Detecting Spam Zombies by Monitoring Outgoing Messages

Compromised machines are one of the key security threats on the Internet; they are often used to launch various security attacks such as spamming and spreading malware, DDoS, and identity theft. Given that spamming provides a key economic incentive for attackers to recruit a large number of compromised machines, we focus on detecting the compromised machines in a network that are involved in spamming activities, commonly known as spam zombies. We develop an effective spam zombie detection system named SPOT that works by monitoring the outgoing messages of a network. SPOT is designed around a powerful statistical tool called the Sequential Probability Ratio Test (SPRT), which has bounded false positive and false negative error rates. We also evaluate the performance of the developed SPOT system using a two-month e-mail trace collected in a large US campus network. Our evaluation studies show that SPOT is an effective and efficient system for automatically detecting compromised machines in a network. For example, among the 440 internal IP addresses observed in the e-mail trace, SPOT identifies 132 of them as being associated with compromised machines. Out of the 132 IP addresses identified by SPOT, 126 can be either independently confirmed (110) or are highly likely (16) to be compromised. Moreover, only seven internal IP addresses associated with compromised machines in the trace are missed by SPOT. Finally, we compare the performance of SPOT with two other spam zombie detection algorithms, based respectively on the number and on the percentage of spam messages originated or forwarded by internal machines, and show that SPOT outperforms both.
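The following is an added illustration of the per-machine SPRT that the abstract describes; it is not SPOT's own code. For each internal IP it accumulates the log-likelihood ratio between "compromised" (H1) and "normal" (H0) over the stream of outgoing messages, each classified as spam or not, and stops at Wald's two boundaries. The spam probabilities under each hypothesis (`theta0`, `theta1`), the target error rates (`alpha`, `beta`), and the sample trace are assumptions constructed here, not values taken from the paper.

```python
"""SPRT-based spam zombie detection (added example; assumed parameters)."""
import math
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed model (not stated on the page):
#   theta0 = P(outgoing message is spam | machine is normal)      -- H0
#   theta1 = P(outgoing message is spam | machine is compromised) -- H1
#   alpha  = target false positive rate, beta = target false negative rate


def sprt_thresholds(alpha: float, beta: float) -> Tuple[float, float]:
    """Wald's boundaries on the log-likelihood ratio.

    Accept H1 when the ratio reaches ln((1-beta)/alpha); accept H0 when it
    drops to ln(beta/(1-alpha)). With these boundaries the realised error
    rates a', b' satisfy a' <= alpha/(1-beta), b' <= beta/(1-alpha) and
    a' + b' <= alpha + beta, which is the "bounded error" property.
    """
    upper = math.log((1.0 - beta) / alpha)
    lower = math.log(beta / (1.0 - alpha))
    return lower, upper


class SpotDetector:
    """One sequential test per internal IP over its outgoing messages."""

    def __init__(self, alpha: float = 0.01, beta: float = 0.01,
                 theta0: float = 0.2, theta1: float = 0.9) -> None:
        if not 0.0 < theta0 < theta1 < 1.0:
            raise ValueError("need 0 < theta0 < theta1 < 1")
        self.lower, self.upper = sprt_thresholds(alpha, beta)
        # Per-message increments to ln P(x | H1) / P(x | H0)
        self.spam_step = math.log(theta1 / theta0)                # > 0
        self.ham_step = math.log((1.0 - theta1) / (1.0 - theta0))  # < 0
        self.llr: Dict[str, float] = {}
        self.compromised: set = set()

    def observe(self, ip: str, is_spam: bool) -> Optional[str]:
        """Feed one outgoing message from `ip`.

        Returns "compromised" or "normal" when the test for this IP
        terminates, None while it is undecided. The statistic is reset after
        a decision so monitoring continues (a later infection or clean-up
        of the same host is re-evaluated from scratch).
        """
        value = self.llr.get(ip, 0.0) + (self.spam_step if is_spam else self.ham_step)
        if value >= self.upper:
            self.llr[ip] = 0.0
            self.compromised.add(ip)
            return "compromised"
        if value <= self.lower:
            self.llr[ip] = 0.0
            return "normal"
        self.llr[ip] = value
        return None


def run_trace(trace: Iterable[Tuple[str, bool]],
              detector: Optional[SpotDetector] = None) -> Dict[str, List[Tuple[int, str]]]:
    """Replay (ip, is_spam) records; return each IP's decisions together with
    the 1-based index of that IP's message at which each was reached."""
    det = detector or SpotDetector()
    decisions: Dict[str, List[Tuple[int, str]]] = {}
    counter: Dict[str, int] = {}
    for ip, is_spam in trace:
        counter[ip] = counter.get(ip, 0) + 1
        outcome = det.observe(ip, is_spam)
        if outcome is not None:
            decisions.setdefault(ip, []).append((counter[ip], outcome))
    return decisions


# Constructed sample trace (not the paper's campus data): a host sending only
# spam, a host sending only legitimate mail, and a host with mixed output.
SAMPLE_TRACE = [
    ("10.0.0.7", True), ("10.0.0.7", True), ("10.0.0.7", True), ("10.0.0.7", True),
    ("10.0.0.8", False), ("10.0.0.8", False), ("10.0.0.8", False),
    ("10.0.0.9", True), ("10.0.0.9", False), ("10.0.0.9", True),
    ("10.0.0.9", True), ("10.0.0.9", True), ("10.0.0.9", True),
]

if __name__ == "__main__":
    det = SpotDetector()
    for ip, decs in sorted(run_trace(SAMPLE_TRACE, det).items()):
        print(ip, decs)
    print("flagged:", sorted(det.compromised))
```

With the assumed parameters each spam message adds ln(4.5) to the ratio and each legitimate message subtracts ln(8), so a pure spammer is flagged on its fourth message and a clean host is cleared on its third; the mixed host needs six messages. The number of observations before a decision, not just the error bounds, is what makes such a test cheap to run inline on an outbound mail stream.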
