
ABSTRACT

A botnet is a collection of computers, connected to the internet, that interact to
accomplish some distributed task. Although such a collection of computers can be used for
useful and constructive applications, the term botnet typically refers to such a system designed
and used for illegal purposes. Such systems are composed of compromised machines that are
assimilated without their owners' knowledge. The compromised machines are referred to as drones
or zombies, and the malicious software running on them as a 'bot'.

Botnets dominate today’s attack landscape. In this project, we investigate ways to
analyze collections of malicious probing traffic in order to understand the significance of
large-scale “botnet probes.” In such events, an entire collection of remote hosts together probes
the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop
methodologies by which sites receiving such probes can infer, using purely local observation,
information about the probing activity: What scanning strategies does the probing employ?
Is this an attack that specifically targets the site, or is the site only incidentally probed as
part of a larger, indiscriminate attack? Our analysis draws upon extensive honeynet data to
explore the prevalence of different types of scanning, including properties such as trend,
uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate
the global properties of scanning events (e.g., total population and target scope) as inferred from
the limited local view of a honeynet. Cross-validating with data from DShield shows that our
inferences exhibit promising accuracy.
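
As an added illustration of the "uniformity" property named above (not code from the project itself), the sketch below bins the destination addresses a sensor saw during one probing event and applies a chi-square goodness-of-fit test against an even spread. The sensor range, the bin count, the 5% significance level and both sample events are assumptions constructed for the example; the abstract does not say which statistic the authors use.

```python
import ipaddress

BINS = 8                    # assumption: split the monitored range into 8 equal slices
CHI2_CRIT_DF7_P05 = 14.067  # chi-square critical value, 7 degrees of freedom, alpha = 0.05

def bin_counts(dsts, network):
    """Count probes per equal-sized slice of the monitored range."""
    net = ipaddress.ip_network(network)
    base, size = int(net.network_address), net.num_addresses
    counts = [0] * BINS
    for dst in dsts:
        off = int(ipaddress.ip_address(dst)) - base
        if 0 <= off < size:          # ignore probes outside the sensor's range
            counts[off * BINS // size] += 1
    return counts

def chi_square_uniform(counts):
    """Chi-square statistic of observed counts against an even spread."""
    total = sum(counts)
    if total == 0:
        raise ValueError("no probes fell inside the monitored range")
    expected = total / len(counts)
    return sum((c - expected) ** 2 / expected for c in counts)

def looks_uniform(dsts, network):
    """Return (is_uniform, statistic) for one probing event."""
    stat = chi_square_uniform(bin_counts(dsts, network))
    return stat <= CHI2_CRIT_DF7_P05, stat

# Constructed sample data: a documentation range (RFC 5737) stands in for the honeynet.
SENSOR_NET = "192.0.2.0/24"
# Event A: 64 probes spread evenly over the whole monitored range.
UNIFORM_EVENT = [f"192.0.2.{i}" for i in range(0, 256, 4)]
# Event B: 64 probes confined to the first quarter of the range.
CONCENTRATED_EVENT = [f"192.0.2.{i}" for i in range(0, 64)]

if __name__ == "__main__":
    for name, event in (("A", UNIFORM_EVENT), ("B", CONCENTRATED_EVENT)):
        ok, stat = looks_uniform(event, SENSOR_NET)
        print(f"event {name}: chi2={stat:.1f} uniform={ok}")
```

A statistic above the critical value only says the local view is skewed; it does not by itself distinguish a targeted event from a scanner that skips parts of the range for other reasons.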
