Botnet Judo: Fighting Spam with Itself (presentation transcript)


Botnet Judo: Fighting Spam with Itself

Reporter: 鄭志欣

Advisor: Hsing-Kuo Pao



Botnet Judo: Fighting Spam with Itself

Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage - In Proceedings of the 17th Annual Network & Distributed System Security Symposium (NDSS), 2010.



  • Introduction

  • Template-based Spam

  • Judo system

    • The Signature Generator

    • Leveraging Domain Knowledge

    • Signature Update

  • Evaluation

    • Single Template Inference

    • Multiple Template Inference

    • Real-world Deployment

  • Conclusion



Introduction

  • Reactive defenses: today's content filters learn about a campaign only after its spam has already been received.

  • Reverse engineering: recovering a bot's template language by hand is costly and has to be repeated for every botnet.

  • Black-box approach (Judo):

    • Stream of all messages sent by a captive bot -> regular expression signature

    • Quickly produces precise mail filters


Template-based Spam

Storm's template language


Judo system

  • The Judo system consists of three components:

    • Bot farm: runs instances of spamming bots in a contained environment, so their outgoing mail is captured rather than delivered.

    • Signature generator: maintains a set of regular-expression signatures for the spam sent by each botnet.

    • Spam filter: receives signature updates from the generator and applies the current signature set to incoming mail.

Judo spam filter model


System Assumptions

  • First and foremost, we assume that bots compose spam using a template system.


The Signature Generator

  • Anchors

  • Macros

    • Dictionary macros

    • Micro-anchors

    • Noise macros

  • Leveraging domain knowledge

    • Header filtering

    • Special tokens

  • Signature update

    • Second chance mechanism

    • Pre-clustering

Steps of the algorithm

  • Anchors: extract the longest ordered set of substrings of length at least q that are common to every message in the training buffer (longest-common-subsequence matching across the messages).

  • Dictionary macros: for the text between two anchors, a hypothesis test (the dictionary test) decides whether the values are drawn from a small fixed word list; if so, the macro becomes an alternation of the observed values.

  • Micro-anchors: substrings consisting only of non-alphanumeric characters; found by running the LCS step again without the minimum length q. Once micro-anchors partition the text, the algorithm performs the dictionary test on each set of strings delimited by the micro-anchors.

  • Noise macros: text that looks like random characters drawn from some character set; expressed as a POSIX character class with arbitrary repetition ("*" or "+").
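The four steps above, as an added worked example (my code, not the paper's or the slide deck's implementation). It infers a signature from six constructed messages that all fill one hypothetical template, then applies it to fresh messages. Assumptions and simplifications: messages are tokenised on `\w+|\W+` so anchors keep their exact spacing; the multi-message LCS is approximated by folding a pairwise LCS over the messages with `reduce`; the dictionary test is reduced to "distinct values are at most half the samples" in place of the paper's hypothesis test; and Python character classes such as `[0-9]` stand in for POSIX classes. The price field shows how a common substring shorter than q (the "." in "$19.99") is rejected as an anchor and then recovered as a micro-anchor.

```python
import re
from functools import reduce

# Constructed sample messages (not real spam), as if captured from one bot instance filling a
# hypothetical template "Hi {name}, buy {drug} now at http://{host}.example/?id={rand} for only ${price}".
CAPTURED = [
    "Hi Alice, buy Viagra now at http://pill7.example/?id=ab12xq for only $19.99",
    "Hi Bob, buy Cialis now at http://meds42.example/?id=zz9k0p for only $24.50",
    "Hi Carol, buy Viagra now at http://shop3.example/?id=q1w2e3 for only $9.95",
    "Hi Dave, buy Levitra now at http://pill19.example/?id=m0n1b2 for only $35.00",
    "Hi Alice, buy Cialis now at http://best5.example/?id=t5y6u7 for only $12.49",
    "Hi Bob, buy Viagra now at http://meds8.example/?id=r4t5y6 for only $7.99",
]

def lcs(a, b):
    """Longest common subsequence of two token lists (textbook dynamic programme)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i, j = i + 1, j + 1
        else:
            i, j = (i + 1, j) if dp[i + 1][j] >= dp[i][j + 1] else (i, j + 1)
    return out

def noise_macro(samples):
    """Noise macro: narrowest class covering every sample, with + or * (Python stand-ins for POSIX classes)."""
    text = "".join(samples)
    cls = next((c for c in ("[0-9]", "[A-Za-z]", "[A-Za-z0-9]", r"\S") if re.fullmatch(c + "*", text)), ".")
    return cls + ("+" if all(samples) else "*")

def infer_gap(samples):
    """Text between two anchors becomes a dictionary macro, micro-anchored pieces or a noise macro."""
    if not any(samples):
        return ""
    values = sorted(set(samples))
    # Simplified dictionary test: values repeat enough that a small fixed word list is the likelier
    # explanation than random text (the paper uses a proper hypothesis test here).
    if 2 * len(values) <= len(samples):
        return "(?:" + "|".join(map(re.escape, values)) + ")"
    # Micro-anchors: non-alphanumeric runs common to every sample, found with no minimum length q.
    micro = reduce(lcs, [re.findall(r"[^A-Za-z0-9]+", s) for s in samples])
    if not micro:
        return noise_macro(samples)
    columns = []  # per sample: the pieces delimited by the micro-anchors
    for s in samples:
        pos, cols = 0, []
        for anchor in micro:
            i = s.find(anchor, pos)
            if i < 0:  # greedy alignment failed; give up on structure for this gap
                return noise_macro(samples)
            cols.append(s[pos:i])
            pos = i + len(anchor)
        columns.append(cols + [s[pos:]])
    pieces = [infer_gap([c[0] for c in columns])]
    for k, anchor in enumerate(micro):  # dictionary test again on each delimited set
        pieces += [re.escape(anchor), infer_gap([c[k + 1] for c in columns])]
    return "".join(pieces)

def infer_signature(messages, q=3):
    """Judo-style signature: anchors of length >= q common to all messages, joined by macros."""
    toks = [re.findall(r"\w+|\W+", m) for m in messages]
    common = reduce(lcs, toks)  # heuristic stand-in for the paper's multi-message LCS
    columns = []  # per message: the text before each common token, plus a trailing column
    for t in toks:
        j, cols = 0, []
        for c in common:  # greedy left-to-right alignment of the common tokens
            nxt = t.index(c, j)
            cols.append("".join(t[j:nxt]))
            j = nxt + 1
        columns.append(cols + ["".join(t[j:])])
    segs = []  # alternating ["A", anchor text] and ["G", per-message gap texts]
    for i in range(len(common) + 1):
        gap = [c[i] for c in columns]
        if any(gap):
            segs.append(["G", gap])
        if i < len(common) and segs and segs[-1][0] == "A":
            segs[-1][1] += common[i]  # adjacent in every message: extend the anchor
        elif i < len(common):
            segs.append(["A", common[i]])
    merged = []  # anchors shorter than q are untrusted and dissolve into the surrounding gaps
    for kind, payload in segs:
        if kind == "A" and len(payload) >= q:
            merged.append(["A", payload])
        else:
            gap = payload if kind == "G" else [payload] * len(messages)
            if merged and merged[-1][0] == "G":
                merged[-1][1] = [a + b for a, b in zip(merged[-1][1], gap)]
            else:
                merged.append(["G", gap])
    return "".join(re.escape(p) if k == "A" else infer_gap(p) for k, p in merged)

def matches(signature, message):
    """Apply a signature the way the filter would: the whole message must match."""
    return re.fullmatch(signature, message) is not None
```

For `CAPTURED`, `infer_signature` returns the literal anchors ("Hi ", ", buy ", " now at http://", ".example/?id=", " for only $") escaped for `re`, joined by `[A-Za-z]+` for the name (four distinct values in six messages fail the simplified dictionary test), `(?:Cialis|Levitra|Viagra)` for the drug, `[A-Za-z0-9]+` for the host and the id, and `[0-9]+\.[0-9]+` for the price. A fresh message from the same template, such as "Hi Eve, buy Levitra now at http://rx11.example/?id=p9o8i7 for only $5.00", matches; one with a product outside the dictionary, or a legitimate mail that merely starts with "Hi Alice,", does not.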


POSIX character classes


Leveraging Domain Knowledge

  • Domain knowledge about e-mail improves the quality of the inferred signatures and the speed of the algorithm.

  • Header filtering

    • All headers are ignored except a fixed set listed on the slide; a separate signature is inferred for each retained header.

    • A message must match all of the header signatures (as well as the body signature) for the signature to be considered a match.

  • Special tokens

    • Values like dates, IP addresses, etc.

    • A signature that anchors on such a value would "expire" shortly after it was generated, because the value changes with time or sender.

    • Handled by pre- and post-processing: the token is replaced before inference and treated as an anchor matched by a pattern rather than by its literal value.


Signature Update

  • We would like to use a training buffer as small as necessary to generate good signatures: a small buffer yields signatures quickly, a large one yields more general signatures.

  • The training buffer size is controlled by the parameter k.

  • Second chance mechanism

    • Compensates for a training buffer that is too small.

  • Pre-clustering

    • Mitigates the effects of a training buffer that is too large (messages from different templates ending up in one signature).


Second Chance Mechanism



Evaluation

  • Goal: show that Judo is indeed safe and effective for filtering botnet-originated spam.

  • First, spam generated synthetically from actual templates used by the Storm botnet.

  • Next, the Judo system is run on actual spam sent by four different bots, measuring its effectiveness against spam generated by the same bot.

  • Last, a deployment scenario: training and testing on different instances of the same bot.


Single Template Inference


Multiple Template Inference


Real-world Deployment



Conclusion

  • We have shown that it is practical to generate high-quality spam content signatures simply by observing the output of bot instances and inferring the likely content of their underlying template.