Replacing suffix trees with enhanced suffix arrays
Journal of Discrete Algorithms - SPIRE 2002
A large-scale study of the evolution of web pages
Software—Practice & Experience - Special issue: Web technologies
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Understanding the network-level behavior of spammers
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
A multifaceted approach to understanding the botnet phenomenon
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Filtering spam with behavioral blacklisting
Proceedings of the 14th ACM conference on Computer and communications security
A case study of the rustock rootkit and spam bot
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Spamscatter: characterizing internet scam hosting infrastructure
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Characterizing botnets from email spam records
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
The heisenbot uncertainty problem: challenges in separating bots from chaff
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Hardening Botnet by a Rational Botmaster
Information Security and Cryptology
Botnet spam campaigns can be long lasting: evidence, implications, and analysis
Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
Studying spamming botnets using Botlab
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
BotGraph: large scale spamming botnet detection
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
Detecting spammers and content promoters in online video social networks
Proceedings of the 32nd international ACM SIGIR conference on Research and development in information retrieval
A Case Study on Asprox Infection Dynamics
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Towards Proactive Spam Filtering (Extended Abstract)
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
De-anonymizing the internet using unreliable IDs
Proceedings of the ACM SIGCOMM 2009 conference on Data communication
SBotMiner: large scale search bot detection
Proceedings of the third ACM international conference on Web search and data mining
Botnet: classification, attacks, detection, tracing, and preventive measures
ICICIC '09 Proceedings of the 2009 Fourth International Conference on Innovative Computing, Information and Control
Information theoretic approach for characterizing spam botnets based on traffic properties
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
On the effectiveness of IP reputation for spam filtering
COMSNETS'10 Proceedings of the 2nd international conference on COMmunication systems and NETworks
Using whitelisting to mitigate DDoS attacks on critical internet sites
IEEE Communications Magazine
Suppressing bot traffic with accurate human attestation
Proceedings of the first ACM asia-pacific workshop on Workshop on systems
Outsourcing home network security
Proceedings of the 2010 ACM SIGCOMM workshop on Home networks
Detection of spam hosts and spam bots using network flow traffic modeling
LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Behavioral clustering of HTTP-based malware and signature generation using malicious network traces
NSDI'10 Proceedings of the 7th USENIX conference on Networked systems design and implementation
Detecting spammers with SNARE: spatio-temporal network-level automatic reputation engine
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Advantages and vulnerabilities of pull-based email-delivery
AISC '10 Proceedings of the Eighth Australasian Conference on Information Security - Volume 105
@spam: the underground on 140 characters or less
Proceedings of the 17th ACM conference on Computer and communications security
Using social networks to harvest email addresses
Proceedings of the 9th annual ACM workshop on Privacy in the electronic society
Detecting and characterizing social spam campaigns
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Detecting algorithmically generated malicious domain names
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
What happened in my network: mining network events from router syslogs
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Social network-based botnet command-and-control: emerging threats and countermeasures
ACNS'10 Proceedings of the 8th international conference on Applied cryptography and network security
Conficker and beyond: a large-scale empirical study
Proceedings of the 26th Annual Computer Security Applications Conference
SocialFilter: introducing social trust to collaborative spam mitigation
CollSec'10 Proceedings of the 2010 international conference on Collaborative methods for security and privacy
Searching the searchers with searchaudit
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
A heuristic-based feature selection method for clustering spam emails
ICONIP'10 Proceedings of the 17th international conference on Neural information processing: theory and algorithms - Volume Part I
ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads
Proceedings of the 20th international conference on World wide web
Heat-seeking honeypots: design and experience
Proceedings of the 20th international conference on World wide web
LEET'11 Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
AntBot: Anti-pollution peer-to-peer botnets
Computer Networks: The International Journal of Computer and Telecommunications Networking
Detecting malicious web links and identifying their attack types
WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
BotTrack: tracking botnets using NetFlow and PageRank
NETWORKING'11 Proceedings of the 10th international IFIP TC 6 conference on Networking - Volume Part I
Cleaning your house first: shifting the paradigm on how to secure networks
AIMS'11 Proceedings of the 5th international conference on Autonomous infrastructure, management, and security: managing the dynamics of networks and services
No plan survives contact: experience with cybercrime measurement
CSET'11 Proceedings of the 4th conference on Cyber security experimentation and test
