[Legacy Report] CSS Seminar: Detection of Spam Hosts and Spam Bots Using Network Flow Traffic Modeling

#Seminar #CSS

We continue to see the proliferation and persistence of cyber-threats, which are now among the top 3 priorities of the FBI, alongside terrorism. Botnets provide the platform for online organized crime and occasionally for pressing national agendas such as espionage. Some of the recent corporate espionage attacks (e.g., against Google) come from well-targeted emails with disguised links to malware that, once embedded in an end-user electronic device (desktop, laptop, smart phone, etc.), quietly leaks information out to layered foreign repositories. We will present techniques for detecting spam bots, i.e., hosts that send unsolicited email and are remotely controlled by a malicious entity. A Bayesian classification approach is used to identify spam hosts, and an entropy significant component extraction technique is used to identify hosts that are likely compromised. Flows from these hosts are further analyzed to fit botnet control models. In addition, DNS transient domain analysis is used to increase confidence in the detection of remote controllers. We will describe examples of large botnet controller detection using our prototype tools.

  • Date: 16 Sep 2010
  • Time: 03:30 PM UTC to 05:00 PM UTC
  • Location: Newark, New Jersey, United States


  Speakers

AT&T

Topic:

Detection of Spam Hosts and Spam Bots Using Network Flow Traffic Modeling

Biography:

Address: Middletown, New Jersey, United States