
Botnet Judo: Fighting Spam with Itself


Presentation Transcript


  1. Botnet Judo: Fighting Spam with Itself Reporter: 鄭志欣 Advisor: Hsing-Kuo Pao E-mail: m9815058@mail.ntust.edu.tw

  2. Conference Botnet Judo: Fighting Spam with Itself Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage - In Proceedings of the 17th Annual Network & Distributed System Security Symposium (NDSS), 2010.

  3. Outline • Introduction • Template-based Spam • Judo system • The Signature Generator • Leveraging Domain Knowledge • Signature Update • Evaluation • Single Template Inference • Multiple Template Inference • Real-world Deployment • Conclusion

  4. Introduction • Reactive defenses: existing filters respond to spam only after it has been observed in the wild. • Reverse engineering a bot's template by hand is slow; Judo instead treats the bot as a black box. • The stream of all messages a bot instance sends -> a regular expression that describes them. • Quickly producing precise mail filters.

  5. Template-based Spam

  6. Storm's template language

  7. Judo system • The Judo system consists of three components. • Bot farm: running instances of spamming botnets in a contained environment. • Signature generator: maintains a set of regular expression signatures for the spam sent by each botnet. • Spam filter: applies the current signature set to incoming mail and is updated as the signature generator produces new signatures.

  8. Judo spam filter model

  9. System Assumptions • First and foremost, we assume that bots compose spam using a template system.

  10. The Signature Generator • Anchors • Macros • Dictionary Macros. • Micro-Anchors. • Noise Macros. • Leveraging Domain Knowledge • Header Filtering • Special Tokens • Signature Update • Second Chance Mechanism • Pre-Clustering.

  11. Steps of the algorithm

  12. Anchors • Extract the longest ordered set of substrings, each of length at least q, that are common to every message in the training buffer (a longest-common-subsequence computation). The anchors are the invariant text of the template; everything between two anchors is a candidate macro.

  13. Macros • Dictionary macros: a hypothesis test (the dictionary test) decides whether the strings between two anchors are drawn from a small fixed set; if so, the macro enumerates the observed values. • Micro-anchors: substrings consisting only of non-alphanumeric characters, found by running the LCS step again with no minimum length q. • Once micro-anchors partition the text, the algorithm performs the dictionary test on each set of strings delimited by the micro-anchors. • Noise macros: the template generates random characters from some character set, so the macro becomes a POSIX character class with arbitrary repetition ("*" or "+").

  14. POSIX character classes http://www.regular-expressions.info/posixbrackets.html
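The anchor-and-macro procedure of slides 12-14, as an added worked example in Python that is not the authors' Judo code. It substitutes a greedy left-to-right search for ordered common substrings for the paper's LCS step, approximates the dictionary hypothesis test by a repeat-count threshold, and pre-processes one special token (IPv4 addresses) in the way slide 15 describes. The six messages, the template behind them, the choice q=4, and the names judo_signature, ordered_anchors, macro_for and build are all constructed for this illustration.

```python
import re

# Constructed sample messages (assumed template, not from the paper):
#   "Dear friend, {drug} is now only ${price}! Order at http://{host}.example/ from {ip}"
MESSAGES = [
    "Dear friend, Viagra is now only $19.99! Order at http://k3xq.example/ from 10.0.0.7",
    "Dear friend, Cialis is now only $5.00! Order at http://zz81a.example/ from 192.168.1.20",
    "Dear friend, Viagra is now only $120.50! Order at http://q07.example/ from 10.1.2.3",
    "Dear friend, Levitra is now only $42.10! Order at http://mmm9.example/ from 172.16.0.9",
    "Dear friend, Cialis is now only $7.25! Order at http://b2b2.example/ from 10.9.9.9",
    "Dear friend, Levitra is now only $88.00! Order at http://xq1.example/ from 203.0.113.5",
]

# Special-token handling: IPv4 literals are swapped for a fixed placeholder before
# anchor extraction (so they join an anchor instead of looking like noise) and the
# placeholder is turned back into a generic pattern afterwards.
IP_PATTERN = r"(?:\d{1,3}\.){3}\d{1,3}"
IP_TOKEN = "\x01IP\x01"          # control characters: never collide with mail text

def preprocess(msg):
    return re.sub(IP_PATTERN, IP_TOKEN, msg)

def postprocess(signature):
    return signature.replace(re.escape(IP_TOKEN), IP_PATTERN)

ANY = lambda s: True                                       # anchor filter: any text
NON_ALNUM = lambda s: not any(c.isalnum() for c in s)      # micro-anchor filter

def ordered_anchors(msgs, q, keep=ANY):
    """Greedy stand-in for the LCS step: scan the first message left to right and
    keep each maximal substring (>= q chars, satisfying `keep`) that occurs in every
    other message *after* the previous anchor, which enforces the ordering."""
    base, others = msgs[0], msgs[1:]
    cursors = [0] * len(others)
    anchors, i = [], 0
    while i < len(base):
        best = 0
        while (i + best < len(base) and keep(base[i:i + best + 1])
               and all(o.find(base[i:i + best + 1], c) >= 0 for o, c in zip(others, cursors))):
            best += 1
        if best >= q:
            sub = base[i:i + best]
            anchors.append(sub)
            cursors = [o.find(sub, c) + best for o, c in zip(others, cursors)]
            i += best
        else:
            i += 1
    return anchors

def split_on_anchors(msg, anchors):
    """Return the len(anchors)+1 gap strings surrounding the anchors, in order."""
    gaps, pos = [], 0
    for a in anchors:
        j = msg.find(a, pos)
        gaps.append(msg[pos:j])
        pos = j + len(a)
    gaps.append(msg[pos:])
    return gaps

def macro_for(values, allow_micro):
    """Classify one gap as a dictionary macro, a micro-anchored sub-signature,
    or a noise macro, and return the regex fragment for it."""
    distinct = set(values)
    if distinct == {""}:
        return ""
    # Dictionary test, approximated: values repeat enough to look drawn from a small set.
    if len(distinct) * 2 <= len(values):
        return "(?:" + "|".join(re.escape(v) for v in sorted(distinct)) + ")"
    # Micro-anchors: common non-alphanumeric substrings (no minimum length) partition
    # the gap, and each sub-gap is classified again.
    if allow_micro and ordered_anchors(values, 1, NON_ALNUM):
        return build(values, 1, NON_ALNUM, allow_micro=False)
    # Noise macro: character class plus repetition ("*" when the gap can be empty).
    chars = "".join(distinct)
    if chars.isdigit():
        cls = "[0-9]"
    elif chars.isalpha():
        cls = "[A-Za-z]"
    elif chars.isalnum():
        cls = "[A-Za-z0-9]"
    else:
        cls = r"\S"
    return cls + ("*" if "" in distinct else "+")

def build(msgs, q, keep, allow_micro):
    """Anchors -> per-gap macros -> one regular expression."""
    anchors = ordered_anchors(msgs, q, keep)
    gaps = [split_on_anchors(m, anchors) for m in msgs]
    out = []
    for k in range(len(anchors) + 1):
        out.append(macro_for([g[k] for g in gaps], allow_micro))
        if k < len(anchors):
            out.append(re.escape(anchors[k]))
    return "".join(out)

def judo_signature(raw_msgs, q=4):
    return postprocess(build([preprocess(m) for m in raw_msgs], q, ANY, allow_micro=True))

def matches(signature, msg):
    return re.fullmatch(signature, msg) is not None

if __name__ == "__main__":
    sig = judo_signature(MESSAGES)
    print(sig)
    print(all(matches(sig, m) for m in MESSAGES))
```

On the sample the drug name becomes a dictionary macro, the price is split by the micro-anchor "." into two digit noise macros, the host becomes an alphanumeric noise macro, and the IP placeholder survives inside the last anchor until post-processing expands it. A message using a drug name never seen in the buffer does not match, which is the precision the paper is after; it is also why the training buffer size k and the update mechanisms on slide 16 matter.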

  15. Leveraging Domain Knowledge • Improves the performance of the algorithm. • Header filtering: the generator ignores all headers except a small fixed set (listed on the original slide), and a message must match the signature of every retained header for the signature as a whole to be considered a match. • Special tokens: values like dates and IP addresses change from message to message, so a signature anchored on a literal date would "expire" shortly after it was generated; such tokens are recognized in pre-processing, treated as anchors during inference, and replaced by a generic pattern in post-processing.

  16. Signature Update • We would like to use a training buffer as small as necessary to generate good signatures; the buffer size is controlled by the parameter k. • Second chance mechanism: compensates when the training buffer is too small, by giving a message that fails to match a second chance to refine an existing signature before it starts a new buffer. • Pre-clustering: mitigates the effects of a large training buffer by grouping messages before signature generation so that one buffer does not mix several templates.

  17. Second Chance Mechanism

  18. Evaluation • Judo is indeed safe and effective for filtering botnet-originated spam. • First, spam generated synthetically from actual templates used by the Storm botnet. • Next, we run the Judo system on actual spam sent by four different bots, measuring its effectiveness against spam generated by the same bot. • Last, a deployment scenario: training and testing on different instances of the same bot.

  19. Single Template Inference

  20. Multiple Template Inference

  21. Real-world Deployment

  22. Conclusion • We have shown that it is practical to generate high-quality spam content signatures simply by observing the output of bot instances and inferring the likely content of their underlying template.
