Botnet Judo: Fighting Spam with Itself


Reporter: 鄭志欣 Advisor: Hsing-Kuo Pao E-mail: [email protected]


Conference

112/04/192

Andreas Pitsillidis, Kirill Levchenko, Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage. Botnet Judo: Fighting Spam with Itself. In Proceedings of the 17th Annual Network & Distributed System Security Symposium (NDSS), 2010.

Outline


Introduction
Template-based Spam
Judo system
The Signature Generator: Leveraging Domain Knowledge, Signature Update
Evaluation: Single Template Inference, Multiple Template Inference, Real-world Deployment

Conclusion

Introduction


Reactive Defenses

Reverse engineering

Black box: a stream of all messages -> regular expression

Quickly producing precise mail filters

Template-based Spam


Storm’s template Language


Judo system


The Judo system consists of three components.

Bot farm: running instances of spamming botnets in a contained environment.

Signature generator: maintains a set of regular expression signatures for spam sent by each botnet.

Spam filter: kept updated by the system.

Judo spam filter model


System Assumptions


First and foremost , we assume that bots compose spam using a template system.

The Signature Generator


Anchors

Macros: Dictionary Macros, Micro-Anchors, Noise Macros

Leveraging Domain Knowledge: Header Filtering, Special Tokens

Signature Update: Second Chance Mechanism, Pre-Clustering

Step of algorithm


Anchors


Extracting the longest ordered set of substrings, each of length at least q, that are common to every message.

Macros


Dictionary Macros: hypothesis test (dictionary test).

Micro-Anchors: a substring that consists of non-alphanumeric characters. LCS is run again (this time without the length limit q) to find micro-anchors. Once the micro-anchors partition the text, the algorithm performs the dictionary test on each set of strings delimited by the micro-anchors.

Noise Macros: generate random characters from some character set, expressed as POSIX character classes with arbitrary repetition (“*” or “+”).
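Added example, not code from the paper or from these slides: a simplified Python sketch of the signature generator described in the Anchors and Macros slides. It replaces the paper's LCS anchor step with a greedy longest-common-substring recursion, uses a simplified dictionary test (each distinct value seen twice on average), and writes the POSIX classes in Python re syntax; the training messages and the template behind them are constructed.

```python
import re
import string
# Constructed sample, not the paper's data: four messages from one hypothetical
# template (name = dictionary macro; order number and code = noise macros).
TRAINING = [
    "Hi Alice, order 48213 shipped. Code: xk2q",
    "Hi Bob, order 90417 shipped. Code: p7mz",
    "Hi Alice, order 66054 shipped. Code: q3lt",
    "Hi Bob, order 23947 shipped. Code: z08y",
]
# POSIX [:digit:], [:alpha:], [:alnum:] written in Python re syntax, smallest first.
NOISE_CLASSES = [(set(string.digits), r"\d"), (set(string.ascii_letters), "[A-Za-z]"),
                 (set(string.ascii_letters + string.digits), "[A-Za-z0-9]")]
def longest_common_substring(msgs, q):
    # Longest substring of length >= q that occurs in every message, or None.
    base = min(msgs, key=len)
    for n in range(len(base), q - 1, -1):
        for i in range(len(base) - n + 1):
            cand = base[i:i + n]
            if all(cand in m for m in msgs):
                return cand
    return None

def find_anchors(msgs, q):
    # Greedy stand-in for the paper's LCS step: take the longest common substring,
    # then recurse on the text left and right of it, so the anchors stay ordered.
    a = longest_common_substring(msgs, q)
    if a is None: return []
    lefts, rights = zip(*(m.split(a, 1) for m in msgs))
    return find_anchors(lefts, q) + [a] + find_anchors(rights, q)

def infer_macro(values):
    # Simplified dictionary test: each distinct value seen twice on average -> alternation;
    # otherwise a noise macro: smallest class covering every observed char + length bounds.
    distinct = sorted(set(values))
    if distinct == [""]: return ""
    if 2 * len(distinct) <= len(values):
        return "(?:" + "|".join(map(re.escape, distinct)) + ")"
    chars = set("".join(values))
    cls = next((p for s, p in NOISE_CLASSES if chars <= s), ".")
    lo, hi = min(map(len, values)), max(map(len, values))
    return cls + ("{%d}" % lo if lo == hi else "{%d,%d}" % (lo, hi))

def build_signature(msgs, q=3):
    # Anchors become literals; each gap column (text between anchors) becomes a macro.
    anchors = find_anchors(msgs, q)
    gap_re = re.compile("(.*?)" + "(.*?)".join(map(re.escape, anchors)) + "(.*)", re.S)
    macros = [infer_macro(list(c)) for c in zip(*(gap_re.fullmatch(m).groups() for m in msgs))]
    body = "".join(m + re.escape(a) for m, a in zip(macros, anchors)) + macros[-1]
    return "^" + body + "$"
```

With q=3 the anchors come out as "Hi ", ", order " and " shipped. Code: "; the name gap becomes the dictionary macro (?:Alice|Bob) while the order number and code become the noise macros \d{5} and [A-Za-z0-9]{4}.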

POSIX character classes

http://www.regular-expressions.info/posixbrackets.html

Leveraging Domain Knowledge


Improve the performance of the algorithm.

Header Filtering: ignore all but the following headers:

A message must match all headers for a signature to be considered a match.

Special Tokens: dates, IP addresses, etc. A signature anchored on such a token would “expire” soon after it was generated, so these tokens are handled in pre- and post-processing instead of being taken literally as anchors.

Signature Update


We would like to use a training buffer as small as necessary to generate good signatures.

The training buffer size is controlled by k.

Second Chance Mechanism: addresses a training buffer that is too small.

Pre-Clustering: mitigates the effects of a large training buffer.

Second Chance Mechanism


Evaluation


Judo is indeed safe and effective for filtering botnet-originated spam.

First, spam generated synthetically from actual templates used by the Storm botnet.

Next, we run the Judo system on actual spam sent by four different bots, measuring its effectiveness against spam generated by the same bot.

Last, a deployment scenario: training and testing on different instances of the same bot.

Single Template Inference


Multiple Template Inference


Real-world Deployment


Conclusion


We have shown that it is practical to generate high-quality spam content signatures simply by observing the output of bot instances and inferring the likely content of their underlying template.