Abstract
We estimate the number of active machines per hour infected with the Conficker-C worm, using a probability model of Conficker-C’s UDP P2P scanning behavior. For an observer with access to a proportion δ of monitored IPv4 space, we derive the distribution of the number of times a single infected host is observed scanning the monitored space, based on a study of the P2P protocol, and on network and behavioral variability by relative hour of the day. We use these distributional results in conjunction with the Lévy form of the Central Limit Theorem to estimate the total number of active hosts in a single hour. We apply the model to observed data from Conficker-C scans sent over a 51-day period (March 5th through April 24th, 2009) to a large private network.
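The estimator sketched in the abstract can be illustrated with a deliberately simplified model. The block below is an added example and not code from the paper; it assumes that each infected host emits a fixed number k of UDP scans per hour, that each scan lands in the observer's monitored space independently with probability δ (so the per-host observation count is Binomial(k, δ)), and that hosts are independent. The paper's own model derives the per-host distribution from the Conficker-C P2P protocol and lets it vary by relative hour of the day; none of that refinement is reproduced here. Under the stated assumptions, the total number of observed hits T in an hour is a sum of N i.i.d. per-host counts, so the Central Limit Theorem gives a normal approximation for T and hence a point estimate and confidence interval for N. The simulation helper and its parameters are constructed for the example.

```python
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass
class PopulationEstimate:
    """Point estimate and approximate (1 - alpha) CLT interval for N."""
    n_hat: float
    ci_low: float
    ci_high: float


def observations_per_host(scans_per_hour: int, delta: float) -> tuple[float, float]:
    """Mean and variance of the number of times ONE infected host is seen
    scanning the monitored space in an hour.

    Simplifying assumption (not the paper's derived distribution): each of
    the host's k scans hits the monitored delta fraction of IPv4 space
    independently, so the count is Binomial(k, delta).
    """
    if not 0.0 < delta <= 1.0:
        raise ValueError("delta must be the monitored proportion in (0, 1]")
    mean = scans_per_hour * delta
    var = scans_per_hour * delta * (1.0 - delta)
    return mean, var


def estimate_population(
    total_observed: int, scans_per_hour: int, delta: float, z: float = 1.96
) -> PopulationEstimate:
    """Estimate the number N of active infected hosts in one hour from the
    total number of observed hits T.

    With X_i i.i.d. per-host counts (mean mu, variance sigma^2),
    T = sum_{i=1..N} X_i has E[T] = N mu and Var(T) = N sigma^2.
    The CLT gives T approx Normal(N mu, N sigma^2), so
    N_hat = T / mu and se(N_hat) = sqrt(N_hat sigma^2) / mu.
    """
    mu, var = observations_per_host(scans_per_hour, delta)
    n_hat = total_observed / mu
    se = math.sqrt(n_hat * var) / mu
    return PopulationEstimate(n_hat, max(0.0, n_hat - z * se), n_hat + z * se)


def simulate_hour(n_hosts: int, scans_per_hour: int, delta: float, seed: int) -> int:
    """Constructed ground truth: N hosts each send k scans to uniformly random
    IPv4 targets; return how many scans an observer of a delta fraction sees."""
    rng = random.Random(seed)
    total = 0
    for _ in range(n_hosts):
        # Number of this host's k scans that land in the monitored space.
        total += sum(1 for _ in range(scans_per_hour) if rng.random() < delta)
    return total


if __name__ == "__main__":
    # Hypothetical parameters: 5000 active hosts, 50 scans/host/hour,
    # observer covers 2% of the address space.
    true_n, k, delta = 5000, 50, 0.02
    t = simulate_hour(true_n, k, delta, seed=1)
    est = estimate_population(t, k, delta)
    print(f"observed hits T={t}, N_hat={est.n_hat:.0f}, "
          f"95% CI [{est.ci_low:.0f}, {est.ci_high:.0f}], true N={true_n}")
```

The standard error shows why coverage matters: with δ small, each host contributes on average only kδ hits, and the relative error of N̂ scales like 1/√(N k δ), so a small monitored network needs many hours of data (or a larger δ) before the interval becomes useful. The real population study has to replace the Binomial assumption with the per-host distribution actually induced by the scanner, which is what the paper derives.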
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Weaver, R. (2010). A Probabilistic Population Study of the Conficker-C Botnet. In: Krishnamurthy, A., Plattner, B. (eds) Passive and Active Measurement. PAM 2010. Lecture Notes in Computer Science, vol 6032. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12334-4_19
DOI: https://doi.org/10.1007/978-3-642-12334-4_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-12333-7
Online ISBN: 978-3-642-12334-4