DOI: 10.1145/1533057.1533063
Research article

Automating analysis of large-scale botnet probing events

Published: 10 March 2009

Abstract

Botnets dominate today's attack landscape. In this work we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer, using purely local observation, information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack?
Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.


    Published In

    ASIACCS '09: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
    March 2009
    408 pages
    ISBN:9781605583945
    DOI:10.1145/1533057

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. botnet
    2. global property extrapolation
    3. honeynet
    4. scan strategy inference
    5. situational awareness
    6. statistical inference

    Qualifiers

    • Research-article

    Conference

    Asia CCS 09

    Acceptance Rates

    Overall Acceptance Rate 418 of 2,322 submissions, 18%

    Cited By

    • (2023) A New Model for Testing IPv6 Fragment Handling. Computer Security – ESORICS 2023, pp. 277-294. DOI: 10.1007/978-3-031-51476-0_14. Online publication date: 25-Sep-2023.
    • (2021) Faulds: A Non-Parametric Iterative Classifier for Internet-Wide OS Fingerprinting. IEEE/ACM Transactions on Networking 29(5), pp. 2339-2352. DOI: 10.1109/TNET.2021.3088333. Online publication date: Oct-2021.
    • (2021) Profiling IoT Botnet Activity in the Wild. 2021 IEEE Global Communications Conference (GLOBECOM), pp. 1-6. DOI: 10.1109/GLOBECOM46510.2021.9686012. Online publication date: Dec-2021.
    • (2020) Stochastic Modeling, Analysis and Investigation of IoT-Generated Internet Scanning Activities. IEEE Networking Letters 2(3), pp. 159-163. DOI: 10.1109/LNET.2020.2998045. Online publication date: Sep-2020.
    • (2019) Big Data Sanitization and Cyber Situational Awareness: A Network Telescope Perspective. IEEE Transactions on Big Data 5(4), pp. 439-453. DOI: 10.1109/TBDATA.2017.2723398. Online publication date: 1-Dec-2019.
    • (2018) CSC-Detector: A System to Infer Large-Scale Probing Campaigns. IEEE Transactions on Dependable and Secure Computing 15(3), pp. 364-377. DOI: 10.1109/TDSC.2016.2593441. Online publication date: 1-May-2018.
    • (2017) Faulds. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 971-982. DOI: 10.1145/3133956.3133963. Online publication date: 30-Oct-2017.
    • (2017) The Role of Hosting Providers in Fighting Command and Control Infrastructure of Financial Malware. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 575-586. DOI: 10.1145/3052973.3053023. Online publication date: 2-Apr-2017.
    • (2017) A survey of botnet detection based on DNS. Neural Computing and Applications 28(7), pp. 1541-1558. DOI: 10.1007/s00521-015-2128-0. Online publication date: 1-Jul-2017.
    • (2016) Darknet as a Source of Cyber Intelligence: Survey, Taxonomy, and Characterization. IEEE Communications Surveys & Tutorials 18(2), pp. 1197-1227. DOI: 10.1109/COMST.2015.2497690. Online publication date: Oct-2017.
