Predicting future botnet addresses with uncleanliness

The increased use of botnets as an attack tool, and the awareness attackers have of blocking lists, leads to the question of whether we can effectively predict future bot locations. To that end, we introduce a network quality that we term uncleanliness: an indicator of the propensity for hosts in a network to be compromised by outside parties. We hypothesize that unclean networks will demonstrate two properties: spatial and temporal uncleanliness. Spatial uncleanliness is the tendency for compromised hosts to cluster more densely within unclean networks. Temporal uncleanliness is the tendency for unclean networks to contain compromised hosts for extended periods. We test for these properties by collating data from multiple indicators (spamming, phishing, scanning and botnet IRC log monitoring). We demonstrate evidence for both spatial and temporal uncleanliness. We further show evidence of cross-relationships among the datasets: botnet activity predicts spamming and scanning, while phishing activity appears to be unrelated to the other indicators.
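The two properties can be made concrete with a small per-prefix scoring routine. The following is an added illustration, not the paper's own metric or code: it groups constructed indicator records (day, indicator, host) by /24 block, measures spatial uncleanliness as the fraction of the block's addresses ever flagged and temporal uncleanliness as the number of distinct days the block contained a flagged host, and records which indicator feeds contributed. The record format, the /24 aggregation and the product used for ranking are assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample records (day, indicator, host) drawn from documentation
# address ranges; they are not real observations.
RECORDS = [
    (1, "spam", "203.0.113.5"), (1, "scan", "203.0.113.9"),
    (2, "botnet", "203.0.113.5"), (2, "spam", "203.0.113.77"),
    (3, "scan", "203.0.113.9"), (3, "spam", "203.0.113.130"),
    (1, "phish", "198.51.100.20"),
    (3, "spam", "192.0.2.40"),
]

def prefix_of(ip, length=24):
    """Map a host address to its enclosing /length block (assumed aggregation unit)."""
    return str(ip_network(f"{ip}/{length}", strict=False))

def uncleanliness(records, length=24):
    """Per-prefix spatial and temporal uncleanliness from (day, indicator, host) records."""
    hosts = defaultdict(set)   # prefix -> distinct flagged hosts
    days = defaultdict(set)    # prefix -> distinct days with a flagged host
    kinds = defaultdict(set)   # prefix -> indicator feeds that flagged it
    for day, kind, ip in records:
        p = prefix_of(ip, length)
        hosts[p].add(ip)
        days[p].add(day)
        kinds[p].add(kind)
    block_size = 2 ** (32 - length)
    scores = {}
    for p in hosts:
        d = sorted(days[p])
        scores[p] = {
            "spatial": len(hosts[p]) / block_size,   # density of flagged addresses
            "temporal_days": len(d),                 # how many days it stayed unclean
            "temporal_span": d[-1] - d[0] + 1,       # first-to-last observation window
            "indicators": sorted(kinds[p]),          # which feeds agreed on this block
        }
    return scores

def rank(scores):
    """Order prefixes so the densest, most persistent blocks come first (assumed combination)."""
    key = lambda p: scores[p]["spatial"] * scores[p]["temporal_days"]
    return sorted(scores, key=key, reverse=True)
```

A block that scores high on both axes is the kind of network the abstract suggests is worth watching before its next bot appears; a block flagged once on one day is weak evidence on its own.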
