combating snowshoe spam with fire
play

Combating Snowshoe Spam with Fire Olivier van der Toorn - PowerPoint PPT Presentation

Nov 19, 2022 •483 likes •1.05k views

Combating Snowshoe Spam with Fire Olivier van der Toorn <o.i.vandertoorn@utwente.nl> November 13, 2018 University of Twente, Design and Analysis of Communication Systems ICT OPEN 2018 Overview Introduction Methodology Results

  1. Combating Snowshoe Spam with Fire Olivier van der Toorn <o.i.vandertoorn@utwente.nl> November 13, 2018 University of Twente, Design and Analysis of Communication Systems ICT OPEN 2018

  2. Overview Introduction Methodology Results Conclusions 1

  3. Introduction

  4. • Snowshoe Spam Background Info • Active DNS Measurements 2

  5. • Snowshoe Spam Background Info • Active DNS Measurements 2

  6. Background Info • Active DNS Measurements • Snowshoe Spam 2

  7. • Sender Policy Framework (SPF) • DNS domain Starting Point • Snowshoe spam is hard to detect 3

  8. • DNS domain Starting Point • Snowshoe spam is hard to detect • Sender Policy Framework (SPF) 3

  9. Starting Point • Snowshoe spam is hard to detect • Sender Policy Framework (SPF) • DNS domain 3

  10. Research Question How can we detect snowshoe spam through active DNS measurements? 4

  11. Methodology

  12. Methodology 5

  13. • Queries more than 60% of registered domain names OpenINTEL • Active DNS Measurement Platform 6

  14. OpenINTEL • Active DNS Measurement Platform • Queries more than 60% of registered domain names 6

  15. • 37 Features • Long Tail Analysis Datasets & Features • Two types of datasets • Labeled • Unlabeled 7

  16. • Long Tail Analysis Datasets & Features • Two types of datasets • Labeled • Unlabeled • 37 Features 7

  17. Datasets & Features • Two types of datasets • Labeled • Unlabeled • 37 Features • Long Tail Analysis 7

  18. Long Tail Analysis The long tail of the DNS 8

  19. Long Tail Analysis long The tail of the DNS 8

  20. • Ranked performance based on ‘precision’ metric Machine Learning • Trained and evaluated many classifier algorithms 9

  21. Machine Learning • Trained and evaluated many classifier algorithms • Ranked performance based on ‘precision’ metric 9

  22. Precision True Positives Precision = True Positives + False Positives 10

  23. Machine Learning • Trained and evaluated many classifier algorithms • Ranked performance based on ‘precision’ metric • Selected AdaBoost Classifier as classifier of choice (110 false positives out of 10851 ham domains) 11

  24. • Daily detections • Compared to other blacklists Realtime Blackhole List • DNS based way of hosting a blacklist 12

  25. • Compared to other blacklists Realtime Blackhole List • DNS based way of hosting a blacklist • Daily detections 12

  26. Realtime Blackhole List • DNS based way of hosting a blacklist • Daily detections • Compared to other blacklists 12

  27. • Initially in evaluation mode SURF • SURFmailfilter 13

  28. SURF • SURFmailfilter • Initially in evaluation mode 13

  29. Results

  30. Comparison training data 100% 16.6 11.2 80% CDF 60% blacklisted 40% benign 0 10 20 30 40 50 Number of A records 14

  31. Comparison training data 100% 100% 16.6 77.0 98% 11.2 80% 96% CDF CDF 60% 94% blacklisted blacklisted 92% 40% benign benign 90% 0 10 20 30 40 50 0 20 40 60 80 100 Number of A records Number of MX records 15

  32. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 16

  33. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 28984 16

  34. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 28984 1961 16

  35. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 1144 28984 1961 16

  36. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 1095 1144 28984 1961 16

  37. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 968 1095 1144 28984 1961 16

  38. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 928 968 1095 1144 28984 1961 16

