1 / 26

Characterizing Botnet from Email Spam Records

Characterizing Botnet from Email Spam Records. Presenter: Yi-Ren Yeh ( 葉倚任 ) Authors: L. Zhuang, J. Dunagan, D. R. Simon, H. J. Wang, I. Osipkov, G. Hulten, and J. Tygar. USENIX LEET 2008. Outline. Introduction Overview Methodology Metrics and Findings Conclusion. Introduction.

riona
Download Presentation

Characterizing Botnet from Email Spam Records

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Characterizing Botnetfrom Email Spam Records Presenter: Yi-Ren Yeh (葉倚任) Authors: L. Zhuang, J. Dunagan, D. R. Simon, H. J. Wang, I. Osipkov, G. Hulten, and J. Tygar. USENIX LEET 2008

  2. Outline • Introduction • Overview • Methodology • Metrics and Findings • Conclusion

  3. Introduction • Spam is a driving force in the economics of botnets • This work map botnet membership and other characteristics of botnets using spam traces • By grouping similar email messages and related spam campaigns, the authors identify a set of botnets • A large trace of spam email from Hotmail Web mail service is used

  4. Pros and Cons of using Spam • The analysis can be done on an existing email trace from one of the small number of large Web mail providers • Directly related to the economic motivation behind many botnets • Potentially a less ad-hoc and easier task than analyzing IRC/DNS logs • Unable to uncover botnets not involved in email spamming

  5. Contributions • The first one to analyze entire botnets (in contrast to individual bot) behavior from spam email messages • The first to study botnet traces based on economic motivation and monetizing activities • New findings about botnets involved in email spamming

  6. Overview The major steps in the proposed method • Cluster email messages into spam campaigns • Spam email messages with identical or similar content are sent from the same controlling entity • Use fingerprints to cluster email message • Assess IP dynamics • Extract the average time until an IP address gets reassigned • The IP reassignment range (both are under each C-subset) • Merge spam campaigns into botnets • Via the overlapping of the sending hosts

  7. Methodology • Datasets and initial processing • Identifying spam campaigns • Skipping spam from non-bots • Assessing IP dynamics • Identifying botnets • Estimating botnet Size

  8. Datasets and Initial Processing • Collected from the Hotmail Web mail service (Junk Mail) • Randomly sample 5 million spam messages collected over a 9-day period from May 21, 2007 to May 29, 2007 • Extract a reliable sender IP address heuristically for each message • Parse the body parts to get both HTML and text from each email message

  9. Identifying Spam Campaigns • Use ad hoc approaches to pre-clean the raw content and get only the rendered content • Use the shingling algorithm to cluster near-duplicate content together • Associate each spam campaign with the list {(IPi, ti)} of IP events consisting of the IP address IPi and sending time ti

  10. Skipping Spam from Non-bots • Exclude an email if the sender IP address is on the white list • Remove campaigns whose senders are all within a single C-subnet • Removes campaigns with senders from less than three geographic locations (cities)

  11. Assessing IP Dynamics • Assume that IP address reassignment is a Poisson process • Measure two IP address reassignment parameters in each C-subnet (via MSN) • The average lifetime Jt of an IP address on a particular host • The maximum distance Jr between IP addresses assigned to the same host

  12. Assessing IP Dynamics • Rule of Aggregation • Among all IP address in the same C-subset • Given (IP1, t1) and (IP2, t2) • Either IP1 or IP2 is out of the distance range (Jr) of another, we regard these two events as from two different machines • If both IP1 and IP2 are within the distance range (Jr) of each other • Keep the same IP address after an interval of duration t2 - t1 • An IP reassignment happens during an interval of duration t2 - t1

  13. Assessing IP Dynamics

  14. Identifying Botnets • Given two spam campaigns SC1 and SC2, how do we know whether they share the same controller • For all events in a spam campaign SC1, we use to measure the fraction of events in SC1 that are connected to some events in SC2, where i and j represents IP events in SC1 and SC2. • W, called as connectivity degree, ranges from 0 to 1 • Select 0.2 as a reasonable threshold

  15. Identifying Botnets

  16. Estimating Botnet Size • Assumption: Each bot sends approximately equal number of spam messages • Some quantities in hand • r: downsample rate of the dataset • N: number of spam email messages observed • N1: number of bots observed with only one spam email in the dataset • The goal is to estimate • s: the mean number of spam messages sent per bot • b: number of bots (i.e. botnet size)

  17. Estimating Botnet Size • The estimated number of spam email messages from a botnet is N/r = sb • The expected number of bots observed with only one spam email message is • The average number of spam email messages sent per bot (s) and botnet size (b):

  18. Metrics and Findings • Spam campaign duration • Botnet sizes • Per-day aspect: life span of botnets and spam campaigns • Geographic distribution of botnets

  19. Spam campaign duration • Spam campaigns duration: the time between the first email and the last email seen from a campaign • Over 50% of spam campaigns actually finish within 12 hours

  20. Spam campaign duration • Short-lived spam campaigns actually have larger volume • More than 70% of spam messages are sent by spam campaigns lasting less than 8 hours

  21. Botnet Sizes

  22. Botnet Sizes

  23. Botnet Sizes

  24. Per-day aspect: life span of botnets and spam campaigns • 60% of spam received from botnets each day are sent from long-lived botnets

  25. Geographic Distribution of Botnets • About half of botnets detected from the JMS dataset control machines in over 30 countries • The total number of bots during the 9-day observation period of the JMS dataset is about 460,000 machines

  26. Conclusion • This work is a first step to study botnets from their economic motivations • Get a picture of bot activity by directly tracing the actual operation of bots using one of their primary revenue sources (spam email) • Make estimating about the size of a botnet, behavioral characteristics, and the geographical distribution of botnets

More Related