botmagnifier locating spambots on the internet
play

BotMagnifier : Locating Spambots on the Internet Gianluca Stringhini - PowerPoint PPT Presentation

Nov 19, 2023 •217 likes •550 views

BotMagnifier : Locating Spambots on the Internet Gianluca Stringhini Thorsten Holz Brett Stone-Gross Christopher Kruegel Giovanni Vigna USENIX Security Symposium August 12, 2011 Spam is a big problem Spam is sneaky Spam is sneaky Tracking

  1. BotMagnifier : Locating Spambots on the Internet Gianluca Stringhini Thorsten Holz Brett Stone-Gross Christopher Kruegel Giovanni Vigna USENIX Security Symposium August 12, 2011

  2. Spam is a big problem

  3. Spam is sneaky

  4. Spam is sneaky

  5. Tracking Spambots is important Botnets are responsible for 85% of worldwide spam � ISPs and organizations can clean up their networks � Existing blacklists (DNSBL) can be improved � Mitigation efforts can be directed to the most aggressive botnets

  6. Tracking Spambots is challenging � The IP addresses of infected machines change frequently � It is easy to recruit “new members” into a botnet e An approach is to set up spam traps . However, a few problems arise: � Only a subset of the bots will send emails to the spam trap addresses � Some botnets target only users located in certain countries

  7. Basic Insight Bots that belong to the same botnet share similarities As a result, they will follow a similar behavior when sending spam Commoditized botnets could appear as multiple botnets By observing a portion of a botnet, it is possible to identify more bots that belong to it

  8. Our Approach

  9. Our Approach

  10. Our Approach

  11. Our Approach

  12. Our Approach

  13. Our Approach

  14. Our Approach

  15. Input Datasets How can we achieve this? Our approach takes two datasets as input: � The IP addresses of known spamming bots, grouped by spam campaign ( seed pools ) � A log of email transactions carried out on the Internet, both legitimate and malicious ( transaction log )

  16. Our System We implemented our approach in a tool, called BotMagnifier We used a large spam trap to populate seed pools We used the logs of a Spamhaus mirror as transaction log � Each query to the Spamhaus mirror corresponds to an email � We show how BotMagnifier also works when using other datasets as transaction logs

  17. Our System BotMagnifier is executed periodically It takes as input a set of seed pools At the end of each observation period, it outputs: � The IP addresses of the bots in the magnified pools � The name of the botnet that carried out each campaign

  18. Phase I: Building Seed Pools Set of IP addresses that participated in a specific spam campaign Built using the data of a spam trap set up by a large US ISP ≈ 1M messages / day We consider messages with similar subject lines as part of the same campaign Design decisions: � Minimum seed pool size: 1,000 IP addresses � Observation period: 1 day

  19. Phase II: Characterizing Bot Behavior For each seed pool: � We query the transaction log to find all the events that are associated with the IP addresses in it � We analyze the set of destinations targeted and build a target set Problem The target sets of two botnets might have substantial overlaps We extract the set of destinations that are unique to each seed pool ( characterizing set )

  20. Phase III: Bot Magnification Goal : find the IP addresses of previously-unknown bots BotMagnifier considers an IP address x as behaving similarly to the bots in a seed pool if: � x sent emails to at least N destinations in the target set � x never sent an email to a destination outside the target set � x has contacted at least one destination in the characterizing set How large should N be?

  21. Threshold Computation N should be greater for campaigns targeting a larger number of destinations N = k · | T ( p i ) | , 0 < k ≤ 1 where | T ( p i ) | is the size of the target set, and k is a parameter Precision vs. Recall analysis on ten campaigns for which we had ground truth (coming from Cutwail C&C servers) | T ( p i ) | → k b = 8 · 10 − 4 , α = 10 k = k b + α

  22. Phase IV: Spam Attribution We want to “label” spam campaigns based on the botnet that carried them out Running Malware Samples We match the subject lines observed in the wild with the ones of the bots we ran Botnet Clustering � IP overlap � Destination distance � Bot distance

  23. Validation of the Approach To validate our approach, we studied Cutwail , for which we had direct data about the IP addresses of the infected machines The C&C servers we analyzed accounted for approximately 30% of the botnet We ran the validation experiment for the period between July 28 and August 16, 2010 For each of the 18 days: � We selected a subset of the IP addresses referenced by the C&C servers � With the help of the spam trap, we identified the campaigns carried out � We generated the seed and magnified pools BotMagnifier identified 144,317 IP addresses as bots. Of these, 33,550 were actually listed in the C&C databases ( ≈ 23%).

