[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
10.1145/1177080.1177086acmconferencesArticle/Chapter ViewAbstractPublication PagesimcConference Proceedingsconference-collections
Article

A multifaceted approach to understanding the botnet phenomenon

Published: 25 October 2006 Publication History

Abstract

The academic community has long acknowledged the existence of malicious botnets, however to date, very little is known about the behavior of these distributed computing platforms. To the best of our knowledge, botnet behavior has never been methodically studied, botnet prevalence on the Internet is mostly a mystery, and the botnet life cycle has yet to be modeled. Uncertainty abounds. In this paper, we attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic - 27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnet-related spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon.

References

[1]
Paul Baecher, Thorsten Holz, Markus Kötter, and Georg Wicherski. The Malware Collection Tool (mwcollect). Available at http://www.mwcollect.org/.
[2]
Paul Baecher, Markus Kötter, Thorsten Holz, Maximillian Dornseif, and Felix Freiling. The Nepenthes Platform: An Efficient Approach to Collect Malware. In Proceedings of the 9th International Symposium on Recent Advances in Intrusion Detection (RAID), Sept. 2006.
[3]
Paul Barford and Vinod Yagneswaran. An Inside Look at Botnets. To appear in Series: Advances in Information Security, Springer, 2006.
[4]
Clam AntiVirus. Available at http://www.clamav.net/.
[5]
Evan Cooke, Farnam Jahanian, and Danny McPherson. The Zombie Roundup: Understanding, Detecting, and Disturbing Botnets. In Proceedings of the first Workshop on Steps to Reducing Unwanted Traffic on the Internet (STRUTI), pages 39--44, July 2005.
[6]
David Dagon, Cliff Zou, and Wenke Lee. Modeling Botnet Propagation Using Time Zones. In Proceedings of the 13th Network and Distributed System Security Symposium NDSS, February 2006.
[7]
Edward W. Felten and Michael A. Schneider. Timing attacks on web privacy. In CCS '00: Proceedings of the 7th ACM conference on Computer and communications security, pages 25--32, New York, NY, USA, 2000. ACM Press.
[8]
Felix Freiling, Thorsten Holz, and Georg Wicherski. Botnet Tracking: Exploring a root-cause methodology to prevent denial-of-service attaks. In Proceedings of 10th European Symposium on Research in Computer Security, ESORICS, pages 319--335, September 2005.
[9]
Luis Grangeia. DNS Cache Snooping or Snooping the Cache for Fun and Profit, Available at http:www.//sysvalue.com/papers/DNS-Cache-Snooping/files/DNS_Cache_Snooping_1.1.pdf, 2004.
[10]
Honeyd Virtual Honeypot Framework, http://www.honeyd.org/.
[11]
IP2LOCATION, Bringing Geography to the Internet. Available at http://www.ip2location.com/.
[12]
M. St. Johns. RFC 1413: Identification protocol, January 1993.
[13]
C. Kalt. Internet Relay Chat: Client Protocol. RFC 2812 (Informational), April 2000.
[14]
Dan Kaminsky. Welcome to Planet Sony, http://www.doxpara.com/.
[15]
Eddie Kohler, Robert Morris, Benjie Chen, John Jannotti, and M. Frans Kaashoek. The Click Modular Router. ACM Transactions on Computer Systems, 18(3):263--297, 2000.
[16]
Willaim Metcalf. Snort In-line. Available at http://snort-inline.sourceforge.net/.
[17]
Alexandros Ntoulas, Junghoo Cho, and Christopher Olston. What's New on the Web? The Evolution of the Web from a Search Engine Perspective. In Proceedings of the 13th International World Wide Web (WWW) Conference, pages 1--12, 2004.
[18]
Larry Peterson, Tom Anderson, David Culler, and Timothy Roscoe. A Blueprint for Introducing Disruptive Technology into the Internet. SIGCOMM Computer Communication Reviews, 33(1):59--64, 2003.
[19]
Honeynet Project and Research Alliance. Know your enemy: Tracking Botnets, March 2005. See http://www.honeynet.org/papers/bots/.
[20]
Niels Provos. A virtual honeypot framework. In Proceedings of the USENIX Security Symposium, pages 1--14, August 2004.
[21]
Jeremy Sugerman, Ganesh Venkitachalam, and Beng-Hong Lim. Virtualizing IO Devices on VMware Workstation's Hosted Virtual Machine Monitor. In USENIX Annual Technical Conference, 2001. Available at http://www.vmware.com/.
[22]
The UnrealIRC Team. Unrealircd. See http://www.unrealircd.com/.
[23]
Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage. Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm. Proceedings of ACM SIGOPS Operating System Review, 39(5):148--162, 2005.
[24]
Nick Weaver Weidong Cui, Vern Paxson and Randy H. Katz. Protocol-Independent Adaptive Replay of Application Dialog. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb 2006.

Cited By

View all
  • (2024)Detection and Categorization of Conflict Flows Within SDN Environments using Machine Learning Approach2024 Second International Conference on Emerging Trends in Information Technology and Engineering (ICETITE)10.1109/ic-ETITE58242.2024.10493381(1-6)Online publication date: 22-Feb-2024
  • (2024)C-Frame: Characterizing and measuring in-the-wild CAPTCHA attacks2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00200(277-295)Online publication date: 19-May-2024
  • (2024)A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack DetectionIEEE Access10.1109/ACCESS.2024.341906812(89363-89383)Online publication date: 2024
  • Show More Cited By

Index Terms

  1. A multifaceted approach to understanding the botnet phenomenon

      Recommendations

      Comments

      Please enable JavaScript to view thecomments powered by Disqus.

      Information & Contributors

      Information

      Published In

      cover image ACM Conferences
      IMC '06: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
      October 2006
      356 pages
      ISBN:1595935614
      DOI:10.1145/1177080
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Sponsors

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 25 October 2006

      Permissions

      Request permissions for this article.

      Check for updates

      Author Tags

      1. botnets
      2. computer security
      3. malware
      4. network security

      Qualifiers

      • Article

      Conference

      IMC06
      Sponsor:
      IMC06: Internet Measurement Conference
      October 25 - 27, 2006
      Rio de Janeriro, Brazil

      Acceptance Rates

      Overall Acceptance Rate 277 of 1,083 submissions, 26%

      Contributors

      Other Metrics

      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • Downloads (Last 12 months)196
      • Downloads (Last 6 weeks)8
      Reflects downloads up to 11 Dec 2024

      Other Metrics

      Citations

      Cited By

      View all
      • (2024)Detection and Categorization of Conflict Flows Within SDN Environments using Machine Learning Approach2024 Second International Conference on Emerging Trends in Information Technology and Engineering (ICETITE)10.1109/ic-ETITE58242.2024.10493381(1-6)Online publication date: 22-Feb-2024
      • (2024)C-Frame: Characterizing and measuring in-the-wild CAPTCHA attacks2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00200(277-295)Online publication date: 19-May-2024
      • (2024)A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack DetectionIEEE Access10.1109/ACCESS.2024.341906812(89363-89383)Online publication date: 2024
      • (2024)Deep Learning Classification for Encrypted Botnet Traffic: Optimising Model Performance and Resource UtilisationSouth African Computer Science and Information Systems Research Trends10.1007/978-3-031-64881-6_1(3-29)Online publication date: 8-Jul-2024
      • (2023)EXPLORING THE LANDSCAPE OF SDN-BASED DDOS DEFENSE: A HOLISTIC EXAMINATION OF DETECTION AND MITIGATION APPROACHES, RESEARCH GAPS AND PROMISING AVENUES FOR FUTURE EXPLORATIONInternational Journal of Advanced Natural Sciences and Engineering Researches10.59287/ijanser.7267:4(327-349)Online publication date: 22-May-2023
      • (2023)Abuse of Cloud-Based and Public Legitimate Services as Command-and-Control (C&C) Infrastructure: A Systematic Literature ReviewJournal of Cybersecurity and Privacy10.3390/jcp30300273:3(558-590)Online publication date: 1-Sep-2023
      • (2023)Poster: P4DME: DNS Threat Mitigation with P4 In-Network Machine Learning OffloadProceedings of the 6th on European P4 Workshop10.1145/3630047.3630251(53-56)Online publication date: 8-Dec-2023
      • (2023)Towards Detecting Suspicious Features in IoT Botnet2023 7th International Conference on Trends in Electronics and Informatics (ICOEI)10.1109/ICOEI56765.2023.10125742(452-457)Online publication date: 11-Apr-2023
      • (2023)Detection of botnet in Machine Learning2023 International Conference on Disruptive Technologies (ICDT)10.1109/ICDT57929.2023.10151328(36-42)Online publication date: 11-May-2023
      • (2023)Feature Engineering Strategies in Machine Learning for Distinguishing Legitimate Traffic from Application Layer DDoS Attacks2023 2nd International Conference on Automation, Computing and Renewable Systems (ICACRS)10.1109/ICACRS58579.2023.10404755(1687-1693)Online publication date: 11-Dec-2023
      • Show More Cited By

      View Options

      Login options

      View options

      PDF

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Media

      Figures

      Other

      Tables

      Share

      Share

      Share this Publication link

      Share on social media