combating snowshoe spam with fire
play

Combating Snowshoe Spam with Fire Olivier van der Toorn - PowerPoint PPT Presentation

Nov 19, 2022 •483 likes •1.05k views

Combating Snowshoe Spam with Fire Olivier van der Toorn <o.i.vandertoorn@utwente.nl> November 13, 2018 University of Twente, Design and Analysis of Communication Systems ICT OPEN 2018 Overview Introduction Methodology Results

  1. Combating Snowshoe Spam with Fire Olivier van der Toorn <o.i.vandertoorn@utwente.nl> November 13, 2018 University of Twente, Design and Analysis of Communication Systems ICT OPEN 2018

  2. Overview Introduction Methodology Results Conclusions 1

  3. Introduction

  4. • Snowshoe Spam Background Info • Active DNS Measurements 2

  5. • Snowshoe Spam Background Info • Active DNS Measurements 2

  6. Background Info • Active DNS Measurements • Snowshoe Spam 2

  7. • Sender Policy Framework (SPF) • DNS domain Starting Point • Snowshoe spam is hard to detect 3

  8. • DNS domain Starting Point • Snowshoe spam is hard to detect • Sender Policy Framework (SPF) 3

  9. Starting Point • Snowshoe spam is hard to detect • Sender Policy Framework (SPF) • DNS domain 3

  10. Research Question How can we detect snowshoe spam through active DNS measurements? 4

  11. Methodology

  12. Methodology 5

  13. • Queries more than 60% of registered domain names OpenINTEL • Active DNS Measurement Platform 6

  14. OpenINTEL • Active DNS Measurement Platform • Queries more than 60% of registered domain names 6

  15. • 37 Features • Long Tail Analysis Datasets & Features • Two types of datasets • Labeled • Unlabeled 7

  16. • Long Tail Analysis Datasets & Features • Two types of datasets • Labeled • Unlabeled • 37 Features 7

  17. Datasets & Features • Two types of datasets • Labeled • Unlabeled • 37 Features • Long Tail Analysis 7

  18. Long Tail Analysis The long tail of the DNS 8

  19. Long Tail Analysis long The tail of the DNS 8

  20. • Ranked performance based on ‘precision’ metric Machine Learning • Trained and evaluated many classifier algorithms 9

  21. Machine Learning • Trained and evaluated many classifier algorithms • Ranked performance based on ‘precision’ metric 9

  22. Precision True Positives Precision = True Positives + False Positives 10

  23. Machine Learning • Trained and evaluated many classifier algorithms • Ranked performance based on ‘precision’ metric • Selected AdaBoost Classifier as classifier of choice (110 false positives out of 10851 ham domains) 11

  24. • Daily detections • Compared to other blacklists Realtime Blackhole List • DNS based way of hosting a blacklist 12

  25. • Compared to other blacklists Realtime Blackhole List • DNS based way of hosting a blacklist • Daily detections 12

  26. Realtime Blackhole List • DNS based way of hosting a blacklist • Daily detections • Compared to other blacklists 12

  27. • Initially in evaluation mode SURF • SURFmailfilter 13

  28. SURF • SURFmailfilter • Initially in evaluation mode 13

  29. Results

  30. Comparison training data 100% 16.6 11.2 80% CDF 60% blacklisted 40% benign 0 10 20 30 40 50 Number of A records 14

  31. Comparison training data 100% 100% 16.6 77.0 98% 11.2 80% 96% CDF CDF 60% 94% blacklisted blacklisted 92% 40% benign benign 90% 0 10 20 30 40 50 0 20 40 60 80 100 Number of A records Number of MX records 15

  32. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 16

  33. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 28984 16

  34. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 28984 1961 16

  35. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 1144 28984 1961 16

  36. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 1095 1144 28984 1961 16

  37. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 968 1095 1144 28984 1961 16

  38. Early Detection Number of detected domains 100000 10000 1000 100 10 1 0 10 20 30 40 50 60 70 80 Detection in advance (days) 928 968 1095 1144 28984 1961 16

