
Network Behavior Analysis Of The Spamming Botnet And The Design And Implementation Of Spamming Botnet Detection Algorithms

Posted on: 2014-11-03  Degree: Master  Type: Thesis
Country: China  Candidate: G Q Deng  Full Text: PDF
GTID: 2268330422463425  Subject: Computer Information Security
Abstract/Summary:
Botnets are considered the main source of spam, so taking down spamming botnets is an effective way to prevent spam attacks. By using a honeypot to capture and analyze the network behavior of these botnets, we found several characteristic abnormal behaviors: scanning for open mail proxies, sending large amounts of spam at high speed, connecting to multiple mail servers simultaneously, and abnormal MX queries. These abnormalities are relatively common in botnets and can be used to filter out bots. We also found that the dispersion of message sizes sent by a botnet is smaller than that of a mail server, which lets us distinguish zombie hosts from mail servers.

Considering the advantages and weaknesses of the existing detection algorithms, we propose a detection algorithm that combines behavior-based and content-based spam detection. The detection system is divided into two modules: an abnormal-behavior alarm module and a content clustering module. First, the network traffic of the campus is analyzed to find the computers whose network behavior is relatively unusual, while at the same time the e-mail content they sent is reconstructed. Then, the content of the e-mails they sent is analyzed to determine whether they were spamming and which botnet they belong to.

The detection system uses Libpcap to capture the network traffic of the campus. Unlike traditional content-based detection methods, it does not require any training features and can be deployed at the network egress. The research results show that the detection algorithm can detect not only spam hosts inside the campus but also spam hosts that send spam into the campus from outside. It is effective and efficient in automatically detecting compromised machines in a network, with a false-positive rate of 10%. Through the final spam content clustering, we can identify many large-scale spam campaigns involving many infected computers.
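The abnormal-behavior alarm module described above, sketched as an added example (not the thesis's own code): it scores each source host on the signals the abstract names, namely fan-out to multiple mail servers, sending speed, MX-query volume and the dispersion of message sizes, and uses the low size dispersion to separate a bot from a legitimate mail server that also fans out. The record layout, the sample traffic and all thresholds are assumptions chosen for illustration, not values from the thesis.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (src_ip, destination mail server, timestamp in seconds, message bytes)
SMTP_RECORDS = [
    # 10.0.0.7: bot-like, six different servers within five seconds, near-identical sizes
    ("10.0.0.7", "198.51.100.1", 0, 1200), ("10.0.0.7", "198.51.100.2", 1, 1210),
    ("10.0.0.7", "198.51.100.3", 2, 1190), ("10.0.0.7", "198.51.100.4", 3, 1205),
    ("10.0.0.7", "198.51.100.5", 4, 1195), ("10.0.0.7", "198.51.100.6", 5, 1200),
    # 10.0.0.25: campus mail server, same volume but widely varying message sizes
    ("10.0.0.25", "203.0.113.1", 0, 800), ("10.0.0.25", "203.0.113.2", 1, 45000),
    ("10.0.0.25", "203.0.113.3", 2, 3100), ("10.0.0.25", "203.0.113.4", 3, 120000),
    ("10.0.0.25", "203.0.113.5", 4, 2200), ("10.0.0.25", "203.0.113.6", 5, 9800),
    # 10.0.0.42: ordinary workstation relaying through the campus server
    ("10.0.0.42", "10.0.0.25", 0, 5000), ("10.0.0.42", "10.0.0.25", 400, 700),
]
# Constructed: MX lookups per host in the same window (a bot resolves MX records itself)
MX_QUERIES = {"10.0.0.7": 6, "10.0.0.25": 6, "10.0.0.42": 0}

def host_features(records, mx_queries):
    """Per-source features mirroring the abstract's behavioral signals."""
    by_src = defaultdict(list)
    for src, dst, ts, size in records:
        by_src[src].append((dst, ts, size))
    feats = {}
    for src, rows in by_src.items():
        sizes = [s for _, _, s in rows]
        times = [t for _, t, _ in rows]
        span = max(max(times) - min(times), 1)            # seconds observed, at least 1
        feats[src] = {
            "distinct_dst": len({d for d, _, _ in rows}),  # mail servers contacted
            "rate_per_min": len(rows) * 60.0 / span,        # sending speed
            "size_cv": pstdev(sizes) / mean(sizes),         # dispersion of message sizes
            "mx_queries": mx_queries.get(src, 0),           # MX lookups issued
        }
    return feats

def classify(f, min_dst=4, min_rate=30.0, max_cv=0.1):
    """Thresholds are illustrative assumptions, not the thesis's values."""
    fans_out = f["distinct_dst"] >= min_dst and (
        f["rate_per_min"] >= min_rate or f["mx_queries"] >= min_dst)
    if not fans_out:
        return "normal"
    # Both bots and mail servers fan out; low size dispersion marks the bot.
    return "bot" if f["size_cv"] < max_cv else "mail-server"

def detect(records, mx_queries):
    """Map each source host to 'bot', 'mail-server' or 'normal'."""
    return {src: classify(f) for src, f in host_features(records, mx_queries).items()}
```

Hosts labelled "bot" here would be handed to the content clustering module, which the abstract describes as confirming spamming and attributing the host to a campaign.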
Keywords/Search Tags: SPAM, Botnet, Honeypot, Behavioral-based, Content-based, Libpcap