1
UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering
An Effective Defense Against Spam Laundering
Mengjun Xie, Heng Yin, Haining Wang
Presented by Dustin Christmann
March 4, 2009
2
Outline
Introduction
Spam Laundering
Anti-Spam Techniques
Proxy-Based Spam Behavior
DBSpam
DBSpam Evaluation
Potential Evasions
3
Introduction
What is spam?
Classic definition: a canned precooked meat product made by the Hormel Foods Corporation, introduced in 1937. “SPAM” stands for “SPiced hAM”.
Modern definition: the abuse of electronic messaging systems to send unsolicited bulk messages indiscriminately.
4
Introduction
So how did we get from one definition to the other? A 1970 Monty Python sketch, entitled “Spam.”
5
Spam Laundering
(Figure: spam path through an MTA, an email relay, a proxy and the destination MTA)
6
Anti-Spam Techniques
Three main categories:
1. Recipient-oriented techniques
2. Sender-oriented techniques
3. HoneySpam
7
Recipient-oriented Techniques
Two main categories:
1. Content-based techniques
2. Non-content-based techniques
8
Content-Based Techniques
Email address filters
Heuristic filters
Machine-learning-based filters
9
Non-content-based Techniques
DNSBLs
MARID
Challenge-response
Tempfailing
Delaying
Sender behavior analysis
10
Sender-oriented Techniques
Usage regulation
Cost-based approaches
11
HoneySpam
Based on honeyd
Set up:
– Fake web servers
– Fake open proxies
– Fake relays
Log the users of these fake servers as spam sources
12
Proxy-based Spam Behavior
Normal email transmission (figure labels: MTA, Router, Corporate / campus / home network)
13
Proxy-based Spam Behavior
Proxy-based spam (figure labels: MTA, Router, Corporate / campus / home network)
14
Connection Correlation
One-to-one mapping between upstream and downstream connections
In normal email transmission there is only one connection, so no such pair exists.
Problems:
– Upstream encryption
– Overhead
– Timing
15
Packet Symmetry
Message symmetry
– An SMTP message on the downstream connection results in a TCP message on the upstream connection
Packet symmetry
– One packet from the downstream connection results in one packet to the upstream connection
– Exceptions
16
TCP Correlation Example (figure)
17
DBSpam
Goals:
1. Fast detection of spam laundering with high accuracy
2. Breaking spam laundering via throttling or blocking after detection
3. Support for spammer tracking and law enforcement
4. Support for spam message fingerprinting
5. Support for global forensic analysis
18
Deployment of DBSpam
At a network vantage point where it can monitor the bi-directional traffic
Single-homed network: (figure)
19
Deployment of DBSpam
Multi-homed network (figure)
20
Design of Spam Laundering Detection
With proxy-based spam transmission, the number of incoming SMTP reply packets equals the number of outgoing TCP packets
Possible for this to occur with normal traffic, but very seldom
Sequential Probability Ratio Test (SPRT) is used
21
SPRT
Can be viewed as a one-dimensional “random walk” starting between two boundaries
– One boundary defines “spam connection”
– The other boundary defines “not a spam connection”
22
SPRT
Each observation pushes the walk in one direction or the other
– Observation of correlated SMTP-TCP packets pushes the walk toward “spam connection”
– Observation of no correlation pushes the walk toward “not a spam connection”
When the walk hits either boundary, the test ends
23
SPRT
Average number of required observations to reach a determination depends on four variables:
1. α* (the desired probability of false positives)
2. β* (the desired probability of false negatives)
3. θ1 (the distribution of positive correlation)
4. θ0 (the distribution of negative correlation)
24
SPRT
E[N|H1] vs. θ0 and α* (θ1 = 0.99, β* = 0.01) (figure)
25
SPRT Detection Algorithm (figure)
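The random walk of slides 21 to 24, written out as an added example (not code from the paper or the presenter): Wald's SPRT over Bernoulli observations, one per outgoing TCP packet, with the boundaries derived from α* and β*, plus Wald's approximation of E[N|H1]. θ1 = 0.99 and β* = 0.01 come from slide 24; θ0 = 0.2 and α* = 0.01 are assumed values, not the paper's.

```python
import math

def sprt_thresholds(alpha, beta):
    """Wald's two decision boundaries on the log-likelihood ratio.
    alpha = desired false-positive rate (alpha*), beta = desired false-negative rate (beta*)."""
    upper = math.log((1 - beta) / alpha)   # reaching it decides H1: "spam connection"
    lower = math.log(beta / (1 - alpha))   # reaching it decides H0: "not a spam connection"
    return lower, upper

def sprt_walk(observations, theta0, theta1, alpha, beta):
    """One-dimensional random walk over Bernoulli observations, one per outgoing
    TCP packet on a suspected upstream connection: 1 = it was matched 1:1 with an
    incoming SMTP reply packet, 0 = no such correlation.
    theta1 = P(correlated | proxy-relayed spam), theta0 = P(correlated | normal traffic).
    Returns (decision, observations consumed); decision is None if no boundary was hit."""
    lower, upper = sprt_thresholds(alpha, beta)
    step_up = math.log(theta1 / theta0)                 # a correlated packet pushes toward "spam"
    step_down = math.log((1 - theta1) / (1 - theta0))   # an uncorrelated packet pushes the other way
    llr = 0.0                                           # the walk starts between the two boundaries
    for n, correlated in enumerate(observations, start=1):
        llr += step_up if correlated else step_down
        if llr >= upper:
            return "spam", n
        if llr <= lower:
            return "normal", n
    return None, len(observations)

def expected_observations_h1(theta0, theta1, alpha, beta):
    """Wald's approximation of E[N | H1]: the average number of observations needed
    to flag a genuine proxy connection (the quantity plotted on slide 24)."""
    lower, upper = sprt_thresholds(alpha, beta)
    numerator = beta * lower + (1 - beta) * upper
    denominator = (theta1 * math.log(theta1 / theta0)
                   + (1 - theta1) * math.log((1 - theta1) / (1 - theta0)))
    return numerator / denominator

if __name__ == "__main__":
    # theta1 and beta* as on slide 24; theta0 = 0.2 and alpha* = 0.01 are assumed here.
    t0, t1, a, b = 0.2, 0.99, 0.01, 0.01
    print(sprt_walk([1, 1, 1, 1, 1, 1], t0, t1, a, b))      # perfectly symmetric packets
    print(sprt_walk([0, 0, 0], t0, t1, a, b))               # no correlation at all
    print(sprt_walk([1, 1, 0, 1, 1, 1, 1], t0, t1, a, b))   # one missed correlation delays the verdict
    print(expected_observations_h1(t0, t1, a, b))
    print(expected_observations_h1(0.1, t1, a, b))          # smaller theta0: fewer observations needed
```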
26
Noise Reduction
Maintain a set of the external IP addresses that appear in each time window
In M consecutive time windows, single out the external IP addresses that appear at least K times
Can further reduce the incidence of false positives dramatically, depending on the selection of M and K
27
Noise reduction (figure)
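The (M, K) filter of slide 26 as an added example (not the paper's code): each time window contributes the set of external IPs SPRT flagged in it, and an IP is confirmed only if it is flagged in at least K of M consecutive windows. The sliding-window interpretation and the sample windows are assumptions; the IP addresses are documentation-range placeholders.

```python
from collections import Counter

def noise_reduce(flagged_per_window, M, K):
    """flagged_per_window: one set per time window holding the external IP
    addresses that SPRT flagged as spam-proxy endpoints in that window.
    Slides M consecutive windows over the sequence (sliding window is an
    assumption) and keeps an IP only if it was flagged in at least K of them."""
    confirmed = set()
    for start in range(len(flagged_per_window) - M + 1):
        counts = Counter()
        for window in flagged_per_window[start:start + M]:
            counts.update(window)              # a window counts an IP at most once
        confirmed.update(ip for ip, c in counts.items() if c >= K)
    return confirmed

# Constructed sample: five time windows of SPRT output. 198.51.100.7 (a documentation
# address standing in for a real spam proxy) keeps reappearing; the 203.0.113.x
# addresses are sporadic false positives raised by ordinary traffic.
SAMPLE_WINDOWS = [
    {"198.51.100.7", "203.0.113.5"},
    {"198.51.100.7", "203.0.113.9"},
    {"198.51.100.7", "203.0.113.5"},
    {"198.51.100.7"},
    {"198.51.100.7", "203.0.113.77"},
]

if __name__ == "__main__":
    for m, k in [(3, 2), (4, 3), (5, 3), (5, 4)]:   # the (M, K) pairs evaluated on slide 33
        print((m, k), sorted(noise_reduce(SAMPLE_WINDOWS, m, k)))
```

With (3, 2) the address 203.0.113.5 survives because it recurs within three windows; raising K to 3 removes it while the persistent proxy is still reported.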
28
DBSpam Evaluation
Evaluation at College of William & Mary
Two off-campus PCs as spam sources
Two PCs in different campus subnets running SOCKS and HTTP proxies
Spam “sink” in a dark net
Traces collected in two different months
N-* traces include no spam traffic
S-*-C traces contain encrypted spam; S-*-A and S-*-B contain unencrypted spam
29
DBSpam Evaluation
SPRT Detection Time (detections by number of observations N)
Trace   N = 6          N = 11        N ≥ 16
S-1-A   970 (100%)     0             0
S-1-B   5019 (96.9%)   139 (2.7%)    21 (0.4%)
S-1-C   2245 (92.8%)   169 (7.0%)    6 (0.2%)
S-2-A   433 (99.1%)    3 (0.7%)      1 (0.2%)
S-2-B   4298 (94.7%)   198 (4.4%)    40 (0.9%)
S-2-C   1758 (98.9%)   16 (1.0%)     3 (0.1%)
30
DBSpam Evaluation
Distribution of N|H0 (figure)
31
DBSpam Evaluation
CDF of Detection Time for SPRT (figure)
32
DBSpam Evaluation
Accuracy of SPRT
Attribute            S-1-A     S-1-B     S-1-C     S-2-A     S-2-B     S-2-C     N-1       N-2
Detection            970       5179      2420      437       4536      1777      66        2368
True Positives       966       5108      2369      320       3510      1558      -         -
False Positives      4         71        51        117       1026      219       66        2368
True Negatives       290889    1156085   596979    1634307   8895993   4266100   687390    15941150
FP/(FP+TN)           0.0014%   0.0061%   0.0085%   0.0072%   0.012%    0.0051%   0.0096%   0.015%
Spam Connections     958       5703      2432      329       1351      969       -         -
Missed Connections   8         20        0         6         27        13        -         -
Missed Conn. Ratio   0.8%      0.4%      0         1.8%      2.0%      1.3%      -         -
33
DBSpam Evaluation
Accuracy of SPRT after noise reduction, by (M, K)
Trace   (3,2)    (4,3)    (5,3)    (5,4)
S-1-A   0/188    0/138    0/124    0/110
S-1-B   0/162    0/126    0/103
S-1-C   0/194    0/150    0/124    0/123
S-2-A   0/65     0/36     0/52     0/27
S-2-B   13/335   3/243    4/216    0/186
S-2-C   0/193    0/124    0/135    0/94
N-1     0/0
N-2     7/7      1/1      2/2      0/0
34
DBSpam Evaluation
Resource Consumption
Trace   CPU Util   CPU Time   Pps      Peak Mem
S-1-A   36.3%      9.0s       43028    32.2 MB
S-1-B   37.7%      9.8s       42638    41.6 MB
S-1-C   24.0%      9.3s       48487    51.2 MB
S-2-A   58.0%      36.8s      327076   11.9 MB
S-2-B   84.3%      109.2s     241965   10.5 MB
S-2-C   57.1%      78.6s      332989   2.8 MB
N-1     21.7%      51.1s      478171   5.6 MB
N-2     32.1%      789.9s     376925   8.4 MB
35
Potential Evasions
Fragmenting SMTP replies at the proxy
– Changes the 1:1 packet symmetry into 1:2 or 1:3
Inserting random delays at the proxy
– Randomly changes the 1:1 packet symmetry into 1:0 or 1:2
36
Strengths
Simple to implement
Moves spam detection closer to the source, reducing network traffic
Thwarts encryption
Detects proxy-based spam quickly
Few false positives
37
Weaknesses
Easy to evade by breaking packet symmetry
Can be thwarted by short SMTP dialogs
Must be installed at the ISP edge
Too resource-intensive for embedded systems