auto learning of smtp tcp transport layer features for
play

Auto-learning of SMTP TCP Transport-Layer Features for Spam and - PowerPoint PPT Presentation

Sep 10, 2023 •196 likes •597 views

Auto-learning of SMTP TCP Transport-Layer Features for Spam and Abusive Message Detection Georgios Kakavelakis, Robert Beverly, Joel Young Center for Measurement and Analysis of Network Data Naval Postgraduate School, Dept. Computer Science

  1. Auto-learning of SMTP TCP Transport-Layer Features for Spam and Abusive Message Detection Georgios Kakavelakis, Robert Beverly, Joel Young Center for Measurement and Analysis of Network Data Naval Postgraduate School, Dept. Computer Science {gkakavel,rbeverly,jdyoung}@cmand.org December 8, 2011 USENIX LISA 2011 Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 1 / 39

  2. Motivation Outline Motivation 1 Detecting Bot-Generated Spam 2 SpamFlow Architecture 3 SpamFlow Results 4 Conclusions 5 Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 2 / 39

  3. Motivation Background Background 2011Q3 MAAWG email metrics: 89% of email is abusive. Huge volumes of spam, spammers quickly adapt to defenses. Whether user, provider, or vendor, spam is still a problem! Our Prior SpamFlow Work Asked: What is the transport (TCP/IP packet stream) character of spam? Are there differences between spam and ham flows? How to exploit differences in a way which spammers cannot easily evade? Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 3 / 39

  4. Motivation Background Understanding SpamFlow } SMTP Content Not looking at IP header (reputation) data Filtering Not looking at data (conent) SpamFlow: TCP stream, incl timing FINs, RSTs, Duplicates, OOO pkts, } 3WHS timing, packet jitter, receive TCP SpamFlow window, maximum idle time, etc. (20 features in total) } Reputation IP Analysis Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 4 / 39

  5. Motivation Background SpamFlow, previous work “ Exploiting Transport-Level Characteristics of Spam ” [BS08]: Utilize statistical machine learning methods Offline analysis Demonstrate > 90% accuracy, precision, recall (w/o content or reputation!) Correctly identify ≃ 78% of false negatives from content filtering alone Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 5 / 39

  6. Motivation Background Obstacles to Deployment But ... Obstacles to Deployment: Lots of “plumbing,” i.e. exposing transport-features to higher layers Must be real-time Must be on-line Training a supervised learner USENIX LISA 2011 Contributions: Tackle these deployment issues, did the “hard” work Built an opensource SpamFlow plugin for SpamAssassin (And show performance numbers – it really works!) Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 6 / 39

  7. Detecting Bot-Generated Spam Outline Motivation 1 Detecting Bot-Generated Spam 2 SpamFlow Architecture 3 SpamFlow Results 4 Conclusions 5 Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 7 / 39

  8. Detecting Bot-Generated Spam Transport Behavior Transport-Level Characteristics of Spam Why does SpamFlow work? Two Observations on Spam Low Penetration: 1 due to existing filters, user ambivalence → huge volumes of spam Sending Method: 2 Botnets, dialup, etc. → Low asymmetric bandwidth, widely distributed Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 8 / 39

  9. Detecting Bot-Generated Spam Transport Behavior Transport-Level Characteristics of Spam Combining Observations: Low Penetration + Sending Methods Volume + Methods + Economics → link/host resource contention MX MX MX aDSL BOT MX MX Congestion/Loss/Reordering MX MX Contention: Contention manifests as TCP/IP loss, retransmission, reordering, jitter, flow control, etc. Particularly with the large buffers in consumer cable/DSL modems. Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 9 / 39

  10. Detecting Bot-Generated Spam TCP and SMTP Transport SMTP and TCP Transmission Control Protocol: mx.alice.com mx.bob.com EHLO mx.alice.com 200 Hellow Alice MAIL FROM: alice@alice.com 200 OK DATA: Simple Mail Transport Protocol (SMTP) uses TCP for transport Sequence of SMTP commands between Mail Transport Agents (MTAs) Mail contents are packetized How do Spam Connections Behave? Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 10 / 39

