Issue No.02 - March/April (2012 vol.9)
pp: 198-210
Zhenhai Duan, Florida State University, Tallahassee
Peng Chen, Juniper Networks, Sunnyvale and Florida State University, Tallahassee
Fernando Sanchez, Florida State University, Tallahassee
Yingfei Dong, University of Hawaii, Honolulu
Mary Stephenson, Florida State University, Tallahassee
James Michael Barker, University of North Carolina at Chapel Hill, Chapel Hill
Compromised machines are one of the key security threats on the Internet; they are often used to launch various security attacks such as spamming and spreading malware, DDoS, and identity theft. Given that spamming provides a key economic incentive for attackers to recruit large numbers of compromised machines, we focus on the detection of the compromised machines in a network that are involved in spamming activities, commonly known as spam zombies. We develop an effective spam zombie detection system named SPOT by monitoring outgoing messages of a network. SPOT is designed based on a powerful statistical tool called the Sequential Probability Ratio Test, which has bounded false positive and false negative error rates. We also evaluate the performance of the developed SPOT system using a two-month e-mail trace collected in a large US campus network. Our evaluation studies show that SPOT is an effective and efficient system for automatically detecting compromised machines in a network. For example, among the 440 internal IP addresses observed in the e-mail trace, SPOT identifies 132 of them as being associated with compromised machines. Out of the 132 IP addresses identified by SPOT, 126 can be either independently confirmed (110) or highly likely (16) to be compromised. Moreover, only seven internal IP addresses associated with compromised machines in the trace are missed by SPOT. We also compare the performance of SPOT with two other spam zombie detection algorithms, based respectively on the number and the percentage of spam messages originated or forwarded by internal machines, and show that SPOT outperforms these two detection algorithms.
Compromised machines, spam zombies, compromised machine detection algorithms.
Zhenhai Duan, Peng Chen, Fernando Sanchez, Yingfei Dong, Mary Stephenson, James Michael Barker, "Detecting Spam Zombies by Monitoring Outgoing Messages", IEEE Transactions on Dependable and Secure Computing, vol.9, no. 2, pp. 198-210, March/April 2012, doi:10.1109/TDSC.2011.49
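To illustrate the Sequential Probability Ratio Test named in the abstract, the following added example (a generic Wald SPRT sketch, not the SPOT authors' code) runs the test per internal IP over a stream of outgoing messages already labelled spam or non-spam by a filter. The error rates, the two spam probabilities, the reset-after-"normal" policy and the sample observations are assumptions constructed for the example.

```python
import math
from collections import defaultdict

# Assumed parameters (not given on this page).
ALPHA = 0.01   # tolerated false positive rate
BETA = 0.01    # tolerated false negative rate
THETA0 = 0.2   # P(message is spam | H0: machine is normal)
THETA1 = 0.9   # P(message is spam | H1: machine is compromised)

# Wald's decision boundaries on the log-likelihood ratio.
LOWER = math.log(BETA / (1 - ALPHA))        # accept H0 at or below this
UPPER = math.log((1 - BETA) / ALPHA)        # accept H1 at or above this
STEP_SPAM = math.log(THETA1 / THETA0)       # evidence added by a spam message
STEP_HAM = math.log((1 - THETA1) / (1 - THETA0))  # evidence from a non-spam one


def sprt_scan(observations):
    """observations: iterable of (ip, is_spam) for outgoing messages.

    Returns {ip: (verdict, n)} where verdict is 'compromised', 'normal' or
    'pending' and n is the number of messages the deciding test consumed.
    """
    llr = defaultdict(float)  # running log-likelihood ratio per IP
    count = defaultdict(int)  # messages consumed by the current test
    result = {}
    for ip, is_spam in observations:
        if result.get(ip, ("pending",))[0] == "compromised":
            continue  # already flagged; nothing more to decide
        count[ip] += 1
        llr[ip] += STEP_SPAM if is_spam else STEP_HAM
        if llr[ip] >= UPPER:
            result[ip] = ("compromised", count[ip])
        elif llr[ip] <= LOWER:
            result[ip] = ("normal", count[ip])
            llr[ip], count[ip] = 0.0, 0  # restart: the host may be infected later
        elif result.get(ip, ("pending",))[0] == "pending":
            result[ip] = ("pending", count[ip])
    return result


# Constructed sample stream (documentation address range), not real trace data.
SAMPLE = ([("192.0.2.10", True)] * 4 + [("192.0.2.20", False)] * 3
          + [("192.0.2.30", True), ("192.0.2.30", False)]
          + [("192.0.2.40", s) for s in (True, False, True, True, True, True)])

if __name__ == "__main__":
    for ip, verdict in sorted(sprt_scan(SAMPLE).items()):
        print(ip, verdict)
```

With these assumed parameters a decision needs only a handful of messages, and a single non-spam message delays but does not prevent a "compromised" verdict.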