1、BotGraph: Large Scale Spamming Botnet Detection,Yao ZhaoYinglian Xie*, Fang Yu*, Qifa Ke*, Yuan Yu*, Yan Chen and Eliot Gillum EECS Department, Northwestern University Microsoft Research Silicon Valley* Microsoft Cooperation ,1,2,Web-Account Abuse Attack,Zombie (Compromised host),Spammers Server,Cap
2、tcha solver,RDSXXTD3,User/Pwd,Problems and Challenges,Detect Web-account Abuse with Hotmail Logs Input: user activity traces (signup, login, email-sending records) Goal: stop aggressive account signup, limit outgoing spamChallenges Attack is stealthy: individual account detection difficult Attack is
3、 large scale: finding correlated activities 500 million accounts 300GB-400GB data per month Low false positive and false negative rate,3,4,The BotGraph System,A graph-based approach to attack detection A large user-user graph to capture bot-account correlations Identify 26M bot-accounts with a low f
4、alse positive rate in two months Efficient implementation using Dryad/DryadLINQ Graph construction/analysis is not easily parallelizable Hundreds of millions of nodes, hundreds of billions of edges Process 200GB-300GB data in 1.5 hours with a 240-machine clusterThe first to provide a systematic solu
5、tion to the new botnet-based web-account abuse attack,System Architecture,5,Login data,Login graph,Graph generation,Random graph based clustering,Verification & prune,EWMA based change detection,Verification & prune,3. Parallel algorithm on DryadLINQ clusters,(ID, IP, time),(ID, time, # of recipient
6、s),(ID, IP, time),1. History based algorithm to detect aggressive signups,2. Graph-based algorithm to find correlations,6,Detect Aggressive Signups,Large prediction error,Back to normal,Date,Number of Signup Accounts,25,20,15,10,5,1-Jul,2-Jul,3-Jul,4-Jul,5-Jul,6-Jul,7-Jul,8-Jul,9-Jul,Signup Count,EW
7、MA Prediction,Simple and efficientDetect 20 million malicious accounts in 2 months,System Architecture,7,Login data,Login graph,Graph generation,Random graph based clustering,Verification & prune,EWMA based change detection,Verification & prune,3. Parallelel Algorithm on DryadLinq clusters,(ID, IP,
8、time),(ID, time, # of recipients),(ID, IP, time),1. History based algorithm on Signup detection,2. Graph-based algorithm on login detection,8,Observation: bot-accounts work collaborativelyNormal Users Share IP addresses in one AS with DHCP assignment Bot-users,Detect Stealthy Accounts by Graphs,A us
9、er-user graph to model behavior similarities,9,Observation: bot-accounts work collaborativelyNormal Users Share IP addresses in one AS with DHCP assignment Bot-users Likely to share different IPs across ASes,Detect Stealthy Accounts by Graphs,A user-user graph to model behavior similarities,User-use
10、r Graph,Node: Hotmail account Edge weight: # of ASes of the shared IP addresses Consider edges with weight1Key Observations Bot-users form a giant connected-component while normal users do not Interpreted by the random graph theory,10,2 ASes,3 ASes,5 ASes,1 AS,4 ASes,User1,User2,User3,User4,User5,Us
11、er6,Random Graph Theory,Random Graph G(n,p) n nodes and each pair of nodes has an edge with probability p and average degree d = (n-1) p Theorem If d 1, with high probability the graph will contain a giant component with size at the order of O(n)Most nodes are in one connected subgraph,11,Graph-base
12、d Bot-user Detection,Step 1: detect giant connected-components from the user-user graph Step 2: hierarchical algorithm to identify the correct groupings Different bot-user groups may be mixed Easier validation with correct group statistics Difficult to choose a fixed edge-threshold Step 3: prune nor
13、mal-user groups Due to national proxies, cell phone users, facebook applications, etc.,12,Graph-based Bot-user Detection,Step 1: detect giant connected-components from the user-user graph Step 2: hierarchical algorithm to identify the correct groupings Different bot-user groups may be mixed Easier v
14、alidation with correct group statistics Difficult to choose a fixed edge-threshold Step 3: prune normal-user groups Due to national proxies, cell phone users, facebook applications, etc.,13,Hierarchical Bot-Group Extraction,T=2,T=3,T=4,14,System Architecture,15,Login data,Login graph,Graph generatio
15、n,Random graph based clustering,Verification & prune,EWMA based change detection,Verification & prune,3. Parallelel Algorithm on DryadLINQ clusters,(ID, IP, time),(ID, time, # of recipients),(ID, IP, time),1. History based algorithm on Signup detection,2. Graph-based algorithm on login detection,Par
16、allel Implementation on DryadLINQ,EWMA-based Signup Abuse Detection Partition data by IP Can achieve real-time detectionUser-User Graph Construction Two algorithms and optimizations Process 200GB-300GB data in 1.5 hours with 240 machinesConnected Component Extraction Divide and conquer Process a gra
17、ph of 8.6 billion edges in 7 minutes,Parallel Implementation on DryadLINQ,EWMA-based Signup Abuse Detection Partition data by IP Can achieve real-time detectionUser-User Graph Construction Two algorithms and optimizations Process 200GB-300GB data in 1.5 hours with 240 machinesConnected Component Ext
18、raction Divide and conquer Process a graph of 8.6 billion edges in 7 minutes,Graph Construction 1: Simple Data Parallelism,Potential Edges Select ID group by IP (Map) Generate potential edges (IDi, IDj, IPk) (Reduce) Edge Weights Select IP group by ID pair (Map) Calculate edge weight (Reduce) Proble
19、m Weight 1 edge is two orders of magnitude more than others Their computation/communication is unnecessary,Graph Construction 2: Selective Filtering,19,Comparison of Two Algorithms,Method 1 Simple and scalable Method 2 Optimized to filter out weight 1 edges Utilize Join functionality, data compressi
20、on and broadcast optimization,20,Detection Results,Data description Two datasets Jun 2007 and Jan 2008 Three types of data Signup log (IP, ID, Time) Login log (IP, ID, Time) 500M users and 200300GB data per month Sendmail log (ID, time, # of recipients) About 100GB per month,21,Detection of Signup A
21、buse,22,Detection by User-user Graph,23,Validations,Manual Check Sampled groups verified by the Hotmail team Almost no false positivesComparison with Known Spamming Users Detect 86% of complained accounts Up to 54% of detected accounts are our new findingsEmail Sending Sizes per Group Most groups ha
22、ve a sharp peak The remaining contain several peaksFalse Positive Estimation Naming pattern (0.44%) Signup time (0.13%),24,Possible to Evade BotGraph?,Evade signup detection: Be stealthy Evade graph-based detection Fixed IP/AS binding Low utilization rate Bot-accounts bound to one host are easy to b
23、e grouped Be stealthy (sending as few emails as normal user),25,Severely limit attackers spam throughput,Conclusions,A graph-based approach to attack detection Identify 26M bot-accounts with a low false positive rate in two months Efficient implementation using Dryad/DryadLINQ Process 200GB-300GB data in 1.5 hours with a 240-machine cluster,26,Large-scale data-mining for network security is effective and practical,Q & A?,Thanks!,27,
