
1 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering
An Effective Defense Against Spam Laundering
Mengjun Xie, Heng Yin, Haining Wang
Presented by Dustin Christmann, March 4, 2009

2 Outline
Introduction
Spam Laundering
Anti-Spam Techniques
Proxy-Based Spam Behavior
DBSpam
DBSpam Evaluation
Potential Evasions

3 Introduction
What is spam?
Classic definition: a canned precooked meat product made by the Hormel Foods Corporation, introduced in 1937. “SPAM” stands for “SPiced hAM”.
Modern definition: the abuse of electronic messaging systems to send unsolicited bulk messages indiscriminately.

4 Introduction
So how did we get from one definition to the other? A 1970 Monty Python sketch, entitled “Spam.”

5 Spam Laundering
[diagram; labels: MTA, Email relay, Proxy, MTA]

6 Anti-Spam Techniques
Three main categories:
1. Recipient-oriented techniques
2. Sender-oriented techniques
3. HoneySpam

7 Recipient-oriented Techniques
Two main categories:
1. Content-based techniques
2. Non-content-based techniques

8 Content-Based Techniques
Email address filters
Heuristic filters
Machine-learning based filters

9 Non-content-based Techniques
DNSBLs
MARID
Challenge-Response
Tempfailing
Delaying
Sender Behavior Analysis

10 Sender-oriented Techniques
Usage regulation
Cost-based approaches

11 HoneySpam
Based on honeyd
Set up
–Fake web servers
–Fake open proxies
–Fake relays
Log the users of these fake servers as spam sources

12 Proxy-based Spam Behavior
Normal email transmission
[diagram; labels: MTA, Router, Corporate / campus / home network]

13 Proxy-based Spam Behavior
Proxy-based Spam
[diagram; labels: MTA, Router, Corporate / campus / home network]

14 Connection Correlation
One-to-one mapping between upstream and downstream connections
In normal email transmission there is only one connection, not an upstream/downstream pair.
Problems
–Upstream encryption
–Overhead
–Timing

15 Packet Symmetry
Message symmetry
–SMTP message from downstream connection results in TCP message to upstream connection
Packet symmetry
–One packet from downstream connection results in one packet to upstream connection
–Exceptions

16 TCP Correlation Example
[figure]

17 DBSpam
Goals:
1. Fast detection of spam laundering with high accuracy
2. Breaking spam laundering via throttling or blocking after detection
3. Support for spammer tracking and law enforcement
4. Support for spam message fingerprinting
5. Support for global forensic analysis

18 Deployment of DBSpam
At a network vantage point where it can monitor the bi-directional traffic
Single-homed network:
[diagram]

19 Deployment of DBSpam
Multi-homed network
[diagram]

20 Design of Spam Laundering Detection
With proxy-based spam transmission, number of incoming SMTP reply packets = number of outgoing TCP packets
Possible for this to occur with normal traffic, but very seldom
Sequential Probability Ratio Test (SPRT) is used

21 SPRT
Can be viewed as a one-dimensional “random walk” starting between two boundaries
–One boundary defines “spam connection”
–Other boundary defines “not a spam connection”

22 SPRT
Each observation pushes the walk in one direction or the other
–Observation of correlated SMTP-TCP packets pushes walk toward “spam connection”
–Observation of no correlation pushes walk toward “no spam connection”
When the walk hits either boundary, test ends

23 SPRT
Average number of required observations to reach a determination depends on four variables:
1. α* (the desired probability of false positives)
2. β* (the desired probability of false negatives)
3. θ1 (the distribution of positive correlation)
4. θ0 (the distribution of negative correlation)

24 SPRT
E[N|H1] vs. θ0 and α* (θ1 = 0.99, β* = 0.01)
[plot]

25 SPRT Detection Algorithm
[figure]
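The following Python is an added worked example of slides 20 to 25, not code from the presentation or from the DBSpam authors: it turns the per-window packet symmetry check into observations, runs Wald's SPRT as the random walk between the "spam connection" and "not a spam connection" boundaries, and evaluates the average number of observations E[N|H1] from the four parameters α*, β*, θ1 and θ0. The boundary formulas and the E[N|H1] approximation are Wald's standard ones; the values α* = 0.01 and θ0 = 0.2, the packet counts, and the convention that a window without SMTP replies yields no observation are assumptions of this example.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SPRTParams:
    """The four quantities the slides name: α*, β*, θ1 and θ0."""
    alpha: float   # α*: desired probability of a false positive
    beta: float    # β*: desired probability of a false negative
    theta1: float  # θ1: P(correlated observation | spam proxy connection)
    theta0: float  # θ0: P(correlated observation | normal connection)

    def upper_bound(self) -> float:
        # Wald's upper boundary: reaching it accepts H1, "spam connection"
        return math.log((1.0 - self.beta) / self.alpha)

    def lower_bound(self) -> float:
        # Wald's lower boundary: reaching it accepts H0, "not a spam connection"
        return math.log(self.beta / (1.0 - self.alpha))

    def step(self, correlated: bool) -> float:
        # Log-likelihood ratio contributed by one observation: positive pushes
        # the walk toward "spam", negative pushes it toward "normal"
        if correlated:
            return math.log(self.theta1 / self.theta0)
        return math.log((1.0 - self.theta1) / (1.0 - self.theta0))


def packet_symmetry_observation(incoming_smtp_replies: int,
                                outgoing_tcp_packets: int) -> Optional[bool]:
    """One observation per time window: True when the number of incoming SMTP
    reply packets equals the number of outgoing TCP packets, False otherwise.
    A window with no SMTP replies carries no evidence and yields None (an
    assumption of this example, not a rule stated on the slides)."""
    if incoming_smtp_replies == 0:
        return None
    return incoming_smtp_replies == outgoing_tcp_packets


def windows_to_observations(counts: List[Tuple[int, int]]) -> List[bool]:
    """Map (incoming SMTP replies, outgoing TCP packets) per window to observations."""
    raw = (packet_symmetry_observation(i, o) for i, o in counts)
    return [obs for obs in raw if obs is not None]


class ConnectionSPRT:
    """The one-dimensional random walk for a single monitored connection."""

    def __init__(self, params: SPRTParams) -> None:
        self.params = params
        self.llr = 0.0                        # walk position, starts between the boundaries
        self.n = 0                            # observations consumed so far
        self.verdict: Optional[str] = None    # "spam" or "normal" once a boundary is hit

    def observe(self, correlated: bool) -> Optional[str]:
        if self.verdict is not None:          # the test already ended for this connection
            return self.verdict
        self.llr += self.params.step(correlated)
        self.n += 1
        if self.llr >= self.params.upper_bound():
            self.verdict = "spam"
        elif self.llr <= self.params.lower_bound():
            self.verdict = "normal"
        return self.verdict


def run_sprt(observations: List[bool], params: SPRTParams) -> Tuple[Optional[str], int]:
    """Feed observations until the walk hits a boundary. Returns (verdict, N);
    verdict is None when the observations ran out before a decision."""
    walk = ConnectionSPRT(params)
    for correlated in observations:
        if walk.observe(correlated) is not None:
            break
    return walk.verdict, walk.n


def expected_observations_h1(params: SPRTParams) -> float:
    """Wald's approximation of E[N|H1]: the average number of observations needed
    to detect a spam connection, as a function of α*, β*, θ1 and θ0."""
    a, b = params.upper_bound(), params.lower_bound()
    expected_llr_at_stop = (1.0 - params.beta) * a + params.beta * b
    expected_step_under_h1 = (params.theta1 * math.log(params.theta1 / params.theta0)
                              + (1.0 - params.theta1)
                              * math.log((1.0 - params.theta1) / (1.0 - params.theta0)))
    return expected_llr_at_stop / expected_step_under_h1


if __name__ == "__main__":
    # θ1 and β* as on slide 24; α* = 0.01 and θ0 = 0.2 are assumed values
    params = SPRTParams(alpha=0.01, beta=0.01, theta1=0.99, theta0=0.2)
    # Constructed per-window packet counts for a proxied and a normal connection
    proxied = [(3, 3), (2, 2), (4, 4), (1, 1)]
    normal = [(2, 2), (5, 9), (0, 0), (3, 0)]
    print("proxied:", run_sprt(windows_to_observations(proxied), params))
    print("normal: ", run_sprt(windows_to_observations(normal), params))
    print("E[N|H1] ≈", round(expected_observations_h1(params), 2))
```

With these parameters one correlated window moves the walk by ln(0.99/0.2) ≈ 1.60 and one uncorrelated window by ln(0.01/0.8) ≈ -4.38, so three consecutive correlated windows cross the upper boundary ln(99) ≈ 4.60, while a normal connection is cleared after two uncorrelated windows; lowering θ0 or relaxing α* shortens the walk, which is the dependence slide 24 plots.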

26 Noise Reduction
Maintain a set of the external IP addresses that appear in each time window
In the consecutive M time windows, single out the external IP addresses that appear at least K times
Can further reduce the incidence of false positives dramatically, depending on the selection of M and K

27 Noise reduction
[figure]
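An added Python example of the (M, K) noise reduction rule from slide 26; it is not code from the presentation or the DBSpam project. The per-window sets of flagged external addresses are constructed (documentation-range IPs), and the helper names are this example's own.

```python
from collections import Counter
from typing import List, Set

# Constructed input: the external IP addresses SPRT flagged in each of five
# consecutive time windows (documentation-range addresses, not real spam sources)
FLAGGED_PER_WINDOW: List[Set[str]] = [
    {"203.0.113.9", "198.51.100.3"},
    {"203.0.113.9"},
    {"203.0.113.9", "192.0.2.44"},
    {"203.0.113.9", "198.51.100.3"},
    {"203.0.113.9", "192.0.2.44"},
]


def noise_reduce(windows: List[Set[str]], m: int, k: int) -> Set[str]:
    """Apply the (M, K) rule to the most recent M windows: an external IP is
    reported only if it was flagged in at least K of them."""
    if m <= 0 or k <= 0 or k > m:
        raise ValueError("need 0 < K <= M")
    if len(windows) < m:
        return set()                     # not enough history yet to apply the rule
    counts = Counter(ip for window in windows[-m:] for ip in window)
    return {ip for ip, c in counts.items() if c >= k}


def sliding_alerts(windows: List[Set[str]], m: int, k: int) -> List[Set[str]]:
    """Alert set produced at the end of each window from the M-th one onward,
    i.e. what an online detector would emit window by window."""
    return [noise_reduce(windows[:i + 1], m, k) for i in range(m - 1, len(windows))]


def suppressed(windows: List[Set[str]], m: int, k: int) -> Set[str]:
    """IPs flagged somewhere in the last M windows that the rule dropped;
    with a sporadic false positive this is where it ends up."""
    if len(windows) < m:
        return set()
    raw = set().union(*windows[-m:])
    return raw - noise_reduce(windows, m, k)


if __name__ == "__main__":
    for m, k in ((3, 2), (4, 3), (5, 3), (5, 4)):   # the (M, K) pairs from slide 33
        print((m, k), "reported:", sorted(noise_reduce(FLAGGED_PER_WINDOW, m, k)),
              "suppressed:", sorted(suppressed(FLAGGED_PER_WINDOW, m, k)))
```

The address flagged in every window survives every (M, K) setting, the one flagged in two of five windows survives only (3, 2), and a single flag is always suppressed; the price is delay, since a decision now needs K windows of evidence instead of one SPRT verdict.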

28 DBSpam Evaluation
Evaluation at College of William & Mary
Two off-campus PCs as spam sources
Two PCs in different campus subnets running SOCKS and HTTP proxies
Spam “sink” in dark net
Traces run in two different months
N-* includes no spam traffic
S-*-C encrypted spam, S-*-A and S-*-B unencrypted spam

29 DBSpam Evaluation
SPRT Detection Time
Trace   N = 6          N = 11        N ≥ 16
S-1-A   970 (100%)     0             0
S-1-B   5019 (96.9%)   139 (2.7%)    21 (0.4%)
S-1-C   2245 (92.8%)   169 (7.0%)    6 (0.2%)
S-2-A   433 (99.1%)    3 (0.7%)      1 (0.2%)
S-2-B   4298 (94.7%)   198 (4.4%)    40 (0.9%)
S-2-C   1758 (98.9%)   16 (1.0%)     3 (0.1%)

30 DBSpam Evaluation
Distribution of N|H0
[plot]

31 DBSpam Evaluation
CDF of Detection Time for SPRT
[plot]

32 DBSpam Evaluation
Accuracy of SPRT
Attribute            S-1-A     S-1-B     S-1-C     S-2-A     S-2-B     S-2-C     N-1       N-2
Detection            970       5179      2420      437       4536      1777      662       368
True Positives       966       5108      2369      320       3510      1558      -         -
False Positives      4         71        51        117       1026      219       662       368
True Negatives       290889    1156085   596979    1634307   8895993   4266100   6873901   5941150
FP/(FP+TN)           0.0014%   0.0061%   0.0085%   0.0072%   0.012%    0.0051%   0.0096%   0.015%
Spam Connections     958       570       324       329       1351      969       -         -
Missed Connections   8         2         0         6         27        13        -         -
Missed Conn. Ratio   0.8%      0.4%      0         1.8%      2.0%      1.3%      -         -

33 DBSpam Evaluation
Accuracy of SPRT after noise reduction
Trace   (M,K) = (3,2)   (4,3)     (5,3)     (5,4)
S-1-A   0/188           0/138     0/124     0/110
S-1-B   0/162           0/126     0/103
S-1-C   0/194           0/150     0/124     0/123
S-2-A   0/65            0/36      0/52      0/27
S-2-B   13/335          3/243     4/216     0/186
S-2-C   0/193           0/124     0/135     0/94
N-1     0/0
N-2     7/7             1/1       2/2       0/0

34 DBSpam Evaluation
Resource Consumption
Trace   CPU Util   CPU Time   Pps       Peak Mem
S-1-A   36.3%      9.0s       430283    2.2 MB
S-1-B   37.7%      9.8s       426384    1.6 MB
S-1-C   24.0%      9.3s       484875    1.2 MB
S-2-A   58.0%      36.8s      327076    11.9 MB
S-2-B   84.3%      109.2s     241965    10.5 MB
S-2-C   57.1%      78.6s      332989    2.8 MB
N-1     21.7%      51.1s      478171    5.6 MB
N-2     32.1%      789.9s     376925    8.4 MB

35 Potential Evasions
Fragmenting SMTP replies at the proxy
–Change the 1:1 packet symmetry into 1:2 or 1:3
Inserting random delays at the proxy
–Randomly change the 1:1 packet symmetry into 1:0 or 1:2

36 Strengths
Simple to implement
Moves spam detection closer to source, reducing network traffic
Thwarts encryption
Detects proxy-based spam quickly
Few false positives

37 Weaknesses
Easy to evade by breaking packet symmetry
Can be thwarted by short SMTP dialogs
Must be installed at ISP edge
Too resource intensive for embedded systems

