Detecting Spam Zombies by Monitoring Outgoing Messages

Detecting Spam Zombies by Monitoring Outgoing Messages

ABSTRACT:

Compromised machines are one of the key security threats on the Internet; they are often used to launch various security attacks such as spamming and spreading malware, DDoS, and identity theft. Given that spamming provides a key economic incentive for attackers to recruit the large number of compromised machines, we focus on the detection of the compromised machines in a network that are involved in the spamming activities, commonly known as spam zombies. We develop an effective spam zombie detection system named SPOT by monitoring outgoing messages of a network. SPOT is designed based on a powerful statistical tool called Sequential Probability Ratio Test, which has bounded false positive and false negative error rates. In addition, we also evaluate the performance of the developed SPOT system using a two-month e-mail trace collected in a large US campus network. Our evaluation studies show that SPOT is an effective and efficient system in automatically detecting compromised machines in a network.

For example, among the 440 internal IP addresses observed in the e-mail trace, SPOT identifies 132 of them as being associated with compromised machines. Out of the 132 IP addresses identified by SPOT, 126 can be either independently confirmed (110) or highly likely (16) to be compromised. Moreover, only seven internal IP addresses associated with compromised machines in the trace are missed by SPOT. In addition, we also compare the performance of SPOT with two other spam zombie detection algorithms based on the number and percentage of spam messages originated or forwarded by internal machines, respectively, and show that SPOT outperforms these two detection algorithms.

NETWORK MODEL:

SYSTEM ARCHITECTURE:

EXISTING SYSTEM:

Major security challenge on the Internet is the existence of the large number of compromised machines. Such machines have been increasingly used to launch various security attacks including spamming and spreading malware, DDoS, and identity theft

DISADVANTAGES OF EXISTING SYSTEM:

They are often used to launch various security attacks such as spamming and spreading malware, DDoS, and identity theft.

A major security challenge on the Internet is the existence of the large number of compromised machines.

Their approaches are better suited for large e-mail service providers to understand the aggregate global characteristics of spamming botnets instead of being deployed by individual networks to detect internal compromised machines. Moreover, their approaches cannot support the online detection requirement in the network environment considered in this paper.

The existing algorithm is less effective.

Identifying and cleaning compromised machines in a network remain a significant challenge for system administrators of networks of all sizes.

PROPOSED SYSTEM:

In this paper, we focus on the detection of the compromised machines in a network that are used for sending spam messages, which are commonly referred to as spam zombies.

The nature of sequentially observing outgoing messages gives rise to the sequential detection problem. In this paper, we will develop a spam zombie detection system, named SPOT, by monitoring outgoing messages. SPOT is designed based on a statistical method called Sequential Probability Ratio Test (SPRT), As a simple and powerful statistical method, SPRT has a number of desirable features. It minimizes the expected number of observations required to reach a decision among all the sequential and non-sequential statistical tests with no greater error rates. This means that the SPOT detection system can identify a compromised machine quickly.

In proposed system to develop an effective spam zombie detection system named SPOT.

SPOT is used to monitoring outgoing messages of a network.

SPOT is designed based on a statistical method called sequential probability ratio test (SPRT).

SPOT can be used to test between two hypotheses whether the machine is compromised or not.

ADVANTAGES OF PROPOSED SYSEM:

SPOT is an effective and efficient system in automatically detecting compromised machines in a network. For example, among the 440 internal IP addresses observed in the e-mail trace, SPOT identifies 132 of them as being associated with compromised machines. Out of the 132 IP addresses identified by SPOT, 126 can be either independently confirmed (110) or are highly likely (16) to be compromised.

SPOT has bounded false positive and false negative error rates.

It also minimizes the number of required observations to detect a spam zombie.

LIST OF MODULES:

1)    Account authentication

2)    Sending mails

3)    SPOT detection

                                                       i.            capture IP

                                                     ii.            SPOT filter

                                                  iii.            SPOT results

4)    CT detection.

5)    PT detection

MODULES DESCRIPTION:

1.      Account authentication

§  In this module to check the mail id and password.

§  If these two fields are valid, the account is authenticated.

§  Otherwise is not valid.

   2.  Sending mails

§  In this module a single person to send one or more mails to other person.

§  This mails either spam or non spam.

§  Spam means the more copies of the single message are send.

§  And it contains more than 20 lines.

3.  SPOT detection

§  In this module to capture the IP address of the system.

§  That system mails are applied to filtering process.

§  In this process, the mail content is filtered.

§  Finally to produce the result of filter. 

4. CT detection

§  In this module to set the threshold value C_s .

§  C_s denotes the fixed length of spam mail.

§  Also to count the number of lines in each mail.

§  If the each mail, counts are greater than equal to threshold value.

§  So, these mails are spam mail.

5.  PT detection

§  In this module to set two threshold values.

§  1) C_a- specifies the minimum number of mail that machine must send. 2) P- specifies the maximum spam mail percentage of a normal machine.

§  This algorithm is used to compute the count of total mails and the count of spam mails of machine.

§  To check this count of total mails are greater than equal to Cs and the count of spam mails are greater than equal to P.

§  If it’s true these mails are spam mail.

SYSTEM REQUIREMENTS:

HARDWARE REQUIREMENTS:

•         System                 : Pentium IV 2.4 GHz.

•         Hard Disk            : 40 GB.

•         Floppy Drive       : 1.44 Mb.

•         Monitor                : 15 VGA Colour.

•         Mouse                  : Logitech.

•         Ram                     : 512 Mb.

SOFTWARE REQUIREMENTS:

•         Operating system           : - Windows XP.

•         Coding Language :  JAVA

•         DATABASE        : MYSQL

CONCLUSION:

v SPOT can work extremely well in the environment of dynamic IP address.

v SPOT is an effective and efficient system in automatically detecting compromised machines in a network.

REFERENCE:

Zhenhai Duan, Senior Member, IEEE, Peng Chen, Fernando Sanchez, Yingfei Dong, Member, IEEE, Mary Stephenson, and James Michael Barker,” Detecting Spam Zombies by Monitoring Outgoing Messages”, IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012.