Towards Situational Awareness of Large-Scale Botnet Probing Events
Title | Towards Situational Awareness of Large-Scale Botnet Probing Events |
Publication Type | Journal Article |
Year of Publication | 2011 |
Authors | Li, Z., Goyal A., Chen Y., & Paxson V. |
Published in | IEEE Transactions on Information Forensics and Security |
Volume | 6 |
Issue | 1 |
Page(s) | 175-188 |
Other Numbers | 3183 |
Abstract | Botnets dominate today's attack landscape. In this work, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale botnet probes. In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer, using purely local observation, information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy. Index Terms: Botnet, computer network security, global property extrapolation, honeynet, scan strategy inference, site security monitoring, situational awareness, statistical inference. |
Acknowledgment | This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS: 0433702 (Center for Internet Epidemiology and Defenses [CCIED]) and CNS: 0905631 ("Invigorating Empirical Network Research via Mediated trace Analysis"). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation. |
URL | http://www.icsi.berkeley.edu/pubs/networking/largescalebotnet11.pdf |
Bibliographic Notes | IEEE Transactions on Information Forensics and Security, Vol. 6, No. 1, pp. 175-188 |
Abbreviated Authors | Z. Li, A. Goyal, Y. Chen, and V. Paxson |
ICSI Research Group | Networking and Security |
ICSI Publication Type | Article in journal or magazine |