Spam Mitigation using Spatio temporal Reputations from Blacklist History*

Similar documents
PreSTA: Preventing Malicious Behavior Using Spatio-Temporal Reputation. Andrew G. West November 4, 2009 ONR-MURI Presentation

PreSTA: Preventing Malicious Behavior Using Spatio-Temporal Reputation. Andrew G. West November 4, 2009 ONR-MURI Presentation

Detecting Wikipedia Vandalism via Spatio- Temporal Analysis of Revision Metadata. Andrew G. West June 10, 2010 ONR-MURI Presentation

Mitigating Spam Using Spatio-Temporal Reputation

Spam Mitigation Using Spatio-Temporal Reputations From Blacklist History

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine

Revealing Botnet Membership Using DNSBL Counter-Intelligence

MATT JONES HOW WHATSAPP REDUCED SPAM WHILE LAUNCHING END-TO-END ENCRYPTION

AS-CRED: Reputation Service for Trustworthy Inter-domain Routing

MEASURING AND FINGERPRINTING CLICK-SPAM IN AD NETWORKS

VisTracer: A Visual Analytics Tool to Investigate Routing Anomalies in Traceroutes

arxiv: v1 [cs.cr] 7 May 2012

Machine-Powered Learning for People-Centered Security

Security Whitepaper. DNS Resource Exhaustion

Twi$er s Trending Topics exploita4on pa$erns

Multidimensional Aggregation for DNS monitoring

Big Data Analytics CSCI 4030

An Empirical Study of Behavioral Characteristics of Spammers: Findings and Implications

Detecting Malicious Web Links and Identifying Their Attack Types

Major Project Part II. Isolating Suspicious BGP Updates To Detect Prefix Hijacks

NeighborWatcher: A Content-Agnostic Comment Spam Inference System

Outline. Motivation. Our System. Conclusion

Fighting Spam, Phishing and Malware With Recurrent Pattern Detection

Aiding the Detection of Fake Accounts in Large Scale Social Online Services

A Sampling of Internetwork Security Issues Involving IPv6

Cell Spotting: Studying the Role of Cellular Networks in the Internet. John Rula. Fabián E. Bustamante Moritz Steiner 2017 AKAMAI FASTER FORWARD TM

Detecting Internet Traffic Interception based on Route Hijacking

Detecting Malicious Hosts Using Traffic Flows

Analyzing Dshield Logs Using Fully Automatic Cross-Associations

Re-wiring Activity of Malicious Networks

Detecting and Quantifying Abusive IPv6 SMTP!

War Stories from the Cloud: Rise of the Machines. Matt Mosher Director Security Sales Strategy

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

Trust in the Internet of Things From Personal Experience to Global Reputation. 1 Nguyen Truong PhD student, Liverpool John Moores University

StrobeLight: Lightweight Availability Mapping and Anomaly Detection. James Mickens, John Douceur, Bill Bolosky Brian Noble

Big Data Analytics for Host Misbehavior Detection

Network Security Detection With Data Analytics (PREDATOR)

Network Security - ISA 656 Routing Security

CSE 124: CONTENT-DISTRIBUTION NETWORKS. George Porter December 4, 2017

AS-CRED: Reputation and Alert Service for Inter- Domain Routing

IPv4. Christian Grothoff.

Stochastic Analysis of Horizontal IP Scanning

Mapping Internet Sensors with Probe Response Attacks

icast / TRUST Collaboration Year 2 - Kickoff Meeting

CCRMA MIR Workshop 2014 Evaluating Information Retrieval Systems. Leigh M. Smith Humtap Inc.

