DocumentCode :
39051
Title :
Visualizing and Modeling the Scanning Behavior of the Conficker Botnet in the Presence of User and Network Activity
Author :
Weaver, Rhiannon
Author_Institution :
CERT Division, Carnegie Mellon Univ., Pittsburgh, PA, USA
Volume :
10
Issue :
5
fYear :
2015
fDate :
May-15
Firstpage :
1039
Lastpage :
1051
Abstract :
Translating behavioral information learned from analysis of a botnet's software in controlled environments to a model of how the botnet behaves in the wild is complicated by the fact that controlled environments do not account for a wide variety of user behavior, and that machines are not associated one-to-one with IP addresses. This paper presents a case study using published reports and pertinent visualizations to develop and evaluate a single-machine model of scanning behavior of the Conficker-C botnet, with a goal of understanding the global population of infected machines in light of user activity and IP address allocation.
Keywords :
IP networks; data visualisation; invasive software; Conficker-C botnet; IP address allocation; IP addresses; behavioral information translation; botnet software; network activity; scanning behavior modeling; scanning behavior visualization; single-machine model; user activity; Estimation; IP networks; Malware; Monitoring; Reverse engineering; Sociology; Statistics; Malware; Markov Chain Monte Carlo; Model Evaluation; Population Estimation; model evaluation; population estimation;
fLanguage :
English
Journal_Title :
Information Forensics and Security, IEEE Transactions on
Publisher :
IEEE
ISSN :
1556-6013
Type :
jour
DOI :
10.1109/TIFS.2015.2396478
Filename :
7024149