Publication


Featured research published by Yingfei Dong.


IEEE Transactions on Dependable and Secure Computing | 2012

Detecting Spam Zombies by Monitoring Outgoing Messages

Zhenhai Duan; Peng Chen; Fernando Sanchez; Yingfei Dong; Mary Stephenson; James Michael Barker

Compromised machines are one of the key security threats on the Internet; they are often used to launch various security attacks such as spamming and spreading malware, DDoS, and identity theft. Given that spamming provides a key economic incentive for attackers to recruit the large number of compromised machines, we focus on the detection of the compromised machines in a network that are involved in the spamming activities, commonly known as spam zombies. We develop an effective spam zombie detection system named SPOT by monitoring outgoing messages of a network. SPOT is designed based on a powerful statistical tool called Sequential Probability Ratio Test, which has bounded false positive and false negative error rates. In addition, we also evaluate the performance of the developed SPOT system using a two-month e-mail trace collected in a large US campus network. Our evaluation studies show that SPOT is an effective and efficient system in automatically detecting compromised machines in a network. For example, among the 440 internal IP addresses observed in the e-mail trace, SPOT identifies 132 of them as being associated with compromised machines. Out of the 132 IP addresses identified by SPOT, 126 can be either independently confirmed (110) or highly likely (16) to be compromised. Moreover, only seven internal IP addresses associated with compromised machines in the trace are missed by SPOT. In addition, we also compare the performance of SPOT with two other spam zombie detection algorithms based on the number and percentage of spam messages originated or forwarded by internal machines, respectively, and show that SPOT outperforms these two detection algorithms.


Computer Networks | 2007

DMTP: Controlling spam through message delivery differentiation

Zhenhai Duan; Yingfei Dong; Kartik Gopalan

Unsolicited commercial email, commonly known as spam, has become a pressing problem in today's Internet. In this paper, we re-examine the architectural foundations of the current email delivery system that are responsible for the proliferation of email spam. We argue that the difficulties in controlling spam stem from the fact that the current email system is fundamentally sender-driven and distinctly lacks receiver control over email delivery. Based on these observations we propose a Differentiated Mail Transfer Protocol (DMTP), which grants receivers greater control over how messages from different senders should be delivered on the Internet. In addition, we also develop a simple mathematical model to study the effectiveness of DMTP in controlling spam. Through numerical experiments we demonstrate that DMTP can effectively reduce the maximum revenue that a spammer can gather. Moreover, compared to the current SMTP-based email system, the proposed email system can force spammers to stay online for longer periods of time, which may significantly improve the performance of various real-time blacklists of spammers. In addition, DMTP provides an incremental deployment path from the current SMTP-based system in today's Internet.


IEEE Transactions on Multimedia | 2006

Loopback: exploiting collaborative caches for large-scale streaming

Ewa Kusmierek; Yingfei Dong; David Hung-Chang Du

In this paper, we propose a Loopback approach in a two-level streaming architecture to exploit collaborative client/proxy buffers for improving the quality and efficiency of large-scale streaming applications. At the upper level we use a content delivery network (CDN) to deliver video from a central server to proxy servers. At the lower level a proxy server delivers video with the help of collaborative client caches. In particular, a proxy server and its clients in a local domain cache different portions of a video and form delivery loops. In each loop, a single video stream originates at the proxy, passes through a number of clients, and finally is passed back to the proxy. As a result, with limited bandwidth and storage space contributed by collaborative clients, we are able to significantly reduce the required network bandwidth, I/O bandwidth, and cache space of a proxy. Furthermore, we develop a local repair scheme to address the client failure issue for enhancing service quality and eliminating most required repairing load at the central server. For popular videos, our local repair scheme is able to handle most single-client failures without service disruption and retransmissions from the central server. Our analysis and simulations have shown the effectiveness of the proposed scheme.


