botnet_tzmodel_NDSS06 - Modeling Botnet Propagation Using...

Info iconThis preview shows pages 1–2. Sign up to view the full content.

View Full Document Right Arrow Icon

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Modeling Botnet Propagation Using Time Zones David Dagon 1 Cliff Zou 2 Wenke Lee 1 1 College of Computing, Georgia Institute of Technology, 801 Atlantic Dr., Atlanta, Georgia, USA 30332-0280 { dagon, wenke } 2 School of Computer Science, University of Central Florida, 4000 Central Florida Blvd. Orlando, FL 32816-2362 [email protected] Abstract Time zones play an important and unexplored role in malware epidemics. To understand how time and loca- tion affect malware spread dynamics, we studied botnets, or large coordinated collections of victim machines (zom- bies) controlled by attackers. Over a six month period we observed dozens of botnets representing millions of vic- tims. We noted diurnal properties in botnet activity, which we suspect occurs because victims turn their computers off at night. Through binary analysis, we also confirmed that some botnets demonstrated a bias in infecting regional pop- ulations. Clearly, computers that are offline are not infectious, and any regional bias in infections will affect the overall growth of the botnet. We therefore created a diurnal propagation model. The model uses diurnal shaping functions to capture regional variations in online vulnerable populations. The diurnal model also lets one compare propagation rates for different botnets, and prioritize response. Because of variations in release times and diurnal shaping functions particular to an infection, botnets released later in time may actually surpass other botnets that have an advanced start. Since response times for malware outbreaks is now mea- sured in hours, being able to predict short-term propagation dynamics lets us allocate resources more intelligently. We used empirical data from botnets to evaluate the analytical model. 1 Introduction Epidemiological models of malware propagation are maturing. Earlier work used simple susceptible-infected (SI) models to measure the total infected population over time [ZGT02]. Follow-up work significantly expanded this analysis to include patching behavior (resistance) in susceptible-infected-recovered (SIR) models [KRD04]. Despite these many improvements, much of our under- standing of computer worm epidemiology still relies on models created by the public health community in the 1920s [DG99]. Continued improvements in worm models will come from two areas: an improved understanding of the prob- lem domain, and improved ability to respond, which makes new factors relevant to a model. Improvements belong- ing to the first category can be found in more recent anal- ysis such as [SM04], which traced significant worm out- breaks, and [ZTGC05,WPSC03,WSP04], which examined a specific type of routed worm, and [ZTG04], which ex- amines specific types of propagation (e.g., e-mail). Model enhancements belonging to the second category are far fewer. So far, quarantine-based analysis has been the pri- mary response-oriented improvement to malware propaga- tion models [ZGT03,PBS...
View Full Document

This note was uploaded on 08/25/2011 for the course EEL 5937 taught by Professor Staff during the Spring '08 term at University of Central Florida.

Page1 / 15

botnet_tzmodel_NDSS06 - Modeling Botnet Propagation Using...

This preview shows document pages 1 - 2. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online