botnet judo fighting spam with itself n.
Skip this Video
Download Presentation
Botnet Judo: Fighting Spam with Itself

Loading in 2 Seconds...

play fullscreen
1 / 22

Botnet Judo: Fighting Spam with Itself - PowerPoint PPT Presentation

  • Uploaded on

Botnet Judo: Fighting Spam with Itself. Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Conference. Botnet Judo: Fighting Spam with Itself

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Botnet Judo: Fighting Spam with Itself' - cascata-firbis

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
botnet judo fighting spam with itself

Botnet Judo: Fighting Spam with Itself

Reporter :鄭志欣

Advisor:Hsing-Kuo Pao


Botnet Judo: Fighting Spam with Itself

Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage - In Proceedings of the 17th Annual Network & Distributed System Security Symposium (NDSS), 2010.

  • Introduction
  • Template-based Spam
  • Judo system
    • The Signature Generator
    • Leveraging Domain Knowledge
    • Signature Update
  • Evaluation
    • Single Template Inference
    • Multiple Template Inference
    • Real-world Deployment
  • Conclusion
  • Reactive Defenses
  • Reversed engineering
  • Black-box
    • stream of All messages -> Regular expression
    • Quickly producing precise mail filters
judo system
Judo system
  • Judo system consists of three components.
    • Bot farm : running instances of spamming botnets in a contained environment.
    • Signature generator : maintains a set of regular expression signatures for spam sent by each botnet.
    • Spam filter : Updating the system
system assumptions
System Assumptions
  • First and foremost , we assume that bots compose spam using a template system.
the signature generator
The Signature Generator
  • Anchors
  • Macros
    • Dictionary Macros.
    • Micro-Anchors.
    • Noise Macros.
  • Leveraging Domain Knowledge
    • Header Filtering
    • Special Tokens
  • Signature Update
    • Second Chance Mechanism
    • Pre-Clustering.
  • Extracting the longest ordered set of substrings have length at least q that are common to every messages.
  • Dictionary Macros.
    • Hypothesis test (Dictionary Test )
  • Micro-Anchors.
    • a substring that consists of non-alphanumeric .
    • Using LCS (q don’t limit) again to find Micro-Anchors.
    • Once micro-anchors partition the text, the algorithm performs the dictionary test on each set of strings delimited by the micro-anchors.
  • Noise Macros.
    • generates random characters from some character set
    • POSIX character classes or Arbitary repetition “*” or “+”
posix character classes
POSIX character classes

leveraging domain knowledge
Leveraging Domain Knowledge
  • Improve the performance of the algorithm.
  • Header Filtering
    • Headers ignore all but the following headers:
    • A message must match all header for a signature to be considered a match.
  • Special Tokens
    • Like dates,IP addresses … etc.
    • “expire” after it was generated
    • pre- and post- processing as anchor
signature update
Signature Update
  • We would like to use a training buffer as small as necessary to generate good signatures.
  • Train buffer is controlled by k.
  • Second Chance Mechanism.
    • solving the train buffer is too small.
  • Pre-Clustering
    • Mitigate the effects of a large training buffer.
  • Judo is indeed safe and effective for filtering botnet-originated spam.
  • first, spam generated synthetically from actual templates used by the Storm botnet
  • Next,we run the Judo system on actual spam sent by four different bots, measuring its effectiveness against spam generated by the same bot.
  • Last, deployment scenario , training and testing on different instances of the same bot.
  • We have shown that it is practical to generate high-quality spam content signatures simply by observing the output of bot instances and inferring the likely conten of their underlying template.