Reporter: 鄭志欣 Advisor: Hsing-Kuo Pao E-mail: [email protected]
Botnet Judo: Fighting...
Conference
112/04/18
Botnet Judo: Fighting Spam with Itself Andreas Pitsillidis, Kirill Levchenko,
Christian Kreibich, Chris Kanich, Geoffrey M. Voelker, Vern Paxson, Nicholas Weaver and Stefan Savage - In Proceedings of the 17th Annual Network & Distributed System Security Symposium (NDSS), 2010.
Outline
Introduction
Template-based Spam
Judo system
  The Signature Generator
  Leveraging Domain Knowledge
  Signature Update
Evaluation
  Single Template Inference
  Multiple Template Inference
  Real-world Deployment
Conclusion
Introduction
Reactive defenses: existing filters react to spam only after it has already been received.
Reverse engineering: instead, infer the bot's template from the messages it produces.
Black box: a stream of all messages sent by a bot -> a regular expression, quickly producing precise mail filters.
Judo system
The Judo system consists of three components.
Bot farm: runs instances of spamming botnets in a contained environment.
Signature generator: maintains a set of regular-expression signatures for the spam sent by each botnet.
Spam filter: applies the current signature set to incoming mail; updated signatures are pushed to it as they are generated.
System Assumptions
First and foremost, we assume that bots compose spam using a template system.
The Signature Generator
Anchors
Macros: Dictionary Macros, Micro-Anchors, Noise Macros
Leveraging Domain Knowledge: Header Filtering, Special Tokens
Signature Update: Second Chance Mechanism, Pre-Clustering
Anchors
Extract the longest ordered set of substrings, each of length at least q, that are common to every message; these become the literal parts of the signature.
Macros
Dictionary Macros: a field whose observed values form a small, recurring set is emitted as an alternation of those values; a hypothesis test (the dictionary test) on the observed values decides whether a field is treated this way.
Micro-Anchors: substrings consisting of non-alphanumeric characters. LCS is applied again inside a gap (with no minimum length q) to find them. Once the micro-anchors partition the text, the algorithm performs the dictionary test on each set of strings delimited by the micro-anchors.
Noise Macros: for fields that generate random characters from some character set, emit a POSIX character class with arbitrary repetition ("*" or "+").
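The anchor and macro steps above, worked through in code. This is an added illustration and not the authors' Judo implementation: it tokenizes on whitespace, folds a token-level LCS across all messages to find anchors, splits each gap on micro-anchors (runs of non-alphanumeric characters shared by every message), and then applies a simplified dictionary test (a small value set with at least one repeat becomes an alternation; a single value stays literal; anything else becomes a noise macro built from the narrowest character class that covers the observations). The dictionary test, the class list, the parameters q and max_dict, and the sample messages are all assumptions of this example; the sample spam is constructed, not real Storm output.

```python
import re

TOKEN = re.compile(r"\S+|\s+")           # keep whitespace so anchors can span words
NONALNUM = re.compile(r"[^A-Za-z0-9]+")  # micro-anchor candidates


def _lcs_pairs(a, b):
    """Index pairs (i, j) of one longest common subsequence of token lists a and b."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    pairs, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            pairs.append((i, j)); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return pairs


def find_anchors(token_lists, q):
    """Tokens common to every message (in order), their position in each message, and the
    maximal runs that are contiguous in every message and at least q characters long."""
    common = list(token_lists[0])
    positions = [list(range(len(common)))]      # positions[k][t] = index of common[t] in message k
    for toks in token_lists[1:]:                # fold the LCS over all messages
        pairs = _lcs_pairs(common, toks)
        keep = [i for i, _ in pairs]
        common = [common[i] for i in keep]
        positions = [[p[i] for i in keep] for p in positions]
        positions.append([j for _, j in pairs])
    runs, start = [], 0
    for t in range(1, len(common) + 1):
        if t == len(common) or not all(p[t] == p[t - 1] + 1 for p in positions):
            if len("".join(common[start:t])) >= q:   # shorter runs fall back into the gap
                runs.append((start, t))
            start = t
    return common, positions, runs


def _noise_class(values):
    """Noise macro: narrowest class (assumed list) that covers every observed value."""
    nonempty = [v for v in values if v]
    if not nonempty:
        return ""
    for cls in ("[0-9]+", "[a-z]+", "[A-Za-z]+", "[A-Za-z0-9]+", r"\S+", ".+?"):
        if all(re.fullmatch(cls, v, re.DOTALL) for v in nonempty):
            break
    return cls if len(nonempty) == len(values) else f"(?:{cls})?"


def _field_regex(values, max_dict):
    """Simplified dictionary test: one value -> literal; a small set with at least one
    repeat -> dictionary macro (alternation); otherwise -> noise macro."""
    distinct = sorted(set(values))
    if len(distinct) == 1:
        return re.escape(distinct[0])
    if len(distinct) <= max_dict and len(distinct) < len(values):
        return "(?:" + "|".join(map(re.escape, distinct)) + ")"
    return _noise_class(values)


def _gap_regex(values, max_dict):
    """Partition a gap on micro-anchors (the same non-alphanumeric runs, in the same
    order, in every value), then run the dictionary test on each delimited piece."""
    seps = [NONALNUM.findall(v) for v in values]
    if seps[0] and all(s == seps[0] for s in seps):
        pieces = [NONALNUM.split(v) for v in values]   # always len(seps[0]) + 1 pieces
        parts = []
        for k in range(len(pieces[0])):
            parts.append(_field_regex([p[k] for p in pieces], max_dict))
            if k < len(seps[0]):
                parts.append(re.escape(seps[0][k]))    # the micro-anchor itself
        return "".join(parts)
    return _field_regex(values, max_dict)


def infer_signature(messages, q=3, max_dict=8):
    """Regular-expression signature for a set of messages produced by one template."""
    token_lists = [TOKEN.findall(m) for m in messages]
    common, positions, runs = find_anchors(token_lists, q)
    gaps = []   # gaps[k][i] = text of message k between anchor i-1 and anchor i
    for toks, pos in zip(token_lists, positions):
        bounds = [(-1, -1)] + [(pos[s], pos[e - 1]) for s, e in runs] + [(len(toks), len(toks))]
        gaps.append(["".join(toks[bounds[i][1] + 1:bounds[i + 1][0]]) for i in range(len(bounds) - 1)])
    out = []
    for i in range(len(runs) + 1):
        out.append(_gap_regex([g[i] for g in gaps], max_dict))
        if i < len(runs):
            out.append(re.escape("".join(common[runs[i][0]:runs[i][1]])))
    return "".join(out)


def matches(signature, message):
    return re.fullmatch(signature, message) is not None


# Constructed sample: four outputs of one made-up pharmacy template (not real botnet spam).
SAMPLE = [
    "Hi John, buy Viagra now at http://pill-store.example/a7f3 before 12/04/2010",
    "Hi Mary, buy Cialis now at http://pill-store.example/b21c before 12/05/2010",
    "Hi Bob, buy Viagra now at http://pill-store.example/9e0d before 12/06/2010",
    "Hi Alice, buy Levitra now at http://pill-store.example/11ab before 12/07/2010",
]

if __name__ == "__main__":
    print(infer_signature(SAMPLE))
```

On the sample the greeting name has no repeats and becomes a noise macro ([A-Za-z]+) followed by the micro-anchor ","; the product name repeats and becomes the dictionary macro (?:Cialis|Levitra|Viagra); the URL and date are split on their micro-anchors ("://", "-", ".", "/") so only the random path segment and the day number become noise macros while the rest stays literal. A real deployment would need the authors' statistical dictionary test and far more than four messages before trusting an alternation.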
Leveraging Domain Knowledge
Domain knowledge is used to improve the performance of the algorithm.
Header Filtering: all but a fixed set of headers are ignored. A message must match every header pattern for a signature to be considered a match.
Special Tokens: dates, IP addresses, etc. are replaced by a placeholder in pre-processing and expanded back into a pattern in post-processing, so they serve as anchors (such tokens "expire" after the signature was generated).
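Header filtering and special-token handling, as an added example that is not the paper's code. The set of headers a signature looks at (Subject and Content-Type here), the placeholder names, and the sample messages are assumptions of this example; anchor/macro inference is left out, so the body of the one template message is taken as a single anchor, which is enough to show why the pre-/post-processing is needed: without it the IP address and date would be mistaken for random noise instead of being matched by a precise sub-pattern.

```python
import re
from email import message_from_string

# Volatile fields: (finder applied before inference, expansion substituted afterwards).
# Placeholder names are an assumption of this example; they contain only letters and
# digits so that re.escape leaves them untouched in the generated pattern.
SPECIAL_TOKENS = {
    "IPV4TOKEN": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), r"(?:\d{1,3}\.){3}\d{1,3}"),
    "DATETOKEN": (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), r"\d{1,2}/\d{1,2}/\d{4}"),
}

# Headers a signature is allowed to consult; every other header is ignored (assumed set).
SIGNATURE_HEADERS = ("Subject", "Content-Type")


def preprocess(text):
    """Replace dates and IPv4 addresses with fixed tokens so they become anchors."""
    for token, (finder, _) in SPECIAL_TOKENS.items():
        text = finder.sub(token, text)
    return text


def postprocess(pattern):
    """Expand the tokens inside a generated (escaped) pattern into real sub-patterns."""
    for token, (_, expansion) in SPECIAL_TOKENS.items():
        pattern = pattern.replace(token, expansion)
    return pattern


class Signature:
    def __init__(self, header_patterns, body_pattern):
        self.headers = {h: re.compile(p) for h, p in header_patterns.items()
                        if h in SIGNATURE_HEADERS}
        self.body = re.compile(body_pattern, re.DOTALL)

    def matches(self, raw_message):
        msg = message_from_string(raw_message)
        for name, rx in self.headers.items():       # every header pattern must match
            value = msg.get(name)
            if value is None or rx.fullmatch(value) is None:
                return False
        return self.body.fullmatch(msg.get_payload().strip()) is not None


def signature_from_message(raw_message):
    """Build a signature from one message: consulted headers become literal patterns,
    the body becomes one anchor whose special tokens are widened into sub-patterns."""
    msg = message_from_string(raw_message)
    headers = {h: re.escape(msg[h]) for h in SIGNATURE_HEADERS if msg[h] is not None}
    body = postprocess(re.escape(preprocess(msg.get_payload().strip())))
    return Signature(headers, body)


# Constructed messages (not real spam).
TEMPLATE_MESSAGE = (
    "From: alerts@example.net\n"
    "Subject: Account notice\n"
    "Content-Type: text/plain\n"
    "\n"
    "Your account from IP 10.1.2.3 expires on 12/04/2010\n"
)
SAME_TEMPLATE = (          # different sender, IP and date: should still match
    "From: billing@example.org\n"
    "Subject: Account notice\n"
    "Content-Type: text/plain\n"
    "\n"
    "Your account from IP 192.168.5.7 expires on 1/9/2011\n"
)
OTHER_SUBJECT = (          # identical body, different Subject: must not match
    "From: alerts@example.net\n"
    "Subject: Invoice\n"
    "Content-Type: text/plain\n"
    "\n"
    "Your account from IP 10.1.2.3 expires on 12/04/2010\n"
)

if __name__ == "__main__":
    sig = signature_from_message(TEMPLATE_MESSAGE)
    print(sig.body.pattern)
    print(sig.matches(SAME_TEMPLATE), sig.matches(OTHER_SUBJECT))
```

The From header differs between the first two messages but is outside SIGNATURE_HEADERS, so it does not affect the result; the third message fails only because a consulted header does not match.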
Signature Update
We would like the training buffer to be as small as possible while still generating good signatures.
The size of the training buffer is controlled by k.
Second Chance Mechanism: addresses the case where the training buffer is too small.
Pre-Clustering: mitigates the effects of a large training buffer.
Evaluation
Judo is indeed safe and effective for filtering botnet-originated spam.
First, spam generated synthetically from actual templates used by the Storm botnet.
Next, we run the Judo system on actual spam sent by four different bots, measuring its effectiveness against spam generated by the same bot.
Last, a deployment scenario: training and testing on different instances of the same bot.