Download
botnet judo fighting spam with itself n.
Skip this Video
Loading SlideShow in 5 Seconds..
Botnet Judo: Fighting Spam with Itself PowerPoint Presentation
Download Presentation
Botnet Judo: Fighting Spam with Itself

Botnet Judo: Fighting Spam with Itself

145 Views Download Presentation
Download Presentation

Botnet Judo: Fighting Spam with Itself

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Botnet Judo: Fighting Spam with Itself Reporter :鄭志欣 Advisor:Hsing-Kuo Pao E-mail:m9815058@mail.ntust.edu.tw

  2. Conference Botnet Judo: Fighting Spam with Itself Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage - In Proceedings of the 17th Annual Network & Distributed System Security Symposium (NDSS), 2010.

  3. Outline • Introduction • Template-based Spam • Judo system • The Signature Generator • Leveraging Domain Knowledge • Signature Update • Evaluation • Single Template Inference • Multiple Template Inference • Real-world Deployment • Conclusion

  4. Introduction • Reactive Defenses • Reversed engineering • Black-box • stream of All messages -> Regular expression • Quickly producing precise mail filters

  5. Template-based Spam

  6. Storm’s template Language

  7. Judo system • Judo system consists of three components. • Bot farm : running instances of spamming botnets in a contained environment. • Signature generator : maintains a set of regular expression signatures for spam sent by each botnet. • Spam filter : Updating the system

  8. Judo spam filtermodel

  9. System Assumptions • First and foremost , we assume that bots compose spam using a template system.

  10. The Signature Generator • Anchors • Macros • Dictionary Macros. • Micro-Anchors. • Noise Macros. • Leveraging Domain Knowledge • Header Filtering • Special Tokens • Signature Update • Second Chance Mechanism • Pre-Clustering.

  11. Step of algorithm

  12. Anchors • Extracting the longest ordered set of substrings have length at least q that are common to every messages.

  13. Macros • Dictionary Macros. • Hypothesis test (Dictionary Test ) • Micro-Anchors. • a substring that consists of non-alphanumeric . • Using LCS (q don’t limit) again to find Micro-Anchors. • Once micro-anchors partition the text, the algorithm performs the dictionary test on each set of strings delimited by the micro-anchors. • Noise Macros. • generates random characters from some character set • POSIX character classes or Arbitary repetition “*” or “+”

  14. POSIX character classes http://www.regular-expressions.info/posixbrackets.html

  15. Leveraging Domain Knowledge • Improve the performance of the algorithm. • Header Filtering • Headers ignore all but the following headers: • A message must match all header for a signature to be considered a match. • Special Tokens • Like dates,IP addresses … etc. • “expire” after it was generated • pre- and post- processing as anchor

  16. Signature Update • We would like to use a training buffer as small as necessary to generate good signatures. • Train buffer is controlled by k. • Second Chance Mechanism. • solving the train buffer is too small. • Pre-Clustering • Mitigate the effects of a large training buffer.

  17. Second Chance Mechanism

  18. Evaluation • Judo is indeed safe and effective for filtering botnet-originated spam. • first, spam generated synthetically from actual templates used by the Storm botnet • Next,we run the Judo system on actual spam sent by four different bots, measuring its effectiveness against spam generated by the same bot. • Last, deployment scenario , training and testing on different instances of the same bot.

  19. Single Template Inference

  20. Multiple Template Inference

  21. Real-world Deployment

  22. Conclusion • We have shown that it is practical to generate high-quality spam content signatures simply by observing the output of bot instances and inferring the likely conten of their underlying template.