We estimate the number of active machines per hour infected with the Conficker-C worm, using a probability model of Conficker-C's UDP P2P scanning behavior. For an observer with access to a proportion δ of monitored IPv4 space, we derive the distribution of the number of times a single infected host is observed scanning the monitored space, based on a study of the P2P protocol, and on network and behavioral variability by relative hour of the day. We use these distributional results in conjunction with the Lévy form of the Central Limit Theorem to estimate the total number of active hosts in a single hour. We apply the model to observed data from Conficker-C scans sent over a 51-day period (March 5th through April 24th, 2009) to a large private network.