botgraph large scale spamming botnet detec5on
play

BotGraph: Large Scale Spamming Botnet Detec5on Yao Zhao Yinglian - PowerPoint PPT Presentation

Jan 14, 2023 •644 likes •923 views

BotGraph: Large Scale Spamming Botnet Detec5on Yao Zhao Yinglian Xie * , Fang Yu * , Qifa Ke * , Yuan Yu * , Yan Chen and Eliot Gillum EECS Department, Northwestern University MicrosoK Research Silicon Valley * MicrosoK Coopera5on 1

  1. BotGraph: Large Scale Spamming Botnet Detec5on Yao Zhao Yinglian Xie * , Fang Yu * , Qifa Ke * , Yuan Yu * , Yan Chen and Eliot Gillum ‡ EECS Department, Northwestern University MicrosoK Research Silicon Valley * MicrosoK Coopera5on ‡ 1

  2. Web‐Account Abuse ARack Zombie Spammer’s (Compromised host) Server User/Pwd Captcha solver RDSXXTD3 2

  3. Problems and Challenges • Detect Web‐account Abuse with Hotmail Logs – Input: user ac5vity traces (signup, login, email‐sending records) – Goal: stop aggressive account signup, limit outgoing spam • Algorithmic challenge: – ARack is stealthy: individual account detec5on difficult – ARack is large scale: finding correlated ac5vi5es – Low false posi5ve and false nega5ve rate • Engineering challenge: – Large user popula5on: >500 million accounts – Large data volume: 300GB‐400GB data per month 3

  4. The BotGraph System • A graph‐based approach to a@ack detecBon – A large user‐user graph to capture bot‐account correla5ons – Iden5fy 26M bot‐accounts with a low false posi5ve rate in two months • Efficient implementaBon using Dryad/DryadLINQ – Graph construc5on/analysis is not easily parallelizable – hundreds of millions of nodes, hundreds of billions of edges – Process 200GB‐300GB data in 1.5 hours with a 240‐machine cluster The first to provide a systemaBc soluBon to the new a@ack 4

  5. System Architecture 1. History based algorithm to detect aggressive signups EWMA based change detection Aggressive Signup Signup signups botnets data Verification (ID, IP, time) & prune Sendmail (ID, time, # of recipients) data 2. Graph-based algorithm to find correlations Verification & prune Random graph Graph (ID, IP, time) generation based clustering Login Spamming Suspicious Login graph botnets clusters data 3. Parallel algorithm on 5 DryadLINQ clusters

  6. Detect Aggressive Signups Large 25 predic5on Number of Signup Accounts Signup Count error 20 EWMA Prediction 15 Back to normal 10 5 Date 1-Jul 2-Jul 3-Jul 4-Jul 5-Jul 6-Jul 7-Jul 8-Jul 9-Jul • Simple and efficient • Detect 20 million malicious accounts in 2 months 6

  7. System Architecture 1. History based algorithm on Signup detection EWMA based change detection Aggressive Signup Signup signups botnets data Verification (ID, IP, time) & prune Sendmail (ID, time, # of recipients) data 2. Graph-based algorithm on login detection Verification & prune Random graph Graph (ID, IP, time) generation based clustering Login Spamming Suspicious Login graph botnets clusters data 3. Parallelel Algorithm 7 on DryadLinq clusters

  8. Detect Stealthy Accounts by Graphs • Observa5on: bot‐accounts work collabora5vely A user‐user graph to model behavior similariBes • Normal Users – Share IP addresses in one AS with DHCP assignment • Bot‐users 8

  9. Detect Stealthy Accounts by Graphs • Observa5on: bot‐accounts work collabora5vely A user‐user graph to model behavior similariBes • Normal Users – Share IP addresses in one AS with DHCP assignment • Bot‐users – Likely to share different IPs across ASes 9

  10. User‐user Graph User3 • Node: Hotmail account 2 ASes User1 • Edge weight: # of ASes of the shared IP addresses 4 ASes 5 ASes – Consider edges with weight>1 3 ASes User4 • Key Observa5ons User2 – Bot‐users form a giant connected‐component while User5 normal users do not 1 AS – Interpreted by the random User6 graph theory 10

  11. Random Graph Theory • Random Graph G ( n , p ) – n nodes and each pair of nodes has an edge with probability p and average degree d = ( n ‐1) ∙ p • Theorem – If d < 1 , then with high probability the largest component in the graph has size less than O(log n ) No large connected subgraph – If d > 1, with high probability the graph will contain a giant component with size at the order of O( n ) Most nodes are in one connected subgraph 11

  12. Graph‐based Bot‐user Detec5on • Step 1: detect giant connected‐components from the user‐user graph • Step 2: hierarchical algorithm to iden5fy the correct groupings – Different bot‐user groups may be mixed – Difficult to choose a fixed edge‐threshold – Easier valida5on with correct group sta5s5cs • Step 3: prune normal‐user groups – Due to na5onal proxies, cell phone users, facebook applica5ons, etc. 12

