An analysis of BGP multiple origin AS (MOAS) conflicts
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Orange: from experimental machine learning to interactive data mining
PKDD '04 Proceedings of the 8th European Conference on Principles and Practice of Knowledge Discovery in Databases
Understanding the network-level behavior of spammers
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
The Zombie roundup: understanding, detecting, and disrupting botnets
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
My botnet is bigger than yours (maybe, better than yours): why size estimates remain challenging
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Spamming botnets: signatures and characteristics
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Autonomous security for autonomous systems
Computer Networks: The International Journal of Computer and Telecommunications Networking
Inferring Spammers in the Network Core
PAM '09 Proceedings of the 10th International Conference on Passive and Active Network Measurement
Botnet spam campaigns can be long lasting: evidence, implications, and analysis
Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
Behavioral analysis of fast flux service networks
Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies
Studying spamming botnets using Botlab
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
BotGraph: large scale spamming botnet detection
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
Understanding the efficacy of deployed internet source address validation filtering
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
ACM SIGCOMM Computer Communication Review
Detecting spammers with SNARE: spatio-temporal network-level automatic reputation engine
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Attacks and design of image recognition CAPTCHAs
Proceedings of the 17th ACM conference on Computer and communications security
An experimental study of home gateway characteristics
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Can network characteristics detect spam effectively in a stand-alone enterprise?
PAM'11 Proceedings of the 12th international conference on Passive and active measurement
B@bel: leveraging email delivery for spam mitigation
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Malicious PDF detection using metadata and structural features
Proceedings of the 28th Annual Computer Security Applications Conference
Computer Networks: The International Journal of Computer and Telecommunications Networking
| Hi-index | 0.00 |
Botnets are a significant source of abusive messaging (spam, phishing, etc) and other types of malicious traffic. A promising approach to help mitigate botnet-generated traffic is signal analysis of transport-layer (i.e. TCP/IP) characteristics, e.g. timing, packet reordering, congestion, and flow-control. Prior work [4] shows that machine learning analysis of such traffic features on an SMTP MTA can accurately differentiate between botnet and legitimate sources. We make two contributions toward the real-world deployment of such techniques: i) an architecture for real-time on-line operation; and ii) auto-learning of the unsupervised model across different environments without human labeling (i.e. training). We present a "SpamFlow" SpamAssassin plugin and the requisite auxiliary daemons to integrate transport-layer signal analysis with a popular open-source spam filter. Using our system, we detail results from a production deployment where our auto-learning technique achieves better than 95 percent accuracy, precision, and recall after reception of ≈ 1,000 emails.