  24. Overview of Tracking Results We ran our system between September 28, 2010 and February 5, 2011 BotMagnifier tracked 2,031,110 bot IP addresses Of these, 925,978 belonged to magnified pools, while the others belonged to seed pools 1.6% estimated false positives Botnet Total # of IP addresses # of ”static“ IP addresses Lethic 887,852 117,335 Rustock 676,905 104,460 Cutwail 319,355 34,132 MegaD 68,117 3,055 Waledac 36,058 3,450

  25. Overview of Tracking Results

  26. Overview of Tracking Results

  27. Overview of Tracking Results

  28. Overview of Tracking Results

  29. Application of Results Can BotMagnifier improve existing blacklists? We analyzed the email logs from the UCSB CS mail server from November 30, 2010 to February 8, 2011 � If a mail got delivered, the IP address was not blacklisted at the time � The spam ratios computed by SpamAssassin provide us with ground truth 28,563 emails were marked as spam, 10,284 IP addresses involved. 295 of them were detected by BotMagnifier , for a total of 1,225 emails ( ≈ 4%) We then looked for false positives. BotMagnifier wrongly identified 12 out of 209,013 IP addresses as bots.

  30. Data Stream Independence We show how BotMagnifier can be used on alternative datasets, too We used the netflow logs from an ISP backbone routers 1.9M emails logged per day We had to use new values for k b and α The experiment lasted from January 20, 2011 to January 28, 2011. BotMagnifier identified 36,739 in magnified pools. This grew the seed pools by 38%.

  31. Conclusions We presented BotMagnifier , a tool for tracking and analyzing spamming botnets We showed that our approach is able to accurately identify and track botnets By using more comprehensive datasets, the magnification results would get better

  32. Thanks! email: gianluca@cs.ucsb.edu twitter: @gianlucaSB

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The rise of novel Twitter social spambots SoBigData day @EUI, Florence, 11-10-2017 Marinella

The rise of novel Twitter social spambots SoBigData day @EUI, Florence, 11-10-2017 Marinella

The rise of novel Twitter social spambots SoBigData day @EUI, Florence, 11-10-2017 Marinella Petrocchi IIT-CNR, Pisa, Italy SPAMBOTS &amp; SOCIAL NETWORKS spambot AN OPEN PROBLEM Spambots (Semi-)automated accounts with (often) harmful

317 views • 19 slides
Locating Local Extrema Definitions: Locations . . . Definitions: . . . under Interval

Locating Local Extrema Definitions: Locations . . . Definitions: . . . under Interval

Need to Take into . . . Need for Guaranteed . . . Locating Local . . . Locating Local Extrema Definitions: Locations . . . Definitions: . . . under Interval Uncertainty: Definitions: Locating . . . Definitions: Locating . . . Multi-D Case

591 views • 16 slides
Becoming a Restorative Practitioner Becoming a Restorative Practitioner Locating your practice

Becoming a Restorative Practitioner Becoming a Restorative Practitioner Locating your practice

Becoming a Restorative Practitioner Becoming a Restorative Practitioner Locating your practice Learning opportunities Being explicit Locating Your Practice Locating Your Practice Small group What is at the core of what you do?

279 views • 13 slides
Mobile Samples and Movers: Locating Respondents in the 2014 SIPP Panel Locating Respondents in

Mobile Samples and Movers: Locating Respondents in the 2014 SIPP Panel Locating Respondents in

Mobile Samples and Movers: Locating Respondents in the 2014 SIPP Panel Locating Respondents in the 2014 SIPP Panel A Amber Phillips b Philli Bennett Adelman D Daniel Doyle i l D l Jason Fields U.S. Census Bureau 1 The SIPP Mission

342 views • 16 slides
WTF? Locating Problems in Home Networks Srikanth Sundaresan Nick Feamster Georgia Tech Renata

WTF? Locating Problems in Home Networks Srikanth Sundaresan Nick Feamster Georgia Tech Renata

WTF? Locating Problems in Home Networks Srikanth Sundaresan Nick Feamster Georgia Tech Renata Teixeira, INRIA Ongoing work with Federal Communications Commission. BISmark: A platform to study home networks BISmark Gateway ISP Network Internet

531 views • 23 slides
Four Projects Simplifying Comparing Locating Input Coverage Causes 3 weeks 3 weeks 4 weeks

Four Projects Simplifying Comparing Locating Input Coverage Causes 3 weeks 3 weeks 4 weeks

About the Course Andreas Zeller 1 Course Topics Tracking and Reproducing Problems The Scientific Method Making Programs Fail Isolating Failure Causes (automatically) Locating and Fixing Defects Why does my Program Fail?