  39. Early Detection (update) 17

  40. SURF Results daadzgam.com Domain names realdrippy.com coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates 18

  41. SURF Results daadzgam.com Domain names realdrippy.com coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates 18

  42. SURF Results daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates 18

  43. • 1080 emails • 447 (41.39%) emails with a score of five or higher SURF Results daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates 19

  44. SURF Results daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates • 1080 emails • 447 (41.39%) emails with a score of five or higher 19

  45. SURF Results daadzgam.com Domain names Detected realdrippy.com Blacklisted coachspoke.com stillscratch.com homerope.com quittradition.com 2017-05-24 2017-06-23 2017-07-23 Observation dates • 633 (58.61%) emails have a score below five • 52 unique domains in the body • of which 13 domains have never appeared in an email classified as spam • these 13 domains appeared in 31 emails (2.87%) 20

  46. Additional email blocked 700 Emails marked as spam 600 500 400 300 200 100 0 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0 Additional score of the RBL 21

  47. Additional email blocked 700 Emails marked as spam 600 500 335 400 320 300 200 120 100 22 0 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0 Additional score of the RBL 21

  48. Additional email blocked 700 Emails marked as spam 554 600 497 441 500 352 335 400 320 300 200 120 100 22 0 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0 Additional score of the RBL 21

  49. Additional email blocked 626 629 700 Emails marked as spam 554 600 497 441 500 352 335 400 320 300 200 120 100 22 0 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0 Additional score of the RBL 21

  50. Additional email blocked (update) 22

  51. Conclusions

  52. • Early detection • Additional spam blocked Conclusions • Hard to detect spam is detectable 23

  53. • Additional spam blocked Conclusions • Hard to detect spam is detectable • Early detection 23

  54. Conclusions • Hard to detect spam is detectable • Early detection • Additional spam blocked 23

  55. Questions 24

Recommend

Melting the Snow: Detecting Snowshoe Spam Domains Using Active DNS Measurements Introduction 1

Melting the Snow: Detecting Snowshoe Spam Domains Using Active DNS Measurements Introduction 1

Olivier van der Toorn &lt;o.i.vandertoorn@utwente.nl&gt; November 13, 2018 University of Twente, Design and Analysis of Communication Systems NOMS 2018 Melting the Snow: Detecting Snowshoe Spam Domains Using Active DNS Measurements

784 views • 75 slides
Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der Toorn November 13, 2018 University of Twente, Design and Analysis of Communication Systems Introduction Olivier

825 views • 71 slides
Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der Toorn February 1, 2018 University of Twente, Design and Analysis of Communication Systems Introduction Olivier

1.46k views • 90 slides
Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a

Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a

Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a highly evolved form of information warfare. Fascinating socioeconomic study with many players - users, ISPs, spammers, technologists, legal

322 views • 17 slides
Combating Spam Server-side Purpose : to provide insight into the steps an organization can take

Combating Spam Server-side Purpose : to provide insight into the steps an organization can take

Combating Spam Server-side Purpose : to provide insight into the steps an organization can take to close the Spam Floodgates. Presented by Ben Serebin May 22, 2003 @ eWin www.reefsolutions.com 1 Introduction Working in the IT sector

382 views • 12 slides
Combating Friend Spam Using Social Rejections Michael Sirivianos Cyprus University of Technology

Combating Friend Spam Using Social Rejections Michael Sirivianos Cyprus University of Technology

Dagstuhl: Cybersafety in Modern Online Social Networks Combating Friend Spam Using Social Rejections Michael Sirivianos Cyprus University of Technology Joint work with Q. Cao, Xiaowei Yang and 1 K. Munagala at Duke University Friend Spam in

439 views • 27 slides
Spam Fighting at CERN 28 April 2004 Emmanuel Ormancey 1 What is Spam ? What is Spam ? Spam

Spam Fighting at CERN 28 April 2004 Emmanuel Ormancey 1 What is Spam ? What is Spam ? Spam

Spam Fighting at CERN 28 April 2004 Emmanuel Ormancey 1 What is Spam ? What is Spam ? Spam is the friendly name given to unsolicited mail everyone receives in the mailbox. Comes from a Monty Python sketch, where in a caf everything

