Towards Situational Awareness of Large-Scale Botnet Probing Events

Title: Towards Situational Awareness of Large-Scale Botnet Probing Events
Publication Type: Journal Article
Year of Publication: 2011
Authors: Li, Z., Goyal A., Chen Y., & Paxson V.
Published in: IEEE Transactions on Information Forensics and Security
Other Numbers: 3183

Botnets dominate today's attack landscape. In this work, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes." In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer, using purely local observation, information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.

Index Terms: Botnet, computer network security, global property extrapolation, honeynet, scan strategy inference, site security monitoring, situational awareness, statistical inference.


This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS: 0433702 (“Center for Internet Epidemiology and Defenses [CCIED]”) and CNS: 0905631 ("Invigorating Empirical Network Research via Mediated trace Analysis"). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.

Bibliographic Notes

IEEE Transactions on Information Forensics and Security, Vol. 6, No. 1, pp. 175-188

Abbreviated Authors

Z. Li, A. Goyal, Y. Chen, and V. Paxson

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in journal or magazine