Author(s): Rahul Sami, 2009

Secure Routing with RPKI. APNIC44 Security Workshop

Mavenir Spam and Fraud Control

Alberto Dainotti

Towards the Effective Temporal Association Mining of Spam Blacklists

SentinelOne Technical Brief

with Advanced Protection

APNIC Update TWNIC OPM 1 JUL George Kuo Manager, Member Services, APNIC

Online Bad Data Detection for Synchrophasor Systems via Spatio-temporal Correlations

Multidimensional Investigation of Source Port 0 Probing

Automating Security Response based on Internet Reputation

Network Security - ISA 656 Routing Security

Foundational and Systems Support for Quantitative Trust Management (QTM)

BIG-IP Application Security Manager : Implementations. Version 13.0

Marketing 201. March, Craig Stouffer, Pinpointe Marketing (408) x125

Mapping Internet Sensors with Probe Response Attacks

A brief Incursion into Botnet Detection

Fast and Evasive Attacks: Highlighting the Challenges Ahead

BotDigger: A Fuzzy Inference System for Botnet Detection

August 2009 Report #22

Credit-based Network Management

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

SNARE: Spatio-temporal Network-level Automatic Reputation Engine

Illegitimate Source IP Addresses At Internet Exchange Points

Spatial-Temporal Characteristics of Internet Malicious Sources

arxiv: v1 [cs.cr] 30 May 2014

Tatiana Braescu Seminar Visual Analytics Autumn, Supervisor Prof. Dr. Andreas Kerren. Purpose of the presentation

Measuring the Global Routing Table

CSE 124: Networked Services Lecture-17

Business Club. Decision Trees

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Real-Time Model-Free Detection of Low-Quality Synchrophasor Data

Simply Top Talkers Jeroen Massar, Andreas Kind and Marc Ph. Stoecklin

AdaptiveMobile Security Practice

Problems in Reputation based Methods in P2P Networks

Stream Mode Algorithms and. Analysis

Securing the Internet at the Exchange Point Fernando M. V. Ramos

The Challenge of Spam An Internet Society Public Policy Briefing

BGP Configuration for a Transit ISP

Spam Protection Guide

VEWS: A Wikipedia Vandal Early Warning System. Srijan Kumar, Francesca Spezzano, V.S. Subrahmanian University of Maryland, College Park

understanding media metrics WEB METRICS Basics for Journalists FIRST IN A SERIES

Reducing the Cost of Incident Response

NIGHTs-WATCH. A Cache-Based Side-Channel Intrusion Detector using Hardware Performance Counters

A quick guide to the Internet. David Clark 6.978J/ESD.68J Lecture 1 V1.0 Spring 2006

Sybil Attack Detection and Prevention Using AODV in VANET

Cisco s Appliance-based Content Security: IronPort and Web Security

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

Web Honeypots for Spies

Symantec Endpoint Protection 14

Advanced Filtering. Tobias Eggendorfer

Why do Internet services fail, and what can be done about it?

The Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It

Annotating Spatio-Temporal Information in Documents

CONTENT-DISTRIBUTION NETWORKS

Transcription:

Spam Mitigation using Spatio temporal Reputations from Blacklist History* A.G. West, A.J. Aviv, J. Chang, and I. Lee ACSAC `10 December 9, 2010 * Note that for conciseness, this version omits the animation and graph annotations that existed in the actual conference version

Motivation IP spam blacklists Reactively compiled from major email providers Single IPs can be listed, de listed, re listed De listing policy? Blacklist/spam properties d d High re listing rates Spam IPs are spatially clustered [5 12] Just 20 ASes account for 42% of all spam [7] Spam sent BL time BL 2

PreSTA: Preventative Spatio Temporal Aggregation PROBLEM Traditional punishment mechanisms are reactive ASSUM PTIONS: GIVEN: Consistent behaviors (temporal) and spatial clustering User feedback and spatial grouping functions PRODUCE: An extended list of principals thought to be bad now OUTPUT The preventative identification of malicious users 3

PreSTA Model & Reputation Fundamentals 4

Reputation Algs. Reputation systems: EBay, EigenTrust [1], Subjective Logic [2] Use cases: P2P networks, access control, anti spam [3] Enum. feedbacks; distributed calculation (transitivity) Recommendations: Voting, product suggestions B Pos: 5 Neg: 5 Pos: 2 Neg: 2 S C Pos: 1 Neg: 0 Pos: 6 Neg: 2 U Users A B + + Objects 1 2 5

PreSTA Reputation PreSTA style reputation: No positive feedback time decay to heal. Centralized and trusted feedback provider Quantify binary observations into reputations maliciousness maliciousness time time 6

