
A Probabilistic Population Study of the Conficker-C Botnet

By Rhiannon Weaver

Abstract

We estimate the number of active machines per hour infected with the Conficker-C worm, using a probability model of Conficker-C’s UDP P2P scanning behavior. For an observer with access to a proportion δ of monitored IPv4 space, we derive the distribution of the number of times a single infected host is observed scanning the monitored space, based on a study of the P2P protocol, and on network and behavioral variability by relative hour of the day. We use these distributional results in conjunction with the Lévy form of the Central Limit Theorem to estimate the total number of active hosts in a single hour. We apply the model to observed data from Conficker-C scans sent over a 51-day period (March 5th through April 24th, 2009) to a large private network.

Topics: Botnets, Conficker, Population Estimation, Probability Models, Central Limit Theorem
Year: 2010
OAI identifier: oai:CiteSeerX.psu:10.1.1.180.4953
Provided by: CiteSeerX