Title Clustering botnet behavior using parameterized models
Abstract Identification and prevention of email spam originating from botnets may be performed by finding similarity in host properties and behavior patterns using a set of labeled data. Clustering models of host properties pertaining to previously identified and appropriately tagged botnet hosts may be learned. Given labeled data, each botnet may be examined individually and a clustering model learned over a set of selected host properties. Once a model has been learned for every botnet, the clustering behavior may be used to look for hosts whose properties fit a known profile. Traffic from such hosts can be either discarded or tagged for subsequent analysis, and the profiles can also be used to characterize botnets and prevent them from launching other attacks. In addition, the models of individual botnets can themselves be clustered to form superclusters, which can help in understanding botnet behavior and detecting future attacks.
Publication number US8745731(B2) Publication date 2014.06.03
Application number US20080061664 Filing date 2008.04.03
Applicant Microsoft Corporation Inventors Achan Kannan;Xie Yinglian;Yu Fang
Classification G06F11/00;G06F12/14;G06F12/16;G06F7/04 Main classification G06F11/00
Agency Agent
Independent claim 1. A computer-implemented method of spammer detection, comprising: configuring at least one processor to perform the functions of: receiving, at an email server, email data related to a plurality of hosts; analyzing a plurality of features within the email data as received at the email server, the features including at least one of email contents, a sending time of the email, or an email sending behavior; computing a plurality of distances between a plurality of vectors in a three-dimensional space based on the features; determining a plurality of clusters of hosts based on the distances; using the plurality of clusters of hosts to characterize botnet activities for spammer detection, the characterizing comprising: determining that a set of botnets belongs to a set of hosts in the plurality of clusters of hosts; determining a total number of botnets that share a sending pattern; and using the sending pattern to determine a similarity of sending patterns across botnets.
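The abstract and claim 1 together describe a pipeline: learn one clustering model per labeled botnet over a three-dimensional host feature space (content, sending time, sending behavior), match new hosts against those models by distance, then cluster the botnet models themselves into superclusters and count how many botnets share a sending pattern. The following is an added illustration of that pipeline, not code from the patent or from Microsoft. The feature encoding (normalized mean sending hour, normalized send rate, fraction of messages matching a content template), the centroid-plus-radius model, the single-linkage supercluster step, the thresholds and all host data are constructed assumptions chosen to make the steps concrete.

```python
"""Added example (not from the patent): per-botnet clustering models over 3-D host features."""
import math
from collections import defaultdict

# Constructed sample data. Each host vector holds the three feature kinds named in
# claim 1, each normalized to [0, 1]:
#   (mean_send_hour / 24, msgs_per_hour / max_rate, fraction_matching_content_template)
LABELED_HOSTS = {
    "h1": ("botA", (0.10, 0.80, 0.90)),
    "h2": ("botA", (0.12, 0.85, 0.95)),
    "h3": ("botA", (0.08, 0.78, 0.92)),
    "h4": ("botB", (0.11, 0.82, 0.40)),  # same sending pattern as botA, different content
    "h5": ("botB", (0.13, 0.80, 0.42)),
    "h6": ("botC", (0.70, 0.20, 0.60)),
    "h7": ("botC", (0.72, 0.22, 0.58)),
}
UNLABELED_HOSTS = {
    "u1": (0.11, 0.83, 0.91),  # should fall inside the botA profile
    "u2": (0.50, 0.50, 0.50),  # matches no learned profile
    "u3": (0.12, 0.81, 0.44),  # should fall inside the botB profile
}


def euclid(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def learn_profiles(labeled, min_radius=0.05):
    """Learn one model per labeled botnet: its centroid plus an acceptance radius.
    The radius is twice the farthest member's distance from the centroid, floored
    at min_radius so a tight or singleton cluster still accepts nearby hosts
    (assumed heuristic, not the patent's parameterization)."""
    members = defaultdict(list)
    for botnet, vec in labeled.values():
        members[botnet].append(vec)
    profiles = {}
    for botnet, vecs in members.items():
        dims = len(vecs[0])
        centroid = tuple(sum(v[i] for v in vecs) / len(vecs) for i in range(dims))
        spread = max(euclid(centroid, v) for v in vecs)
        profiles[botnet] = (centroid, max(2 * spread, min_radius))
    return profiles


def classify_host(profiles, vec):
    """Assign a host to the nearest profile whose radius contains it, else None.
    Hosts returning None are the ones to tag for follow-up analysis rather than
    discard, since they match no known botnet."""
    best = None
    for botnet, (centroid, radius) in profiles.items():
        d = euclid(centroid, vec)
        if d <= radius and (best is None or d < best[1]):
            best = (botnet, d)
    return best[0] if best else None


def supercluster(profiles, dims=(0, 1), threshold=0.1):
    """Group botnet models by single linkage over the sending-pattern dimensions
    only (sending time, send rate): two botnets whose centroids lie within
    threshold in that subspace share a sending pattern even if their content differs."""
    names = sorted(profiles)
    parent = {n: n for n in names}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            pa = tuple(profiles[a][0][d] for d in dims)
            pb = tuple(profiles[b][0][d] for d in dims)
            if euclid(pa, pb) <= threshold:
                parent[find(a)] = find(b)
    groups = defaultdict(set)
    for n in names:
        groups[find(n)].add(n)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


def botnets_sharing_pattern(superclusters):
    """Total number of botnets that share a sending pattern with at least one other."""
    return sum(len(g) for g in superclusters if len(g) > 1)


if __name__ == "__main__":
    profiles = learn_profiles(LABELED_HOSTS)
    for host, vec in UNLABELED_HOSTS.items():
        print(host, "->", classify_host(profiles, vec))
    groups = supercluster(profiles)
    print("superclusters:", [sorted(g) for g in groups])
    print("botnets sharing a sending pattern:", botnets_sharing_pattern(groups))
```

Running the block classifies u1 as botA and u3 as botB, leaves u2 unmatched, and places botA and botB in one supercluster because their sending time and rate coincide even though their content feature differs; the count of botnets sharing a sending pattern is therefore 2. In a real deployment the normalization constants and the radius heuristic would be tuned against held-out labeled hosts, and a host that matches no profile should be queued for analysis rather than treated as benign.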
Address Redmond WA US