Automating analysis of large-scale botnet probing events
Full text: PDF (839 KB)

Source: ASIAN ACM Symposium on Information, Computer and Communications Security. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, Sydney, Australia.
Session: Network security-I
Pages: 11-22
Year of publication: 2009
ISBN: 978-1-60558-394-5
Authors:
Zhichun Li, Northwestern University, Evanston, IL
Anup Goyal, Northwestern University, Evanston, IL
Yan Chen, Northwestern University, Evanston, IL
Vern Paxson, UC Berkeley & ICSI, Berkeley, CA

Sponsor: SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher: ACM, New York, NY, USA
Bibliometrics: Downloads (6 weeks): 44; Downloads (12 months): 179; Citation count: 0
DOI: http://doi.acm.org/10.1145/1533057.1533063

ABSTRACT

Botnets dominate today's attack landscape. In this work we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer, using purely local observation, information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack?

Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.