PreSTA Reputation User Space AUS TEXAS AMERICA Single entity calculation and rep. Entity Behavior History Broad Behavior History Broader Behavior History values are Rep. Rep. Rep. status quo Combination (temporal) Reputation Value for AUS 7

Sample calc. (1) Time Behavior Rep. TS 1 Calculate TS 2 User misbehaves Calculate 1 TS 3 TS 4 reputation TS 5 Calculate 0 TS 6 User misbehaves Calculate time 8

Sample calc. (2) Time Behavior Rep. TS 1 Calculate TS 2 User misbehaves Calculate 1 TS 3 TS 4 reputation TS 5 Calculate 0 TS 6 User misbehaves Calculate time 9

Sample calc. (3) Time Behavior Rep. TS 1 Calculate TS 2 User misbehaves Calculate 1 TS 3 TS 4 reputation TS 5 Calculate 0 TS 6 User misbehaves Calculate time 10

Sample calc. (4) Time Behavior Rep. TS 1 Calculate TS 2 User misbehaves Calculate 1 TS 3 TS 4 reputation TS 5 Calculate 0 TS 6 User misbehaves Calculate time 11

PreSTA (spatial) User Space AUS TEXAS AMERICA Why spatial reputation: Exploit homophily Overcome the coldstart problem (Sybil [4]) Entity Behavior History Rep. Broad Behavior History Rep. Combination Broader Behavior History Rep. Grouping functions define group membership Multiple groups/dims. Geo based/abstract Reputation Value for AUS 12

PreSTA (spatial) User Space TEXAS AUS TEXAS AMERICA Houston Austin.. Dallas Entity Behavior History Rep. Broad Behavior History Rep. Combination Broader Behavior History Rep. Reputation Value for AUS rep(group) = Σ all member rep. group size 13

PreSTA + Wikipedia[19] PURPOSE: Detect vandalism edits to Wikipedia TEMPORAL SPATIAL Vandal editors are probably repeat offenders Frequently vandalized articles may be future targets Group editors by country (geographical space) Group articles by category (topical space) FEEDBACK Gleamed from administrative undo function SUCCESS Live tool STiki [20] 25,000 vandalisms undone 14

Applying PreSTA to spam mitigation Spatio temporal props. of spam email 15

Temporal Props. Of IPs removed from a popular blacklist, 26% are re listed within 10 days, and 47% are relisted within ten weeks. Consistent listing length permits normalization 16

Spatial Props. 17

Applying PreSTA to spam mitigation Implementing the model 18

Grouping Functions IANA /RIR The IANA and RIR granularity are too broad to be of relevant use AS 1000's IPs AS BLOCK IP What AS(es) are broadcasting IP? An IP may have 0, 1, or 2+ homes What is /24 (256 IP) membership? Estimation of subnet Static IP addresses Due to DHCP; multiple inhabitants Subnet BLK Heuristic 768 IPs IP level 1 IP 19

PreSTA Workflow AS Behavior Histories AS REP Source IP BLOCK REP ALG BLK REP Mail Body IP Spatial Mapping Time Decay FN IP REP SPAM or HAM Classify (SVM) Plot into 3 D Space 20

Data Sources FEEDBACK Subscribe to Spamhaus [13] provider Process diff between versions into DB AS MAP Use RouteViews [14] data to map IP AS EMAIL 5 months: 31 mil. UPenn mail headers Proofpoint [15] for ground truth 21

Applying PreSTA to spam mitigation Results 22

Big Picture Result PreSTA + Blacklist: 94% avg. Blacklist alone: 91% avg. 23

Big Picture Result Captures up to 50% of spam mails not caught by blacklist Would have blocked an addl. 650k spam emails 24

Case Studies (1) Temporal (single IP) example. Offender sent 150 spam emails and likely monitored own BL status [16]. 25

Case Studies (2) Temporal and spatial example (AS granularity). Spam campaign involving 4,500 IP addresses 26

