
Reporter: 鄭志欣 Advisor: Hsing-Kuo Pao Botnet Judo: Fighting Spam with Itself.

Presentation on theme: "Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Botnet Judo: Fighting Spam with Itself."— Presentation transcript:

1 Reporter: 鄭志欣 Advisor: Hsing-Kuo Pao E-mail: m9815058@mail.ntust.edu.tw Botnet Judo: Fighting Spam with Itself

2 Conference 2015/12/4 2 Botnet Judo: Fighting Spam with Itself Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage - In Proceedings of the 17th Annual Network & Distributed System Security Symposium (NDSS), 2010.

3 Outline: Introduction; Template-based Spam; Judo system (The Signature Generator, Leveraging Domain Knowledge, Signature Update); Evaluation (Single Template Inference, Multiple Template Inference, Real-world Deployment); Conclusion.

4 Introduction: Reactive defenses; reverse engineering; a black-box approach: the stream of all messages sent by a bot -> regular expression; quickly producing precise mail filters.

5 Template-based Spam

6 Storm’s template language

7 Judo system: The Judo system consists of three components. Bot farm: running instances of spamming botnets in a contained environment. Signature generator: maintains a set of regular expression signatures for spam sent by each botnet. Spam filter: kept updated with the generated signatures.

8 Judo spam filter model

9 System Assumptions: First and foremost, we assume that bots compose spam using a template system.

10 The Signature Generator: Anchors; Macros (Dictionary Macros, Micro-Anchors, Noise Macros); Leveraging Domain Knowledge (Header Filtering, Special Tokens); Signature Update (Second Chance Mechanism, Pre-Clustering).

11 Steps of the algorithm

12 Anchors: extract the longest ordered set of substrings, each of length at least q, that are common to every message.

13 Macros: Dictionary macros: decided by a hypothesis test (the dictionary test). Micro-anchors: substrings consisting of non-alphanumeric characters; the LCS step is run again (without the length limit q) to find them. Once micro-anchors partition the text, the algorithm performs the dictionary test on each set of strings delimited by the micro-anchors. Noise macros: generate random characters from some character set, expressed as POSIX character classes with arbitrary repetition (“*” or “+”).

14 POSIX character classes: http://www.regular-expressions.info/posixbrackets.html
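The anchor-and-macro inference of slides 12 to 14, as an added example (not the paper's or the presentation's code): a simplified Python signature generator that finds anchors with an LCS-style narrowing pass, then labels each gap between anchors as a dictionary macro or a noise macro built from a character class. The SAMPLE messages are constructed; the paper's hypothesis test is replaced by a simple distinct-value ratio (dict_ratio, an assumption), and micro-anchors and header handling are omitted.

```python
import re
from difflib import SequenceMatcher

def anchors(messages, q):
    """Ordered substrings of length >= q common to every message (LCS-style narrowing)."""
    segs = [messages[0]]                       # start from the whole first message
    for msg in messages[1:]:                   # keep only what each new message shares
        nxt = []
        for seg in segs:
            sm = SequenceMatcher(None, seg, msg, autojunk=False)
            nxt += [seg[b.a:b.a + b.size]
                    for b in sm.get_matching_blocks() if b.size >= q]
        segs = nxt
    return segs

def noise_macro(values):
    """Narrowest character class (POSIX-style) that covers every observed filler."""
    for pat in (r"\d+", r"[A-Za-z]+", r"[A-Za-z0-9]+"):
        if all(re.fullmatch(pat, v) for v in values):
            return pat
    return ".*?"

def filler_macro(values, n_msgs, dict_ratio):
    """Classify the text between two anchors (simplified stand-in for the dictionary test)."""
    distinct = sorted(set(values))
    if distinct == [""]:
        return ""                                # nothing varies at this position
    if len(distinct) == 1:
        return re.escape(distinct[0])            # constant text: keep it literally
    if len(distinct) <= dict_ratio * n_msgs:     # values repeat: dictionary macro
        return "(?:" + "|".join(re.escape(v) for v in distinct) + ")"
    return noise_macro(values)                   # values mostly unique: noise macro

def signature(messages, q=4, dict_ratio=0.5):
    """Regex signature for messages believed to come from one template."""
    anc = anchors(messages, q)
    skeleton = re.compile("(.*?)".join(["^"] + [re.escape(a) for a in anc] + ["$"]), re.S)
    columns = zip(*(skeleton.fullmatch(m).groups() for m in messages))
    parts = [filler_macro(col, len(messages), dict_ratio) for col in columns]
    body = "".join(p + re.escape(a) for p, a in zip(parts, anc))
    return "^" + body + parts[-1] + "$"
def matches(sig, message):
    return re.fullmatch(sig, message, re.S) is not None
SAMPLE = [  # constructed: four outputs of one hypothetical template
    "Dear Alice, your order 48213 ships today. Thanks, Team",
    "Dear Bob, your order 90057 ships today. Thanks, Team",
    "Dear Alice, your order 11230 ships today. Thanks, Team",
    "Dear Bob, your order 77410 ships today. Thanks, Team",
]
```

With only four training messages the name field is inferred as the dictionary {Alice, Bob}, so a message addressed to an unseen name is not matched; that is the too-small training buffer case that slide 16's second chance mechanism addresses.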

15 Leveraging Domain Knowledge: used to improve the performance of the algorithm. Header filtering: all but a fixed set of headers are ignored; a message must match all of these headers for a signature to be considered a match. Special tokens: values like dates, IP addresses, etc., which “expire” after the signature was generated; they are handled by pre- and post-processing and used as anchors.

16 Signature Update: We would like to use a training buffer as small as necessary to generate good signatures. The training buffer size is controlled by k. Second chance mechanism: addresses the case where the training buffer is too small. Pre-clustering: mitigates the effects of a large training buffer.

17 Second Chance Mechanism

18 Evaluation: Judo is indeed safe and effective for filtering botnet-originated spam. First, spam generated synthetically from actual templates used by the Storm botnet. Next, we run the Judo system on actual spam sent by four different bots, measuring its effectiveness against spam generated by the same bot. Last, a deployment scenario, training and testing on different instances of the same bot.

19 Single Template Inference

20 Multiple Template Inference

21 Real-world Deployment

22 Conclusion: We have shown that it is practical to generate high-quality spam content signatures simply by observing the output of bot instances and inferring the likely content of their underlying template.

