Using failure information analysis to detect enterprise zombies

Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering

Volumn 19 LNICST, Issue , 2009, Pages 185-206

  Zhu, Zhaosheng ^a   Yegneswaran, Vinod ^b   Chen, Yan ^a  

^a Northwestern University   (United States)

^b SRI INTERNATIONAL   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

APPLICATION FAILURE; BOTNETS; EMPIRICAL STUDIES; ENTERPRISE NETWORKS; FAILURE ACTIVITY; FAILURE INFORMATION; FAILURE PATTERNS; MALWARES; NOVEL STRATEGIES; PROTOTYPE SYSTEM; REAL-WORLD APPLICATION; SELF-PROPAGATING; SYSTEM USE;

COMPUTER WORMS; FATIGUE OF MATERIALS; INDUSTRY; INFORMATION ANALYSIS; TELECOMMUNICATION NETWORKS;

FAILURE ANALYSIS;

EID: 84869596416     PISSN: 18678211     EISSN: None     Source Type: Book Series    
DOI: 10.1007/978-3-642-05284-2_11     Document Type: Conference Paper

References (44)

1. Data clustering, http://www.let.rug.nl/~kleiweg/clustering/
2. Entropy, http://en.wikipedia.org/wiki/Information-entropy
3. Gnu wget, http://www.gnu.org/software/wget/
4. Kademlia, http://en.wikipedia.org/wiki/Kademlia
5. L7-filter: Application Layer Packet Classifier for Linux, http://l7-filter.sourceforge.net/
6. Offensive Computing, Community Malicious code research and analysis, http://www.offensivecomputing.net/
7. Simple Exponential Smoothing, http://en.wikipedia.org/wiki/Exponential- smoothing
8. Wireshark: The World's Most Popular Network Protocol Analyzer, http://www.wireshark.org/
9. WEKA-Machine Learning Software in Java (2008), http://weka.wiki. sourceforge.net/Primer-?token=2b7a093d07966047b281eeec0da1b9fd
10. Bailey, M., Oberheide, J., Andersen, J., Mao, Z.M., Jahanian, F., Nazario, J.: Automated classification and analysis of internet malware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 178-197. Springer, Heidelberg (2007)
11. Bayer, U., Comparetti, P.M., Hlauscheck, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: Network and Distributed System Security Symposium, NDSS (2009)
12. Dagon, D., Zou, C., Lee, W.: Modeling botnet propagation using time zones. In: Network and Distributed System Security Symposium, NDSS (2006)
13. Moore, D., Shannon, C., Brown, J.: Code-Red: A case study on the spread and victims of an Internet worm. In: Proceedings of the Internet Measurement Workshop (2002)
14. Debar, H.: An Introduction to Intrusion Detection Systems. In: Proceedings of Connect (2000)
15. Estan, C., Savage, S., Varghese, G.: Automatically Inferring Patterns of Resource Consumption in Network Traffic. In: Proceedings of ACM SIGCOMM (2003)
16. F-Secure. Kapersky Security Bulletin 2008: Malware Evolution January - June 2008 (2008), http://www.viruslist.com/analysis?pubid=204792034
17. F-Secure. Calculating the Size of the Downadup Outbreak (2009), http://www.f-secure.com/weblog/archives/00001584.html
18. Fitzgerald, P.: Downadup: Geolocation, Fingerprinting and Piracy (2009), https://forums.symantec.com/t5/Malicious-Code/Downadup-Geo-location- Fingerprinting-and-Piracy/ba-p/380993
19. Gianvecchio, S., Xie, M., Wu, Z., Wang, H.: Measurement and classification of humans and bots in internet. In: USENIX Security (2008)
20. Goebel, J., Holz, T.: Rishi: Identify bot contaminated hosts by irc nickname evaluation. In: Hot Topics in Understanding Botnets (HotBots) (2007)
21. Grizzard, J.B., Sharma, V., Nunnery, C., Kang, B.B.: Peer-to-peer botnets: Overview and case study. In: Hot Topics in Understanding Botnets (HotBots) (2007)
22. Gu, G., Perdisci, R., Zhang, J., Lee, W.: Botminer: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 17th USENIX Security Symposium (2008)
23. Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: Detecting malware infection through IDS-driven dialog correlation. In: Proceedings of 16th USENIX Security Symposium (2007)
24. Gu, G., Zhang, J., Lee, W.: Botsniffer: Detecting botnet command and control channels in network traffic. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium, NDSS 2008 (2008)
25. Holz, T., Gorecki, C., Rieck, K., Freiling, F.C.: Measuring and detecting fast-flux service networks. In: NDSS (2008)
26. SRI International. Malware Threat Center (2008), http://mtc.sri.org
27. Javitz, H., Valdes, A.: The SRI IDES statistical anomaly detector. In: Proceedings of IEEE Symposium on Research in Security and Privacy (1991)
28. Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proceedings of the IEEE Symposium on Security and Privacy (2004)
29. Kandula, S., Chandra, R., Katabi, D.: What's going on? Learning communication rules in edge networks. In: Sigcomm (2008)
30. Livadas, C., Walsh, R., Lapsley, D., Strayer, W.T.: Using machine learning techniques to identify botnet traffic. In: Proc. IEEE LCN Workshop on Network Security, WoNS 2006 (2006)
31. Trend Micro. Trend Micro Threat Roundup and Forecast - 1H 2008 (2008), http://us.trendmicro.com/us/threats/enterprise/security-library/threat-reports/ index.html
32. Microsoft. Microsoft Security Bulletin MS08-067 - Critical (2008), http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
33. Moore, D., Voelker, G.M., Savage, S.: Inferring internet denial-of-service activity. In: Proceedings of the 10th Usenix Security Symposium (2001)
34. Pang, R., Allman, M., Bennett, M., Lee, J., Paxson, V., Tierney, B.: A first look at modern enterprise traffic. In: IMC (2005)
35. Pang, R., Yegneswaran, V., Barford, P., Paxson, V., Peterson, L.: Characteristics of Internet background radiation. In: Proceedings of the 4th ACM SIGCOMM Internet Measurement Conference (2004)
36. Paxson, V.: Bro: A system for detecting network intruders in real-time. In: Proceedings of the 7th USENIX Security Symposium, San Antonio, TX (January 1998)
37. Rousseeuw, P.: Silhouettes: a graphical aid to the interpretation and validation of cluster analysis. Journal of Computational and Applied Mathematics 20 (1987)
38. Plonka, D., Barford, P.: Context-aware clustering of dns query traffic. In: Proceedings of ACM Internet Measurement Conference (2008)
39. Plonka, D., Barford, P.: Context-aware Clustering of DNS Query Traffic. In: Proceedings of the 8th ACM SIGCOMM Internet Measurement Conference (2008)
40. Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: A multifaceted approach to understanding the botnet phenomenon. In: Proceedings of the 6th ACM SIGCOMM Internet Measurement Conference (2006)
41. Roesch, M.: The SNORT Network Intrusion Detection System (2002), http://www.snort.org
42. Vogt, R., Aycock, J., Jacobson Jr., M.J.: Army of botnets. In: Network and Distributed System Security Symposium, NDSS (2008)
43. Yegneswaran, V., Porras, P., Saidi, H., Sharif, M., Narayanan, A.: SRI's Multiper-spective Malware Infection Analysis Page (2009), http://www.cyber-ta. org/releases/malware-analysis/public/
44. Zdrnja, B., Brownlee, N., Wessels, D.: Passive Monitoring of DNS Anomalies (2007)