  39. Early Detection (update) 17

  40. SURF Results daadzgam.com Domain names realdrippy.com coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates 18

  41. SURF Results daadzgam.com Domain names realdrippy.com coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates 18

  42. SURF Results daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates 18

  43. • 1080 emails • 447 (41.39%) emails with a score of five or higher SURF Results daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates 19

  44. SURF Results daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates • 1080 emails • 447 (41.39%) emails with a score of five or higher 19

  45. SURF Results daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates • 633 (58.61%) emails have a score below five • 52 unique domains in the body • of which 13 domains have never appeared in an email classified as spam • these 13 domains appeared in 31 emails (2.87%) 20

  46. Additional email blocked 700 Emails marked as spam 600 500 400 300 200 100 0 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0 Additional score of the RBL 21

  47. Additional email blocked 700 Emails marked as spam 600 500 335 400 320 300 200 120 100 22 0 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0 Additional score of the RBL 21

  48. Additional email blocked 700 Emails marked as spam 554 600 497 441 500 352 335 400 320 300 200 120 100 22 0 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0 Additional score of the RBL 21

  49. Additional email blocked 626 629 700 Emails marked as spam 554 600 497 441 500 352 335 400 320 300 200 120 100 22 0 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0 Additional score of the RBL 21

  50. Additional email blocked (update) 22

  51. Conclusions

  52. • Early detection • Additional spam blocked Conclusions • Hard to detect spam is detectable 23

  53. • Additional spam blocked Conclusions • Hard to detect spam is detectable • Early detection 23

  54. Conclusions • Hard to detect spam is detectable • Early detection • Additional spam blocked 23

  55. Questions 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Melting the Snow: Detecting Snowshoe Spam Domains Using Active DNS Measurements Introduction 1

Melting the Snow: Detecting Snowshoe Spam Domains Using Active DNS Measurements Introduction 1

Olivier van der Toorn &lt;o.i.vandertoorn@utwente.nl&gt; November 13, 2018 University of Twente, Design and Analysis of Communication Systems NOMS 2018 Melting the Snow: Detecting Snowshoe Spam Domains Using Active DNS Measurements

784 views • 75 slides
Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der Toorn November 13, 2018 University of Twente, Design and Analysis of Communication Systems Introduction Olivier

825 views • 71 slides
Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der Toorn February 1, 2018 University of Twente, Design and Analysis of Communication Systems Introduction Olivier

1.46k views • 90 slides
Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a

Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a

Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a highly evolved form of information warfare. Fascinating socioeconomic study with many players - users, ISPs, spammers, technologists, legal

322 views • 17 slides
Combating Spam Server-side Purpose : to provide insight into the steps an organization can take

Combating Spam Server-side Purpose : to provide insight into the steps an organization can take

Combating Spam Server-side Purpose : to provide insight into the steps an organization can take to close the Spam Floodgates. Presented by Ben Serebin May 22, 2003 @ eWin www.reefsolutions.com 1 Introduction Working in the IT sector

382 views • 12 slides
Combating Friend Spam Using Social Rejections Michael Sirivianos Cyprus University of Technology

Combating Friend Spam Using Social Rejections Michael Sirivianos Cyprus University of Technology

Dagstuhl: Cybersafety in Modern Online Social Networks Combating Friend Spam Using Social Rejections Michael Sirivianos Cyprus University of Technology Joint work with Q. Cao, Xiaowei Yang and 1 K. Munagala at Duke University Friend Spam in

439 views • 27 slides
Spam Fighting at CERN 28 April 2004 Emmanuel Ormancey 1 What is Spam ? What is Spam ? Spam

Spam Fighting at CERN 28 April 2004 Emmanuel Ormancey 1 What is Spam ? What is Spam ? Spam

Spam Fighting at CERN 28 April 2004 Emmanuel Ormancey 1 What is Spam ? What is Spam ? Spam is the friendly name given to unsolicited mail everyone receives in the mailbox. Comes from a Monty Python sketch, where in a caf everything

505 views • 13 slides
Opinion Spam and Analysis NITIN JINDAL &amp; BING LIU, WSDM 08 UIUC Opinion/Review Spam All

