shelby-wolfe

Transcript
Page 1: Spamming Botnets: Signatures and Characteristics

Spamming Botnets: Signatures and Characteristics     

Authors: Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten+, Ivan Osipkov+

Presenter: Chia-Li Lin

Page 2: Spamming Botnets: Signatures and Characteristics

References

Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov. Spamming botnets: Signatures and characteristics. In SIGCOMM, 2008

Page 3: Spamming Botnets: Signatures and Characteristics

Outline

Introduction

Spam Activity Trends

AutoRE Structure

Study Results

Conclusion

Page 4: Spamming Botnets: Signatures and Characteristics

Introduction

Developed a spam signature generation framework called AutoRE to detect botnet-based spam emails and botnet membership

It outputs high-quality regular expression signatures

Page 5: Spamming Botnets: Signatures and Characteristics

Contribution

Ability to detect frequent domain modifications

In-depth analysis of identified spamming botnet characteristics and their activity trends

Page 6: Spamming Botnets: Signatures and Characteristics

Two Observations

First, spammers often add random, legitimate URLs to the email content

These URLs are legitimate and very general (e.g., http://www.w3.org)

Second, spammers customize polymorphic URLs

Page 7: Spamming Botnets: Signatures and Characteristics

Multi-URL spam emails

Page 8: Spamming Botnets: Signatures and Characteristics

Polymorphic URLs

Page 9: Spamming Botnets: Signatures and Characteristics

AutoRE

Automatically generating URL signatures to identify botnet-based spam campaigns

Produces two outputs:

a set of spam URL signatures:

complete URL string (CU)

URL regular expression (RE)

a related list of botnet host IP addresses

Page 10: Spamming Botnets: Signatures and Characteristics

Three modules

AutoRE comprises the following three modules:

URL preprocessor

Group selector

RegEx generator

domain-specific

domain-agnostic

Page 11: Spamming Botnets: Signatures and Characteristics

AutoRE Structure[1/2]

Page 12: Spamming Botnets: Signatures and Characteristics

AutoRE Structure[2/2]

Page 13: Spamming Botnets: Signatures and Characteristics

Suffix-array algorithm

Page 14: Spamming Botnets: Signatures and Characteristics

keyword-based signature tree

Page 15: Spamming Botnets: Signatures and Characteristics

Detailing and Generalization

Detailing returns a domain-specific regular expression using a keyword-based signature as input.

Generalization returns a more general domain-agnostic regular expression by merging very similar domain-specific regular expressions.
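A simplified sketch of the two steps above, added here as an illustration and not the AutoRE implementation: detailing turns a keyword signature into a domain-specific expression with a character class and length bounds, and generalization merges expressions that differ only in domain and length. The keyword, domains and URLs are constructed, the keyword is supplied by hand, and the fixed list of character classes and the function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

KEYWORD = "/n/?167&"  # constructed keyword signature (frequent substring)
CAMPAIGN = {          # constructed URLs grouped by domain, not real data
    "deals-one.example": ["http://deals-one.example/n/?167&kqzbrtmwa",
                          "http://deals-one.example/n/?167&plmoknijbuhv"],
    "deals-two.example": ["http://deals-two.example/n/?167&qwertyuiopas",
                          "http://deals-two.example/n/?167&zxcvbnmasdfghjk"],
}
CLASSES = ("[0-9]", "[a-z]", "[a-zA-Z]", "[a-zA-Z0-9]")  # assumed class set

def char_class(tokens):
    """Narrowest of a few fixed classes covering every sample token."""
    joined = "".join(tokens)
    return next((c for c in CLASSES if re.fullmatch(c + "*", joined)), ".")

def detail(urls, keyword):
    """Detailing: keyword signature -> domain-specific rule.
    Assumes each URL is http://<domain><keyword><variable token>."""
    domain = urlsplit(urls[0]).netloc
    prefix = "http://" + domain + keyword
    if not all(u.startswith(prefix) for u in urls):
        raise ValueError("URL does not fit the keyword signature")
    tokens = [u[len(prefix):] for u in urls]
    lens = [len(t) for t in tokens]
    return {"domain": domain, "keyword": keyword,
            "cls": char_class(tokens), "lo": min(lens), "hi": max(lens)}

def to_regex(rule, domain=None):
    """Render a rule; domain=None yields the domain-agnostic form."""
    host = "[^/]+" if domain is None else re.escape(domain)
    return "^http://%s%s%s{%d,%d}$" % (
        host, re.escape(rule["keyword"]), rule["cls"], rule["lo"], rule["hi"])

def generalize(rules):
    """Generalization: merge rules that differ only in domain and length."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r["keyword"], r["cls"])].append(r)
    out = []
    for rs in groups.values():
        merged = dict(rs[0], lo=min(r["lo"] for r in rs),
                      hi=max(r["hi"] for r in rs))
        shared = len({r["domain"] for r in rs}) > 1
        out.append(to_regex(merged, None if shared else rs[0]["domain"]))
    return out

if __name__ == "__main__":
    rules = [detail(urls, KEYWORD) for urls in CAMPAIGN.values()]
    print(generalize(rules))
```

The merged expression also matches the same URL pattern on a domain that was never seen, which is what lets a domain-agnostic signature survive frequent domain changes.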

Page 16: Spamming Botnets: Signatures and Characteristics

Generalization

Page 17: Spamming Botnets: Signatures and Characteristics

Detection Results

Using three months of sampled emails from Hotmail

November 2006, June 2007, July 2007

AutoRE successfully detected

7,721 spam campaigns

340,050 distinct botnet host IP addresses

spanning 5,916 ASes.

Page 18: Spamming Botnets: Signatures and Characteristics

CU & RE Statistics

Page 19: Spamming Botnets: Signatures and Characteristics

Page 20: Spamming Botnets: Signatures and Characteristics

False positive rate

Page 21: Spamming Botnets: Signatures and Characteristics

Conclusions

This is the first successful attempt to automatically generate regular expression signatures

The existence of botnet spam signatures and the feasibility of detecting botnet hosts using them

Page 22: Spamming Botnets: Signatures and Characteristics

Questions