Spamming Botnets: Signatures and Characteristics
Authors: Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten+, Ivan Osipkov+
Presenter: Chia-Li Lin
References
Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov. Spamming botnets: Signatures and characteristics. In SIGCOMM, 2008
Outline
Introduction
Spam Activity Trends
AutoRE Structure
Study Results
Conclusion
Introduction
The authors developed a spam signature generation framework called AutoRE to detect botnet-based spam emails and botnet membership
It outputs high-quality regular expression signatures
Contribution
Ability to detect frequent domain modifications
In-depth analysis of identified spamming botnet characteristics and their activity trends
Two Observations
First, spammers often add random, legitimate URLs to the content
  These URLs are legitimate and very general (e.g., http://www.w3.org)
Second, spammers customize polymorphic URLs
Multi-URL spam emails
Polymorphic URLs
AutoRE
Automatically generating URL signatures to identify botnet-based spam campaigns
Produces two outputs:
a set of spam URL signatures
  complete URL string (CU)
  URL regular expression (RE)
a related list of botnet host IP addresses
Three modules
AutoRE comprises the following three modules:
URL preprocessor
Group selector
RegEx generator
  domain-specific
  domain-agnostic
AutoRE Structure[1/2]
AutoRE Structure[2/2]
Suffix-array algorithm
keyword-based signature tree
Detailing and Generalization
Detailing returns a domain-specific regular expression, using a keyword-based signature as input.
Generalization returns a more general, domain-agnostic regular expression by merging very similar domain-specific regular expressions.
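A simplified sketch of the detailing and generalization steps described above, added here as an illustration; it is not code from the paper or from AutoRE itself. The tokenisation, the three character classes, the `https?://[^/]+` domain wildcard, the function names and the sample URLs are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs (not from the paper's data): one campaign, two domains.
SAMPLE_URLS = [
    "http://shop-one.example/deal/?id=akqpz&ref=77",
    "http://shop-one.example/deal/?id=bwtmnrc&ref=77",
    "http://shop-two.example/deal/?id=zzkfeq&ref=77",
    "http://shop-two.example/deal/?id=pqlm&ref=77",
]
TOKEN = re.compile(r"[A-Za-z0-9]+|[^A-Za-z0-9]")  # alnum runs or single delimiters
RANGE = re.compile(r"\{(\d+),(\d+)\}")            # length bounds emitted by detail()


def char_class(tokens):
    """Narrowest of three character classes covering every observed token."""
    joined = "".join(tokens)
    if joined.isdigit():
        return "[0-9]"
    return "[a-zA-Z]" if joined.isalpha() else "[a-zA-Z0-9]"


def detail(urls):
    """Domain-specific regex body for URLs sharing one domain and token layout."""
    domain = urlsplit(urls[0]).netloc
    if any(urlsplit(u).netloc != domain for u in urls):
        raise ValueError("detail() expects URLs from a single domain")
    rows = [TOKEN.findall(u.split(domain, 1)[1]) for u in urls]
    # Delimiters must line up; only alphanumeric runs are allowed to vary.
    if len({tuple("" if t.isascii() and t.isalnum() else t for t in r)
            for r in rows}) != 1:
        raise ValueError("token layouts differ; group the URLs first")
    out = []
    for column in zip(*rows):
        if len(set(column)) == 1:              # fixed keyword or delimiter
            out.append(re.escape(column[0]))
        else:                                  # polymorphic segment
            sizes = [len(t) for t in column]
            out.append(f"{char_class(column)}{{{min(sizes)},{max(sizes)}}}")
    return domain, "".join(out)


def generalize(detailed):
    """Merge regexes that differ only in domain and length bounds; else None."""
    if len({RANGE.sub("{}", body) for _, body in detailed}) != 1:
        return None
    columns = zip(*(RANGE.findall(body) for _, body in detailed))
    merged = iter([(min(int(lo) for lo, _ in c), max(int(hi) for _, hi in c))
                   for c in columns])
    body = RANGE.sub(lambda m: "{%d,%d}" % next(merged), detailed[0][1])
    return r"https?://[^/]+" + body            # wildcard replaces the domain
```

Calling `detail()` on each domain's URLs and passing both results to `generalize()` yields one signature that matches the campaign on an unseen domain but not a general legitimate URL such as http://www.w3.org/.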
Generalization
Detection Results
Using three months of sampled emails from Hotmail (November 2006, June 2007, July 2007), AutoRE successfully detected:
7,721 spam campaigns
340,050 distinct botnet host IP addresses spanning 5,916 ASes
CU & RE Statistics
False positive rate
Conclusions
This is the first successful attempt to automatically generate regular expression signatures
It demonstrates the existence of botnet spam signatures and the feasibility of detecting botnet hosts using them
Questions