Behavioral analysis of zombie armies

Olivier Thonnard, Wim Mees, Marc Dacier

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

2 Citations (Scopus)

Abstract

Zombie armies, or botnets (large groups of compromised machines controlled remotely by the same entity), pose today a significant threat to national security. Recent cyber-conflicts have indeed demonstrated that botnets can be easily turned into digital weapons, which can be used by cybercriminals to attack the network resources of a country by performing simple Distributed Denial-of-Service (DDoS) attacks against critical web services. A deep understanding of the long-term behavior of botnet armies, and their strategic evolution, is thus a vital requirement to combat those latent threats effectively. In this paper, we show how to enable such a long-term, strategic analysis, and how to study the dynamic behaviors and the global characteristics of these complex, large-scale phenomena by applying different techniques from the area of knowledge discovery to attack traces collected on the Internet. We illustrate our method with some experimental results obtained from a set of worldwide distributed server honeypots, which have monitored attack activity in 18 different IP subnets for more than 640 days. Our preliminary results highlight several interesting findings, such as i) the strong resilience of zombie armies on the Internet, with survival times going up to several months; ii) the high degree of coordination among zombies; iii) the highly uneven spatial distribution of bots in a limited number of "unclean networks", and iv) the large proportion of home users' machines with high-speed Internet connections among the bot population.

Original language: English
Title of host publication: Cryptology and Information Security Series
Pages: 191-210
Number of pages: 20
Volume: 3
DOIs: https://doi.org/10.3233/978-1-60750-060-5-191
Publication status: Published - 2009
Externally published: Yes

Publication series

Name: Cryptology and Information Security Series
Volume: 3
ISSN (Print): 1871-6431
ISSN (Electronic): 1879-8101

Fingerprint

  • Internet
  • National security
  • Web services
  • Spatial distribution
  • Data mining
  • Servers
  • Botnet
  • Denial-of-service attack

Keywords

  • Intelligence monitoring
  • Threat analysis
  • Zombie armies

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems
  • Electrical and Electronic Engineering

Cite this

Thonnard, O., Mees, W., & Dacier, M. (2009). Behavioral analysis of zombie armies. In Cryptology and Information Security Series (Vol. 3, pp. 191-210). (Cryptology and Information Security Series; Vol. 3). https://doi.org/10.3233/978-1-60750-060-5-191

Behavioral analysis of zombie armies. / Thonnard, Olivier; Mees, Wim; Dacier, Marc.

Cryptology and Information Security Series. Vol. 3 2009. p. 191-210 (Cryptology and Information Security Series; Vol. 3).

Thonnard, O, Mees, W & Dacier, M 2009, Behavioral analysis of zombie armies. in Cryptology and Information Security Series. vol. 3, Cryptology and Information Security Series, vol. 3, pp. 191-210. https://doi.org/10.3233/978-1-60750-060-5-191
Thonnard O, Mees W, Dacier M. Behavioral analysis of zombie armies. In Cryptology and Information Security Series. Vol. 3. 2009. p. 191-210. (Cryptology and Information Security Series). https://doi.org/10.3233/978-1-60750-060-5-191
Thonnard, Olivier ; Mees, Wim ; Dacier, Marc. / Behavioral analysis of zombie armies. Cryptology and Information Security Series. Vol. 3 2009. pp. 191-210 (Cryptology and Information Security Series).
@inproceedings{92e74ae0ace24b5bbdf8e149352535c6,
title = "Behavioral analysis of zombie armies",
abstract = "Zombie armies, or botnets (large groups of compromised machines controlled remotely by the same entity), pose today a significant threat to national security. Recent cyber-conflicts have indeed demonstrated that botnets can be easily turned into digital weapons, which can be used by cybercriminals to attack the network resources of a country by performing simple Distributed Denial-of-Service (DDoS) attacks against critical web services. A deep understanding of the long-term behavior of botnet armies, and their strategic evolution, is thus a vital requirement to combat those latent threats effectively. In this paper, we show how to enable such a long-term, strategic analysis, and how to study the dynamic behaviors and the global characteristics of these complex, large-scale phenomena by applying different techniques from the area of knowledge discovery to attack traces collected on the Internet. We illustrate our method with some experimental results obtained from a set of worldwide distributed server honeypots, which have monitored attack activity in 18 different IP subnets for more than 640 days. Our preliminary results highlight several interesting findings, such as i) the strong resilience of zombie armies on the Internet, with survival times going up to several months; ii) the high degree of coordination among zombies; iii) the highly uneven spatial distribution of bots in a limited number of {"}unclean networks{"}, and iv) the large proportion of home users' machines with high-speed Internet connections among the bot population.",
keywords = "Intelligence monitoring, Threat analysis, Zombie armies",
author = "Olivier Thonnard and Wim Mees and Marc Dacier",
year = "2009",
doi = "10.3233/978-1-60750-060-5-191",
language = "English",
isbn = "9781607500605",
volume = "3",
series = "Cryptology and Information Security Series",
pages = "191--210",
booktitle = "Cryptology and Information Security Series",

