Categorizing Blog Spam

The internet has matured into the focal point of our era. Its ecosystem is vast, complex, and in many regards unaccounted for. One of the most prevalent aspects of the internet is spam. Similar to the rest of the internet, spam has evolved from simply meaning ‘unwanted emails’ to a blanket term that encompasses any unsolicited or illegitimate content that appears in the wide range of media that exists on the internet. Many forms of spam permeate the internet, and spam architects continue to develop tools and methods to avoid detection. On the other side, cyber security engineers continue to develop more sophisticated detection tools to curb the harmful effects that come with spam. This virtual arms race has no end in sight. Most efforts thus far have been toward accurately detecting spam from ham, and rightfully so since initial detection is essential. However, research is lacking in understanding the current ecosystem of spam, spam campaigns, and the behavior of the botnets that drive the majority of spam traffic. This thesis focuses on characterizing spam, particularly the spam that appears in forums, where the spam is delivered by bots posing as legitimate users. Forum spam is used primarily to push advertisements or to boost other websites’ perceived popularity by including HTTP links in the content of the post. We conduct an experiment to collect a sample of the blog posts and network activity of the spambots that exist in the internet. We then present a corpora available to conduct analysis on and proceed with our own analysis. We cluster associated groups of users and IP addresses into entities, which we accept as a model of the underlying botnets that interact with our honeypots. We use Natural Language Processing (NLP) and Machine Learning (ML) to determine that creating semantic-based models of botnets are sufficient for distinguishing them from one another. We also find that the syntactic structure of posts has little variation from botnet to botnet. Finally we confirm that to a large degree botnet behavior and content hold across different domains

Between Hype and Understatement: Reassessing Cyber Risks as a Security Strategy

Most of the actions that fall under the trilogy of cyber crime, terrorism,and war exploit pre-existing weaknesses in the underlying technology.Because these vulnerabilities that exist in the network are not themselvesillegal, they tend to be overlooked in the debate on cyber security. A UKreport on the cost of cyber crime illustrates this approach. Its authors chose to exclude from their analysis the costs in anticipation of cyber crime, such as insurance costs and the costs of purchasing anti-virus software on the basis that "these are likely to be factored into normal day-to-day expenditures for the Government, businesses, and individuals. This article contends if these costs had been quantified and integrated into the cost of cyber crime, then the analysis would have revealed that what matters is not so much cyber crime, but the fertile terrain of vulnerabilities that unleash a range of possibilities to whomever wishes to exploit them. By downplaying the vulnerabilities, the threats represented by cyber war, cyber terrorism, and cyber crime are conversely inflated. Therefore, reassessing risk as a strategy for security in cyberspace must include acknowledgment of understated vulnerabilities, as well as a better distributed knowledge about the nature and character of the overhyped threats of cyber crime, cyber terrorism, and cyber war

Flooding attacks to internet threat monitors (ITM): Modeling and counter measures using botnet and honeypots

The Internet Threat Monitoring (ITM),is a globally scoped Internet monitoring system whose goal is to measure, detect, characterize, and track threats such as distribute denial of service(DDoS) attacks and worms. To block the monitoring system in the internet the attackers are targeted the ITM system. In this paper we address flooding attack against ITM system in which the attacker attempt to exhaust the network and ITM's resources, such as network bandwidth, computing power, or operating system data structures by sending the malicious traffic. We propose an information-theoretic frame work that models the flooding attacks using Botnet on ITM. Based on this model we generalize the flooding attacks and propose an effective attack detection using Honeypots