66 views • 5 slides
LOCATING THE ARCHITECTURAL ROOTS OF TECHNICAL DEBT R. K AZ M AN , Y. CAI , R. M O, Q. FEN G, L.

LOCATING THE ARCHITECTURAL ROOTS OF TECHNICAL DEBT R. K AZ M AN , Y. CAI , R. M O, Q. FEN G, L.

LOCATING THE ARCHITECTURAL ROOTS OF TECHNICAL DEBT R. K AZ M AN , Y. CAI , R. M O, Q. FEN G, L. X I AO, S. H AZ I Y EV, V. FEDAK , A. SH APOCH K A YOUR TYPICAL SOFTWARE PROJECT The boat is leaking but you keep paddling! Why? 1. The

888 views • 32 slides
No Yes Do you use the Internet to do homework? Do you use the Internet to follow your

No Yes Do you use the Internet to do homework? Do you use the Internet to follow your

No Yes Do you use the Internet to do homework? Do you use the Internet to follow your favourite team? Do you use the internet to watch music videos? Do you use the Internet to read the news? Do you use the Internet to play games? Shared

997 views • 51 slides
LOCATING CLIMATE INSECURITY LOCATING CLIMATE INSECURITY Where Are the Vulnerable Places in Where

LOCATING CLIMATE INSECURITY LOCATING CLIMATE INSECURITY Where Are the Vulnerable Places in Where

LOCATING CLIMATE INSECURITY LOCATING CLIMATE INSECURITY Where Are the Vulnerable Places in Where Are the Vulnerable Places in Africa? Africa? Joshua W. Busby, Assistant Professor Joshua W. Busby, Assistant Professor Climate Change and African

260 views • 15 slides
Locating arrays with error correcting ability Masakazu Jimbo joint work with Xiao-Nan Lu

Locating arrays with error correcting ability Masakazu Jimbo joint work with Xiao-Nan Lu

Locating arrays with error correcting ability

475 views • 35 slides
Dr. David Boutt UMassAmherst, Geosciences Department Your tasked with locating

Dr. David Boutt UMassAmherst, Geosciences Department Your tasked with locating

Ground Water and Wells Basic (Geo)Science for Sustainable a Future Dr. David Boutt UMassAmherst, Geosciences Department Your tasked with locating properties/land to purchase for a high yield (1000 gpm) well for the town of Sunderland, MA

1.38k views • 81 slides
Locating ourselves amidst the wealth: Creative approaches to intersectionality for personal and

Locating ourselves amidst the wealth: Creative approaches to intersectionality for personal and

Locating ourselves amidst the wealth: Creative approaches to intersectionality for personal and social transformation Susan Abdul Rahman, M.A. Robert Jackson-Paton, Ph.D. White Privilege Conference Seattle, WA 11 April 2013 Saturday, April

394 views • 15 slides
Your tasked with locating properties/land to purchase for a high yield (1000 gpm) well for the

Your tasked with locating properties/land to purchase for a high yield (1000 gpm) well for the

9/26/2017 Ground Water and Wells Basic (Geo)Science for Sustainable a Future Dr. David Boutt UMassAmherst, Geosciences Department Your tasked with locating properties/land to purchase for a high yield (1000 gpm) well for the town of

550 views • 41 slides
Divorce and E-Discovery: Locating, Obtaining, Introducing and Restricting Admission of Electronic

Divorce and E-Discovery: Locating, Obtaining, Introducing and Restricting Admission of Electronic

Presenting a live 90-minute webinar with interactive Q&amp;A Divorce and E-Discovery: Locating, Obtaining, Introducing and Restricting Admission of Electronic Evidence WEDNESDAY, APRIL 9, 2014 1pm Eastern | 12pm Central | 11am Mountain