International Conference on Computer Communications | 2013

A traceback attack on Freenet

Guanyu Tian; Zhenhai Duan; Todd Baumeister; Yingfei Dong

Freenet is a popular peer-to-peer anonymous network, with the objective to provide the anonymity of both content publishers and retrievers. Despite more than a decade of active development and deployment and the adoption of well-established cryptographic algorithms in Freenet, it remains unanswered how well the anonymity objective of the initial Freenet design has been met. In this paper we develop a traceback attack on Freenet, and show that the originating machine of a content request message in Freenet can be identified; that is, the anonymity of a content retriever can be broken, even if a single request message has been issued by the retriever. We present the design of the traceback attack, and perform Emulab-based experiments to confirm the feasibility and effectiveness of the attack. With randomly chosen content requesters (and random contents stored in the Freenet testbed), the experiments show that, for 24% to 43% of the content request messages, we can identify their originating machines. We also briefly discuss potential solutions to address the developed traceback attack. Despite being developed specifically on Freenet, the basic principles of the traceback attack and solutions have important security implications for similar anonymous content sharing systems.


2012 International Conference on Cyber Security | 2012

A Routing Table Insertion (RTI) Attack on Freenet

Todd Baumeister; Yingfei Dong; Zhenhai Duan; Guanyu Tian

Very little work has been conducted on quantitatively evaluating the basic design and implementation choices in common p2p anonymous systems. In this paper, we focus on this issue and use Freenet as an example to investigate quantitative measures for anonymous systems. We have conducted extensive analysis of Freenet, and identified several practical attacks that seriously damage the anonymity strength of Freenet. These attacks exploit several fundamental performance improvement schemes in p2p systems, and can be easily extended to other popular DHT-like p2p anonymous systems using similar mechanisms. In particular, we are able to find the network topology, perform a routing table insertion (RTI) attack, and trace back queries. In this paper, we focus on the RTI attack to make a malicious node a direct peer of a victim node. As a result, many other attacks can be launched to break the anonymity promise. To facilitate the RTI attack, we have also developed a route prediction model based on Freenet routing mechanisms. Our experimental results show the effectiveness of the proposed attack. Our goal is not to attack Freenet. Instead, we hope that the lessons learned here help us improve Freenet, develop new design guidelines for p2p anonymous systems, and generalize quantitative measures to evaluate their strength.


Conference on Email and Anti-Spam | 2011

Blocking spam by separating end-user machines from legitimate mail server machines

Fernando Sanchez; Zhenhai Duan; Yingfei Dong

Spamming botnets present a critical challenge in the control of spam messages due to the sheer volume and wide spread of the botnet members. In this paper we advocate the approach for recipient mail servers to filter messages directly delivered from remote end-user (EU) machines, given that the majority of spamming bots are EU machines. We develop a Support Vector Machine (SVM) based classifier to separate EU machines from legitimate mail server (LMS) machines, using a set of machine features that cannot be easily manipulated by spammers. We investigate the efficacy and performance of the SVM-based classifier using a number of real-world data sets. Our performance studies show that the SVM-based classifier is indeed a feasible and effective approach in distinguishing EU machines from LMS machines. For example, training and testing on an aggregated data set containing both EU machines and LMS machines, the SVM-based classifier can achieve a 99.27% detection accuracy, with very small false positive rate (0.44%) and false negative rate (1.1%), significantly outperforming eight DNS-based blacklists widely used today.


Journal of Internet Technology | 2004

Proxy-Assisted Periodic Broadcast Architecture for Large-Scale Video Streaming

Ewa Kusmierek; David Hung-Chang Du; Yingfei Dong

Many multimedia applications rely on video streaming techniques. However, large-scale video delivery is still challenging since it requires a large amount of resources. In this paper we propose a proxy-assisted periodic broadcast architecture for video delivery to a large number of clients over the Internet. Our video delivery technique is based on a combination of periodic broadcast by central server and proxy server caching. A proxy server caches either part or the entire video based on the video popularity. A video stored in the central server is partitioned into two parts, a server prefix and a server suffix, based on the aggregated demand for the video from all communities. In principle, the server prefix is delivered by unicast and the server suffix is delivered by periodic broadcast. The combination of proxy prefix and server prefix defines a wide spectrum of different video delivery modes. The transmission of a video can be either partially unicast or partially periodic broadcast depending on the relationship between proxy prefix and server prefix. We further define and solve the optimization problems for proxy prefix selection and server prefix selection in order to minimize the total resource requirements. Performance of our system is evaluated through a number of tests.


