Modeling Botnet Propagation Using Time Zones
I read this paper the other night while traveling; it's pretty good. It's an early stage analysis, but an interesting finding nonetheless.

Time zones play an important and unexplored role in malware epidemics. To understand how time and location affect malware spread dynamics, we studied botnets, or large coordinated collections of victim machines (zombies) controlled by attackers. Over a six month period we observed dozens of botnets representing millions of victims. We noted diurnal properties in botnet activity, which we suspect occurs because victims turn their computers off at night. Through binary analysis, we also confirmed that some botnets demonstrated a bias in infecting regional populations.

Modeling Botnet Propagation Using Time Zones, David Dagon, Cliff Zou, Wenke Lee.

Clearly, computers that are offline are not infectious, and any regional bias in infections will affect the overall growth of the botnet. We therefore created a diurnal propagation model. The model uses diurnal shaping functions to capture regional variations in online vulnerable populations.
The diurnal model also lets one compare propagation rates for different botnets, and prioritize response. Because of variations in release times and diurnal shaping functions particular to an infection, botnets released later in time may actually surpass other botnets that have an advanced start. Since response times for malware outbreaks are now measured in hours, being able to predict short-term propagation dynamics lets us allocate resources more intelligently. We used empirical data from botnets to evaluate the analytical model.
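
An added sketch of the diurnal effect described in the abstract, not code from the paper or from this post: a single-region infection model in which the online fraction alpha(t) scales both the infected hosts that can scan and the vulnerable hosts that can be reached. The sinusoidal alpha, the rate beta, the population size and the two release scenarios are constructed assumptions, chosen to show how the ranking of two outbreaks at a given response hour depends on diurnal phase.

```python
import math

def online_fraction(utc_hour, tz_offset, low=0.2, high=1.0, peak_local=14.0):
    """Diurnal shaping function alpha(t): share of hosts powered on.
    Assumed sinusoid peaking at 14:00 local time (constructed, not measured)."""
    local = (utc_hour + tz_offset) % 24
    mid, amp = (high + low) / 2, (high - low) / 2
    return mid + amp * math.cos(2 * math.pi * (local - peak_local) / 24)

def simulate(release_utc, tz_offset, hours, beta=0.8, n=100_000, i0=10,
             steps_per_hour=100):
    """Infected hosts at each whole UTC hour 0..hours (0 before release).
    release_utc is a whole hour; integration is forward Euler."""
    infected, series = 0.0, []
    dt = 1 / steps_per_hour
    for step in range(hours * steps_per_hour + 1):
        if step == release_utc * steps_per_hour:
            infected = float(i0)          # outbreak starts with i0 hosts
        if step % steps_per_hour == 0:
            series.append(infected)
        a = online_fraction(step * dt, tz_offset)
        # Offline hosts neither scan nor get infected, so alpha appears twice.
        infected += dt * beta * (a * infected) * (a * (n - infected)) / n
    return series

def leader_by_hour(early, late):
    """Which outbreak is larger at each hour: 'early', 'late' or 'tie'."""
    return ["early" if e > l else "late" if l > e else "tie"
            for e, l in zip(early, late)]

if __name__ == "__main__":
    # Constructed scenarios: one outbreak starts at local midnight (UTC+0),
    # the other six hours later in a region where it is 14:00 local (UTC+8).
    early = simulate(release_utc=0, tz_offset=0, hours=24)
    late = simulate(release_utc=6, tz_offset=8, hours=24)
    leaders = leader_by_hour(early, late)
    for h in (6, 12, 18, 24):
        print(f"hour {h:2d} UTC  early={early[h]:9.0f}  late={late[h]:9.0f}"
              f"  leader={leaders[h]}")
```

With these assumed parameters the outbreak released six hours later is the larger one at hour 12, while the earlier one is ahead again by hour 24, so which outbreak deserves priority depends on when the comparison is made.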
February 8, 2006 in modeling, papers