ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Spamming botnets: signatures and characteristics
Full text PdfPdf (753 KB)
Source
Applications, Technologies, Architectures, and Protocols for Computer Communication archive
Proceedings of the ACM SIGCOMM 2008 conference on Data communication table of contents
Seattle, WA, USA
SESSION: Security I table of contents
Pages 171-182  
Year of Publication: 2008
ISBN:978-1-60558-175-0
Also published in ...
Authors
Yinglian Xie  Microsoft Research, Silicon Valley, Mountain View, CA, USA
Fang Yu  Microsoft Research, Silicon Valley, Mountain View, CA, USA
Kannan Achan  Microsoft Research, Silicon Valley, Mountain View, CA, USA
Rina Panigrahy  Microsoft Research, Silicon Valley, Mountain View, CA, USA
Geoff Hulten  Microsoft Corporation, Redmond, WA, USA
Ivan Osipkov  Microsoft Corporation, Redmond, WA, USA
Sponsors
ACM: Association for Computing Machinery
SIGCOMM: ACM Special Interest Group on Data Communication
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 72,   Downloads (12 Months): 591,   Citation Count: 5
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1402958.1402979
What is a DOI?

ABSTRACT

In this paper, we focus on characterizing spamming botnets by leveraging both spam payload and spam server traffic properties. Towards this goal, we developed a spam signature generation framework called AutoRE to detect botnet-based spam emails and botnet membership. AutoRE does not require pre-classified training data or white lists. Moreover, it outputs high quality regular expression signatures that can detect botnet spam with a low false positive rate. Using a three-month sample of emails from Hotmail, AutoRE successfully identified 7,721 botnet-based spam campaigns together with 340,050 unique botnet host IP addresses.

Our in-depth analysis of the identified botnets revealed several interesting findings regarding the degree of email obfuscation, properties of botnet IP addresses, sending patterns, and their correlation with network scanning traffic. We believe these observations are useful information in the design of botnet detection schemes.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Mohamed Ibrahim Abouelhoda , Stefan Kurtz , Enno Ohlebusch, Replacing suffix trees with enhanced suffix arrays, Journal of Discrete Algorithms, v.2 n.1, p.53-86, March 2004  [doi>10.1016/S1570-8667(03)00065-0]
 
2
David S. Anderson , Chris Fleizach , Stefan Savage , Geoffrey M. Voelker, Spamscatter: characterizing internet scam hosting infrastructure, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-14, August 06-10, 2007, Boston, MA
 
3
T. Berners-Lee , R. Fielding , L. Masinter, Uniform Resource Identifiers (URI): Generic Syntax, RFC Editor, 1998
 
4
Ken Chiang , Levi Lloyd, A case study of the rustock rootkit and spam bot, Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p.10-10, April 10, 2007, Cambridge, MA
 
5
D. Dagon, C. Zou, and W. Lee. Modeling botnet propagation using time zones. In Proc. of the 13th Annual Network and Distributed System Security Symposium (NDSS), 2006.
 
6
Neil Daswani , Michael Stoppelman, The anatomy of Clickbot.A, Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p.11-11, April 10, 2007, Cambridge, MA
 
7
Dshield: Cooperative network security community. Dynablock dynamic IP list. http://www.njabl.org/, recently aquired by spamhaus, http://www.spamhaus.org/pbl/index.lasso, 2007.
 
8
Dennis Fetterly , Mark Manasse , Marc Najork , Janet L. Wiener, A large-scale study of the evolution of web pages, Software—Practice & Experience, v.34 n.2, p.213-237, February 2004  [doi>10.1002/spe.577]
 
9
Thorsten Holz , Moritz Steiner , Frederic Dahl , Ernst Biersack , Felix Freiling, Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-9, April 15-15, 2008, San Francisco, California
 
10
Chris Kanich , Kirill Levchenko , Brandon Enright , Geoffrey M. Voelker , Stefan Savage, The heisenbot uncertainty problem: challenges in separating bots from chaff, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-9, April 15-15, 2008, San Francisco, California
 
11
Hyang-Ah Kim , Brad Karp, Autograph: toward automated, distributed worm signature detection, Proceedings of the 13th conference on USENIX Security Symposium, p.19-19, August 09-13, 2004, San Diego, CA
 
12
C. Kreibich and J. Crowcroft. Honeycomb: Creating intrusion detection signatures using honeypots. In 2nd Workshop on Hot Topics in Networks (HotNets-II), 2003.
 
