Time Zone Correlation Analysis of Malware/Bot Downloads
-
- SISAAT Khamphao
- Faculty of Engineering, King Mongkut's Institute of Technology Ladkrabang
-
- KIKUCHI Hiroaki
- Department of Frontier Media Science, School of Interdisciplinary Mathematical Sciences, Meiji University
-
- MATSUO Shunji
- Fujitsu, Ltd.
-
- TERADA Masato
- Hitachi Incident Response Team (HIRT), Hitachi, Ltd.
-
- FUJIWARA Masashi
- Hitachi Incident Response Team (HIRT), Hitachi, Ltd.
-
- KITTITORNKUN Surin
- Faculty of Engineering, King Mongkut's Institute of Technology Ladkrabang
Description
A botnet attacks any Victim Hosts via the multiple Command and Control (C&C) Servers, which are controlled by a botmaster. This makes it more difficult to detect the botnet attacks and harder to trace the source country of the botmaster due to the lack of the logged data about the attacks. To locate the C&C Servers during malware/bot downloading phase, we have analyzed the source IP addresses of downloads to more than 90 independent Honeypots in Japan in the CCC (Cyber Clean Center) dataset 2010 comprising over 1 million data records and almost 1 thousand malware names. Based on GeoIP services, a Time Zone Correlation model has been proposed to determine the correlation coefficient between bot downloads from Japan and other source countries. We found a strong correlation between active malware/bot downloads and time zone of the C&C Servers. As a result, our model confirms that malware/bot downloads are synchronized with time zone (country) of the corresponding C&C Servers so that the botmaster can be possibly traced.
Journal
-
- IEICE Transactions on Communications
-
IEICE Transactions on Communications E96.B (7), 1753-1763, 2013
The Institute of Electronics, Information and Communication Engineers
- Tweet
Details 詳細情報について
-
- CRID
- 1390282679351544576
-
- NII Article ID
- 130003370226
-
- ISSN
- 17451345
- 09168516
-
- Text Lang
- en
-
- Data Source
-
- JaLC
- Crossref
- CiNii Articles
-
- Abstract License Flag
- Disallowed