Issue No.02 - March/April (2012 vol.9)
Zhenhai Duan , Florida State University, Tallahassee
Peng Chen , Juniper Networks, Sunnyvale and Florida State University, Tallahassee
Fernando Sanchez , Florida State University, Tallahassee
Yingfei Dong , University of Hawaii, Honolulu
Mary Stephenson , Florida State University, Tallahassee
James Michael Barker , University of North Carolina at Chapel Hill, Chapel Hill
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.49
Compromised machines are one of the key security threats on the Internet; they are often used to launch various security attacks such as spamming and spreading malware, DDoS, and identity theft. Given that spamming provides a key economic incentive for attackers to recruit the large number of compromised machines, we focus on the detection of the compromised machines in a network that are involved in the spamming activities, commonly known as spam zombies. We develop an effective spam zombie detection system named SPOT by monitoring outgoing messages of a network. SPOT is designed based on a powerful statistical tool called Sequential Probability Ratio Test, which has bounded false positive and false negative error rates. In addition, we also evaluate the performance of the developed SPOT system using a two-month e-mail trace collected in a large US campus network. Our evaluation studies show that SPOT is an effective and efficient system in automatically detecting compromised machines in a network. For example, among the 440 internal IP addresses observed in the e-mail trace, SPOT identifies 132 of them as being associated with compromised machines. Out of the 132 IP addresses identified by SPOT, 126 can be either independently confirmed (110) or highly likely (16) to be compromised. Moreover, only seven internal IP addresses associated with compromised machines in the trace are missed by SPOT. In addition, we also compare the performance of SPOT with two other spam zombie detection algorithms based on the number and percentage of spam messages originated or forwarded by internal machines, respectively, and show that SPOT outperforms these two detection algorithms.
Compromised machines, spam zombies, compromised machine detection algorithms.
Zhenhai Duan, Peng Chen, Fernando Sanchez, Yingfei Dong, Mary Stephenson, James Michael Barker, "Detecting Spam Zombies by Monitoring Outgoing Messages", IEEE Transactions on Dependable and Secure Computing, vol.9, no. 2, pp. 198-210, March/April 2012, doi:10.1109/TDSC.2011.49