}

TY - GEN

T1 - Behavioral analysis of zombie armies

AU - Thonnard, Olivier

AU - Mees, Wim

AU - Dacier, Marc

PY - 2009

Y1 - 2009

N2 - Zombie armies, or botnets (large groups of compromised machines controlled remotely by the same entity), pose today a significant threat to national security. Recent cyber-conflicts have indeed demonstrated that botnets can be easily turned into digital weapons, which can be used by cybercriminals to attack the network resources of a country by performing simple Distributed Denial-of-Service (DDoS) attacks against critical web services. A deep understanding of the long-term behavior of botnet armies, and their strategic evolution, is thus a vital requirement to combat those latent threats effectively. In this paper, we show how to enable such a long-term, strategic analysis, and how to study the dynamic behaviors and the global characteristics of these complex, large-scale phenomena by applying different techniques from the area of knowledge discovery to attack traces collected on the Internet. We illustrate our method with some experimental results obtained from a set of worldwide distributed server honeypots, which have monitored attack activity in 18 different IP subnets for more than 640 days. Our preliminary results highlight several interesting findings, such as i) the strong resilience of zombie armies on the Internet, with survival times going up to several months; ii) the high degree of coordination among zombies; iii) the highly uneven spatial distribution of bots in a limited number of "unclean networks", and iv) the large proportion of home users' machines with high-speed Internet connections among the bot population.

AB - Zombie armies, or botnets (large groups of compromised machines controlled remotely by the same entity), pose today a significant threat to national security. Recent cyber-conflicts have indeed demonstrated that botnets can be easily turned into digital weapons, which can be used by cybercriminals to attack the network resources of a country by performing simple Distributed Denial-of-Service (DDoS) attacks against critical web services. A deep understanding of the long-term behavior of botnet armies, and their strategic evolution, is thus a vital requirement to combat those latent threats effectively. In this paper, we show how to enable such a long-term, strategic analysis, and how to study the dynamic behaviors and the global characteristics of these complex, large-scale phenomena by applying different techniques from the area of knowledge discovery to attack traces collected on the Internet. We illustrate our method with some experimental results obtained from a set of worldwide distributed server honeypots, which have monitored attack activity in 18 different IP subnets for more than 640 days. Our preliminary results highlight several interesting findings, such as i) the strong resilience of zombie armies on the Internet, with survival times going up to several months; ii) the high degree of coordination among zombies; iii) the highly uneven spatial distribution of bots in a limited number of "unclean networks", and iv) the large proportion of home users' machines with high-speed Internet connections among the bot population.

KW - Intelligence monitoring

KW - Threat analysis

KW - Zombie armies

UR - http://www.scopus.com/inward/record.url?scp=78249290109&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=78249290109&partnerID=8YFLogxK

U2 - 10.3233/978-1-60750-060-5-191

DO - 10.3233/978-1-60750-060-5-191

M3 - Conference contribution

SN - 9781607500605

VL - 3

T3 - Cryptology and Information Security Series

SP - 191

EP - 210

BT - Cryptology and Information Security Series

ER -