  13. Hierarchical Bot‐Group Extrac5on G T=2 1st group 3rd group A B T=3 C D T=4 2nd E group 13

  14. System Architecture 1. History based algorithm on Signup detection EWMA based change detection Aggressive Signup Signup signups botnets data Verification (ID, IP, time) & prune Sendmail (ID, time, # of recipients) data 2. Graph-based algorithm on login detection Verification & prune Random graph Graph (ID, IP, time) generation based clustering Login Spamming Suspicious Login graph botnets clusters data 3. Parallelel Algorithm 14 on DryadLINQ clusters

  15. Parallel Implementa5on on DryadLINQ • EWMA‐based Signup Abuse Detec5on – Par55on data by IP – Can achieve real‐Bme detecBon • User‐User Graph Construc5on – Two algorithms and op5miza5ons – Process 200GB‐300GB data in 1.5 hours with 240 machines • Connected Component Extrac5on – Divide and conquer – Process a graph of 8.6 billion edges in 7 minutes

  16. Graph Construc5on 1: Simple Data Parallelism � • Poten5al Edges – Select ID group by IP (Map) – Generate poten5al edges ( ID i , ID j , IP k ) (Reduce) • Edge Weights – Select IP group by ID pair (Map) – Calculate edge weight (Reduce) • Problem – Weight 1 edge is two orders of magnitude more than others – Their computaBon/communicaBon is unnecessary �

  17. Graph Construc5on 2: Selec5ve Filtering 17

  18. Comparison of Two Algorithms • Method 1 – Simple and scalable • Method 2 – Op5mized to filter out weight 1 edges – U5lize Join func5onality, data compression and broadcast op5miza5on 18

  19. Detec5on Results • Data descrip5on – Two datasets • Jun 2007 and Jan 2008 – Three types of data • Signup log (IP, ID, Time) • Login log (IP, ID, Time) – 500M users and 200~300GB data per month • Sendmail log (ID, 5me, # of recipients) 19

  20. Detec5on of Signup Abuse 20

  21. Detec5on by User‐user Graph 21

  22. Valida5ons • Manual Check – Sampled groups verified by the Hotmail team – Almost no false posi5ves • Comparison with Known Spamming Users – Detect 86% of complained accounts – Up to 54% of detected accounts are our new findings • Email Sending Sizes per Group – Most groups have a sharp peak – The remaining contain several peaks • False Posi5ve Es5ma5on – Naming paRern (0.44%) – Signup 5me (0.13%) 22

  23. Possible to Evade BotGraph? • Evade signup detec5on: Be stealthy • Evade graph‐based detec5on – Fixed IP/AS binding • Low u5liza5on rate • Bot‐accounts bound to one host are easy to be grouped – Be stealthy (sending as few emails as normal user) Severely limit a@ackers’ spam throughput 23

  24. Conclusions • A graph‐based approach to a@ack detecBon – Iden5fy 26M bot‐accounts with a low false posi5ve rate in two months • Efficient implementaBon using Dryad/DryadLINQ – Process 200GB‐300GB data in 1.5 hours with a 240‐ machine cluster Large‐scale data‐mining for network security is effecBve and pracBcal 24

  25. Q & A? Thanks! 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic New different approche for sending spam Basing on reputation of email providers Difficult to detect signup detection monitoring users' activity

157 views • 15 slides
&amp; 1st large scale oauth stealing botnet &amp; Secure delegation mechanism De-facto

&amp; 1st large scale oauth stealing botnet &amp; Secure delegation mechanism De-facto

&amp; 1st large scale oauth stealing botnet &amp; Secure delegation mechanism De-facto authentication standard &amp; &amp; Exploit server Play store fake install/comments Ads injection Repacked (non-google) app Registration

717 views • 55 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

711 views • 22 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is graphene? Graphene is a truly 2D system made of Carbon atoms arranged in an honeycomb hexagonal lattice Zero-gap semiconductor with a low-energy linear

268 views • 6 slides
Jeffrey D. Ullman Stanford University Spamming = any deliberate action intended solely to

Jeffrey D. Ullman Stanford University Spamming = any deliberate action intended solely to

Jeffrey D. Ullman Stanford University Spamming = any deliberate action intended solely to boost a Web pages position in search- engine results. Web Spam = Web pages that are the result of spamming. SEO industry might disagree!

907 views • 44 slides
Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA Masters level course: Chalmers MPALG and MPSOF programmes (DAT345) GU Applied Data Science programme (DIT871) Learning outcomes include:

305 views • 18 slides
An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of U.S. Government Employees DC-AAPOR Summer Conference Preview/Review Bureau of Labor Statistics Conference Center Washington DC Washington, DC

1.17k views • 25 slides
Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E. Santos-Neto, L. Costa, M. Ripeanu. IEEE TPC, 2014 Sami (sa894) - R244: Large-scale data processing and optimization Efficient Large-Scale Graph Processing on

381 views • 25 slides
Motivation Large-scale distributed systems becoming more common multiple datacenters, cloud

Motivation Large-scale distributed systems becoming more common multiple datacenters, cloud

Census: Location-Aware Membership Management for Large-Scale Distributed Systems James Cowling Dan R. K. Ports Barbara Liskov Raluca Ada Popa Abhijeet Gaikwad* MIT CSAIL *cole Centrale Paris Motivation Large-scale distributed systems

