Automating analysis of large-scale botnet probing events

Botnets dominate today's attack landscape. In this work we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer---using purely local observation---information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminate attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.
