Tech Talk 

Research Detects Spamming Attacks 

10  2,009 

By Grace V. Jean and Sandra I. Erwin 

Researchers at Microsoft have developed a system to detect botnet attacks on Web email providers.

Botnets are composed of computers that have been taken over by an entity without the owner’s knowledge. These “zombie” computers are then commandeered to attack other computers and servers. Spamming botnets sign up for numerous Web site-based email accounts and then log in to send spam.

New software called BotGraph harnesses cloud-computing models and a graph-based approach to detect malicious activity spawned by spamming botnets. To catch them, BotGraph examines user activity logs of email accounts and produces large-scale graphs that assist in differentiating legitimate users from fake users.

“We looked at the graphs to analyze the similarities between the users. Each botnet-created fake user account in this graph will look very connected to each other,” says Fang Yu, one of the researchers on the Silicon Valley-based Microsoft team.

Legitimate account holders’ activities are spontaneous and usually are not correlated with other accounts.

“You would very rarely find a large number of users who at the same time would all log in from the same computer,” explains researcher Yinglian Xie. Botnet-created accounts, however, sign in simultaneously from the same IP address.

The team applied BotGraph to two months of Hotmail logs containing more than 500 million users and 440 gigabytes of data. The system identified more than 26 million botnet-created user accounts with a false-positive rate of 0.44 percent.
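A simplified illustration of the graph idea described above, added here as an example; it is not BotGraph's code. The log format, the thresholds `min_shared` and `min_size`, and the sample records are assumptions constructed for the demonstration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed login records: (account, source IP, hour window). Not real data.
LOGINS = [(f"bot{i}", ip, hour)
          for ip, hour in (("203.0.113.5", 10), ("203.0.113.9", 11))
          for i in range(1, 5)]
LOGINS += [
    ("carol", "203.0.113.5", 10),                              # real user on an IP the bots used once
    ("alice", "198.51.100.7", 9), ("bob", "198.51.100.7", 9),  # office NAT, one shared login
    ("dave", "192.0.2.44", 8), ("erin", "192.0.2.44", 8),      # household, shared twice
    ("dave", "192.0.2.44", 20), ("erin", "192.0.2.44", 20),
]

def build_graph(logins, min_shared=2):
    """Link two accounts that share at least min_shared (IP, window) logins."""
    users_at = defaultdict(set)
    for user, ip, window in logins:
        users_at[(ip, window)].add(user)
    weight = defaultdict(int)
    for users in users_at.values():
        # Pairwise expansion is quadratic; fine for a sketch, not for 500M users.
        for a, b in combinations(sorted(users), 2):
            weight[(a, b)] += 1
    graph = defaultdict(set)
    for (a, b), w in weight.items():
        if w >= min_shared:
            graph[a].add(b)
            graph[b].add(a)
    return graph

def suspicious_groups(graph, min_size=3):
    """Return connected components with at least min_size accounts."""
    seen, groups = set(), []
    for start in sorted(graph):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            u = stack.pop()
            if u not in comp:
                comp.add(u)
                stack.extend(graph[u] - comp)
        seen |= comp
        if len(comp) >= min_size:
            groups.append(sorted(comp))
    return groups

if __name__ == "__main__":
    print(suspicious_groups(build_graph(LOGINS)))
```

The single coincidental overlap (carol, alice and bob) never forms an edge, and the two-person household forms an edge but stays below the group-size threshold, so only the correlated accounts are reported.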