  11. Detecting Bot-Generated Spam Building intuition How do Spam Connections Behave? ...or, a quick look at netstat RcvQ SndQ Local Foreign Addr State 0 0 srv:25 92.47.129.89:49014 SYN_RECV 0 0 srv:25 ppp83-237-106-114.:29081 SYN_RECV 0 0 srv:25 88.200.227.123:25068 SYN_RECV 0 0 srv:25 92.47.129.89:49014 SYN_RECV 0 0 srv:25 ppp83-237-106-114.:29084 SYN_RECV 0 0 srv:25 88.200.227.123:25068 SYN_RECV 0 0 srv:25 88.200.227.123:25069 SYN_RECV 0 0 srv:25 88.200.227.123:25070 SYN_RECV 0 0 srv:25 88.200.227.123:25074 SYN_RECV 0 0 srv:25 84.255.150.15:4232 SYN_RECV 0 25 srv:25 222.123.147.41:50282 LAST_ACK 0 28 srv:25 adsl-pool-222.123.:1720 LAST_ACK 0 31 srv:25 222.123.147.41:50152 LAST_ACK 0 15 srv:25 222.123.147.41:50889 LAST_ACK 0 9 srv:25 88.245.3.19:venus LAST_ACK 0 25 srv:25 78.184.155.70:1854 FIN_WAIT1 0 23 srv:25 190-48-30-225.spe:50920 FIN_WAIT1 0 23 srv:25 dsl.dynamic812132:48154 FIN_WAIT1 0 23 srv:25 ip-85-160-91-16.e:48093 FIN_WAIT1 0 23 srv:25 88.234.141.158:48389 FIN_WAIT1 0 23 srv:25 p5B0FBB5D.dip.t-d:11965 FIN_WAIT1 ... Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 11 / 39

  12. Detecting Bot-Generated Spam Building intuition How do Spam Connections Behave? ...or, a quick look at netstat RcvQ SndQ Local Foreign Addr State 0 0 srv:25 92.47.129.89:49014 SYN_RECV 0 0 srv:25 ppp83-237-106-114.:29081 SYN_RECV 0 0 srv:25 88.200.227.123:25068 SYN_RECV TCP Stuck in States 0 0 srv:25 92.47.129.89:49014 SYN_RECV 0 0 srv:25 ppp83-237-106-114.:29084 SYN_RECV Stays in these states for 0 0 srv:25 88.200.227.123:25068 SYN_RECV 0 0 srv:25 88.200.227.123:25069 SYN_RECV minutes 0 0 srv:25 88.200.227.123:25070 SYN_RECV 0 0 srv:25 88.200.227.123:25074 SYN_RECV Half-open connections 0 0 srv:25 84.255.150.15:4232 SYN_RECV 0 25 srv:25 222.123.147.41:50282 LAST_ACK 0 28 srv:25 adsl-pool-222.123.:1720 LAST_ACK Remote MTAs that 0 31 srv:25 222.123.147.41:50152 LAST_ACK 0 15 srv:25 222.123.147.41:50889 “disappear” mid-connection LAST_ACK 0 9 srv:25 88.245.3.19:venus LAST_ACK 0 25 srv:25 78.184.155.70:1854 FIN_WAIT1 Remote MTAs that send 0 23 srv:25 190-48-30-225.spe:50920 FIN_WAIT1 0 23 srv:25 dsl.dynamic812132:48154 FIN and disappear FIN_WAIT1 0 23 srv:25 ip-85-160-91-16.e:48093 FIN_WAIT1 0 23 srv:25 88.234.141.158:48389 FIN_WAIT1 0 23 srv:25 p5B0FBB5D.dip.t-d:11965 FIN_WAIT1 ... Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 11 / 39

  13. Detecting Bot-Generated Spam Building intuition What about RTT? ...building more intuition Received: from vms044pub.verizon.net Received: from unknown (59.9.86.75) From: "Dr. Beverly, MD" < b@ex.com > From: Erich Shoemaker < ried@ex.com > Subject: thoughts Subject: Repl1ca for you Dear Robert, A T4g Heuer w4tch is a luxury statement I hope you have had a great week! on its own. In Prest1ge Repl1cas, any T4g Heuer... Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 12 / 39

  14. SpamFlow Architecture Outline Motivation 1 Detecting Bot-Generated Spam 2 SpamFlow Architecture 3 SpamFlow Results 4 Conclusions 5 Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 13 / 39

  15. SpamFlow Architecture Plugin SpamAssassin Plugin So... we built it. Moving from research to production: MTA email Spam (postfix) Assassin msgid score SMTP features Traffic Classifier SF Plugin prediction msgid features pcap SpamFlow Model packets Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 14 / 39

  16. SpamFlow Architecture Entering Traffic SpamAssassin Plugin Architecture: MTA email Spam (postfix) Assassin Email traffic enters the system, MTA passes to SMTP SpamAssassin. Traffic Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 15 / 39

  17. SpamFlow Architecture Collecting Features SpamAssassin Plugin Architecture: MTA email Spam (postfix) Assassin Concurrently, SpamFlow daemon collects packets and SMTP produces per-flow Traffic features. pcap SpamFlow packets Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 16 / 39

