I graduated in May 2011 and now work at an early-stage startup in the Bay Area. I was a Ph.D. student at the College of Computing, Georgia Tech. I work with Prof. Nick Feamster and am affiliated with the NTG and GTISC. Previously, I was an undergrad in Computer Science and Engineering at IIT Madras.
Research Interests
I am interested in Networking and Systems Security. My current research focuses on preventing data breaches using secure systems design. Other research interests include high-speed traffic monitoring and techniques to detect and mitigate malicious activity on the Internet such as spam, botnets, and phishing.
Publications
Spam or Ham? Characterizing and Detecting Fraudulent "Not Spam" Reports in Web Mail Systems
Anirudh Ramachandran, Anirban Dasgupta, Nick Feamster, and Kilian Weinberger
8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference (CEAS), Perth, Australia, September 2011.
Mitigating Spam Using Network-level Features
Anirudh Ramachandran
Ph.D. Dissertation, Georgia Tech, August 2011
SilverLine: Data and Network Isolation for Cloud Services
Yogesh Mundada, Anirudh Ramachandran, and Nick Feamster
3rd Usenix Workshop on Hot Topics in Cloud Computing, Portland, OR, June 2011.
Practical Data-Leak Prevention for Legacy Applications in Enterprise Networks
Yogesh Mundada, Anirudh Ramachandran, Mukarram Bin Tariq, and Nick Feamster
Georgia Tech Technical Report GT-CS-11-01, Jan 2011.
[Earlier versions: 1, 2] [Poster at SIGCOMM 2008]
Abstract: Organizations must control where private information spreads; this problem is referred to in the industry as data leak prevention. Commercial solutions for DLP are based on scanning content; these impose high overhead and are easily evaded. Research solutions for this problem, information flow control, require rewriting applications or running a custom operating system, which makes these approaches difficult to deploy. They also typically enforce information flow control on a single host, not across a network, making it difficult to implement an information flow control policy for a network of machines. This paper presents Pedigree, which enforces information flow control across a network for legacy applications. Pedigree allows enterprise administrators and users to associate a label with each file and process; a small, trusted module on the host uses these labels to determine whether two processes on the same host can communicate. When a process attempts to communicate across the network, Pedigree tracks these information flows and enforces information flow control either at end-hosts or at a network switch. Pedigree allows users and operators to specify network-wide information flow policies rather than having to specify and implement policies for each host. Enforcing information flow policies in the network allows Pedigree to operate in networks with heterogeneous devices and operating systems. We present the design and implementation of Pedigree, show that it can prevent data leaks, and investigate its feasibility and usability in common environments.
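The label check the abstract describes, as an added illustration that is not Pedigree's own code: the abstract does not say what a label looks like, so this example assumes a label is a set of secrecy tags, that reading a labeled file raises the reader's label, and that the same "sender's tags must be a subset of the receiver's tags" rule is applied by a host module to local IPC and by a network policy point to cross-host flows. The hosts, file names, addresses and tag names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Principal:
    """A file or process: where it lives, its name, and its label (a set of
    secrecy tags; the tag-set form is this example's assumption)."""
    host: str
    name: str
    label: frozenset


def can_flow(src_label, dst_label):
    """Secrecy rule: information may move only to a receiver that carries
    every tag of the sender, so no tag is dropped along the way."""
    return src_label <= dst_label


class HostModule:
    """The small trusted per-host component: it labels processes, raises a
    process's label when it reads a labeled file, and mediates local IPC."""

    def __init__(self, host):
        self.host, self.procs, self.files = host, {}, {}

    def add_process(self, name, label=frozenset()):
        self.procs[name] = Principal(self.host, name, frozenset(label))

    def add_file(self, name, label):
        self.files[name] = Principal(self.host, name, frozenset(label))

    def read_file(self, proc, path):
        """Reading taints the reader: its label becomes the union of both labels."""
        p, f = self.procs[proc], self.files[path]
        p.label = p.label | f.label
        return p.label

    def allow_ipc(self, sender, receiver):
        return can_flow(self.procs[sender].label, self.procs[receiver].label)


class NetworkPolicy:
    """Network-wide policy point (a switch, or a shim on the end host): the
    operator registers the label of each network-reachable endpoint once,
    and every cross-host flow is checked against that single table."""

    def __init__(self):
        self.endpoints = {}   # (host, service) -> label

    def register(self, host, service, label):
        self.endpoints[(host, service)] = frozenset(label)

    def allow_flow(self, sender, dst_host, dst_service):
        dst_label = self.endpoints.get((dst_host, dst_service))
        if dst_label is None:
            return False        # unknown endpoint: deny by default
        return can_flow(sender.label, dst_label)


def demo():
    """Constructed scenario: an editor on a workstation opens an HR file and
    then tries to talk to a local mail client, an HR file server, and a
    public web host (the last one is the leak the policy must stop)."""
    ws = HostModule("ws1")
    ws.add_file("payroll.xlsx", {"hr"})
    ws.add_process("editor")
    ws.add_process("mail_client")          # unlabeled: may reach the Internet

    net = NetworkPolicy()
    net.register("srv1", "hr_share", {"hr"})
    net.register("203.0.113.80", "public_web", set())   # constructed address

    editor_label = ws.read_file("editor", "payroll.xlsx")
    editor = ws.procs["editor"]
    return {
        "editor_label": editor_label,
        "ipc_to_mail": ws.allow_ipc("editor", "mail_client"),
        "ipc_mail_to_editor": ws.allow_ipc("mail_client", "editor"),
        "net_to_hr_share": net.allow_flow(editor, "srv1", "hr_share"),
        "net_to_public_web": net.allow_flow(editor, "203.0.113.80", "public_web"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Once the editor has read the HR file it can still receive mail (an unlabeled sender may write to a labeled receiver) but can no longer send to the unlabeled mail client or to the public web endpoint; only the HR share, whose label was registered once at the network policy point, accepts the flow.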
Spotting Spammers with a Dynamic Reputation System
Anirudh Ramachandran, Hitesh Khandelwal, Shuang
Hao, Nick Feamster, and Santosh Vempala
Work in Progress, February 2009.
Abstract: This paper presents the design, implementation, evaluation, and initial deployment of SpamSpotter, the first open, large-scale, real-time reputation system for filtering spam. Existing blacklists (e.g., SpamHaus) are based on static lists; they have trouble keeping pace with spammers' ability to send spam from "fresh" IP addresses. In contrast, SpamSpotter tracks and classifies email senders in real time using network-level features that distinguish spammers from legitimate senders. Previous work has proposed various algorithms for classifying email senders; in this paper, we focus on the design and deployment of a system that can incorporate these algorithms into a single working system. SpamSpotter currently incorporates three network-level spam filtering techniques: SpamTracker [38], SNARE [20], and Trinity [7]. SpamSpotter's framework allows combining various spam-filtering algorithms and deploying and testing new email classification algorithms. We tackle significant design challenges involving scalability, speed, and accuracy. We have evaluated the performance and accuracy of SpamSpotter using traces from a spam-appliance vendor and a large email-hosting provider, and we have deployed SpamSpotter for operational use. SpamSpotter is deployed today, and network administrators can easily incorporate SpamSpotter's blacklist into their spam filtering systems in the same way that they would use any other static blacklist, with only minor configuration changes.
Fast Monitoring of Traffic Subpopulations
Anirudh Ramachandran, Srinivasan Seetharaman, Nick Feamster, and Vijay Vazirani
Proceedings of the Internet Measurement Conference (IMC)
Vouliagmeni, Greece, October 2008.
Abstract: Network accounting, forensics, security, and performance monitoring applications often need to examine detailed traces from subsets of flows ("subpopulations"), where the application requires flexibility in specifying the subpopulation (e.g., to detect a portscan, the application must observe many packets between a source and a destination with one packet to each port). Unfortunately, the dynamism and volume of network traffic on many high-speed links requires traffic sampling, which adversely affects subpopulation monitoring: because many subpopulations of interest to operators are low-volume flows, conventional sampling schemes (e.g., uniform random sampling) can miss much of the subpopulation's traffic. Today's routers and network devices provide scant support for monitoring specific traffic subpopulations. This paper presents the design, implementation, and evaluation of FlexSample, a traffic monitoring framework that dynamically extracts traffic from subpopulations that operators define using conditions on packet header fields. FlexSample uses a fast, flexible counter array to provide rough estimates of packets' membership in respective subpopulations. Based on these coarse estimates, FlexSample then makes per-packet sampling decisions to sample proportionately from each subpopulation (as specified by a network operator), subject to an overall sampling constraint. We apply FlexSample to extract subpopulations such as port scans and traffic to high-degree nodes and find that it can capture significantly more packets from these subpopulations than conventional approaches.
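The sampling idea in the abstract, as an added toy implementation that is not FlexSample's code: a hashed counter array gives a rough per-flow packet count, operator conditions on header fields plus that count assign each packet to a subpopulation, and the sampler spends an overall budget `p` across subpopulations in operator-chosen shares instead of uniformly. The subpopulation definitions, the share allocation formula (target share times budget, divided by packets seen in that class so far), the counter-array geometry and the traffic mix are all this example's assumptions, and the packet stream is constructed.

```python
import random
import zlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class CounterArray:
    """Fixed-size hashed counters (count-min style): a flow's count is the
    minimum over a few rows, so collisions can only over-estimate. That is
    the 'rough estimate' of subpopulation membership the sampler works from."""

    def __init__(self, width=2048, rows=2):
        self.width, self.rows = width, rows
        self.table = [[0] * width for _ in range(rows)]

    def _slot(self, row, key):
        # crc32 instead of hash(): stable across interpreter runs
        return zlib.crc32(f"{row}|{key}".encode()) % self.width

    def add(self, key):
        for r in range(self.rows):
            self.table[r][self._slot(r, key)] += 1

    def estimate(self, key):
        return min(self.table[r][self._slot(r, key)] for r in range(self.rows))


def flow_key(pkt):
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport)


# Operator-defined subpopulations (assumed here): conditions on header fields
# and on the counter array's estimate for the packet's flow. First match wins.
SUBPOPULATIONS = [
    ("ssh", lambda pkt, est: pkt.dport == 22),
    ("small_flow", lambda pkt, est: est <= 3),   # low-volume flows, e.g. scan probes
    ("other", lambda pkt, est: True),
]


def classify(counters, pkt):
    counters.add(flow_key(pkt))
    est = counters.estimate(flow_key(pkt))
    return next(name for name, cond in SUBPOPULATIONS if cond(pkt, est))


class FlexSampler:
    """Spend an overall budget p across subpopulations in operator-chosen shares."""

    def __init__(self, overall_rate, shares, rng):
        assert abs(sum(shares.values()) - 1.0) < 1e-9
        self.p, self.shares, self.rng = overall_rate, shares, rng
        self.counters, self.seen, self.total = CounterArray(), Counter(), 0

    def decide(self, pkt):
        """Return (subpopulation, keep?) for one packet."""
        name = classify(self.counters, pkt)
        self.total += 1
        self.seen[name] += 1
        # Class c should contribute share_c * p * total samples; dividing that
        # target by the packets seen in c so far gives the per-packet probability.
        prob = min(1.0, self.shares[name] * self.p * self.total / self.seen[name])
        return name, self.rng.random() < prob


def uniform_sample(stream, rate, rng):
    """Baseline: keep each packet with probability `rate`, whatever its class."""
    counters, kept = CounterArray(), Counter()
    for pkt in stream:
        name = classify(counters, pkt)
        if rng.random() < rate:
            kept[name] += 1
    return kept


def make_stream(rng):
    """Constructed traffic: one 5000-packet bulk flow, 500 single-packet flows
    from one source (scan-like), and 300 packets across 10 SSH flows, shuffled."""
    pkts = [Packet("10.0.0.1", "10.0.0.2", 40000, 80)] * 5000
    pkts += [Packet("10.0.0.9", f"10.1.{i // 256}.{i % 256}", 50000, 1000 + i)
             for i in range(500)]
    pkts += [Packet(f"10.0.1.{i}", "10.0.0.3", 45000 + i, 22)
             for i in range(10) for _ in range(30)]
    rng.shuffle(pkts)
    return pkts


def run_demo(seed=1, rate=0.1, shares=None):
    """Sample the constructed stream both ways; report packets kept per class."""
    shares = shares or {"ssh": 0.3, "small_flow": 0.5, "other": 0.2}
    stream = make_stream(random.Random(seed))
    sampler, flex = FlexSampler(rate, shares, random.Random(seed + 1)), Counter()
    for pkt in stream:
        name, keep = sampler.decide(pkt)
        if keep:
            flex[name] += 1
    uniform = uniform_sample(stream, rate, random.Random(seed + 2))
    return {"packets": len(stream), "flexsample": dict(flex), "uniform": dict(uniform)}


if __name__ == "__main__":
    print(run_demo())
```

With a 10% overall budget, uniform sampling keeps about 10% of the 500 scan-like packets, while the share-driven sampler keeps roughly half of its budget's worth of them (several hundred) and correspondingly less of the bulk flow, which is the effect the abstract reports for port scans and other low-volume subpopulations.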
Authenticated Out-of-Band Communication Over Social Links
Anirudh Ramachandran and Nick Feamster
Proceedings of the First ACM SIGCOMM Workshop on Online Social Networks, Seattle, WA, August 2008.
Abstract: Many existing host-based applications rely on their own authentication mechanisms and peer discovery services. Although social networking sites already provide mechanisms for users both to discover other users (e.g., by logging on to the social network Web site) and to communicate securely with each other (e.g., using instant messages within the social networking site), today's applications have no way to exploit the relationships and trust that are inherent in these networks. This paper proposes Authenticatr, a framework that allows applications to use the authentication and peer discovery mechanisms inherent in social networking sites to bootstrap their own authenticated communication channels. We describe motivating applications, detail the interface that Authenticatr exposes to applications, and discuss practical considerations and security threats.
Fishing for Phishing from the Network Stream
Anirudh Ramachandran, Nick Feamster, Balachander Krishnamurthy, Oliver Spatscheck, and Jacobus van der Merwe
Technical Report GT-CS-08-08, February 2008.
Abstract: Phishing is an increasingly prevalent social-engineering attack that attempts identity theft using spoofed Web pages of legitimate organizations. Financial organizations and users may lose billions of dollars as phishers perfect schemes such as internationalized domain name spoofing, open URL redirectors, and embedded frames, all of which can make a phishing site visually indistinguishable from a legitimate one. Current phishing prevention methods are neither complete nor responsive enough because they rely on user reports and manual updates. Many also require client-side software, which implicitly assumes that users are aware of the dangers of phishing. To be effective, anti-phishing techniques should be proactive, and independent of end-users. This paper proposes Fish4Phish, which takes an alternate approach: detecting phishing attacks from the network traffic itself. We analyze typical phishing scenarios and create a model to identify the stages where in-network phishing detection is feasible and the data sources that can be analyzed to provide relevant information at each stage. Using our model as the basis for data gathering and heuristics, we develop a detection method based on features that can be detected from the network traffic itself and are correlated with real phishing attacks. Fish4Phish combines these features to realize phishing detection. Our evaluation on both a campus network and a transit network shows that Fish4Phish is effective for early phishing detection in a variety of environments. For example, compared with the Google antiphishing blacklist, Fish4Phish detected 27 additional phishing domains and detected 7 phishing domains listed by Google at least 48 hours before they appeared in the Google blacklist.
Filtering Spam with Behavioral Blacklisting
Anirudh Ramachandran, Nick Feamster, and Santosh Vempala
Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), Alexandria, VA, October 2007. [pdf talk slides]
Abstract: Spam filters often use the reputation of an IP address (or IP address range) to classify email senders. This approach worked well when most spam originated from senders with fixed IP addresses, but spam today is also sent from IP addresses for which blacklist maintainers have outdated or inaccurate information (or no information at all). Spam campaigns also involve many senders, reducing the amount of spam any particular IP address sends to a single domain; this method allows spammers to stay "under the radar". The dynamism of any particular IP address begs for blacklisting techniques that automatically adapt as the senders of spam change. This paper presents SpamTracker, a spam filtering system that uses a new technique called behavioral blacklisting to classify email senders based on their sending behavior rather than their identity. Spammers cannot evade SpamTracker merely by using "fresh" IP addresses because blacklisting decisions are based on sending patterns, which tend to remain more invariant. SpamTracker uses fast clustering algorithms that react quickly to changes in sending patterns. We evaluate SpamTracker's ability to classify spammers using email logs for over 115 email domains; we find that SpamTracker can correctly classify many spammers missed by current filtering techniques. Although our current datasets prevent us from confirming SpamTracker's ability to completely distinguish spammers from legitimate senders, our evaluation shows that SpamTracker can identify a significant fraction of spammers that current IP-based blacklists miss. SpamTracker's ability to identify spammers before existing blacklists suggests that it can be used in conjunction with existing techniques (e.g., as an input to greylisting). SpamTracker is inherently distributed and can be easily replicated; incorporating it into existing email filtering infrastructures requires
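The behavioral-blacklisting idea, as an added toy that is not SpamTracker's code: each sender IP is reduced to a unit vector of how many messages it sent to each recipient domain in a window (its sending pattern), senders an existing identity-based list already knows are grouped into clusters of similar patterns, and an unlisted IP is scored by cosine similarity to the nearest cluster. The pattern representation, the greedy one-pass clustering and the thresholds are this example's assumptions (the abstract only says "fast clustering algorithms"); the domains, addresses and log are constructed.

```python
import math
from collections import defaultdict

DOMAINS = ["alpha.example", "beta.example", "gamma.example", "delta.example"]

# Senders an existing identity-based blacklist already knows (constructed).
KNOWN_SPAMMERS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}


def constructed_log():
    """(sender_ip, recipient_domain) pairs observed in one window."""
    log = []
    for ip in sorted(KNOWN_SPAMMERS):           # one campaign, three listed senders
        log += [(ip, "alpha.example")] * 4 + [(ip, "beta.example")] * 4 \
             + [(ip, "gamma.example")] * 3
    log += [("203.0.113.5", "delta.example")] * 30 \
         + [("203.0.113.5", "alpha.example")] * 2     # legitimate list server
    log += [("198.51.100.77", "alpha.example")] * 5 + [("198.51.100.77", "beta.example")] * 5 \
         + [("198.51.100.77", "gamma.example")] * 4   # unlisted IP joining the campaign
    log += [("198.51.100.8", "delta.example")] * 12   # unlisted legitimate sender
    return log


def normalize(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v] if n else list(v)


def cosine(a, b):
    return sum(x * y for x, y in zip(a, b))   # both inputs are unit length


def sending_patterns(log):
    """Per sender: unit vector of messages sent to each domain (the behavior)."""
    counts = defaultdict(lambda: [0.0] * len(DOMAINS))
    for ip, domain in log:
        counts[ip][DOMAINS.index(domain)] += 1
    return {ip: normalize(v) for ip, v in counts.items()}


def cluster_spammers(patterns, known, min_sim=0.9):
    """Greedy one-pass clustering of known spammers' patterns: join the first
    cluster whose centroid is similar enough, otherwise start a new cluster."""
    clusters = []
    for ip in sorted(known):
        if ip not in patterns:
            continue
        for c in clusters:
            if cosine(c["centroid"], patterns[ip]) >= min_sim:
                c["members"].append(ip)
                summed = [sum(patterns[m][i] for m in c["members"])
                          for i in range(len(DOMAINS))]
                c["centroid"] = normalize(summed)
                break
        else:
            clusters.append({"centroid": patterns[ip], "members": [ip]})
    return clusters


def spam_score(pattern, clusters):
    """Closeness of a sender's behavior to the nearest spam cluster, 0..1."""
    return max((cosine(pattern, c["centroid"]) for c in clusters), default=0.0)


def score_unlisted(log, known=KNOWN_SPAMMERS):
    """Scores for the senders the identity-based list does not know."""
    patterns = sending_patterns(log)
    clusters = cluster_spammers(patterns, known)
    return {ip: round(spam_score(p, clusters), 3)
            for ip, p in patterns.items() if ip not in known}


if __name__ == "__main__":
    print(score_unlisted(constructed_log()))
```

The fresh address 198.51.100.77 is never on the identity list, yet its pattern across the three target domains is nearly identical to the campaign cluster and scores close to 1, while the two legitimate senders, whose mail goes almost entirely to one domain, score near 0. The score is what a filter would feed into greylisting or a reputation decision rather than a verdict on its own.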
BitStore: An Incentive-Compatible Solution for Blocked Downloads in
BitTorrent
Anirudh Ramachandran, Atish Das Sarma, and Nick Feamster
Proceedings of the 2nd Joint Workshop on Economics of Networked Systems and Incentive-Based Computing (NetEcon+IBC), San Diego, CA, June 2007.
Abstract: As many as 30% of all files shared on public BitTorrent networks suffer from the lack of "seeders" (peers that have complete copies of the file being shared); peers attempting to download such a file ("leechers") may have to wait indefinitely to obtain certain file chunks that are not distributed in the file's network of peers (the "swarm"). We call this the Blocked Leecher Problem (BLP). To alleviate BLP, we propose BitStore, a larger, secure network of BitTorrent users (not necessarily all sharing the same content) where nodes offer their resources (such as disk space and bandwidth) for public use. Peers sharing any file can use the storage network to maintain replicas for each chunk of the file. Any leecher seeking chunks that are absent from its own swarm can query the public network, locate the node storing the said chunks, and retrieve them. BitStore also provides robust incentives for nodes contributing resources: in return for storing and serving chunks, such nodes can negotiate micropayments using a second-price auction. Peers who receive these credits may later use them to retrieve blocks they need from the storage network. This paper quantifies the BLP, presents an overview of the BitStore design, and discusses various challenges related to storage management and incentives.
Understanding the Network-level Behavior of Spammers
(Best Student Paper Award)
Anirudh Ramachandran and Nick Feamster
Proceedings of ACM SIGCOMM
Pisa, Italy, September 2006. [pdf talk slides]
Abstract: This paper studies the network-level behavior of spammers, including: IP address ranges that send the most spam, common spamming modes (e.g., BGP route hijacking, bots), how persistent across time each spamming host is, and characteristics of spamming botnets. We try to answer these questions by analyzing a 17-month trace of over 10 million spam messages collected at an Internet "spam sinkhole", and by correlating this data with the results of IP-based blacklist lookups, passive TCP fingerprinting information, routing information, and botnet "command and control" traces. We find that most spam is being sent from a few regions of IP address space, and that spammers appear to be using transient "bots" that send only a few pieces of email over very short periods of time. Finally, a small, yet non-negligible, amount of spam is received from IP addresses that correspond to short-lived BGP routes, typically for hijacked prefixes. These trends suggest that developing algorithms to identify botnet membership, filtering email messages based on network-level properties (which are less variable than email content), and improving the security of the Internet routing infrastructure, may prove to be extremely effective for combating spam.
Revealing Botnet Membership using DNSBL Counter-Intelligence
Anirudh Ramachandran, Nick Feamster and David Dagon
USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI 06), San Jose, CA, July 2006 [ppt talk slides].
Abstract: Botnets, networks of (typically compromised) machines, are often used for nefarious activities (e.g., spam, click fraud, denial-of-service attacks, etc.). Identifying members of botnets could help stem these attacks, but passively detecting botnet membership (i.e., without disrupting the operation of the botnet) proves to be difficult. This paper studies the effectiveness of monitoring lookups to a DNS-based blackhole list (DNSBL) to expose botnet membership. We perform counter-intelligence based on the insight that botmasters themselves perform DNSBL lookups to determine whether their spamming bots are blacklisted. Using heuristics to identify which DNSBL lookups are perpetrated by a botmaster performing such reconnaissance, we are able to compile a list of likely bots. This paper studies the prevalence of DNSBL reconnaissance observed at a mirror of a well-known blacklist for a 45-day period, identifies the means by which botmasters are performing reconnaissance, and suggests the possibility of using counter-intelligence to discover likely bots. We find that bots are performing reconnaissance on behalf of other bots. Based on this finding, we suggest counterintelligence techniques that may be useful for early bot
Can DNS-Based Blacklists Keep Up With Bots? (Short Paper)
Anirudh Ramachandran, David Dagon and Nick Feamster
Proceedings of the 3rd Conference on Email and Anti-Spam (CEAS)
Mountain View, CA, July 2006 [ppt talk slides].
Contact
Email:
avr@gatech.edu (Public Key)
-- Work-related mail only, please
Mail at
anirudhvr@gmail.com
for everything else.
Post:
Office: Room 3337, Klaus Advanced Computing Building, 266 Ferst Dr., Atlanta, GA - 30332
Office Phone: 404-894-6849, 404-894-6737