Opinion Spam and Analysis NITIN JINDAL &amp; BING LIU, WSDM 08 UIUC Opinion/Review Spam All

Opinion Spam and Analysis NITIN JINDAL &amp; BING LIU, WSDM 08 UIUC Opinion/Review Spam All spam is spam but some spam is more spam than others Opinion spam similar to web spam or email spam in intent, but different in form / content Web

912 views • 38 slides
The CAN-SPAM Act of 2003 D E C E M B E R 2 0 0 3 THE CAN-SPAM ACT OF 2003 Status of Legislation

The CAN-SPAM Act of 2003 D E C E M B E R 2 0 0 3 THE CAN-SPAM ACT OF 2003 Status of Legislation

The CAN-SPAM Act of 2003 D E C E M B E R 2 0 0 3 THE CAN-SPAM ACT OF 2003 Status of Legislation When Congress returns from recess on December 8, 2003, it will finish its work on the CAN-SPAM Act of 2003 (Controlling the Assault of

323 views • 4 slides
Link Spam Alliances Zoltn Gyngyi Hector Garcia-Molina Class List Spam 101 Intro to

Link Spam Alliances Zoltn Gyngyi Hector Garcia-Molina Class List Spam 101 Intro to

Link Spam Alliances Zoltn Gyngyi Hector Garcia-Molina Class List Spam 101 Intro to web spam Spam 221 Spamming PageRank Spam farm model Optimal farm structure Alliances of two farms Larger alliances Spam

876 views • 30 slides
Web Spam Dr. Marc Spaniol Dr. Marc Spaniol Saarbrcken, June 24, 2010 Databases and

Web Spam Dr. Marc Spaniol Dr. Marc Spaniol Saarbrcken, June 24, 2010 Databases and

Web Dynamics Web Spam Web Spam Dr. Marc Spaniol Dr. Marc Spaniol Saarbrcken, June 24, 2010 Databases and Information Systems Prof. Dr. G. Weikum MPII-Sp-0710-1/49 Agenda Web spam - Why and what? Web Spam - Spam taxonomy

669 views • 49 slides
Web Spam Marc Spaniol Marc Spaniol Saarbrcken, July 23, 2009 Databases and Information

Web Spam Marc Spaniol Marc Spaniol Saarbrcken, July 23, 2009 Databases and Information

Web Dynamics Web Spam Web Spam Marc Spaniol Marc Spaniol Saarbrcken, July 23, 2009 Databases and Information Systems Prof. Dr. G. Weikum MPII-Sp-0709-1/49 Agenda Web spam - Why and what? Web Spam - Spam taxonomy Overview

806 views • 49 slides
Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why

Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why

Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why should you care? How to detect Spam? 2 What is Spam? What is Spam? All forms of malicious manipulation of user generated data so as to

943 views • 56 slides
Web Spam Know Your Neighbors: Web Spam Detection using the Web Topology Presenter: Sadia Masood

Web Spam Know Your Neighbors: Web Spam Detection using the Web Topology Presenter: Sadia Masood

Seminar: Future Of Web Search University of Saarland Web Spam Know Your Neighbors: Web Spam Detection using the Web Topology Presenter: Sadia Masood Tutor : Klaus Berberich Date : 17-Jan-2008 The Agenda Focus of the First Paper

1.22k views • 53 slides
spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian

spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian

spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian Developer since 2003 Listmaster Alioth Admin Maintainer of packages like iproute, icinga, nagios and a lot of other useless stu ff

219 views • 20 slides
Machine Learning in Spam Filtering A Crash Course in ML Konstantin Tretyakov kt@ut.ee

Machine Learning in Spam Filtering A Crash Course in ML Konstantin Tretyakov kt@ut.ee

Machine Learning in Spam Filtering A Crash Course in ML Konstantin Tretyakov kt@ut.ee Institute of Computer Science, University of Tartu Overview Spam is Evil ML for Spam Filtering: General Idea, Problems. Some Algorithms Nave Bayesian