505 views • 13 slides
Opinion Spam and Analysis NITIN JINDAL &amp; BING LIU, WSDM 08 UIUC Opinion/Review Spam All

Opinion Spam and Analysis NITIN JINDAL &amp; BING LIU, WSDM 08 UIUC Opinion/Review Spam All

Opinion Spam and Analysis NITIN JINDAL &amp; BING LIU, WSDM 08 UIUC Opinion/Review Spam All spam is spam but some spam is more spam than others Opinion spam similar to web spam or email spam in intent, but different in form / content Web

912 views • 38 slides
The CAN-SPAM Act of 2003 D E C E M B E R 2 0 0 3 THE CAN-SPAM ACT OF 2003 Status of Legislation

The CAN-SPAM Act of 2003 D E C E M B E R 2 0 0 3 THE CAN-SPAM ACT OF 2003 Status of Legislation

The CAN-SPAM Act of 2003 D E C E M B E R 2 0 0 3 THE CAN-SPAM ACT OF 2003 Status of Legislation When Congress returns from recess on December 8, 2003, it will finish its work on the CAN-SPAM Act of 2003 (Controlling the Assault of

323 views • 4 slides
Link Spam Alliances Zoltn Gyngyi Hector Garcia-Molina Class List Spam 101 Intro to

Link Spam Alliances Zoltn Gyngyi Hector Garcia-Molina Class List Spam 101 Intro to

Link Spam Alliances Zoltn Gyngyi Hector Garcia-Molina Class List Spam 101 Intro to web spam Spam 221 Spamming PageRank Spam farm model Optimal farm structure Alliances of two farms Larger alliances Spam

876 views • 30 slides
Web Spam Dr. Marc Spaniol Dr. Marc Spaniol Saarbrcken, June 24, 2010 Databases and

Web Spam Dr. Marc Spaniol Dr. Marc Spaniol Saarbrcken, June 24, 2010 Databases and

Web Dynamics Web Spam Web Spam Dr. Marc Spaniol Dr. Marc Spaniol Saarbrcken, June 24, 2010 Databases and Information Systems Prof. Dr. G. Weikum MPII-Sp-0710-1/49 Agenda Web spam - Why and what? Web Spam - Spam taxonomy

669 views • 49 slides
Web Spam Marc Spaniol Marc Spaniol Saarbrcken, July 23, 2009 Databases and Information

Web Spam Marc Spaniol Marc Spaniol Saarbrcken, July 23, 2009 Databases and Information

Web Dynamics Web Spam Web Spam Marc Spaniol Marc Spaniol Saarbrcken, July 23, 2009 Databases and Information Systems Prof. Dr. G. Weikum MPII-Sp-0709-1/49 Agenda Web spam - Why and what? Web Spam - Spam taxonomy Overview

806 views • 49 slides
Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why

Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why

Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why should you care? How to detect Spam? 2 What is Spam? What is Spam? All forms of malicious manipulation of user generated data so as to

943 views • 56 slides
Web Spam Know Your Neighbors: Web Spam Detection using the Web Topology Presenter: Sadia Masood

Web Spam Know Your Neighbors: Web Spam Detection using the Web Topology Presenter: Sadia Masood

Seminar: Future Of Web Search University of Saarland Web Spam Know Your Neighbors: Web Spam Detection using the Web Topology Presenter: Sadia Masood Tutor : Klaus Berberich Date : 17-Jan-2008 The Agenda Focus of the First Paper

1.22k views • 53 slides
spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian

spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian

spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian Developer since 2003 Listmaster Alioth Admin Maintainer of packages like iproute, icinga, nagios and a lot of other useless stu ff

219 views • 20 slides
Machine Learning in Spam Filtering A Crash Course in ML Konstantin Tretyakov kt@ut.ee

Machine Learning in Spam Filtering A Crash Course in ML Konstantin Tretyakov kt@ut.ee

Machine Learning in Spam Filtering A Crash Course in ML Konstantin Tretyakov kt@ut.ee Institute of Computer Science, University of Tartu Overview Spam is Evil ML for Spam Filtering: General Idea, Problems. Some Algorithms Nave Bayesian