  18. SpamFlow Architecture Matching Emails and Flows SpamAssassin Plugin Architecture: MTA email Spam (postfix) Assassin SpamFlow plugin takes msgid a msg ID. SMTP Traffic SF Plugin pcap SpamFlow packets Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 17 / 39

  19. SpamFlow Architecture Matching Emails and Flows SpamAssassin Plugin Architecture: MTA email Spam (postfix) Assassin Plugin communicates with SpamFlow msgid daemon via XML-RPC SMTP to query for msg ID. Traffic SF Plugin msgid pcap SpamFlow packets Kakavelakis, Beverly, Young (NPS) Auto-learning SMTP TCP Features for Spam LISA 2011 18 / 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Transport Layer Transport Layer Outline Message, Segment, Datagram Transport-layer

1 Transport Layer Transport Layer Outline Message, Segment, Datagram Transport-layer

Transport Layer Transport Layer Chapter 3: Transport Layer Mobile network Our goals: Global ISP understand principles learn about transport Chapter 3 behind transport layer protocols in the Transport Layer Internet: layer

678 views • 5 slides
11 Application Layer Application Layer DNS: Domain Name System Most commonly used names

11 Application Layer Application Layer DNS: Domain Name System Most commonly used names

Application Layer Application Layer SMTP: final words Mail message format SMTP uses persistent Comparison with HTTP: SMTP: protocol for connections exchanging email msgs header HTTP: pull blank SMTP requires message RFC 822:

453 views • 4 slides
1 Transport Layer Transport Layer RTT Estimation RTT Estimation Basic Idea SampleRTT :

1 Transport Layer Transport Layer RTT Estimation RTT Estimation Basic Idea SampleRTT :

Transport Layer Transport Layer Outline Mobile network Transport-layer Connection-oriented Global ISP services transport: TCP Transport Layer Multiplexing and segment structure Home network demultiplexing reliable data

264 views • 5 slides
Introduction : Transport layer objectives Introduction : Transport layer objectives Introduction

Introduction : Transport layer objectives Introduction : Transport layer objectives Introduction

Wireless Ad Hoc and Sensor Networks Out Outline e (Transport Layer) Introduction and challenges (self learning) Which transport layer protocols? (self learning) Application Traditional TCP (self learning) A Brief Revisit to

311 views • 17 slides
THE TRANSPORT LAYER Outline Transport layer in the Internet Multiplexing and

THE TRANSPORT LAYER Outline Transport layer in the Internet Multiplexing and

THE TRANSPORT LAYER Outline Transport layer in the Internet Multiplexing and demultiplexing UDP: User Datagram Protocol TCP: Transport Control Protocol General features TRANSPORT LAYER IN THE INTERNET In the

563 views • 29 slides
Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Recall Transport layer provides end-to-end connectivity across

1.96k views • 165 slides
Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Recall Transport layer provides end-to-end connectivity across

528 views • 31 slides
Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Recall Transport layer provides end-to-end connectivity across

1.91k views • 168 slides
Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Three-Way Handshake (3) Suppose delayed, duplicate Active

709 views • 50 slides
Transport Layer How TCP, UDP, and Ports fit into IP Layer 4: the Transport Layer Responsibilities

Transport Layer How TCP, UDP, and Ports fit into IP Layer 4: the Transport Layer Responsibilities

Transport Layer How TCP, UDP, and Ports fit into IP Layer 4: the Transport Layer Responsibilities and Services Overall: message delivery End-to-end&quot; communications between processes ( i.e. running programs) Communicating

467 views • 17 slides
Introduction to the Transport Layer CSC 249 Feb 13, 2018 1 Transport Layer Overview q Tasks

Introduction to the Transport Layer CSC 249 Feb 13, 2018 1 Transport Layer Overview q Tasks

Introduction to the Transport Layer CSC 249 Feb 13, 2018 1 Transport Layer Overview q Tasks performed by the transport layer v Services provided to the application layer v Services expected from the network layer q Multiplexing and

437 views • 8 slides
1 Chapter 3 outline Multiplexing/demultiplexing Multiplexing at send host: Demultiplexing at

1 Chapter 3 outline Multiplexing/demultiplexing Multiplexing at send host: Demultiplexing at

Chapter 3: Transport Layer Our goals: Transport Layer understand learn about transport principles behind layer protocols in the transport layer Internet: services: UDP: connectionless multiplexing/ transport

479 views • 10 slides
Chapter 3 Transport Layer Chapter 3: Transport Layer Our goals: learn about transport l

Chapter 3 Transport Layer Chapter 3: Transport Layer Our goals: learn about transport l

