Presentation is loading. Please wait.

Presentation is loading. Please wait.

BotGraph: Large Scale Spamming Botnet Detection Yao Zhao Yinglian Xie *, Fang Yu *, Qifa Ke *, Yuan Yu *, Yan Chen and Eliot Gillum ‡ EECS Department,

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "BotGraph: Large Scale Spamming Botnet Detection Yao Zhao Yinglian Xie *, Fang Yu *, Qifa Ke *, Yuan Yu *, Yan Chen and Eliot Gillum ‡ EECS Department,"— Presentation transcript:

1 BotGraph: Large Scale Spamming Botnet Detection Yao Zhao Yinglian Xie *, Fang Yu *, Qifa Ke *, Yuan Yu *, Yan Chen and Eliot Gillum ‡ EECS Department, Northwestern University Microsoft Research Silicon Valley * Microsoft Cooperation ‡ 1

2 2 Web-Account Abuse Attack Zombie (Compromised host) Spammer’s Server Captcha solver RDSXXTD3 User/Pwd

3 Problems and Challenges Detect Web-account Abuse with Hotmail Logs – Input: user activity traces (signup, login, email- sending records) – Goal: stop aggressive account signup, limit outgoing spam Challenges – Attack is stealthy: individual account detection difficult – Attack is large scale: finding correlated activities >500 million accounts 300GB-400GB data per month – Low false positive and false negative rate 3

4 4 The BotGraph System A graph-based approach to attack detection – A large user-user graph to capture bot-account correlations – Identify 26M bot-accounts with a low false positive rate in two months Efficient implementation using Dryad/DryadLINQ – Graph construction/analysis is not easily parallelizable – Hundreds of millions of nodes, hundreds of billions of edges – Process 200GB-300GB data in 1.5 hours with a 240-machine cluster The first to provide a systematic solution to the new botnet-based web-account abuse attack

5 System Architecture 5 Login data Login graph Graph generation Random graph based clustering Verification & prune Sendmail data Spamming botnets Suspicious clusters Signup data EWMA based change detection Aggressive signups Verification & prune Signup botnets 3. Parallel algorithm on DryadLINQ clusters (ID, IP, time) (ID, time, # of recipients) (ID, IP, time) 1. History based algorithm to detect aggressive signups 2. Graph-based algorithm to find correlations

6 6 Detect Aggressive Signups Large prediction error Back to normal Date Number of Signup Accounts 25 20 15 10 5 1-Jul2-Jul 3-Jul4-Jul 5-Jul6-Jul 7-Jul8-Jul 9-Jul Signup Count EWMA Prediction Simple and efficient Detect 20 million malicious accounts in 2 months Simple and efficient Detect 20 million malicious accounts in 2 months

7 System Architecture 7 Login data Login graph Graph generation Random graph based clustering Verification & prune Sendmail data Spamming botnets Suspicious clusters Signup data EWMA based change detection Aggressive signups Verification & prune Signup botnets 3. Parallelel Algorithm on DryadLinq clusters (ID, IP, time) (ID, time, # of recipients) (ID, IP, time) 1. History based algorithm on Signup detection 2. Graph-based algorithm on login detection

8 8 Observation: bot-accounts work collaboratively Normal Users – Share IP addresses in one AS with DHCP assignment Bot-users Detect Stealthy Accounts by Graphs A user-user graph to model behavior similarities

9 9 Observation: bot-accounts work collaboratively Normal Users – Share IP addresses in one AS with DHCP assignment Bot-users – Likely to share different IPs across ASes Detect Stealthy Accounts by Graphs A user-user graph to model behavior similarities

10 User-user Graph Node: Hotmail account Edge weight: # of ASes of the shared IP addresses – Consider edges with weight>1 Key Observations – Bot-users form a giant connected-component while normal users do not – Interpreted by the random graph theory 10 2 ASes 3 ASes 5 ASes 1 AS 4 ASes User1 User2 User3 User4 User5 User6

