TY - GEN
T1 - Behavioral analysis of zombie armies
AU - Thonnard, Olivier
AU - Mees, Wim
AU - Dacier, Marc
PY - 2009
Y1 - 2009
N2 - Zombie armies, or botnets (large groups of compromised machines controlled remotely by the same entity), pose today a significant threat to national security. Recent cyber-conflicts have indeed demonstrated that botnets can easily be turned into digital weapons, which cybercriminals can use to attack the network resources of a country by performing simple Distributed Denial-of-Service (DDoS) attacks against critical web services. A deep understanding of the long-term behavior of botnet armies, and of their strategic evolution, is thus a vital requirement for combating these latent threats effectively. In this paper, we show how to enable such a long-term, strategic analysis, and how to study the dynamic behaviors and global characteristics of these complex, large-scale phenomena by applying different techniques from the area of knowledge discovery to attack traces collected on the Internet. We illustrate our method with experimental results obtained from a set of worldwide distributed server honeypots, which have monitored attack activity in 18 different IP subnets for more than 640 days. Our preliminary results highlight several interesting findings, such as i) the strong resilience of zombie armies on the Internet, with survival times of up to several months; ii) the high degree of coordination among zombies; iii) the highly uneven spatial distribution of bots, concentrated in a limited number of "unclean networks"; and iv) the large proportion of home users' machines with high-speed Internet connections among the bot population.
KW - Intelligence monitoring
KW - Threat analysis
KW - Zombie armies
UR - http://www.scopus.com/inward/record.url?scp=78249290109&partnerID=8YFLogxK
U2 - 10.3233/978-1-60750-060-5-191
DO - 10.3233/978-1-60750-060-5-191
M3 - Conference contribution
AN - SCOPUS:78249290109
SN - 9781607500605
T3 - Cryptology and Information Security Series
SP - 191
EP - 210
BT - The Virtual Battlefield
PB - IOS Press
ER -