Other Results (1) 27

Other Results (2) 28

Scalability Intended Purpose NLP is superior, but computationally expensive Initial and lightweight filter Scalability Heavy caching All AS level reputations are cached offline 43% cache hit rate for IPS, 57% for blocks Handles 500,000+ emails/hour (commodity) One month s BL history = 1 GB 29

Gamesmanship Avoid FEEDBACK in the first place Temporal evasion? Nothing but patience Spatial evasion Move around (reduces IP utility; increases cost) Prefix hijacking. Fortunately, mostly seen from bogon space [7]. Assign to a special bad AS Don t let individuals control group size (sizing attack) and maintain persistent IDs (Sybil [4]) 30

Contributions Formalization of a predictive spatio temporal reputation model (PreSTA) A dynamic access control solution for: email, Wikipedia, web service mash ups, BGP routing Implementation of PreSTA for use as a lightweight initial filter for spam email Blocking up to 50% of spam evading blacklists Extremely consistent blockage rates Scalability of 500k+ emails/hour 31

References [1] Kamvar, S.D. et al. The EigenTrust Algorithm for Reputation Management in P2P Systems. In WWW, 2003. [2] Jøsang, A. et al. Trust Network Analysis with Subjective Logic. In 29 th Australasian Computer Science Conference, 2006. [3] Alperovitch, D. et al. Taxonomy of Email Reputation Systems. In Distributed Computing Systems Workshops, 2007. [4] Douceur, J. The Sybil Attack. In 1 st IFTPS, March 2002. [5] Krebs, B. Host of Internet Spam Groups is Cut Off. [online] http://www.washingtonpost.com/wp dyn/content/article/ 2008/11/12/AR2008111200658.html, November 2008 (McColo shut down). [6] Krebs, B. FTC Sues, Shuts Down N. California Web Hosting Firm. [online] http://voices.washingtonpost.com/securityfix/ 2009/06/ftc_sues_shuts_down_n_calif_we.html, June 2009 (3FN shut down). [7] Hao, S. et al. Detecting Spammers with SNARE: Spatio temporal Network. In USENIX Security Symposium, 2009. [8] Ramachandran, A. et al. Understanding the Network level Behavior of Spammers. In SIGCOMM, 2006. [9] Ramachandran, A. et al. Filtering Spam with Behavioral Blacklisting. In CCS, 2007. [10] Qian, Z. et al. On Network level Clusters for Spam Detection. In NDSS, 2010. [11] Venkataraman, S. et al. Tracking Dynamic Sources of Malicious Activity at Internet Scale. In NIPS, 2009. [12] Venkataraman, S. et al. Exploiting Network Structure for Proactive Spam Mitigation. In USENIX Security Symposium, 2007. [13] Spamhaus Project. [online] http://www.spamhaus.org [14] Univ. of Oregon Route Views. [online] http://www.routeviews.org [15] Proofpoint, Inc. [online] http://www.proofpoint.com [16] Ramachandran, A. et al. Revealing bot net membership using DNSBL Counter Intelligence. In USENIX Security Workshops: Steps to Reducing Unwanted Traffic on the Internet, 2006. [17] IronPort Systems Inc.. Reputation based Mail Flow Control. White paper for the SenderBase system, 2002. [18] Symantec Corporation. IP Reputation Investigation. [online] http://ipremoval.sms.symantec.com [19] West, A. et al.. Detecting Wikipedia Vandalism via Spatio temporal Analysis of Revision Metadata. In EUROSEC, 2010. [20] West, A. STiki: An Anti vandalism Tool for Wikipedia. [online] http://en.wikipedia.org/wiki/wikipedia:stiki 32

Additional slides 33

Decay Function Half life function is straightforward exponential decay using 10 day half life. Half life was arrived at empirically (sum of CDF areas). TAKEAWAY: Long punishments lead to few false positives. Don t led bad guys off the hook too easily! 34

Related Work SNARE (GA Tech, Hao et al. [7]) Identifies 13 spatio temporal metrics ML classifier Temporally weak aggregation (i.e., mean and variance) Doesn t need blacklists Neither does PreSTA Not scalable. PreSTA uses just 1 metric. Similar commercial services Symantec [17] and Ironport SenderBase [18] Closed source, but binary APIs indicate correlation 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback