Using uncleanliness to predict future botnet addresses

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Using uncleanliness to predict future botnet addresses

Full text

Pdf (364 KB)

Source

Internet Measurement Conference archive
Proceedings of the 7th ACM SIGCOMM conference on Internet measurement table of contents

San Diego, California, USA

SESSION: Security and anomaly detection table of contents

Pages: 93 - 104

Year of Publication: 2007

ISBN:978-1-59593-908-1

Authors

M. Patrick Collins	CERT, Pittsburgh, PA
Timothy J. Shimeall	CERT, Pittsburgh, PA
Sidney Faber	CERT, Pittsburgh, PA
Jeff Janies	CERT, Pittsburgh, PA
Rhiannon Weaver	CERT, Pittsburgh, PA
Markus De Shon	CERT, Pittsburgh, PA
Joseph Kadane	Carnegie Mellon University, Pittsburgh, PA

Sponsors

SIGCOMM: ACM Special Interest Group on Data Communication
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 28, Downloads (12 Months): 320, Citation Count: 1

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTex EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1298306.1298319 What is a DOI?

ABSTRACT

The increased use of botnets as an attack tool and the awareness attackers have of blocking lists leads to the question of whether we can effectively predict future bot locations. To that end, we introduce a network quality that we term uncleanliness: an indicator of the propensity for hosts in a network to be compromised by outside parties.

We hypothesize that unclean networks will demonstrate two properties: spatial and temporal uncleanliness. Spatial uncleanliness is the tendency for compromised hosts to cluster within unclean networks. Temporal uncleanliness is the tendency for unclean networks to contain compromised hosts for extended periods.

We test for these properties by collating data from multiple indicators (spamming, phishing, scanning and botnet IRC log monitoring). We demonstrate evidence for both spatial and temporal uncleanliness. We further show evidence for cross-relationship between the various datasets, showing that botnet activity predicts spamming and scanning, while phishing activity appears to be unrelated to the other indicators.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	CastleCops. Castlecops phishing incident reporting & termination (PIRT) squad. Accessible at http://www.castlecops.com/pirt, fetched on January 29th, 2007.
	2	M. Collins, C. Gates, and G. Kataria. A model for opportunistic network exploits: The case of P2P worms. In Proceedings of the 2006 Workshop on Economics and Information Security, 2006.
	3	M. Collins and M. Reiter. An empirical analysis of target-resident DoS filters. In Proceedings of the 2004 IEEE Symposium on Security and Privacy, 2004. May 9-12, 2004.
	4	Duncan Cook , Jacky Hartnett , Kevin Manderson , Joel Scanlan, Catching spam before it arrives: domain specific dynamic blacklists, Proceedings of the 2006 Australasian workshops on Grid computing and e-research, p.193-202, January 16-19, 2006, Hobart, Tasmania, Australia
	5	F. Freiling, T. Holz, and G. Wicherski. Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks. In Proceedings of the 2005 European Symposium on Research in Computer Security, 2005.
	6	C. Gates, J. McNutt, J. Kadane, and M. Kellner. Detecting scans at the ISP level. Technical Report CMU/SEI-2006-TR-005, Software Engineering Institute, 2006.
	7	Carrie Gates , Joshua J. McNutt , Joseph B. Kadane , Marc I. Kellner, Scan Detection on Very Large Networks Using Logistic Regression Modeling, Proceedings of the 11th IEEE Symposium on Computers and Communications, p.402-408, June 26-29, 2006 [doi>10.1109/ISCC.2006.142]
	8	T. Holz. Learning more about attack patterns with honeypots. In Sicherheit 2006: Sicherheit - Schutz und Zuverlässigkeit, Beiträge der 3. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.v. (GI), 20.--22. Februar 2006 in Magdeburg, 2006.
	9	Thorsten Holz , Simon Marechal , Frederic Raynal, New Threats and Attacks on the World Wide Web, IEEE Security and Privacy, v.4 n.2, p.72-75, March 2006 [doi>10.1109/MSP.2006.46]
	10	Jaeyeon Jung , Balachander Krishnamurthy , Michael Rabinovich, Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites, Proceedings of the 11th international conference on World Wide Web, May 07-11, 2002, Honolulu, Hawaii, USA [doi>10.1145/511446.511485]
	11	J. Jung, V. Paxson, A. Berger, and H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. In IEEE Symposium on Security and Privacy 2004, Oakland, CA, May 2004.
	12	Jaeyeon Jung , Emil Sit, An empirical study of spam traffic and the use of DNS black lists, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy [doi>10.1145/1028788.1028838]
	13	Eddie Kohler , Jinyang Li , Vern Paxson , Scott Shenker, Observed structure of addresses in IP traffic, IEEE/ACM Transactions on Networking (TON), v.14 n.6, p.1207-1218, December 2006 [doi>10.1109/TNET.2006.886288]
	14	Balachander Krishnamurthy , Jia Wang, On network-aware clustering of Web clients, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.97-110, August 28-September 01, 2000, Stockholm, Sweden
	15	B. Laurie and R. Clayton. Proof-of-work proves not to work. In Proceedings of the 2004 Workshop on Economics and Information Security, 2004.
	16	Elias Levy, The Making of a Spam Zombie Army: Dissecting the Sobig Worms, IEEE Security and Privacy, v.1 n.4, p.58-59, July 2003 [doi>10.1109/MSECP.2003.1219071]
	17	John McHugh , Carrie Gates, Locality: a new paradigm for thinking about normal behavior and outsider threat, Proceedings of the 2003 workshop on New security paradigms, August 18-21, 2003, Ascona, Switzerland [doi>10.1145/986655.986657]
	18	Jelena Mirkovic , Gregory Prier , Peter L. Reiher, Attacking DDoS at the Source, Proceedings of the 10th IEEE International Conference on Network Protocols, p.312-321, November 12-15, 2002
	19	K. Plößl, H. Federrath, and T. Nowey. Protection mechanisms against phishing attacks. In Proceedings of the second annual conference on Trust, Privacy and Security in Digital Business, volume 3592 of Lecture Notes in Computer Science, August 2005.
	20	The Spamhaus Project. Zen blocklist. Available at http://www.spamhaus.org/zen, Fetched on January 29th,2007.
	21	Moheeb Abu Rajab , Jay Zarfoss , Fabian Monrose , Andreas Terzis, A multifaceted approach to understanding the botnet phenomenon, Proceedings of the 6th ACM SIGCOMM conference on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil [doi>10.1145/1177080.1177086]
	22	Anirudh Ramachandran , Nick Feamster , David Dagon, Revealing botnet membership using DNSBL counter-intelligence, Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet, p.8-8, July 07, 2006, San Jose, CA
	23	Bleeding Edge Threats. Bleeding snort ruleset. Available at http://www.bleedingsnort.com/index.php/about-bleeding-edge-threats/all-bleeding-edge-threats-signatures/, Fetched on January 29th, 2007.
	24	P. Walt. Agencies feel botnets' light footprint. Government Computer News, January 2007.