Journal of Parallel and Distributed Computing | 2001

Architectural Effects of Symmetric Multiprocessors on TPC-C Commercial Workload

Xing Du; Xiaodong Zhang; Yingfei Dong; Lin Zhang

Commercial transaction processing applications are an important workload running on symmetric multiprocessor systems (SMPs). They differ dramatically from scientific, numeric-intensive, and engineering applications because they are I/O bound, and they contain more system software activities. Most SMP servers available in the market have been designed and optimized for scientific and engineering workloads. A major challenge of studying architectural effects on the performance of a commercial workload is the lack of easy access to large-scale and complex database engines running on a multiprocessor system with powerful I/O facilities. Experiments involving case studies have been shown to be highly time-consuming and expensive. In this paper, we investigate the feasibility of using queuing network models with the support of simulation to study the SMP architectural impacts on the performance of commercial workloads. We use the commercial benchmark TPC-C as the workload. A bus-based SMP machine is used as the target platform. Queueing network modeling is employed to characterize the TPC-C workload on the SMP. The system components such as processors, memory, the memory bus, I/O buses, and disks are modeled as service centers, and their effects on performance are analyzed. Simulations are conducted as well to collect the workload-specific parameters (model parameterization) and to verify the accuracy of the model. Our studies find that among disk-related parameters, the disk rotation latency affects the performance of TPC-C most significantly. Among I/O buses and number of disks, the number of I/O buses has the deepest impact on performance. This study also demonstrates that our modeling approach is feasible, cost-effective, and accurate for evaluating the performance of commercial workloads on SMPs, and it is complementary to the measurement-based experimental approaches.


International Conference on Cloud Computing | 2012

Exploiting Artificial Immune systems to detect unknown DoS attacks in real-time

Dawei Wang; Longtao He; Yibo Xue; Yingfei Dong

DoS is still one of the most serious attacks on the Internet. Payload-based approaches are effective against known DoS attacks but are unable to be deployed on high-speed networks. To address this issue, flow-based DoS detection schemes have been proposed for high-speed networks as an effective supplement to payload-based solutions. However, existing flow-based solutions have serious limitations in detecting unknown attacks and efficiently identifying real attack flows buried in the background traffic. In addition, existing solutions also have difficulty adapting to attack dynamics. To address these issues, this paper proposes a flow-based DoS detection scheme based on Artificial Immune systems. We adopt a tree structure to store flow information such that we can effectively extract useful features from flow information for better detecting DoS attacks. We employ Neighborhood Negative Selection (NNS) as the detection algorithm to detect unknown DoS attacks, and identify attack flows from massive traffic. Because of the strong tolerance of NNS, the proposed solution is able to quickly adapt to attack dynamics. The experimental results show that this solution is able to effectively detect unknown DoS attack flows and identify attack flows from background traffic. Meanwhile, the theoretical analysis demonstrates that this system can extract flow features more effectively.


International Conference on Communications | 2011

A Novel Comprehensive Network Security Assessment Approach

Chunlu Wang; Yancheng Wang; Yingfei Dong; Tianle Zhang

Network security assessment is critical to the survivability and reliability of distributed systems. In this paper, we propose a novel assessment approach that supports automatic vulnerability assessment utilizing Bayesian attack graphs. We also integrate several major vulnerability databases into a comprehensive database and build a customized vulnerability scanner to assist attack graph generation. Different from existing solutions that manually assign probabilities to a Bayesian attack graph, we design a set of quantitative metrics to automatically analyze vulnerability and evaluate the proposed approach with real-world examples. Our results show the promising capability of the proposed approach in further improving assessment quality.

Collaboration

Top Co-Authors

Zhenhai Duan (Florida State University)

Zhi Li Zhang (University of Minnesota)

Changho Choi (University of Minnesota)

Guanyu Tian (Florida State University)