KSII Transactions on Internet and Information Systems (TIIS)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

EMICS: E-mail based Malware Infected IP Collection System

  • Lee, Taejin (Department of Computer engineering, Hoseo University) ;
  • Kwak, Jin (Department of Cyber Security, College of Information Technology, Ajou University)
  • Received : 2017.07.29
  • Accepted : 2018.01.24
  • Published : 2018.06.30
Download PDF
⟨ Previous Next ⟩

Abstract

Cyber attacks are increasing continuously. On average about one million malicious codes appear every day, and attacks are expanding gradually to IT convergence services (e.g. vehicles and television) and social infrastructure (nuclear energy, power, water, etc.), as well as cyberspace. Analysis of large-scale cyber incidents has revealed that most attacks are started by PCs infected with malicious code. This paper proposes a method of detecting an attack IP automatically by analyzing the characteristics of the e-mail transfer path, which cannot be manipulated by the attacker. In particular, we developed a system based on the proposed model, and operated it for more than four months, and then detected 1,750,000 attack IPs by analyzing 22,570,000 spam e-mails in a commercial environment. A detected attack IP can be used to remove spam e-mails by linking it with the cyber removal system, or to block spam e-mails by linking it with the RBL(Real-time Blocking List) system. In addition, the developed system is expected to play a positive role in preventing cyber attacks, as it can detect a large number of attack IPs when linked with the portal site.

Keywords

References

  1. Markoff, John, "Attack of the zombie computers is a growing threat, experts say," New York Times, 157, 1-3, 2007.
  2. Zhuang, Li, et al, "Characterizing Botnets from Email Spam Records," LEET, 8, 1-9, 2008.
  3. John, John P., et al, "Studying Spamming Botnets Using Botlab," NSDI, Vol. 9, 2009.
  4. Zhao, Yao, et al, "BotGraph: Large Scale Spamming Botnet Detection," NSDI, Vol. 9, 2009.
  5. Xie, Yinglian, et al, "Spamming botnets: signatures and characteristics," ACM SIGCOMM Computer Communication Review, 38.4, 171-182, 2008. https://doi.org/10.1145/1402946.1402979
  6. Thomas, Kurt, et al, "Suspended accounts in retrospect: an analysis of twitter spam," in Proc. of Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference. ACM, 2011.
  7. Ramachandran, Anirudh, and Nick Feamster, "Understanding the network-level behavior of spammers," in Proc. of ACM SIGCOMM Computer Communication Review, Vol. 36, No. 4, ACM, 2006.
  8. Berkhin, Pavel, Zoltan Istvan Gyongyi, and Jan Pedersen, "Link-based spam detection," U.S. Patent, No. 7, 533,092. 12 May 2009.
  9. Becchetti, Luca, et al, "Link analysis for web spam detection," ACM Transactions.
  10. Han, K. S., Y. H. Shin, and E. G. Im, "A study of spam-spread malware analysis and countermeasure framework," Journal of Security Engineering, 7.4, 363-383, 2010.
  11. Lin, Kuan-Cheng, Sih-Yang Chen, and Jason C. Hung, "Botnet detection using support vector machines with artificial fish swarm algorithm," Journal of Applied Mathematics 2014, 2014.
  12. Akinyelu, Andronicus A., and Aderemi O. Adewumi, "Classification of phishing email using random forest machine learning technique," Journal of Applied Mathematics 2014, 2014.
  13. Chiang, Ken, and Levi Lloyd, "A Case Study of the Rustock Rootkit and Spam Bot," HotBots, 7, 10-10, 2007.
  14. Duan, Zhenhai, Kartik Gopalan, and Xin Yuan, "Behavioral Characteristics of Spammers and Their Network Reachability Properties," ICC, Vol. 7, 2007.
  15. Qaroush, Aziz, Ismail M. Khater, and Mahdi Washaha, "Identifying spam e-mail based-on statistical header features and sender behavior," in Proc. of Proceedings of the CUBE International Information Technology Conference. ACM, 2012.
  16. Al-Jarrah, Omar, Ismail Khater, and Basheer Al-Duwairi, "Identifying potentially useful email header features for email spam filtering," in Proc. of The Sixth International Conference on Digital Society (ICDS), 2012.
  17. A. C. Solutions. January 7, 2011 Statistics and Facts About Spam.Retrieved: July, 2011.
  18. Sanchez, Fernando, Zhenhai Duan, and Yingfei Dong, "Understanding forgery properties of spam delivery paths," in Proc. of Proceedings of 7th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference (CEAS), 2010.
  19. Hu, Yong, et al, "A scalable intelligent non-content-based spam-filtering framework," Expert Systems with Applications, 37.12, 8557-8565, 2010. https://doi.org/10.1016/j.eswa.2010.05.020
  20. Duan, Zhenhai, et al. "Detecting spam zombies by monitoring outgoing messages," IEEE Transactions on dependable and secure computing, 9.2, 198-210, 2012. https://doi.org/10.1109/TDSC.2011.49
  21. Wang, Chih-Chien, and Sheng-Yi Chen, "Using header session messages to anti-spamming," Computers & Security, 26.5, 381-390, 2007. https://doi.org/10.1016/j.cose.2006.12.012
  22. Jeong, Hyun-Cheol, et al, "Study for tracing zombie pcs and botnet using an email spam trap," Journal of the Korea Institute of Information Security and Cryptology, 21.3, 101-115, 2011.
  23. Jeong, HyunCheol, et al, "Detection of Zombie PCs Based on Email Spam Analysis," KSII Transactions on Internet & Information Systems, 6.5, 2012.
  24. Huang, Lin, et al, "Using reputation measurement to defend mobile social networks against malicious feedback ratings," The Journal of Supercomputing, 71.6, 2190-2203, 2015. https://doi.org/10.1007/s11227-015-1432-x
  25. Lee, et al, "Detection of malware propagation in sensor Node and botnet group clustering based on e-mail spam analysis," International Journal of Distributed Sensor Networks 2015, 15, 2015.
  26. Kaspersky, http://www.kaspersky.com
  27. Symantec. http://www.symantec.com
  28. KISA. http://www.kisa.or.kr
  29. KISA RBL. https://www.kisarbl.or.kr/
  30. https://www.spamhaus.org/