Network-Level Spam Defenses Nick Feamster Georgia Tech with Anirudh Ramachandran, Shuang Hao, Alex Gray, Santosh Vempala.


2 Spam: More than Just a Nuisance
95% of all email traffic
–Image and PDF spam (PDF spam ~12%)
As of August 2007, one in every 87 emails constituted a phishing attack
Targeted attacks on the rise
–20k-30k unique phishing attacks per month
Source: CNET (January 2008), APWG

3 Approach: Filter
Prevent unwanted traffic from reaching a user's inbox by distinguishing spam from ham
Question: What features best differentiate spam from legitimate mail?
–Content-based filtering: What is in the mail?
–IP address of sender: Who is the sender?
–Behavioral features: How is the mail sent?

Conventional: Content Filters
Trying to hit a moving target: images, PDFs, Excel sheets... and even mp3s!

5 Problems with Content Filtering
Customized emails are easy to generate: Content-based filters need fuzzy hashes over content, etc.
Low cost to evasion: Spammers can easily adjust and change features of an email's content
High cost to filter maintainers: Filters must be continually updated as content-changing techniques become more sophisticated

6 Another Approach: IP Addresses Problem: IP addresses are ephemeral Every day, 10% of senders are from previously unseen IP addresses Possible causes –Dynamic addressing –New infections

7 Our Idea: Network-Based Filtering Filter based on how it is sent, in addition to simply what is sent. Network-level properties are less malleable –Network/geographic location of sender and receiver –Set of target recipients –Hosting or upstream ISP (AS number) –Membership in a botnet (spammer, hosting infrastructure)

8 Why Network-Level Features?
Lightweight: Don't require inspecting details of packet streams
–Can be done at high speeds
–Can be done in the middle of the network
Robust: Perhaps more difficult to change some network-level features than message contents

9 Challenges (Talk Outline) Understanding network-level behavior –What network-level behaviors do spammers have? –How well do existing techniques work? Building classifiers using network-level features –Key challenge: Which features to use? –Two Algorithms: SNARE and SpamTracker Building the system –Dynamism: Behavior itself can change –Scale: Lots of messages (and spam!) out there

10 Some Questions of Study Where (in IP space, in geography) does spam originate from? What OSes are used to send spam? What techniques are used to send spam?

11 Data: Spam and BGP
Spam Traps: Domains that receive only spam
BGP Monitors: Watch network-level reachability
[Diagram labels: Domain 1, Domain 2]
17-Month Study: August 2004 to December 2005

12 Data Collection: MailAvenger Configurable SMTP server Collects many useful statistics

13 Finding: BGP Spectrum Agility Hijack IP address space using BGP Send spam Withdraw IP address A small club of persistent players appears to be using this technique. Common short-lived prefixes and ASes / / / ~ 10 minutes Somewhere between 1-10% of all spam (some clearly intentional, others might be flapping)

14 Spectrum Agility: Big Prefixes?
Flexibility: Client IPs can be scattered throughout dark space within a large /8
–Same sender usually returns with different IP addresses
Visibility: Route typically won't be filtered (nice and short)

15 Other Findings Top senders: Korea, China, Japan –Still about 40% of spam coming from U.S. More than half of sender IP addresses appear less than twice ~90% of spam sent to traps from Windows

16 How Well do IP Blacklists Work? Completeness: The fraction of spamming IP addresses that are listed in the blacklist Responsiveness: The time for the blacklist to list the IP address after the first occurrence of spam

17 Completeness and Responsiveness 10-35% of spam is unlisted at the time of receipt % of these IP addresses remain unlisted even after one month Data: Trap data from March 2007, Spamhaus from March and April 2007
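The two blacklist metrics defined on slide 16, computed over a small trap log. This is an added example, not code from the talk; the timestamps, the addresses and the choice to report responsiveness as a median delay are assumptions made for illustration.

```python
from statistics import median

# Constructed sample data; times are hours since the start of the trace and
# the addresses are documentation-range placeholders.
TRAP_LOG = [  # (sender IP, time the spam trap received the message)
    ("203.0.113.5", 1), ("203.0.113.5", 30), ("203.0.113.9", 2),
    ("198.51.100.7", 4), ("198.51.100.7", 5), ("192.0.2.44", 10),
]
LISTED_AT = {  # sender IP -> time the blacklist first listed it
    "203.0.113.5": 20, "203.0.113.9": 0, "198.51.100.7": 100,
}

def blacklist_metrics(trap_log, listed_at):
    """Score one blacklist against spam-trap arrivals."""
    first_seen = {}
    for ip, t in trap_log:
        first_seen[ip] = min(t, first_seen.get(ip, t))
    # Completeness: spamming IPs that the blacklist lists at any point.
    listed = [ip for ip in first_seen if ip in listed_at]
    # Messages whose sender was not yet listed when the message arrived.
    # A sender that is never listed counts as unlisted for every message.
    unlisted_msgs = sum(1 for ip, t in trap_log
                        if listed_at.get(ip, float("inf")) > t)
    # Responsiveness: delay from first spam to listing. An IP listed before
    # its first spam has delay 0; never-listed IPs have no delay to report.
    delays = [max(0, listed_at[ip] - first_seen[ip]) for ip in listed]
    return {
        "completeness": len(listed) / len(first_seen),
        "unlisted_at_receipt": unlisted_msgs / len(trap_log),
        "median_delay": median(delays) if delays else None,
    }

if __name__ == "__main__":
    print(blacklist_metrics(TRAP_LOG, LISTED_AT))
```

Completeness alone hides the gap that matters to a mail server: an IP that is eventually listed still delivers every message sent before the listing, which is what the unlisted-at-receipt figure measures.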

18 What's Wrong with IP Blacklists?
Based on ephemeral identifier (IP address)
–More than 10% of all spam comes from IP addresses not seen within the past two months
Dynamic renumbering of IP addresses
Stealing of IP addresses and IP address space
Compromised machines
IP addresses of senders have considerable churn
Often require a human to notice/validate the behavior
–Spamming is compartmentalized by domain and not analyzed across domains

19 Are There Other Approaches?
Option 1: Stronger sender identity [AIP, Pedigree]
–Stronger sender identity/authentication may make reputation systems more effective
–May require changes to hosts, routers, etc.
Option 2: Behavior-based filtering [SNARE, SpamTracker]
–Can be done on today's network
–Identifying features may be tricky, and some may require network-wide monitoring capabilities

20 Outline Understanding the network-level behavior –What behaviors do spammers have? –How well do existing techniques work? Classifiers using network-level features –Key challenge: Which features to use? –Two algorithms: SNARE and SpamTracker The System: SpamSpotter –Dynamism: Behavior itself can change –Scale: Lots of messages (and spam!) out there

21 Finding the Right Features Goal: Sender reputation from a single packet? –Low overhead –Fast classification –In-network –Perhaps more evasion resistant Key challenge –What features satisfy these properties and can distinguish spammers from legitimate senders?

22 Set of Network-Level Features
Single-Packet
–AS of sender's IP
–Distance to k nearest senders
–Status of service ports
–Geodesic distance
–Time of day
Single-Message
–Number of recipients
–Length of message
Aggregate (Multiple Message/Recipient)

23 Sender-Receiver Geodesic Distance 90% of legitimate messages travel 2,200 miles or less

24 Density of Senders in IP Space For spammers, k nearest senders are much closer in IP space

25 Local Time of Day at Sender Spammers peak at different local times of day
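Three of the single-packet features from slides 22 to 25, computed for one incoming connection. This is an added example, not SNARE's own code: the coordinates would come from an IP geolocation lookup, which is assumed here and replaced by constructed values, and the longitude-based local-hour estimate is a simplification.

```python
import ipaddress
import math

EARTH_RADIUS_MILES = 3958.8

# Constructed sample: recently seen sender IPs (documentation-range addresses).
RECENT_SENDERS = ["203.0.113.10", "203.0.113.14", "203.0.113.21",
                  "203.0.113.37", "192.0.2.5", "198.51.100.77"]
ATLANTA, NEW_YORK, SEOUL = (33.749, -84.388), (40.713, -74.006), (37.566, 126.978)

def geodesic_miles(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(min(1.0, h)))

def knn_ip_distance(sender, recent_senders, k=3):
    """Mean numeric distance in IPv4 space from sender to its k nearest senders."""
    s = int(ipaddress.IPv4Address(sender))
    dists = sorted(abs(s - int(ipaddress.IPv4Address(ip)))
                   for ip in recent_senders if ip != sender)
    nearest = dists[:k]
    # With no other senders on record the neighbourhood is undefined.
    return sum(nearest) / len(nearest) if nearest else float("inf")

def local_hour(utc_hour, sender_lon):
    """Approximate local hour at the sender: 15 degrees of longitude per hour."""
    return (utc_hour + sender_lon / 15.0) % 24

def single_packet_features(sender_ip, sender_loc, receiver_loc, utc_hour, recent):
    """Feature values for one connection; a classifier such as RuleFit consumes these."""
    return {
        "geodesic_miles": geodesic_miles(sender_loc, receiver_loc),
        "knn_ip_distance": knn_ip_distance(sender_ip, recent),
        "local_hour": local_hour(utc_hour, sender_loc[1]),
    }

if __name__ == "__main__":
    # A sender inside a dense block of other senders, far from the receiver.
    print(single_packet_features("203.0.113.18", SEOUL, ATLANTA, 3, RECENT_SENDERS))
    # A sender with no close neighbours in IP space, near the receiver.
    print(single_packet_features("192.0.2.5", NEW_YORK, ATLANTA, 3, RECENT_SENDERS))
```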

26 Combining Features: RuleFit Put features into the RuleFit classifier 10-fold cross validation on one day of query logs from a large spam filtering appliance provider Comparable performance to SpamHaus –Incorporating into the system can further reduce FPs Using only network-level features Completely automated

27 SNARE: Putting it Together
Email arrival
Whitelisting
–Top 10 ASes responsible for 43% of misclassified IP addresses
Greylisting
Retraining

28 Benefits of Whitelisting Whitelisting top 50 ASes: False positives reduced to 0.14%

29 Outline Understanding the network-level behavior –What behaviors do spammers have? –How well do existing techniques work? Classifiers using network-level features –Key challenge: Which features to use? –Algorithms: SNARE and SpamTracker Building the system (SpamSpotter) –Dynamism: Behavior itself can change –Scale: Lots of messages (and spam!) out there

30 SpamTracker Idea: Blacklist sending behavior (Behavioral Blacklisting) –Identify sending patterns commonly used by spammers Intuition: Much more difficult for a spammer to change the technique by which mail is sent than it is to change the content

31 SpamTracker: Clustering Approach Construct a behavioral fingerprint for each sender Cluster senders with similar fingerprints Filter new senders that map to existing clusters

32 SpamTracker: Identify Invariant
[Diagram: a known spammer at one IP address sends spam to domain1.com, domain2.com and domain3.com. After DHCP reassignment or a new infection, an unknown sender at another IP address sends to the same domains. Clustering on sending behavior shows a similar behavioral fingerprint.]

33 Building the Classifier: Clustering Feature: Distribution of sending volumes across recipient domains Clustering Approach –Build initial seed list of bad IP addresses –For each IP address, compute feature vector: volume per domain per time interval –Collapse into a single IP x domain matrix: –Compute clusters

34 Clustering: Output and Fingerprint For each cluster, compute fingerprint vector: New IPs will be compared to this fingerprint IP x IP Matrix: Intensity indicates pairwise similarity

35 Evaluation Emulate the performance of a system that could observe sending patterns across many domains –Build clusters/train on given time interval Evaluate classification –Relative to labeled logs –Relative to IP addresses that were eventually listed

36 Data 30 days of Postfix logs from hosting service –Time, remote IP, receiving domain, accept/reject –Allows us to observe sending behavior over a large number of domains –Problem: About 15% of accepted mail is also spam Creates problems with validating SpamTracker 30 days of SpamHaus database in the month following the Postfix logs –Allows us to determine whether SpamTracker detects some sending IPs earlier than SpamHaus

37 Clustering Results
[Figure: SpamTracker score for ham and spam]
Separation may not be sufficient alone, but could be a useful feature

38 Outline Understanding the network-level behavior –What behaviors do spammers have? –How well do existing techniques work? Building classifiers using network-level features –Key challenge: Which features to use? –Algorithms: SpamTracker and SNARE Building the system (SpamSpotter) –Dynamism: Behavior itself can change –Scale: Lots of messages (and spam!) out there

39 Deployment: Real-Time Blacklist
Approach
–As mail arrives, lookups received at BL
–Queries provide proxy for sending behavior
–Train based on received data
–Return score

40 Challenges Scalability: How to collect and aggregate data, and form the signatures without imposing too much overhead? Dynamism: When to retrain the classifier, given that sender behavior changes? Reliability: How should the system be replicated to better defend against attack or failure? Evasion resistance: Can the system still detect spammers when they are actively trying to evade?

41 Design Choice: Augment DNSBL Expressive queries –SpamHaus: $ dig zen.spamhaus.org Ans: (=> listed in exploits block list) –SpamSpotter: $ dig \ receiver_ip.receiver_domain.sender_ip.rbl.gtnoise.net e.g., dig gmail.com rbl.gtnoise.net Ans: (SpamSpotter score = -3.97) Also a source of data –Unsupervised algorithms work with unlabeled data

42 Latency Performance overhead is negligible.

43 Design Choice: Sampling Relatively small samples can achieve low false positive rates

44 Possible Improvements Accuracy –Synthesizing multiple classifiers –Incorporating user feedback –Learning algorithms with bounded false positives Performance –Caching/Sharing –Streaming Security –Learning in adversarial environments

45 Summary: Network-Based Behavioral Reputation Spam increasing, spammers becoming agile –Content filters are falling behind –IP-Based blacklists are evadable Up to 30% of spam not listed in common blacklists at receipt. ~20% remains unlisted after a month Complementary approach: behavioral blacklisting based on network-level features –Key idea: Blacklist based on how messages are sent –SNARE: Automated sender reputation ~90% accuracy of existing with lightweight features –SpamTracker: Spectral clustering catches significant amounts faster than existing blacklists –SpamSpotter: Putting it together in an RBL system

46 Next Steps: Phishing and Scams
Scammers host Web sites on dynamic scam hosting infrastructure
–Use DNS to redirect users to different sites when the location of the sites moves
State of the art: Blacklist URL
Our approach: Blacklist based on network-level fingerprints
Konte et al., Dynamics of Online Scam Hosting Infrastructure, PAM 2009

47 References
Anirudh Ramachandran and Nick Feamster, Understanding the Network-Level Behavior of Spammers, ACM SIGCOMM, 2006
Anirudh Ramachandran, Nick Feamster, and Santosh Vempala, Filtering Spam with Behavioral Blacklisting, ACM CCS, 2007
Nadeem Syed, Shuang Hao, Nick Feamster, Alex Gray and Sven Krasser, SNARE: Spatio-temporal Network-level Automatic Reputation Engine, GT-CSE
Anirudh Ramachandran, Shuang Hao, Hitesh Khandelwal, Nick Feamster, Santosh Vempala, A Dynamic Reputation Service for Spotting Spammers, GT-CS (In submission)

48 Time Between Record Changes Fast-flux Domains tend to change much more frequently than legitimately hosted sites


50 Classifying IP Addresses Given new IP address, build a feature vector based on its sending pattern across domains Compute the similarity of this sending pattern to that of each known spam cluster –Normalized dot product of the two feature vectors –Spam score is maximum similarity to any cluster
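The scoring step on slide 50, together with the IP x domain matrix and cluster fingerprint from slides 33 and 34. This is an added example, not SpamTracker's code: the log records are constructed, the clustering output is taken as given, and the fingerprint is assumed to be the mean of the members' unit-length rows because the slide's formula did not survive in the transcript.

```python
import math
from collections import defaultdict

# Constructed log records: (remote IP, receiving domain), two of the fields the
# Postfix logs on slide 36 provide. Addresses are documentation-range placeholders.
SEED_LOG = (
    [("203.0.113.10", "domain1.com")] * 6 + [("203.0.113.10", "domain2.com")] * 5
    + [("203.0.113.10", "domain3.com")] * 7
    + [("203.0.113.44", "domain1.com")] * 3 + [("203.0.113.44", "domain2.com")] * 3
    + [("203.0.113.44", "domain3.com")] * 2
)
# Assumed output of the clustering step: both seed IPs fall in one cluster.
SEED_CLUSTERS = {"cluster-A": ["203.0.113.10", "203.0.113.44"]}

def volume_vectors(log):
    """Collapse log records into an IP x domain matrix of message counts."""
    matrix = defaultdict(lambda: defaultdict(int))
    for ip, domain in log:
        matrix[ip][domain] += 1
    return matrix

def normalize(vec):
    """Scale a sparse vector to unit length; an all-zero vector stays empty."""
    norm = math.sqrt(sum(v * v for v in vec.values()))
    return {d: v / norm for d, v in vec.items()} if norm else {}

def fingerprints(matrix, clusters):
    """Assumed fingerprint: mean of the unit-length rows of a cluster's members."""
    out = {}
    for name, members in clusters.items():
        acc = defaultdict(float)
        for ip in members:
            for domain, v in normalize(matrix[ip]).items():
                acc[domain] += v / len(members)
        out[name] = dict(acc)
    return out

def spam_score(vec, fps):
    """Maximum normalized dot product between a sender's vector and any fingerprint."""
    u = normalize(vec)
    best = 0.0
    for fp in fps.values():
        f = normalize(fp)
        best = max(best, sum(u.get(d, 0.0) * w for d, w in f.items()))
    return best

FPS = fingerprints(volume_vectors(SEED_LOG), SEED_CLUSTERS)

if __name__ == "__main__":
    # Same sending pattern from a previously unseen IP (e.g. after DHCP reassignment).
    print(spam_score({"domain1.com": 4, "domain2.com": 4, "domain3.com": 5}, FPS))
    # A sender that only mails a domain no cluster member targets.
    print(spam_score({"example.org": 20}, FPS))
```

Because the score depends only on the distribution of volume across recipient domains, a sender keeps its score when its IP address changes, which is the invariant an IP blacklist cannot use.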

51 Sampling: Training Time

52 Additional History: Message Size Variance
Senders of legitimate mail have a much higher variance in sizes of messages they send
[Figure: message size range for certain spam, likely spam, likely ham, certain ham]
Surprising: Including this feature (and others with more history) can actually decrease the accuracy of the classifier

53 Completeness of IP Blacklists
[Figure: fraction of all spam received vs. number of DNSBLs listing this spammer]
~80% listed on average
~95% of bots listed in one or more blacklists
Only about half of the IPs spamming from short-lived BGP are listed in any blacklist
Spam from IP-agile senders tends to be listed in fewer blacklists

54 Low Volume to Each Domain
[Figure: amount of spam vs. lifetime (seconds)]
Most spammers send very little spam, regardless of how long they have been spamming.

55 Some Patterns of Sending are Invariant
[Diagram: a sender at one IP address sends spam to domain1.com, domain2.com and domain3.com; after DHCP reassignment the same pattern appears from a different IP address]
Spammer's sending pattern has not changed
IP blacklists cannot make this connection

56 Characteristics of Agile Senders
IP addresses are widely distributed across the /8 space
IP addresses typically appear only once at our sinkhole
Depending on which /8, 60-80% of these IP addresses were not reachable by traceroute when we spot-checked
Some IP addresses were in allocated, albeit unannounced space
Some AS paths associated with the routes contained reserved AS numbers

57 Early Detection Results
Compare SpamTracker scores on accepted mail to the SpamHaus database
–About 15% of accepted mail was later determined to be spam
–Can SpamTracker catch this?
Of 620 emails that were accepted, but sent from IPs that were blacklisted within one month
–65 emails had a score larger than 5 (85th percentile)

58 Evasion Problem: Malicious senders could add noise –Solution: Use smaller number of trusted domains Problem: Malicious senders could change sending behavior to emulate normal senders –Need a more robust set of features…