Chapter 3 Transport Layer Chapter 3: Transport Layer Our goals: learn about transport l n b t t nsp t understand principles d t d i i l layer protocols in the behind transport Internet: layer services: y UDP:

1.18k views • 90 slides
Transport Layer Understand Learn about transport layer protocols in the principles behind

Transport Layer Understand Learn about transport layer protocols in the principles behind

Chapter 3: Transport Layer Goals: Transport Layer Understand Learn about transport layer protocols in the principles behind transport layer Internet: services: UDP: connectionless CS 3516 Computer Networks CS 3516 Computer

286 views • 18 slides
Chapter 3: Transport Layer Our goals: learn about transport understand principles layer

Chapter 3: Transport Layer Our goals: learn about transport understand principles layer

Chapter 3: Transport Layer Our goals: learn about transport understand principles layer protocols in the behind transport Internet: layer services: UDP: connectionless multiplexing/ transport demultiplexing TCP:

1.27k views • 105 slides
Chapter 3 Transport Layer 1 Chapter 3 outline 3.1 Transport-layer services 3.2 Multiplexing

Chapter 3 Transport Layer 1 Chapter 3 outline 3.1 Transport-layer services 3.2 Multiplexing

Chapter 3 Transport Layer 1 Chapter 3 outline 3.1 Transport-layer services 3.2 Multiplexing and demultiplexing 3.3 Connectionless transport: UDP 3.4 Principles of reliable data transfer 3.5 Connection-oriented transport: TCP segment

714 views • 27 slides
Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why

Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why

Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why should you care? How to detect Spam? 2 What is Spam? What is Spam? All forms of malicious manipulation of user generated data so as to

943 views • 56 slides
for Microsoft Office 365 Agenda Product introduction Features and benefits How it works

for Microsoft Office 365 Agenda Product introduction Features and benefits How it works

Kaspersky Security for Microsoft Office 365 Agenda Product introduction Features and benefits How it works Licensing 2 Kaspersky Lab | Kaspersky Security for Microsoft Office 365 What is Kaspersky Security for Microsoft Office 365

592 views • 22 slides
Webs of Trust in Distributed Environments Bringing Trust to Email Communication BSc.

Webs of Trust in Distributed Environments Bringing Trust to Email Communication BSc.

Webs of Trust in Distributed Environments Bringing Trust to Email Communication BSc. Presentation - Info-Lunch, 03.11.2004 Fighting Spam Hmmm, tasty!! Spamassassin Program for filtering unwanted Email messages Classifies Emails with

424 views • 30 slides
Exploiting Gnther Bayler, Christopher Kruegel, Redundancy in &amp; Engin Kirda Natural

Exploiting Gnther Bayler, Christopher Kruegel, Redundancy in &amp; Engin Kirda Natural

Christoph Karlberger, Exploiting Gnther Bayler, Christopher Kruegel, Redundancy in &amp; Engin Kirda Natural Language to Penetrate WOOT '07: Proceedings of the first Bayesian Spam USENIX workshop on Chris Li, Filters Offensive Amy

446 views • 30 slides
Economics of Abuse Operations: Application to Hosting Matthew C. Stith September 28, 2016 San

Economics of Abuse Operations: Application to Hosting Matthew C. Stith September 28, 2016 San

Economics of Abuse Operations: Application to Hosting Matthew C. Stith September 28, 2016 San Jose, Costa Rica LACNIC 26 | San Jose | September 2016 About the presenter 8 Years at Rackspace Rackspaces Acceptable Use Team and

444 views • 20 slides
Guidance for Macros in PowerPoints We use macros within PowerPoints to increase the interactivity

Guidance for Macros in PowerPoints We use macros within PowerPoints to increase the interactivity

Guidance for Macros in PowerPoints We use macros within PowerPoints to increase the interactivity of our presentations. Follow this simple process to get the most out of this resource. What to do: Open the PowerPoint file and enable editing. A

211 views • 17 slides
Disclaimer This presentation has been prepared by Commission staff to provide general information

Disclaimer This presentation has been prepared by Commission staff to provide general information

Canadas Anti -Spam Legislation Information Session 2014 Disclaimer This presentation has been prepared by Commission staff to provide general information with respect to Canadas Anti -spam Legislation. This material is not to

494 views • 38 slides
Privacy and your business: An introduction to the Personal Information Protection and Electronic

Privacy and your business: An introduction to the Personal Information Protection and Electronic

Privacy and your business: An introduction to the Personal Information Protection and Electronic Documents Act SLIDE (1) Title Slide PRIVACY AND YOUR BUSINESS: An introduction to the Personal Information Protection and Electronic Documents Act.

294 views • 26 slides

More recommend