Post on 30-Dec-2015
Reporter: 鄭志欣
Advisor: Hsing-Kuo Pao
E-mail: m9815058@mail.ntust.edu.tw
Botnet Judo: Fighting Spam with Itself
Conference
112/04/192
Botnet Judo: Fighting Spam with Itself
Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage. In Proceedings of the 17th Annual Network & Distributed System Security Symposium (NDSS), 2010.
Outline
- Introduction
- Template-based Spam
- Judo system
  - The Signature Generator
  - Leveraging Domain Knowledge
  - Signature Update
- Evaluation
  - Single Template Inference
  - Multiple Template Inference
  - Real-world Deployment
Conclusion
Introduction
Reactive defenses
Reverse engineering
Black box: a stream of all messages -> regular expression
Quickly producing precise mail filters
Judo system
The Judo system consists of three components.
Bot farm: running instances of spamming botnets in a contained environment.
Signature generator: maintains a set of regular expression signatures for spam sent by each botnet.
Spam filter: the component that is updated with the generated signatures.
System Assumptions
First and foremost, we assume that bots compose spam using a template system.
The Signature Generator
Anchors
Macros: Dictionary Macros, Micro-Anchors, Noise Macros
Leveraging Domain Knowledge: Header Filtering, Special Tokens
Signature Update: Second Chance Mechanism, Pre-Clustering
Anchors
Extract the longest ordered set of substrings of length at least q that are common to every message.
Macros
Dictionary Macros: hypothesis test (dictionary test).
Micro-Anchors: a substring that consists of non-alphanumeric characters. LCS is used again (without the q limit) to find micro-anchors. Once micro-anchors partition the text, the algorithm performs the dictionary test on each set of strings delimited by the micro-anchors.
Noise Macros: generate random characters from some character set, expressed as POSIX character classes or arbitrary repetition with "*" or "+".
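Added example, not code from the paper or these slides: a small Python sketch of the anchor and macro inference described on the Anchors and Macros slides. The four sample messages are constructed; anchors are found by recursively splitting every message on its longest common substring of length at least q, and the dictionary test is simplified to "a value repeats across the buffer" in place of the paper's hypothesis test (micro-anchors are left out).

```python
import re

# Constructed sample: four messages generated from one hypothetical spam template.
SAMPLE = ["Hello Alice, buy pills now! Code: a8f3k", "Hello Bob, buy pills now! Code: 9q2zx",
          "Hello Alice, buy watch now! Code: m3n7p", "Hello Carol, buy watch now! Code: zz11a"]

def longest_common_substring(strings):
    base = min(strings, key=len)                      # brute force over the shortest string
    for size in range(len(base), 0, -1):
        for start in range(len(base) - size + 1):
            cand = base[start:start + size]
            if all(cand in s for s in strings):
                return cand
    return ""

def anchors(messages, q):
    """Ordered anchors: split on the LCS if it has >= q chars, then recurse on both sides."""
    lcs = longest_common_substring(messages)
    if len(lcs) < q:
        return []
    left = [m[:m.index(lcs)] for m in messages]       # first occurrence only (simplification)
    right = [m[m.index(lcs) + len(lcs):] for m in messages]
    return anchors(left, q) + [lcs] + anchors(right, q)

def gaps(message, anchs):
    """The len(anchs)+1 text pieces that lie between consecutive anchors."""
    out, rest = [], message
    for a in anchs:
        head, _, rest = rest.partition(a)
        out.append(head)
    return out + [rest]

def noise_macro(values):
    # Character class covering the observed characters, with the observed length range.
    chars = set("".join(values))
    cls = "".join(r for r, f in (("a-z", str.islower), ("A-Z", str.isupper), ("0-9", str.isdigit))
                  if any(f(c) for c in chars))
    cls += "".join(re.escape(c) for c in sorted(chars) if not c.isalnum())
    return "[%s]{%d,%d}" % (cls, min(map(len, values)), max(map(len, values)))

def build_signature(messages, q=4):
    # Anchors become literals; each gap becomes a dictionary macro or a noise macro.
    anchs, parts = anchors(messages, q), []
    for i, col in enumerate(zip(*[gaps(m, anchs) for m in messages])):
        if any(col):
            if len(set(col)) < len(col):              # repeats seen: dictionary macro (simplified test)
                parts.append("(?:%s)" % "|".join(re.escape(v) for v in sorted(set(col))))
            else:
                parts.append(noise_macro(col))
        if i < len(anchs):
            parts.append(re.escape(anchs[i]))
    return re.compile("^" + "".join(parts) + "$")
```

With q=4 the sample yields the anchors "Hello ", ", buy " and " now! Code: ", two dictionary macros and one noise macro for the code field.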
Leveraging Domain Knowledge
Improve the performance of the algorithm.
Header Filtering: ignore all but the following headers:
A message must match all headers for a signature to be considered a match.
Special Tokens: like dates, IP addresses, etc. They "expire" after the signature was generated, so they are handled by pre- and post-processing as anchors.
Signature Update
We would like to use a training buffer as small as necessary to generate good signatures.
The training buffer size is controlled by k.
Second Chance Mechanism: addresses the case where the training buffer is too small.
Pre-Clustering: mitigates the effects of a large training buffer.
Evaluation
Judo is indeed safe and effective for filtering botnet-originated spam.
First, spam generated synthetically from actual templates used by the Storm botnet.
Next, we run the Judo system on actual spam sent by four different bots, measuring its effectiveness against spam generated by the same bot.
Last, a deployment scenario: training and testing on different instances of the same bot.