Who Is Sending a Spam Email: Clustering and Characterizing Spamming Hosts

  • Conference paper
Information Security and Cryptology -- ICISC 2013 (ICISC 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8565)

Abstract

In this work, we propose a spam analysis system that clusters spamming hosts, characterizes and visualizes spammers’ behaviors, and detects malicious clusters. The proposed system integrates behavior profiling at the IP address level, IP address-based clustering, characterization of spammer clusters, examination of the maliciousness of embedded URLs, and derivation of visual signatures for future detection of malicious spammers. We classify spamming hosts into botnet, worm, or individual spammers and derive their characteristics. We then design a clustering scheme to automatically classify the host IP addresses and to identify malicious groups according to the known characteristics of each type of host. For rapid decision making in identifying botnets, we derive visual signatures using parallel coordinates. We validate the proposed system using spam email data collected by the spam trap system operated by the Korea Internet and Security Agency.

Acknowledgement

This research was supported by the MKE (The Ministry of Knowledge Economy), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2013-H0301-13-1003) supervised by the NIPA (National IT Industry Promotion Agency). This research was also supported by the Korean Ministry of Environment as the Eco-Innovation project (Global Top project) (GT-SWS-11-02-007-3).

Author information

Corresponding author

Correspondence to Huy Kang Kim.

Appendix

Table 5. Statistics of important features according to host species

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Woo, J., Kang, H.J., Kang, A.R., Kwon, H., Kim, H.K. (2014). Who Is Sending a Spam Email: Clustering and Characterizing Spamming Hosts. In: Lee, HS., Han, DG. (eds) Information Security and Cryptology -- ICISC 2013. ICISC 2013. Lecture Notes in Computer Science, vol 8565. Springer, Cham. https://doi.org/10.1007/978-3-319-12160-4_28

  • DOI: https://doi.org/10.1007/978-3-319-12160-4_28

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12159-8

  • Online ISBN: 978-3-319-12160-4

  • eBook Packages: Computer Science, Computer Science (R0)