13
F. Li and M.-H. Hsieh. An empirical study of clustering behavior of spammers and group-based anti-spam strategies. In CEAS 2006: Proceedings of the 3rd conference on email and anti-spam, 2006.
 
14
Zhichun Li , Manan Sanghi , Yan Chen , Ming-Yang Kao , Brian Chavez, Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience, Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.32-47, May 21-24, 2006  [doi>10.1109/SP.2006.18]
 
15
James Newsome , Brad Karp , Dawn Song, Polygraph: Automatically Generating Signatures for Polymorphic Worms, Proceedings of the 2005 IEEE Symposium on Security and Privacy, p.226-241, May 08-11, 2005  [doi>10.1109/SP.2005.15]
16
Moheeb Abu Rajab , Jay Zarfoss , Fabian Monrose , Andreas Terzis, A multifaceted approach to understanding the botnet phenomenon, Proceedings of the 6th ACM SIGCOMM conference on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil  [doi>10.1145/1177080.1177086]
 
17
A. Ramachandran, D. Dagon, and N. Feamster. Can DNS based blacklists keep up with bots? In Conference on Email and Anti-Spam, 2006.
18
Anirudh Ramachandran , Nick Feamster, Understanding the network-level behavior of spammers, Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications, September 11-15, 2006, Pisa, Italy
19
Anirudh Ramachandran , Nick Feamster , Santosh Vempala, Filtering spam with behavioral blacklisting, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315288]
 
20
Sumeet Singh , Cristian Estan , George Varghese , Stefan Savage, Automated worm fingerprinting, Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation, p.4-4, December 06-08, 2004, San Francisco, CA
 
21
Spamhaus policy block list (PBL). http://www.spamhaus.org/pbl/, Jan 2007.
 
22
S. Webb, J. Caverlee, and C. Pu. Introducing the web spam corpus: Using email spam to identify web spam automatically. In Proceedings of the Third Conference on Email and Anti-Spam (CEAS), 2006.
23
Yinglian Xie , Fang Yu , Kannan Achan , Eliot Gillum , Moises Goldszmidt , Ted Wobber, How dynamic are IP addresses?, Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications, August 27-31, 2007, Kyoto, Japan
 
24
Li Zhuang , John Dunagan , Daniel R. Simon , Helen J. Wang , J. D. Tygar, Characterizing botnets from email spam records, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-9, April 15-15, 2008, San Francisco, California

CITED BY  5
Fabrício Benevenuto , Tiago Rodrigues , Virgílio Almeida , Jussara Almeida , Marcos Gonçalves, Detecting spammers and content promoters in online video social networks, Proceedings of the 32nd international ACM SIGIR conference on Research and development in information retrieval, July 19-23, 2009, Boston, MA, USA
Yao Zhao , Yinglian Xie , Fang Yu , Qifa Ke , Yuan Yu , Yan Chen , Eliot Gillum, BotGraph: large scale spamming botnet detection, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.321-334, April 22-24, 2009, Boston, Massachusetts
John P. John , Alexander Moshchuk , Steven D. Gribble , Arvind Krishnamurthy, Studying spamming botnets using Botlab, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.291-306, April 22-24, 2009, Boston, Massachusetts
Abhinav Pathak , Feng Qian , Y. Charlie Hu , Z. Morley Mao , Supranamaya Ranjan, Botnet spam campaigns can be long lasting: evidence, implications, and analysis, Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems, June 15-19, 2009, Seattle, WA, USA
Yinglian Xie , Fang Yu , Martin Abadi, De-anonymizing the internet using unreliable IDs, ACM SIGCOMM Computer Communication Review, v.39 n.4, October 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.3 Network Operations
          Subjects: Network management


General Terms:
Algorithms, Measurement, Security


Keywords:
botnet, regular expression, signature generation, spam

Collaborative Colleagues:
Yinglian Xie: colleagues
Fang Yu: colleagues
Kannan Achan: colleagues
Rina Panigrahy: colleagues
Geoff Hulten: colleagues
Ivan Osipkov: colleagues
This Article has also been published in:

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player