Geographical displays are commonly used for visualizing widespread malicious behavior of Internet hosts. Placing dots on a world map or coloring regions by the magnitude of activity often results in cluttered maps that invariably emphasize population-dense metropolitan areas in developed countries where Internet connectivity is highest. To uncover atypical regions, it is necessary to normalize activity by the local computer population. This paper presents EMBER (Extreme Malicious Behavior viewER), an analysis and display of malicious activity at the city level. EMBER uses a metric called Standardized Incidence Rate (SIR), the number of hosts exhibiting malicious behavior per 100,000 available hosts. This metric relies on available data that (1) maps IP addresses to geographic locations, (2) provides current city populations, and (3) provides computer usage penetration rates. Analysis of several months of suspicious source IP addresses from DShield identifies cities with extremely high and low malicious activity rates on a day-by-day basis. In general, cities in a few Eastern European countries have the highest SIRs, whereas cities in Japan and South Korea have the lowest. Many of these results are consistent with news reports describing local cyber security policies. A simulation that models how malware spreads preferentially within cities to local IP addresses replicates the long-tailed distribution of city SIRs that was found in the data. This simulation result agrees with past analyses in suggesting that malware often preferentially spreads to local regions with already high levels of malicious activity.
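The following is an added example, not code from the EMBER paper or its authors, showing how the SIR normalization described in the abstract changes which cities stand out. It assumes three hypothetical lookup tables (an IP-prefix-to-city map, city populations, and computer penetration rates) and a constructed list of suspicious source IPs in the style of a DShield feed; all three cities, prefixes and numbers are made up for illustration.

```python
"""Standardized Incidence Rate (SIR) per city from geolocated suspicious IPs.

Added example (not the EMBER project's code). The geolocation table,
populations, penetration rates and the IP feed below are all constructed.
"""
from ipaddress import ip_address, ip_network

PER = 100_000  # SIR is expressed per 100,000 available hosts

# Constructed geolocation table: prefix -> city (assumption, not real data).
GEO = [
    (ip_network("203.0.113.0/24"), "Metropolis"),
    (ip_network("198.51.100.0/24"), "Smalltown"),
    (ip_network("192.0.2.0/24"), "Harbor"),
]
# Constructed city populations and computer-penetration rates
# (fraction of residents who have a computer).
POPULATION = {"Metropolis": 5_000_000, "Smalltown": 40_000, "Harbor": 800_000}
PENETRATION = {"Metropolis": 0.80, "Smalltown": 0.25, "Harbor": 0.50}

# Constructed suspicious-source feed: many repeats of one host, one
# address that no prefix covers, and far more hits from the big city.
SAMPLE_IPS = (
    [f"203.0.113.{i}" for i in range(1, 41)]      # 40 distinct Metropolis hosts
    + ["203.0.113.7"] * 3                           # one noisy host seen again
    + [f"198.51.100.{i}" for i in range(10, 15)]  # 5 distinct Smalltown hosts
    + [f"192.0.2.{i}" for i in range(1, 9)]       # 8 distinct Harbor hosts
    + ["10.0.0.1"]                                  # unmapped, dropped
)


def city_of(ip):
    """Map an IP to a city via the prefix table; None if unmapped."""
    addr = ip_address(ip)
    for net, city in GEO:
        if addr in net:
            return city
    return None


def available_hosts(city):
    """Denominator of the SIR: residents times penetration rate."""
    return POPULATION[city] * PENETRATION[city]


def malicious_hosts_by_city(ips):
    """Count distinct suspicious source IPs per city (a repeat counts once)."""
    seen = {}
    for ip in ips:
        city = city_of(ip)
        if city is not None:
            seen.setdefault(city, set()).add(ip)
    return {city: len(hosts) for city, hosts in seen.items()}


def sir(malicious, city):
    """Malicious hosts per 100,000 available hosts in the city."""
    return malicious * PER / available_hosts(city)


def rank(ips, min_available=1_000):
    """Return raw counts, SIRs, and the two city orderings they induce.

    Cities with fewer than min_available hosts are excluded: a handful of
    hits over a tiny denominator produces an unstable, misleading SIR.
    """
    counts = malicious_hosts_by_city(ips)
    counts = {c: n for c, n in counts.items() if available_hosts(c) >= min_available}
    sirs = {c: sir(n, c) for c, n in counts.items()}
    by_count = sorted(counts, key=counts.get, reverse=True)
    by_sir = sorted(sirs, key=sirs.get, reverse=True)
    return counts, sirs, by_count, by_sir


if __name__ == "__main__":
    counts, sirs, by_count, by_sir = rank(SAMPLE_IPS)
    print("ranked by raw count:", by_count)
    print("ranked by SIR:      ", by_sir)
    for city in by_sir:
        print(f"{city:11s} hosts={counts[city]:3d} SIR={sirs[city]:6.1f}")
```

On the constructed feed the raw count ranks Metropolis first, exactly the population-density bias the abstract describes; normalizing by available hosts moves Smalltown to the top (50 per 100,000) and Metropolis to the bottom (1 per 100,000). The `min_available` cutoff is an assumption of this example, not part of the paper's definition, added because the per-100,000 rate is only as trustworthy as its denominator.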