Remember Me
Or use your Academic/Social account:


Or use your Academic/Social account:


You have just completed your registration at OpenAire.

Before you can login to the site, you will need to activate your account. An e-mail will be sent to you with the proper instructions.


Please note that this site is currently undergoing Beta testing.
Any new content you create is not guaranteed to be present to the final version of the site upon release.

Thank you for your patience,
OpenAire Dev Team.

Close This Message


Verify Password:
Verify E-mail:
*All Fields Are Required.
Please Verify You Are Human:
fbtwitterlinkedinvimeoflicker grey 14rssslideshare1
Marnerides, A; Mauthe, A
Publisher: IEEE
Languages: English
Types: Unknown
Subjects: QA75, QA76
Botnets compose a major source of malicious activity over a network and their early identification and detection is considered as a top priority by security experts. The majority of botmasters rely heavily on a scan procedure in order to detect vulnerable hosts and establish their botnets via a command and control (C&C) server. In this paper we examine the statistical characteristics of the scan process invoked by the Mariposa and Zeus botnets and demonstrate the applicability of conditional entropy as a robust metric for profiling it using real pre-captured operational data. Our analysis conducted on real datasets demonstrates that the distributional behaviour of conditional entropy for Mariposa and Zeus-related scan flows differs significantly from flows manifested by the commonly used NMAP scans. In contrast with the typically used by attackers Stealth and Connect NMAP scans, we show that consecutive scanning flows initiated by the C&C servers of the examined botnets exhibit a high dependency between themselves in regards of their conditional entropy. Thus, we argue that the observation of such scan flows under our proposed scheme can sufficiently aid network security experts towards the adequate profiling and early identification of botnet activity.
  • The results below are discovered through our pilot algorithms. Let us know how we are doing!

    • [1] Barford, P., Blodgett, M., Toward Botnet Mesocosms. In Proceedings of the USENIX First Workshop on Hot Topics in Understanding Botnets (HotBots I), April, 2007
    • [2] Karasaridis, A., Rexroad, B., Hoeflin, D., Wide-scale Botnet Detection and characterisation, in Proceedings of the USENIX First Workshop on Hot Topics in Understanding Botnets, HotBots' 07, 2007
    • [3] Li, Z., Goyal, A., Chen, Y., , Honeynet-based Botnet Scan Traffic Analysis, in Journal Advances in Information Security, Springer, 2008
    • [4] Panjwani, S.; Tan, S.; Jarrin, K.M.; Cukier, Michel, "An experimental evaluation to determine if port scans are precursors to an attack," Dependable Systems and Networks, 2005. DSN 2005
    • [5] Defence Intelligence LTD, Technical Report : Mariposa Botnet Analysis , http://defintel.com/docs/Mariposa_Analysis.pdf
    • [6] Sinha, P., Boukhtouta, A., Belarde, V., H., Debbabi, M., Insights from the Analysis of the Mariposa Botnet, in Proceedings of the 5th International Conference on Risks and Security of Internet and Systems (CRiSIS) 2010
    • [7] Binsalleeh, H., Ormerod, T., Boukhtouta, A., Sinha, P., Youssef, A., Debbabi, M., Wang, L., "On the analysis of the Zeus botnet crimeware toolkit," Privacy Security and Trust (PST), 2010 Eighth Annual International Conference on , vol., no., pp.31,38, 17-19 Aug. 2010
    • [8] FBI Report on the GameOver Zeus botnet, FBI.gov, http://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnetdisrupted, 2014
    • [9] Lu, C. and Brooks, R., Botnet traffic detection using hidden Markov models. In the 7th Annual CSIIRW, Oak Ridge, TN, USA, 2011, Article 31,
    • [10] The Mawi working group : http://mawi.wide.ad.jp/mawi/
    • [11] SNORT Sourcefire Vulnerability Research Labs: http://labs.snort.org/
    • [12] The CAIDA UCSD Network Telescope “Patch Tuesday” Dataset 21-11-2008: http://www.caida.org/data/passive/telescope-patchtuesday_dataset.xml
  • No related research data.
  • Discovered through pilot similarity algorithms. Send us your feedback.

Share - Bookmark

Download from

Cite this article