Automating analysis of large-scale botnet probing events

Zhichun Li*, Anup Goyal, Yan Chen, Vern Paxson

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

39 Scopus citations

Abstract

Botnets dominate today's attack landscape. In this work we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer, using purely local observation, information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.
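The abstract lists uniformity and coordination among the properties a sensor can test from its local view alone. The script below is an added illustration of what such local checks look like; it is not code from the paper, and the tests it uses (a chi-square test of destination spread over the monitored block, and the ratio of observed to expected pairwise overlap of per-source target sets) are the editor's choices, not the authors' methods. The sensor size (one /24), the bin count, the bot labels and the three constructed events are all assumptions.

```python
"""Local-view analysis of a coordinated probing event.

Added illustration, not the paper's code: a sensor watching one /24 records
probes as (source, destination offset 0..255) and asks two of the questions
named in the abstract: are probes spread uniformly over the block, and do
the sources appear to coordinate their choice of targets?
"""
from collections import Counter, defaultdict
from itertools import combinations

SENSOR_SIZE = 256          # one /24: the locally observable address space (assumed)
BINS = 16                  # 16-address bins for the chi-square test (df = 15)
CHI2_CRIT_DF15_P05 = 25.0  # chi-square 5% critical value for df = 15 (24.996)


def uniformity_chi2(dst_offsets):
    """Chi-square statistic of destinations against an even split over BINS.
    Returns (statistic, uniform_at_5pct)."""
    counts = Counter(d * BINS // SENSOR_SIZE for d in dst_offsets)
    expected = len(dst_offsets) / BINS
    stat = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(BINS))
    return stat, stat < CHI2_CRIT_DF15_P05


def coordination_ratio(targets_by_source):
    """Mean pairwise Jaccard overlap of the sources' target sets, divided by
    the overlap expected if each source drew its targets independently and
    uniformly from the block (ratio of expected intersection to expected
    union, an approximation). Near 1: independent scanners. Near 0: sources
    partition the block among themselves. Far above 1: a shared hit list."""
    sets = [s for s in targets_by_source.values() if s]
    if len(sets) < 2:
        return None
    observed, expected = [], []
    for a, b in combinations(sets, 2):
        observed.append(len(a & b) / len(a | b))
        e_inter = len(a) * len(b) / SENSOR_SIZE   # E|A∩B| for independent draws
        expected.append(e_inter / (len(a) + len(b) - e_inter))
    return (sum(observed) / len(observed)) / (sum(expected) / len(expected))


def analyze(probes):
    """probes: list of (source_id, dst_offset). Returns both checks."""
    by_source = defaultdict(set)
    for src, dst in probes:
        by_source[src].add(dst)
    stat, uniform = uniformity_chi2([dst for _, dst in probes])
    return {
        "sources": len(by_source),
        "probes": len(probes),
        "chi2": round(stat, 3),
        "uniform": uniform,
        "coordination_ratio": coordination_ratio(by_source),
    }


# Constructed events (synthetic, not honeynet data); bots are labelled b0, b1, ...
# 1. Four bots each sweep the whole /24 on their own.
SWEEP = [(f"b{i}", d) for i in range(4) for d in range(SENSOR_SIZE)]
# 2. Eight bots split the /24 into disjoint 32-address slices.
PARTITION = [(f"b{i}", d) for i in range(8) for d in range(i * 32, (i + 1) * 32)]
# 3. Six bots all probe the same three addresses (a shared hit list).
HITLIST = [(f"b{i}", d) for i in range(6) for d in (5, 17, 200)]

if __name__ == "__main__":
    for name, event in ("sweep", SWEEP), ("partition", PARTITION), ("hitlist", HITLIST):
        print(name, analyze(event))
```

Note that the partition and sweep events look identical to a test that only examines the aggregate destination distribution (both are perfectly uniform over the block); the per-source overlap is what separates a coordinated split of the space from independent sweeps, which is why a sensor needs both views.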

Original language: English (US)
Title of host publication: Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09
Pages: 11-22
Number of pages: 12
DOIs
State: Published - Dec 1 2009
Event: 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09 - Sydney, NSW, Australia
Duration: Mar 10 2009 to Mar 12 2009

Publication series

Name: Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09

Other

Other: 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09
Country/Territory: Australia
City: Sydney, NSW
Period: 3/10/09 to 3/12/09

Keywords

  • Botnet
  • Global property extrapolation
  • Honeynet
  • Scan strategy inference
  • Situational awareness
  • Statistical inference

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Computer Networks and Communications
  • Computer Science Applications
