TY - GEN
T1 - Automating analysis of large-scale botnet probing events
AU - Li, Zhichun
AU - Goyal, Anup
AU - Chen, Yan
AU - Paxson, Vern
PY - 2009
Y1 - 2009
N2 - Botnets dominate today's attack landscape. In this work we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer, using purely local observation, information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.
AB - Botnets dominate today's attack landscape. In this work we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer, using purely local observation, information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.
KW - Botnet
KW - Global property extrapolation
KW - Honeynet
KW - Scan strategy inference
KW - Situational awareness
KW - Statistical inference
UR - http://www.scopus.com/inward/record.url?scp=77952395048&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77952395048&partnerID=8YFLogxK
U2 - 10.1145/1533057.1533063
DO - 10.1145/1533057.1533063
M3 - Conference contribution
AN - SCOPUS:77952395048
SN - 9781605583945
T3 - Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09
SP - 11
EP - 22
BT - Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09
T2 - 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09
Y2 - 10 March 2009 through 12 March 2009
ER -