• DocumentCode
    39051
  • Title

    Visualizing and Modeling the Scanning Behavior of the Conficker Botnet in the Presence of User and Network Activity

  • Author

    Weaver, Rhiannon

  • Author_Institution
    CERT Division, Carnegie Mellon Univ., Pittsburgh, PA, USA
  • Volume
    10
  • Issue
    5
  • fYear
    2015
  • fDate
    May-15
  • Firstpage
    1039
  • Lastpage
    1051
  • Abstract
    Translating behavioral information learned from analysis of a botnet's software in controlled environments to a model of how the botnet behaves in the wild is complicated by the fact that controlled environments do not account for a wide variety of user behavior, and that machines are not associated one-to-one with IP addresses. This paper presents a case study using published reports and pertinent visualizations to develop and evaluate a single-machine model of scanning behavior of the Conficker-C botnet, with a goal of understanding the global population of infected machines in light of user activity and IP address allocation.
  • Keywords
    IP networks; data visualisation; invasive software; Conficker-C botnet; IP address allocation; IP addresses; behavioral information translation; botnet software; network activity; scanning behavior modeling; scanning behavior visualization; single-machine model; user activity; Estimation; IP networks; Malware; Monitoring; Reverse engineering; Sociology; Statistics; Malware; Markov Chain Monte Carlo; Model Evaluation; Population Estimation; model evaluation; population estimation;
  • fLanguage
    English
  • Journal_Title
    Information Forensics and Security, IEEE Transactions on
  • Publisher
    ieee
  • ISSN
    1556-6013
  • Type

    jour

  • DOI
    10.1109/TIFS.2015.2396478
  • Filename
    7024149