11 Random Graph Theory Random Graph G(n,p) – n nodes and each pair of nodes has an edge with probability p and average degree d = (n-1) · p Theorem – If d < 1, then with high probability the largest component in the graph has size less than O(log n) No large connected subgraph – If d > 1, with high probability the graph will contain a giant component with size at the order of O(n) Most nodes are in one connected subgraph 11

12 Graph-based Bot-user Detection Step 1: detect giant connected-components from the user-user graph Step 2: hierarchical algorithm to identify the correct groupings – Different bot-user groups may be mixed – Easier validation with correct group statistics – Difficult to choose a fixed edge-threshold Step 3: prune normal-user groups – Due to national proxies, cell phone users, facebook applications, etc. 12

13 Graph-based Bot-user Detection Step 1: detect giant connected-components from the user-user graph Step 2: hierarchical algorithm to identify the correct groupings – Different bot-user groups may be mixed – Easier validation with correct group statistics – Difficult to choose a fixed edge-threshold Step 3: prune normal-user groups – Due to national proxies, cell phone users, facebook applications, etc. 13

14 Hierarchical Bot-Group Extraction A B T=2 CD T=3 T=4 14 A

15 System Architecture 15 Login data Login graph Graph generation Random graph based clustering Verification & prune Sendmail data Spamming botnets Suspicious clusters Signup data EWMA based change detection Aggressive signups Verification & prune Signup botnets 3. Parallelel Algorithm on DryadLINQ clusters (ID, IP, time) (ID, time, # of recipients) (ID, IP, time) 1. History based algorithm on Signup detection 2. Graph-based algorithm on login detection

16 Parallel Implementation on DryadLINQ EWMA-based Signup Abuse Detection – Partition data by IP – Can achieve real-time detection User-User Graph Construction – Two algorithms and optimizations – Process 200GB-300GB data in 1.5 hours with 240 machines Connected Component Extraction – Divide and conquer – Process a graph of 8.6 billion edges in 7 minutes

17 Parallel Implementation on DryadLINQ EWMA-based Signup Abuse Detection – Partition data by IP – Can achieve real-time detection User-User Graph Construction – Two algorithms and optimizations – Process 200GB-300GB data in 1.5 hours with 240 machines Connected Component Extraction – Divide and conquer – Process a graph of 8.6 billion edges in 7 minutes

18 Graph Construction 1: Simple Data Parallelism Potential Edges – Select ID group by IP (Map) – Generate potential edges ( ID i, ID j, IP k ) (Reduce) Edge Weights – Select IP group by ID pair (Map) – Calculate edge weight (Reduce) Problem – Weight 1 edge is two orders of magnitude more than others – Their computation/communication is unnecessary

19 Graph Construction 2: Selective Filtering 19

20 Comparison of Two Algorithms Method 1 – Simple and scalable Method 2 – Optimized to filter out weight 1 edges – Utilize Join functionality, data compression and broadcast optimization 20

21 Detection Results Data description – Two datasets Jun 2007 and Jan 2008 – Three types of data Signup log (IP, ID, Time) Login log (IP, ID, Time) – 500M users and 200~300GB data per month Sendmail log (ID, time, # of recipients) – About 100GB per month 21

22 Detection of Signup Abuse 22

23 Detection by User-user Graph 23

24 Validations Manual Check – Sampled groups verified by the Hotmail team – Almost no false positives Comparison with Known Spamming Users – Detect 86% of complained accounts – Up to 54% of detected accounts are our new findings Email Sending Sizes per Group – Most groups have a sharp peak – The remaining contain several peaks False Positive Estimation – Naming pattern (0.44%) – Signup time (0.13%) 24

25 Possible to Evade BotGraph? Evade signup detection: Be stealthy Evade graph-based detection – Fixed IP/AS binding Low utilization rate Bot-accounts bound to one host are easy to be grouped – Be stealthy (sending as few emails as normal user) 25 Severely limit attackers’ spam throughput

26 Conclusions A graph-based approach to attack detection – Identify 26M bot-accounts with a low false positive rate in two months Efficient implementation using Dryad/DryadLINQ – Process 200GB-300GB data in 1.5 hours with a 240- machine cluster 26 Large-scale data-mining for network security is effective and practical

27 Q & A? Thanks! 27

Download ppt "BotGraph: Large Scale Spamming Botnet Detection Yao Zhao Yinglian Xie *, Fang Yu *, Qifa Ke *, Yuan Yu *, Yan Chen and Eliot Gillum ‡ EECS Department,"

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Zhiyun Qian, Z. Morley Mao (University of Michigan)

Zhiyun Qian, Z. Morley Mao (University of Michigan)
Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.

Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.
Alex Cheung and Hans-Arno Jacobsen August, 14 th 2009 MIDDLEWARE SYSTEMS RESEARCH GROUP.

Alex Cheung and Hans-Arno Jacobsen August, 14 th 2009 MIDDLEWARE SYSTEMS RESEARCH GROUP.
DECISION TREES. Decision trees  One possible representation for hypotheses.

DECISION TREES. Decision trees  One possible representation for hypotheses.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Analysis and Modeling of Social Networks Foudalis Ilias.

Analysis and Modeling of Social Networks Foudalis Ilias.
Indian Statistical Institute Kolkata

Indian Statistical Institute Kolkata
Error Tolerant Address Configuration for Data Center Networks with Malfunctioning Devices Xingyu Ma, Chengchen Hu, Kai Chen, Che Zhang, Hongtao Zhang,

Error Tolerant Address Configuration for Data Center Networks with Malfunctioning Devices Xingyu Ma, Chengchen Hu, Kai Chen, Che Zhang, Hongtao Zhang,
Using Structure Indices for Efficient Approximation of Network Properties Matthew J. Rattigan, Marc Maier, and David Jensen University of Massachusetts.

Using Structure Indices for Efficient Approximation of Network Properties Matthew J. Rattigan, Marc Maier, and David Jensen University of Massachusetts.
Mutual Information Mathematical Biology Seminar 23.5.2005.

Mutual Information Mathematical Biology Seminar
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Predicting the Semantic Orientation of Adjective Vasileios Hatzivassiloglou and Kathleen R. McKeown Presented By Yash Satsangi.

Predicting the Semantic Orientation of Adjective Vasileios Hatzivassiloglou and Kathleen R. McKeown Presented By Yash Satsangi.
1 BotGraph: Large Scale Spamming Botnet Detection Yao Zhao EECS Department Northwestern University.

1 BotGraph: Large Scale Spamming Botnet Detection Yao Zhao EECS Department Northwestern University.
Leveraging Personal Knowledge for Robust Authentication Systems Mentor: Danfeng Yao Anitra Babic Chestnut Hill College Computer Science Department.

Leveraging Personal Knowledge for Robust Authentication Systems Mentor: Danfeng Yao Anitra Babic Chestnut Hill College Computer Science Department.
Reverse Hashing for Sketch Based Change Detection in High Speed Networks Ashish Gupta Elliot Parsons with Robert Schweller, Theory Group Advisor: Yan Chen.

Reverse Hashing for Sketch Based Change Detection in High Speed Networks Ashish Gupta Elliot Parsons with Robert Schweller, Theory Group Advisor: Yan Chen.
CBLOCK: An Automatic Blocking Mechanism for Large-Scale Deduplication Tasks Ashwin Machanavajjhala Duke University with Anish Das Sarma, Ankur Jain, Philip.

CBLOCK: An Automatic Blocking Mechanism for Large-Scale Deduplication Tasks Ashwin Machanavajjhala Duke University with Anish Das Sarma, Ankur Jain, Philip.
Towards Online Spam Filtering in Social Networks Hongyu Gao, Yan Chen, Kathy Lee, Diana Palsetia and Alok Choudhary Lab for Internet and Security Technology.

Towards Online Spam Filtering in Social Networks Hongyu Gao, Yan Chen, Kathy Lee, Diana Palsetia and Alok Choudhary Lab for Internet and Security Technology.

Similar presentations

Ads by Google