EMBER: a global perspective on extreme malicious behavior

Geographical displays are commonly used for visualizing widespread malicious behavior of Internet hosts. Placing dots on a world map or coloring regions by the magnitude of activity often results in cluttered maps that invariably emphasize population-dense metropolitan areas in developed countries, where Internet connectivity is highest. To uncover atypical regions, it is necessary to normalize activity by the local computer population. This paper presents EMBER (Extreme Malicious Behavior viewER), an analysis and display of malicious activity at the city level. EMBER uses a metric called the Standardized Incidence Rate (SIR), the number of hosts exhibiting malicious behavior per 100,000 available hosts. This metric relies on available data that (1) maps IP addresses to geographic locations, (2) provides current city populations, and (3) provides computer usage penetration rates. Analysis of several months of suspicious source IP addresses from DShield identifies cities with extremely high and low malicious activity rates on a day-by-day basis. In general, cities in a few Eastern European countries have the highest SIRs, whereas cities in Japan and South Korea have the lowest. Many of these results are consistent with news reports describing local cyber security policies. A simulation that models how malware spreads preferentially within cities to local IP addresses replicates the long-tailed distribution of city SIRs found in the data. This simulation result agrees with past analyses in suggesting that malware often preferentially spreads to local regions with already high levels of malicious activity.
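The SIR computation described above, as an added worked example that is not EMBER's own code. It assumes that "available hosts" in a city is the city population multiplied by its computer penetration rate (the abstract lists those two inputs but does not spell out the product), that distinct source IP addresses stand in for distinct hosts, and that each IP can be mapped to a city by a prefix lookup. The geolocation table, city statistics and DShield-style records are constructed sample data, and the minimum-denominator threshold used when ranking cities is an assumption added here, since a city with only a few thousand available hosts changes its rate by a large step with every additional reported host.

```python
"""Standardized Incidence Rate (SIR) per city per day, in the style of EMBER.

Added example, not code from the EMBER paper. All data below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PER_HOSTS = 100_000  # SIR is expressed per 100,000 available hosts

# Constructed IP-to-city mapping (stand-in for a geolocation database).
GEO = [
    (ip_network("203.0.113.0/24"), "CityA"),
    (ip_network("198.51.100.0/24"), "CityB"),
    (ip_network("192.0.2.0/24"), "CityC"),
]

# Constructed city statistics: population and computer penetration in percent.
CITIES = {
    "CityA": {"population": 2_000_000, "penetration_pct": 50},
    "CityB": {"population": 300_000, "penetration_pct": 20},
    "CityC": {"population": 40_000, "penetration_pct": 10},
}

# Constructed DShield-style feed: (date, suspicious source IP).
RECORDS = [
    ("2010-01-01", "203.0.113.10"),
    ("2010-01-01", "203.0.113.10"),   # same host reported twice: counted once
    ("2010-01-01", "203.0.113.11"),
    ("2010-01-01", "198.51.100.5"),
    ("2010-01-01", "198.51.100.6"),
    ("2010-01-01", "198.51.100.7"),
    ("2010-01-01", "192.0.2.8"),
    ("2010-01-01", "10.0.0.1"),       # not in the geo table: dropped
    ("2010-01-02", "192.0.2.8"),
    ("2010-01-02", "192.0.2.9"),
]


def geolocate(ip: str):
    """Longest-prefix-free lookup: first matching network wins (table has no overlaps)."""
    addr = ip_address(ip)
    for net, city in GEO:
        if addr in net:
            return city
    return None


def available_hosts(city: str) -> int:
    """Assumed denominator: population scaled by computer penetration rate."""
    c = CITIES[city]
    return c["population"] * c["penetration_pct"] // 100


def daily_sir(records):
    """Return {date: {city: SIR}} counting distinct malicious hosts per city and day."""
    hosts = defaultdict(set)  # (date, city) -> set of distinct source IPs
    for date, ip in records:
        city = geolocate(ip)
        if city is None:
            continue  # unmappable address cannot be normalized, so it is skipped
        hosts[(date, city)].add(ip)
    out = defaultdict(dict)
    for (date, city), ips in hosts.items():
        out[date][city] = len(ips) * PER_HOSTS / available_hosts(city)
    return dict(out)


def extremes(sir_by_city, min_available=10_000):
    """(highest, lowest) SIR city among cities whose denominator is large enough
    for the rate to be stable. The threshold is an assumption of this example."""
    eligible = {c: s for c, s in sir_by_city.items()
                if available_hosts(c) >= min_available}
    if not eligible:
        return None, None
    return max(eligible, key=eligible.get), min(eligible, key=eligible.get)


if __name__ == "__main__":
    for date, by_city in sorted(daily_sir(RECORDS).items()):
        hi, lo = extremes(by_city)
        print(date, {c: round(s, 2) for c, s in by_city.items()}, "high:", hi, "low:", lo)
```

Running it shows why the normalization matters: CityA reports the most suspicious hosts in absolute terms on the first day but has the lowest SIR, while the small CityC has the highest raw rate and is excluded from the ranking because its denominator is too small for the rate to mean much.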
