Botnet Judo: Fighting Spam with Itself

Reporter: 鄭志欣

Advisor: Hsing-Kuo Pao

E-mail: [email protected]


Conference

Botnet Judo: Fighting Spam with Itself

Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage - In Proceedings of the 17th Annual Network & Distributed System Security Symposium (NDSS), 2010.


Outline

  • Introduction

  • Template-based Spam

  • Judo system

    • The Signature Generator

    • Leveraging Domain Knowledge

    • Signature Update

  • Evaluation

    • Single Template Inference

    • Multiple Template Inference

    • Real-world Deployment

  • Conclusion


Introduction

  • Reactive defenses

  • Reverse engineering

  • Black-box approach

    • Stream of all messages -> regular expression

    • Quickly producing precise mail filters


Template-based Spam


Storm’s Template Language


Judo system

  • The Judo system consists of three components.

    • Bot farm: runs instances of spamming botnets in a contained environment.

    • Signature generator: maintains a set of regular expression signatures for the spam sent by each botnet.

    • Spam filter: updated with the signatures as they are generated.


Judo spam filter model


System Assumptions

  • First and foremost, we assume that bots compose spam using a template system.


The Signature Generator

  • Anchors

  • Macros

    • Dictionary Macros

    • Micro-Anchors

    • Noise Macros

  • Leveraging Domain Knowledge

    • Header Filtering

    • Special Tokens

  • Signature Update

    • Second Chance Mechanism

    • Pre-Clustering


Steps of the algorithm


Anchors

  • Extract the longest ordered set of substrings, each of length at least q, that are common to every message.


Macros

  • Dictionary Macros

    • Hypothesis test (dictionary test)

  • Micro-Anchors

    • A substring consisting only of non-alphanumeric characters.

    • Apply the LCS step again, this time without the length limit q, to find micro-anchors.

    • Once the micro-anchors partition the text, the algorithm performs the dictionary test on each set of strings delimited by the micro-anchors.

  • Noise Macros

    • Generated as random characters drawn from some character set.

    • Represented with POSIX character classes or arbitrary repetition (“*” or “+”).


POSIX character classes

http://www.regular-expressions.info/posixbrackets.html


Leveraging Domain Knowledge

  • Improve the performance of the algorithm.

  • Header Filtering

    • Ignore all headers but the following:

    • A message must match all headers for a signature to be considered a match.

  • Special Tokens

    • Such as dates, IP addresses, etc.

    • Allowed to “expire” some time after the signature was generated.

    • Handled by pre- and post-processing so that they act as anchors.
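The anchor, macro and special-token steps above, as an added worked example (this is not the Judo authors' code, and the training messages come from a hypothetical template constructed for the example). Anchors are found with a greedy recursive longest-common-substring search with minimum length q; each gap between anchors is partitioned on micro-anchors (common non-alphanumeric substrings, no length limit), and each part is classified by a count-based stand-in for the paper's dictionary hypothesis test or turned into a noise macro. Python's re module has no POSIX classes, so bracket equivalents such as [A-Za-z] are used; the {{DATE}} and {{IP}} placeholders and their patterns are assumptions for the pre- and post-processing step:

```python
import re
import string

# Special tokens (dates, IP addresses) are swapped for placeholder literals
# before anchor extraction and expanded back to a regex in the final signature.
# Placeholders and patterns are constructed for this example.
TOKENS = {"{{DATE}}": r"\d{4}-\d{2}-\d{2}", "{{IP}}": r"\d{1,3}(?:\.\d{1,3}){3}"}

# Constructed training messages, assumed to come from one hypothetical template.
MESSAGES = [
    "Received: from [198.51.100.23]\nSubject: Cheap meds\nDate: 2010-02-28\nHi Alice,\nYour order #48213 is ready. Visit http://pharma-one.example/ab7xq today!",
    "Received: from [203.0.113.7]\nSubject: Cheap meds\nDate: 2010-03-01\nHi Bob,\nYour order #9901 is ready. Visit http://pharma-two.example/k93p today!",
    "Received: from [192.0.2.19]\nSubject: Great offer\nDate: 2010-03-02\nHi Carol,\nYour order #77215 is ready. Visit http://pharma-one.example/zz81m today!",
    "Received: from [198.51.100.88]\nSubject: Great offer\nDate: 2010-03-03\nHi Dave,\nYour order #30027 is ready. Visit http://pharma-two.example/q1w2e today!",
    "Received: from [203.0.113.250]\nSubject: Cheap meds\nDate: 2010-03-04\nHi Erin,\nYour order #5512 is ready. Visit http://pharma-one.example/m8n7 today!",
]

def preprocess(message):
    """Pre-processing: replace each special token with its placeholder."""
    for token, pattern in TOKENS.items():
        message = re.sub(pattern, token, message)
    return message

def literal(text):
    """Post-processing: escape literal text, expanding placeholders back to regex."""
    parts = re.split("(" + "|".join(map(re.escape, TOKENS)) + ")", text)
    return "".join(TOKENS.get(p, re.escape(p)) for p in parts)

def is_symbolic(s):
    """Micro-anchor candidate: non-empty and made only of non-alphanumerics."""
    return bool(s) and not any(c.isalnum() for c in s)

def longest_common_substring(strings, ok=lambda s: True):
    """Longest substring present in every string and accepted by ok()."""
    base, best = min(strings, key=len), ""
    for i in range(len(base)):
        for j in range(len(base), i + len(best), -1):  # longest candidates first
            cand = base[i:j]
            if ok(cand) and all(cand in s for s in strings):
                best = cand
                break
    return best

def find_anchors(strings, q, ok=lambda s: True):
    """Ordered anchors (common substrings of length >= q), found by splitting
    every string around the longest common substring and recursing on both sides."""
    anchor = longest_common_substring(strings, ok)
    if len(anchor) < q:
        return []
    lefts = [s[:s.find(anchor)] for s in strings]
    rights = [s[s.find(anchor) + len(anchor):] for s in strings]
    return find_anchors(lefts, q, ok) + [anchor] + find_anchors(rights, q, ok)

def segment(text, anchors):
    """Split text into the len(anchors) + 1 variable gaps between the anchors."""
    gaps = []
    for a in anchors:
        idx = text.find(a)
        gaps.append(text[:idx])
        text = text[idx + len(a):]
    return gaps + [text]

def leaf_pattern(values):
    """Classify one gap column: literal, dictionary macro, or noise macro."""
    distinct = set(values)
    if len(distinct) == 1:
        return literal(values[0])
    # Simplified dictionary test (the paper uses a hypothesis test): a gap whose
    # distinct values are few relative to the sample count is a dictionary macro.
    if len(distinct) <= max(1, len(values) // 2):
        choices = sorted(distinct, key=lambda v: (-len(v), v))
        return "(?:" + "|".join(literal(v) for v in choices) + ")"
    # Noise macro: a character class (bracket equivalents of the POSIX classes,
    # which Python's re lacks) repeated over the observed length range.
    chars = set("".join(values))
    classes = [(string.digits, "[0-9]"), (string.ascii_letters, "[A-Za-z]"),
               (string.ascii_letters + string.digits, "[A-Za-z0-9]")]
    cls = next((c for alphabet, c in classes if chars <= set(alphabet)), ".")
    return "%s{%d,%d}" % (cls, min(map(len, values)), max(map(len, values)))

def join_columns(strings, anchors, classify):
    """Interleave the classified gap columns with the escaped anchors."""
    out = []
    for i, col in enumerate(zip(*[segment(s, anchors) for s in strings])):
        out.append(classify(list(col)))
        if i < len(anchors):
            out.append(literal(anchors[i]))
    return "".join(out)

def gap_pattern(values):
    """Partition a gap on micro-anchors (no length limit), classify each part."""
    if len(set(values)) == 1:
        return literal(values[0])
    return join_columns(values, find_anchors(values, 1, is_symbolic), leaf_pattern)

def infer_signature(messages, q=6):
    """Compile one signature from messages assumed to share a template."""
    msgs = [preprocess(m) for m in messages]
    return re.compile(join_columns(msgs, find_anchors(msgs, q), gap_pattern), re.DOTALL)

if __name__ == "__main__":
    print(infer_signature(MESSAGES).pattern)
```

On the constructed messages the inferred signature keeps the fixed text as anchors, turns the subject into two dictionary macros split on the space micro-anchor, the host into the dictionary (?:one|two), and the name, order number and URL path into noise macros with length ranges; the whole signature is applied to raw mail with fullmatch, since the placeholder tokens have been expanded back into patterns.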


Signature Update

  • We would like to use a training buffer as small as necessary to generate good signatures.

  • The training buffer size is controlled by k.

  • Second Chance Mechanism

    • Addresses the case where the training buffer is too small.

  • Pre-Clustering

    • Mitigates the effects of a large training buffer.


Second Chance Mechanism


Evaluation

  • Judo is indeed safe and effective for filtering botnet-originated spam.

  • First, spam generated synthetically from actual templates used by the Storm botnet.

  • Next, we run the Judo system on actual spam sent by four different bots, measuring its effectiveness against spam generated by the same bot.

  • Last, a deployment scenario: training and testing on different instances of the same bot.


Single Template Inference


Multiple Template Inference


Real-world Deployment


Conclusion

  • We have shown that it is practical to generate high-quality spam content signatures simply by observing the output of bot instances and inferring the likely content of their underlying template.