391 views • 35 slides
x 2 &gt; b w T x &gt; 0 SPAM!! x ( x , 1) w 3 x 3 w T x + b ( w , b ) T ( x , 1)

x 2 &gt; b w T x &gt; 0 SPAM!! x ( x , 1) w 3 x 3 w T x + b ( w , b ) T ( x , 1)

A neuron (or how our brains work) Linear models Subhransu Maji CMPSCI 670: Computer Vision November 3, 2016 Neuroscience 101 CMPSCI 670 Subhransu Maji (UMASS) 2 Perceptron Example: Spam Input are feature values Imagine 3 features (spam

682 views • 8 slides
Spam Filtering with Naive Bayes Classifier Yuriy Arabskyy June 6, 2017 Table of contents What

Spam Filtering with Naive Bayes Classifier Yuriy Arabskyy June 6, 2017 Table of contents What

Spam Filtering with Naive Bayes Classifier Yuriy Arabskyy June 6, 2017 Table of contents What is spam? Different spam types Anti-Spam Techniques Probability theory basics Conditional probability Bayes Theorem Naive Bayes Theorem Spam

1.04k views • 27 slides
Southern snowshoe hares: updates, questions, forecasts Karen Hodges University of British

Southern snowshoe hares: updates, questions, forecasts Karen Hodges University of British

Southern snowshoe hares: updates, questions, forecasts Karen Hodges University of British Columbia Okanagan MAJOR POINT #1. Northern hare cycles are highly variable. (iffy synchrony, variable peak heights and amplitudes) Krebs et al. 2013.

413 views • 25 slides
Spam-URL Detection via Redirects Heeyoung Kwon Mirza Basim Baig Leman Akoglu Era of Spam Era

Spam-URL Detection via Redirects Heeyoung Kwon Mirza Basim Baig Leman Akoglu Era of Spam Era

A Domain-Agnostic Approach to Spam-URL Detection via Redirects Heeyoung Kwon Mirza Basim Baig Leman Akoglu Era of Spam Era of Spams [1] [1] Social Media Spamming Grew By 658% Between 2013 And 2014: Entertainment, Financial And News

241 views • 20 slides
CA CAL F FIRE /Riverside County Fire Department CAL L FI FIRE /Riverside County Fire

CA CAL F FIRE /Riverside County Fire Department CAL L FI FIRE /Riverside County Fire

CA CAL F FIRE /Riverside County Fire Department CAL L FI FIRE /Riverside County Fire Preparedness Incident Management Team experienced managing incidents Personnel have water awareness and rescue training Department has multiple

374 views • 12 slides
Advanced Topics of Mail Service Deal with Malicious Mail, including Virus, Phishing, Spam,

Advanced Topics of Mail Service Deal with Malicious Mail, including Virus, Phishing, Spam,

Advanced Topics of Mail Service Deal with Malicious Mail, including Virus, Phishing, Spam, Computer Center, CS, NCTU Nature of Spam Spam Simultaneously Posted Advertising Message UBE Unsolicited Bulk Email UCE

915 views • 89 slides
Wall Fire District No. 3 Learn the reality of fire what a fire is really like Learn how

Wall Fire District No. 3 Learn the reality of fire what a fire is really like Learn how

John A. Sahatjian Wall Fire District No. 3 Learn the reality of fire what a fire is really like Learn how to survive and escape from a building on fire Learn how to prevent a fire VID IDEO EO PL PLAN AN TO TO GE GET T OU

174 views • 16 slides
Spam Is Bad John R. Levine Chair, IRTF ASRG Chair@asrg.sp.am http://asrg.sp.am Why is spam

Spam Is Bad John R. Levine Chair, IRTF ASRG Chair@asrg.sp.am http://asrg.sp.am Why is spam

Spam Is Bad John R. Levine Chair, IRTF ASRG Chair@asrg.sp.am http://asrg.sp.am Why is spam bad? Theres too much of it Its offensive Its fraudulent 2 Why is spam bad? Theres too much of it 98% More spam

655 views • 31 slides

More recommend