A Probabilistic Population Study of the Conficker-C Botnet

Abstract

We estimate the number of active machines per hour infected with the Conficker-C worm, using a probability model of Conficker-C's UDP P2P scanning behavior. For an observer with access to a proportion of monitored IPv4 space, we derive the distribution of the number of times a single infected host is observed scanning the monitored space, based on a study of the P2P protocol, and on network and behavioral variability by relative hour of the day. We use these distributional results in conjunction with the Levy form of the Central Limit Theorem to estimate the total number of active hosts in a single hour. We apply the model to observed data from Conficker-C scans sent over a 51-day period (March 5th through April 24th, 2009) to a large private network.

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2010
Accession Number
AD1145892

Entities

People

  • Rhiannon Weaver

Organizations

  • Carnegie Mellon University

Tags

DTIC Thesaurus Topics

  • Bayesian Networks
  • Computational Science
  • Computer Science
  • Data Science
  • Engineering
  • Estimators
  • High Reliability
  • Infection
  • Information Science
  • Intervals
  • Models
  • Network Protocols
  • Networks
  • Probability
  • Probability Distributions
  • Simulations
  • Software Development
  • Statistical Algorithms
  • Statistical Inference
  • Theorems

Fields of Study

  • Mathematics

Readers

  • Cybersecurity.
  • Statistical inference.
  • Urban Planning and Geography.

Technology Areas

  • Space