This talk introduces a new class of methods called "behavioral blacklisting", which identify spammers based on their network-level behavior. Rather than attempting to blacklist individual spam messages based on what each message contains, behavioral blacklisting classifies a message based on how it was sent, that is, on the spatial and temporal patterns of the email traffic itself. Behavioral blacklisting tracks the sending behavior of an email sender from a wide variety of vantage points and establishes "fingerprints" that are indicative of spamming behavior. Behavioral blacklisting can apply not only to email traffic, but also to the network-level behavior of hosting infrastructure for scam or phishing attacks. First, I will present a brief overview of our study of the network-level behavior of spammers. Second, I will describe two behavioral blacklisting algorithms that are based on insights from that study. Finally, I will describe our ongoing work applying similar behavioral detection techniques to detecting both online scam hosting infrastructure and phishing attacks.

Nick Feamster is an assistant professor in the College of Computing at Georgia Tech. He received his Ph.D. in Computer Science from MIT in 2005, and his S.B. and M.Eng. degrees in Electrical Engineering and Computer Science from MIT in 2000 and 2001, respectively. His research focuses on many aspects of computer networking and networked systems, including the design, measurement, and analysis of network routing protocols, network operations and security, and anonymous communication systems. He recently received the Presidential Early Career Award for Scientists and Engineers (PECASE) for his contributions to cybersecurity, notably spam filtering. His honors include a Sloan Research Fellowship, the NSF CAREER award, the IBM Faculty Fellowship, and award papers at SIGCOMM 2006 (network-level behavior of spammers), the NSDI 2005 conference (fault detection in router configuration), Usenix Security 2002 (circumventing web censorship using Infranet), and Usenix Security 2001 (web cookie analysis).