606 views • 48 slides
Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale

Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale

Large-Scale Electronic Voting Protocols Mike Carpenter Introduction What is meant by large-scale electronic voting protocol: Primarily Internet-based Users voting from their own devices (such as home PC/laptop) Aimed toward actual

721 views • 21 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
Internet Topology Generation for Large Scale BGP Simulation Jean-Michel Fourneau - Houssame

Internet Topology Generation for Large Scale BGP Simulation Jean-Michel Fourneau - Houssame

Internet Topology Generation for Large Scale BGP Simulation Jean-Michel Fourneau - Houssame Yahiaoui Outlook BGP: Border Gateway Protocol Large Scale Simulation: motivations Large Scale BGP Simulation Model Realistic Topologies

550 views • 17 slides
E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale Information Access Technologies Evaluation and Testing Evaluation and Testing Noriko Kando Noriko Kando National Institute of Informatics, Japan

632 views • 61 slides
TSO-Atom icity: TSO Enforcem ent for A Aggressive Program Optim ization i P O ti i ti

TSO-Atom icity: TSO Enforcem ent for A Aggressive Program Optim ization i P O ti i ti

TSO-Atom icity: TSO Enforcem ent for A Aggressive Program Optim ization i P O ti i ti Cheng Wang, Youfeng Wu, Jaewoong Chung Programming Systems Lab / MPR Intel Labs Programming Systems Lab Motivation Two different usage models in

322 views • 16 slides
Monthly Webinar Series January 2020 Todays Agenda Announcements &amp; Trial

Monthly Webinar Series January 2020 Todays Agenda Announcements &amp; Trial

Monthly Webinar Series January 2020 Todays Agenda Announcements &amp; Trial Updates/Reminders Sandi Cassard Breakthrough Disease and DMT Change - Refresher Ellen Mowry, Scott Newsome Monthly Randomization Race Daniel Amirault Q&amp;A

462 views • 28 slides
Monthly Webinar Series July 2020 Todays Agenda Trial Updates/Reminders Sandi Cassard PCORI

Monthly Webinar Series July 2020 Todays Agenda Trial Updates/Reminders Sandi Cassard PCORI

Monthly Webinar Series July 2020 Todays Agenda Trial Updates/Reminders Sandi Cassard PCORI COVID-19-Related Enhancement for Existing Research Background Ellen Mowry &amp; Scott Newsome Specific Aims Ellen Mowry &amp; Scott Newsome

453 views • 27 slides
Hi. Im Michelle Rise UP Michelle Parise With Purpose Coaching s h i t s i s m t

Hi. Im Michelle Rise UP Michelle Parise With Purpose Coaching s h i t s i s m t

Hi. Im Michelle Rise UP Michelle Parise With Purpose Coaching s h i t s i s m t n d u l o c I e u s a e c B Now I do This Business Owner them so much I worked here West Hollywood, CA No joke DREAM job

270 views • 24 slides
UCL PRO/CON Debate: Aggressive versus progressive therapeutic approach Dr. Shahin Moledina -

UCL PRO/CON Debate: Aggressive versus progressive therapeutic approach Dr. Shahin Moledina -

3/10/2017 Great Ormond Street Hospital UCL UCL PRO/CON Debate: Aggressive versus progressive therapeutic approach Dr. Shahin Moledina - Director UK National Paediatric PH Program UCL Centre for Cardiovascular Imaging UCL UCL Past battles

357 views • 6 slides
GCC/Clang Optimizations for Embedded Linux Khem Raj, Comcast Embedded Linux Conference &amp;

GCC/Clang Optimizations for Embedded Linux Khem Raj, Comcast Embedded Linux Conference &amp;

GCC/Clang Optimizations for Embedded Linux Khem Raj, Comcast Embedded Linux Conference &amp; OpenIOT summit Portland, OR Introduction To Clang Native compiler FrontEnd to LLVM Infrastructure Supports C/C++ and Objective-C The

517 views • 20 slides
Preventa(ve)Measures)for)School)Bullying Roz)Myers,)JD,)MA IIRP)Conference) October)2013 1

Preventa(ve)Measures)for)School)Bullying Roz)Myers,)JD,)MA IIRP)Conference) October)2013 1

Preventa(ve)Measures)for)School)Bullying Roz)Myers,)JD,)MA IIRP)Conference) October)2013 1 Nature)and)Scope)of)the)Problem Rates)of)bullying)are)increasingnot)just)in)the)US)but ) around)the)world:

609 views • 34 slides
LOCKING CS 2550 / Spring 2006 Principles of Database Systems 10 Locking Alexandros

LOCKING CS 2550 / Spring 2006 Principles of Database Systems 10 Locking Alexandros

LOCKING CS 2550 / Spring 2006 Principles of Database Systems 10 Locking Alexandros Labrinidis University of Pittsburgh 2 Alexandros Labrinidis, Univ. of Pittsburgh CS 2550 / Spring 2006 Centralized DBMS Locking T 1 T 2 T n

400 views • 10 slides

More recommend