Thesis Record 975202022: Details




Author: 顏志豪 (Chih-Hao Yan)    Department: Computer Science and Information Engineering
Thesis title: A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-time Rootkit Detection System
★ A Detection and Defense Mechanism for Scam SMS Messages on Android Phones
★ SRA: A System for Defending Against ARP Spoofing Router Hijacking
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-time Counterattack System Against Remote Buffer Overflow Attacks
★ Real-time Serum System: An Automated Worm Curing System with an Offensive Firewall
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI: My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
★ PrivacyGuard: A Kernel-based Solution to Enhance User Privacy When Using Private Browsing
Full text: never released.
Abstract (Chinese): Research shows that more than 80% of spam mail is sent by bots (these spam-sending bots are referred to below as spam bots). Such spam not only delivers malicious content, such as the URLs of phishing sites, but also wastes a huge amount of network bandwidth. In addition, spam bots are used to launch other attacks, such as DoS/DDoS attacks and theft of personal data. Solving the above problems is therefore a critical and urgent issue. Most spam bots are not e-mail servers, and they usually only send mail but never receive it. Based on this observation, this thesis proposes a spam mail-based solution for botnet detection and network bandwidth conservation, named SpamFinder. SpamFinder observes the e-mail-related traffic passing through a router to identify hosts that only send mail but never receive it, then examines those hosts further to filter out e-mail servers, so that spam bots can be identified accurately. Finally, SpamFinder stops the spread of spam by blocking the e-mail-related traffic of these spam bots, which recovers the wasted bandwidth. We have implemented SpamFinder on a Linux router, and experimental results show that SpamFinder produces no false positives and incurs only 4% performance overhead in the worst case.
Abstract (English): Research shows that more than 80% of spam mails are sent by the bots of botnets, called spam bots hereafter. These spam mails are not only used to deliver malicious content, such as the URLs of phishing sites, but also consume a tremendous amount of precious network bandwidth. Besides, spam bots are frequently used to launch various other attacks, such as DoS/DDoS attacks and identity theft. Hence, solving the above problems is a critical and urgent issue. Because the majority of spam bots are not e-mail servers, spam bots usually only send mails but do not receive mails. Based on this observation, in this thesis we propose a spam mail-based solution, called SpamFinder, for botnet detection and network bandwidth protection. SpamFinder observes e-mail-related traffic passing through a router to identify the hosts that only send e-mails but do not receive e-mails. Then, by making further examinations to filter out e-mail servers, SpamFinder can identify spam bots with high accuracy. Finally, by blocking e-mail-related traffic originating from spam bots, SpamFinder prohibits the transmission of spam mails, which in turn saves bandwidth. We have implemented SpamFinder on a Linux router, and experimental results show that, with zero false positives, SpamFinder introduces only 4% overhead in the worst case.
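As an added illustration, not code from the thesis, the following Python sketch applies the send-only heuristic described in the abstract to a constructed connection log: hosts behind the router that open many outbound SMTP connections without ever fetching mail are flagged, those that also accept inbound SMTP are kept as mail servers, and a filter rule is emitted for the rest. The LAN address range, the port sets and the five-connection threshold are assumptions here, not the thesis's parameters.

```python
from collections import Counter

SMTP_PORTS = {25, 587}       # outbound delivery / submission
FETCH_PORTS = {110, 143}     # POP3 / IMAP: a host pulling its own mailbox
LAN_PREFIX = "10.0.0."       # assumed address range behind the router

def tally(connections):
    """Count, per LAN host, mail-related TCP connections seen by the router.
    connections: iterable of (client_ip, server_ip, server_port)."""
    c = Counter()
    for client, server, port in connections:
        if client.startswith(LAN_PREFIX):
            if port in SMTP_PORTS:
                c[(client, "smtp_out")] += 1   # host delivers or submits mail
            elif port in FETCH_PORTS:
                c[(client, "fetch")] += 1      # host fetches its own mailbox
        if server.startswith(LAN_PREFIX) and port == 25:
            c[(server, "smtp_in")] += 1        # host accepts inbound mail
    return c

def classify(counts, min_smtp_out=5):
    """Send-only hosts are spam-bot candidates; one that also accepts inbound
    SMTP is kept as a mail server (the abstract's 'further examination' step)."""
    verdicts = {}
    for h in sorted({h for h, _ in counts}):
        out, fetch, inb = (counts[(h, k)] for k in ("smtp_out", "fetch", "smtp_in"))
        if out < min_smtp_out or fetch > 0:
            verdicts[h] = "normal"          # sends little, or also receives
        elif inb > 0:
            verdicts[h] = "mail server"     # send-only but accepts SMTP
        else:
            verdicts[h] = "spam bot"
    return verdicts

def block_rules(verdicts):
    """Filter action: drop mail-related traffic originating from spam bots."""
    return [f"iptables -A FORWARD -s {h} -p tcp -m multiport --dports 25,587 -j DROP"
            for h, v in verdicts.items() if v == "spam bot"]

# Constructed connection log: a workstation, a real mail server and a bot.
SAMPLE = (
    [("10.0.0.2", "203.0.113.10", 143)]                         # workstation reads IMAP
    + [("10.0.0.2", "203.0.113.10", 587)] * 6                   # ...and submits mail
    + [("10.0.0.3", f"198.51.100.{i}", 25) for i in range(20)]  # mail server relays out
    + [(f"192.0.2.{i}", "10.0.0.3", 25) for i in range(8)]      # ...and accepts inbound mail
    + [("10.0.0.9", f"198.51.100.{i}", 25) for i in range(40)]  # bot: only ever sends
)

if __name__ == "__main__":
    print(classify(tally(SAMPLE)), *block_rules(classify(tally(SAMPLE))), sep="\n")
```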
Keywords (Chinese): ★ spam mail
★ botnet
★ spam
★ zombie (compromised host)
★ spam messages
Keywords (English): ★ spam
★ bot
★ botnet
★ zombie
★ spam bot
★ spammer
★ spam mail
Table of Contents
Abstract
Chinese Abstract
Table of Contents
List of Figures
1. Introduction
2. Background
2.1. Botnet
2.2. E-mail Architecture
2.2.1. SMTP
2.2.2. Open Mail Relay
2.2.3. POP3
2.2.4. IMAP
2.2.5. Web Mail
3. System Overview
3.1. Packet Analyzer
3.1.1. IP Threat Level Table
3.1.2. Credit Number
3.1.3. Reduce Performance Overhead
3.1.4. Filter Action
3.1.5. NAT Detection
3.2. Confirmer
4. Implementation
4.1. Packet Analyzer
4.2. Confirmer
5. Evaluation
5.1. Performance Evaluation
5.2. Effectiveness Test
5.2.1. NBL
5.2.2. Real World Traffic Evaluation
6. Related Work
7. Limitation
9. Conclusion
References
Advisor: 許富皓 (Fu-Hau Hsu)    Approval date: 2010-7-5