1.14k views • 88 slides
Divorce Cases and E-Discovery Locating, Obtaining, Introducing and Restricting Admission of

Divorce Cases and E-Discovery Locating, Obtaining, Introducing and Restricting Admission of

Presenting a live 90-minute webinar with interactive Q&amp;A Divorce Cases and E-Discovery Locating, Obtaining, Introducing and Restricting Admission of Electronic Evidence WEDNESDAY, FEBRUARY 27, 2013 1pm Eastern | 12pm Central | 11am

855 views • 82 slides
On logic programming and locating errors in programs W lodzimierz Drabent Institute of

On logic programming and locating errors in programs W lodzimierz Drabent Institute of

Outline 2 LP Correctness DD Summary On logic programming and locating errors in programs W lodzimierz Drabent Institute of Computer Science, Polish Academy of Sciences (IPI PAN); IDA, Link opings universitet, Sweden SaS seminar

742 views • 37 slides
Information Hiding in Email Services Based on Confused Document Encrypting Schemes Wei-Shyun Pan

Information Hiding in Email Services Based on Confused Document Encrypting Schemes Wei-Shyun Pan

Information Hiding in Email Services Based on Confused Document Encrypting Schemes Wei-Shyun Pan Quincy Wu Graduate Institute of Communication Graduate Institute of Communication Engineering Engineering National Chi Nan University, Nantou

297 views • 4 slides
Advanced MPI Programming Latest slides and code examples are available

Advanced MPI Programming Latest slides and code examples are available

Advanced MPI Programming Latest slides and code examples are available at www.mcs.anl.gov/~thakur/sc13-mpi-tutorial Pavan Balaji James Dinan Argonne Na*onal Laboratory

2.33k views • 185 slides
Inefficiencies 1 Ad Tech Value Chain Evolution Aggregation 2 Ad Tech Value Chain Evolution

Inefficiencies 1 Ad Tech Value Chain Evolution Aggregation 2 Ad Tech Value Chain Evolution

Ad Tech Value Chain Evolution Inefficiencies 1 Ad Tech Value Chain Evolution Aggregation 2 Ad Tech Value Chain Evolution Automation 3 Data Matching Across Websites &amp; Apps Third-Party Data 4 Understanding Ad Effectiveness 5 Offline

859 views • 7 slides
Regexp Lecture 26: Regular Expressions Regular Expressions Regular expressions are a small

Regexp Lecture 26: Regular Expressions Regular Expressions Regular expressions are a small

Regexp Lecture 26: Regular Expressions Regular Expressions Regular expressions are a small programming language over strings Regex or regexp are not unique to Python They let us to succinctly and compactly represent classes of strings In this

739 views • 29 slides
CS136 Fall 2012 - Tutorial 1 CS136 Tutors cs136@student.cs.uwaterloo.ca September 14, 2012

CS136 Fall 2012 - Tutorial 1 CS136 Tutors cs136@student.cs.uwaterloo.ca September 14, 2012

CS136 Fall 2012 - Tutorial 1 CS136 Tutors cs136@student.cs.uwaterloo.ca September 14, 2012 CS136 Tutorscs136@student.cs.uwaterloo.ca CS136 Fall 2012 - Tutorial 1 RunC Environment We will use gedit under Ubuntu for both C and Racket coding.

502 views • 14 slides
Botnets A collection of compromised machines Under control of a single person Organized

Botnets A collection of compromised machines Under control of a single person Organized

Botnets A collection of compromised machines Under control of a single person Organized using distributed system techniques Used to perform various forms of attacks Usually those requiring lots of power Lecture 12 Page 1 CS

753 views • 16 slides
Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot a software application that runs automated tasks over the Internet Botnet a collection of Internet-connected programs communicating with other

659 views • 39 slides
CS 3700 Networks and Distributed Systems Logistics (a.k.a. The boring slides) Revised

CS 3700 Networks and Distributed Systems Logistics (a.k.a. The boring slides) Revised

CS 3700 Networks and Distributed Systems Logistics (a.k.a. The boring slides) Revised 1/5/2020 Hello! 2 Welcome to CS 3700 Are you in the right classroom? Okay, good. Who am I? Professor Alden Jackson

861 views • 29 slides

More recommend