TY - JOUR
T1 - Towards situational awareness of large-scale botnet probing events
AU - Li, Zhichun
AU - Goyal, Anup
AU - Chen, Yan
AU - Paxson, Vern
N1 - Funding Information:
Manuscript received July 22, 2009; revised May 28, 2010; accepted September 11, 2010. Date of publication October 11, 2010; date of current version February 16, 2011. This work was supported in part by NSF Awards 0433702 and 0905631, in part by the DoD Young Investigator Award FA9550-07-1-0074, and in part by DoE Career award DE-FG02-05ER25692/A001. Opinions, findings, and conclusions or recommendations are those of the authors and do not necessarily reflect the views of the funding sources. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. R. Sekar.
PY - 2011/3
Y1 - 2011/3
N2 - Botnets dominate today's attack landscape. In this work, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale botnet probes. In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer, using purely local observation, information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.
AB - Botnets dominate today's attack landscape. In this work, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale botnet probes. In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer, using purely local observation, information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.
KW - Botnet
KW - computer network security
KW - global property extrapolation
KW - honeynet
KW - scan strategy inference
KW - site security monitoring
KW - situational awareness
KW - statistical inference
UR - http://www.scopus.com/inward/record.url?scp=79951817047&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=79951817047&partnerID=8YFLogxK
U2 - 10.1109/TIFS.2010.2086445
DO - 10.1109/TIFS.2010.2086445
M3 - Article
AN - SCOPUS:79951817047
SN - 1556-6013
VL - 6
SP - 175
EP - 188
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
IS - 1
M1 - 5599296
ER -