Measuring and analyzing search-redirection attacks in the illicit online prescription drug trade
SEC'11 Proceedings of the 20th USENIX conference on Security
deSEO: combating search-result poisoning
SEC'11 Proceedings of the 20th USENIX conference on Security
BOTMAGNIFIER: locating spambots on the internet
SEC'11 Proceedings of the 20th USENIX conference on Security
Towards the effective temporal association mining of spam blacklists
Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
Blocking spam by separating end-user machines from legitimate mail server machines
Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
A strategic analysis of spam botnets operations
Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
A survey of emerging approaches to spam filtering
ACM Computing Surveys (CSUR)
Poster: online spam filtering in social networks
Proceedings of the 18th ACM conference on Computer and communications security
User-Assisted host-based detection of outbound malware traffic
ICICS'09 Proceedings of the 11th international conference on Information and Communications Security
ICCSA'10 Proceedings of the 2010 international conference on Computational Science and Its Applications - Volume Part II
Auto-learning of SMTP TCP transport-layer features for spam and abusive message detection
LISA'11 Proceedings of the 25th international conference on Large Installation System Administration
Re-wiring activity of malicious networks
PAM'12 Proceedings of the 13th international conference on Passive and Active Measurement
EigenBot: foiling spamming botnets with matrix algebra
Proceedings of the ACM SIGKDD Workshop on Intelligence and Security Informatics
B@bel: leveraging email delivery for spam mitigation
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Robust detection of comment spam using entropy rate
Proceedings of the 5th ACM workshop on Security and artificial intelligence
Populated IP addresses: classification and applications
Proceedings of the 2012 ACM conference on Computer and communications security
Innocent by association: early recognition of legitimate users
Proceedings of the 2012 ACM conference on Computer and communications security
Knowing your enemy: understanding and detecting malicious web advertising
Proceedings of the 2012 ACM conference on Computer and communications security
Security and Communication Networks
Analysis of a "/0" stealth scan from a botnet
Proceedings of the 2012 ACM conference on Internet measurement conference
Taster's choice: a comparative analysis of spam feeds
Proceedings of the 2012 ACM conference on Internet measurement conference
Longtime behavior of harvesting spam bots
Proceedings of the 2012 ACM conference on Internet measurement conference
Observing common spam in Twitter and email
Proceedings of the 2012 ACM conference on Internet measurement conference
Proactive discovery of phishing related domain names
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Detecting algorithmically generated domain-flux attacks with DNS traffic analysis
IEEE/ACM Transactions on Networking (TON)
Approximate regular expression matching with multi-strings
Journal of Discrete Algorithms
Peri-Watchdog: Hunting for hidden botnets in the periphery of online social networks
Computer Networks: The International Journal of Computer and Telecommunications Networking
SpaDeS: Detecting spammers at the source network
Computer Networks: The International Journal of Computer and Telecommunications Networking
Proceedings of the ACM International Conference on Computing Frontiers
SocialWatch: detection of online service abuse via large-scale social graphs
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Cost-sensitive online active learning with application to malicious URL detection
Proceedings of the 19th ACM SIGKDD international conference on Knowledge discovery and data mining
An analysis of socware cascades in online social networks
Proceedings of the 22nd international conference on World Wide Web
Community-based features for identifying spammers in online social networks
Proceedings of the 2013 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining
Survey and taxonomy of botnet research through life-cycle
ACM Computing Surveys (CSUR)
UNIK: unsupervised social network spam detection
Proceedings of the 22nd ACM international conference on Conference on information & knowledge management
Shady paths: leveraging surfing crowds to detect malicious web pages
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Leveraging honest users: stealth command-and-control of botnets
WOOT'13 Proceedings of the 7th USENIX conference on Offensive Technologies
SEC'13 Proceedings of the 22nd USENIX conference on Security
Trafficking fraudulent accounts: the role of the underground market in Twitter spam and abuse
SEC'13 Proceedings of the 22nd USENIX conference on Security
ExecScent: mining for new C&C domains in live networks with adaptive control protocol templates
SEC'13 Proceedings of the 22nd USENIX conference on Security
Hi-index | 0.00 |
In this paper, we focus on characterizing spamming botnets by leveraging both spam payload and spam server traffic properties. Towards this goal, we developed a spam signature generation framework called AutoRE to detect botnet-based spam emails and botnet membership. AutoRE does not require pre-classified training data or white lists. Moreover, it outputs high quality regular expression signatures that can detect botnet spam with a low false positive rate. Using a three-month sample of emails from Hotmail, AutoRE successfully identified 7,721 botnet-based spam campaigns together with 340,050 unique botnet host IP addresses. Our in-depth analysis of the identified botnets revealed several interesting findings regarding the degree of email obfuscation, properties of botnet IP addresses, sending patterns, and their correlation with network scanning traffic. We believe these observations are useful information in the design of botnet detection schemes.