391 views • 35 slides
CS 403X Mobile and Ubiquitous Computing Lecture 15: Making Apps Intelligent/Machine Learning

CS 403X Mobile and Ubiquitous Computing Lecture 15: Making Apps Intelligent/Machine Learning

CS 403X Mobile and Ubiquitous Computing Lecture 15: Making Apps Intelligent/Machine Learning Emmanuel Agu Making Apps Intelligent (Sensors Inference &amp; Machine Learning) My Goals in this Section If you know machine learning Set off light

586 views • 33 slides
Spark Machine Learning Amir H. Payberah amir@sics.se SICS Swedish ICT June 30, 2016 Amir H.

Spark Machine Learning Amir H. Payberah amir@sics.se SICS Swedish ICT June 30, 2016 Amir H.

Spark Machine Learning Amir H. Payberah amir@sics.se SICS Swedish ICT June 30, 2016 Amir H. Payberah (SICS) MLLib June 30, 2016 1 / 1 Data Amir H. Payberah (SICS) MLLib June 30, 2016 2 / 1 Data Actionable Knowledge Amir H. Payberah

799 views • 78 slides
Link Spam Detection Based on Mass Estimation Zoltn Gyngyi , Pavel Berkhin, Hector

Link Spam Detection Based on Mass Estimation Zoltn Gyngyi , Pavel Berkhin, Hector

Link Spam Detection Based on Mass Estimation Zoltn Gyngyi , Pavel Berkhin, Hector Garcia-Molina, Jan Pedersen Roadmap Search engine spamming Link spamming PageRank contribution Spam mass Definition Estimation

618 views • 35 slides
Fighting spam for fun and profit the long road to SpamAssassin 4.0 Giovanni Bechis

Fighting spam for fun and profit the long road to SpamAssassin 4.0 Giovanni Bechis

Fighting spam for fun and profit the long road to SpamAssassin 4.0 Giovanni Bechis &lt;gbechis@apache.org&gt; Fosdem 2019, Brussels SA as a framework SpamAssassin should be seen as a framework, not as plug &amp; play software if you

424 views • 18 slides
Lecture 1.2: Linear independence and spanning sets Matthew Macauley Department of Mathematical

Lecture 1.2: Linear independence and spanning sets Matthew Macauley Department of Mathematical

Lecture 1.2: Linear independence and spanning sets Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4340, Advanced Engineering Mathematics M. Macauley (Clemson) Lecture 1.2:

234 views • 9 slides
End-to-end Neural Coreference Resolution Kenton Lee Luheng He Mike Lewis Luke

End-to-end Neural Coreference Resolution Kenton Lee Luheng He Mike Lewis Luke

End-to-end Neural Coreference Resolution Kenton Lee Luheng He Mike Lewis Luke Zettlemoyer UWNLP Allen Institute for University of Washington Facebook AI Research Artificial Intelligence 1 Coreference Resolution Input document

1.35k views • 87 slides
S 3 D: S ingle S hot multi- S pan D etector via Fully 3D Convolutional Network Da Zhang 1 ,

S 3 D: S ingle S hot multi- S pan D etector via Fully 3D Convolutional Network Da Zhang 1 ,

S 3 D: S ingle S hot multi- S pan D etector via Fully 3D Convolutional Network Da Zhang 1 , Xiyang Dai 2 , Xin Wang 1 , and Yuan-Fang Wang 1 dazhang@cs.ucsb.edu 1 UC Santa Barbara &amp; 2 University of Maryland Task: Temporal Activity Detection

391 views • 21 slides
Span-based Localizing Network for Natural Language Video Localization Hao Zhang 1,2 , Aixin Sun 1

Span-based Localizing Network for Natural Language Video Localization Hao Zhang 1,2 , Aixin Sun 1

Span-based Localizing Network for Natural Language Video Localization Hao Zhang 1,2 , Aixin Sun 1 , Wei Jing 3 , Joey Tianyi Zhou 2 1 School of Computer Science and Engineering, Nanyang Technological University, Singapore 2 Institute of High

943 views • 18 slides

More recommend