An analysis of BGP multiple origin AS (MOAS) conflicts
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
A Tutorial on Support Vector Machines for Pattern Recognition
Data Mining and Knowledge Discovery
Machine Learning
Understanding the network-level behavior of spammers
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
A multifaceted approach to understanding the botnet phenomenon
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Spam and the ongoing battle for the inbox
Communications of the ACM - Spam and the ongoing battle for the inbox
Improving spam detection based on structural similarity
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
Taxonomy of Email Reputation Systems
ICDCSW '07 Proceedings of the 27th International Conference on Distributed Computing Systems Workshops
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Filtering spam with behavioral blacklisting
Proceedings of the 14th ACM conference on Computer and communications security
A distributed content independent method for spam detection
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Peeking into spammer behavior from a unique vantage point
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Spamming botnets: signatures and characteristics
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Autonomous security for autonomous systems
Computer Networks: The International Journal of Computer and Telecommunications Networking
Spamalytics: an empirical analysis of spam marketing conversion
Proceedings of the 15th ACM conference on Computer and communications security
Detecting Wikipedia vandalism via spatio-temporal analysis of revision metadata?
Proceedings of the Third European Workshop on System Security
Predictive blacklisting as an implicit recommendation system
INFOCOM'10 Proceedings of the 29th conference on Information communications
Suppressing bot traffic with accurate human attestation
Proceedings of the first ACM asia-pacific workshop on Workshop on systems
Outsourcing home network security
Proceedings of the 2010 ACM SIGCOMM workshop on Home networks
Proceedings of the 2010 ACM SIGCOMM workshop on Home networks
Detection of spam hosts and spam bots using network flow traffic modeling
LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
How to tell an airport from a home: techniques and applications
Hotnets-IX Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks
Digging into HTTPS: flow-based classification of webmail traffic
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Spam mitigation using spatio-temporal reputations from blacklist history
Proceedings of the 26th Annual Computer Security Applications Conference
ACM SIGCOMM Computer Communication Review
Building a dynamic reputation system for DNS
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
A behavior-based SMS antispam system
IBM Journal of Research and Development
Can network characteristics detect spam effectively in a stand-alone enterprise?
PAM'11 Proceedings of the 12th international conference on Passive and active measurement
Proceedings of the 4th Workshop on Social Network Systems
An empirical study of behavioral characteristics of spammers: Findings and implications
Computer Communications
An assessment of overt malicious activity manifest in residential networks
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
BOTMAGNIFIER: locating spambots on the internet
SEC'11 Proceedings of the 20th USENIX conference on Security
Towards the effective temporal association mining of spam blacklists
Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
Blocking spam by separating end-user machines from legitimate mail server machines
Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
Autonomous link spam detection in purely collaborative environments
Proceedings of the 7th International Symposium on Wikis and Open Collaboration
Measurement and evaluation of a real world deployment of a challenge-response spam filter
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
Trust extension as a mechanism for secure code execution on commodity computers
Trust extension as a mechanism for secure code execution on commodity computers
Identifying botnets by capturing group activities in DNS traffic
Computer Networks: The International Journal of Computer and Telecommunications Networking
Trust extension for commodity computers
Communications of the ACM
Auto-learning of SMTP TCP transport-layer features for spam and abusive message detection
LISA'11 Proceedings of the 25th international conference on Large Installation System Administration
Trust in collaborative web applications
Future Generation Computer Systems
B@bel: leveraging email delivery for spam mitigation
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Populated IP addresses: classification and applications
Proceedings of the 2012 ACM conference on Computer and communications security
Innocent by association: early recognition of legitimate users
Proceedings of the 2012 ACM conference on Computer and communications security
Knowing your enemy: understanding and detecting malicious web advertising
Proceedings of the 2012 ACM conference on Computer and communications security
Using trustworthy host-based information in the network
Proceedings of the seventh ACM workshop on Scalable trusted computing
Longtime behavior of harvesting spam bots
Proceedings of the 2012 ACM conference on Internet measurement conference
Detecting spammers via aggregated historical data set
NSS'12 Proceedings of the 6th international conference on Network and System Security
SpaDeS: Detecting spammers at the source network
Computer Networks: The International Journal of Computer and Telecommunications Networking
SocialWatch: detection of online service abuse via large-scale social graphs
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
UNIK: unsupervised social network spam detection
Proceedings of the 22nd ACM international conference on Conference on information & knowledge management
SEC'13 Proceedings of the 22nd USENIX conference on Security
Detecting hidden enemy lines in IP address space
Proceedings of the 2013 workshop on New security paradigms workshop
Computer Networks: The International Journal of Computer and Telecommunications Networking
Hi-index | 0.02 |
Users and network administrators need ways to filter email messages based primarily on the reputation of the sender. Unfortunately, conventional mechanisms for sender reputation--notably, IP blacklists--are cumbersome to maintain and evadable. This paper investigates ways to infer the reputation of an email sender based solely on network-level features, without looking at the contents of a message. First, we study first-order properties of network-level features that may help distinguish spammers from legitimate senders. We examine features that can be ascertained without ever looking at a packet's contents, such as the distance in IP space to other email senders or the geographic distance between sender and receiver. We derive features that are lightweight, since they do not require seeing a large amount of email from a single IP address and can be gleaned without looking at an email's contents--many such features are apparent from even a single packet. Second, we incorporate these features into a classification algorithm and evaluate the classifier's ability to automatically classify email senders as spammers or legitimate senders. We build an automated reputation engine, SNARE, based on these features using labeled data from a deployed commercial spam-filtering system. We demonstrate that SNARE can achieve comparable accuracy to existing static IP blacklists: about a 70%detection rate for less than a 0.3%false positive rate. Third, we show how SNARE can be integrated into existing blacklists, essentially as a first-pass filter.