The Heisenbot uncertainty problem: Challenges in separating bots from chaff

Chris Kanich; Kirill Levchenko; Brandon Enright; Geoffrey M. Voelker; Stefan Savage

The Heisenbot uncertainty problem: Challenges in separating bots from chaff

Chris Kanich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Stefan Savage

Research output: Contribution to conference › Paper › peer-review

Abstract

In this paper we highlight a number of challenges that arise in using crawling to measure the size, topology, and dynamism of distributed botnets. These challenges include traffic due to unrelated applications, address aliasing, and other active participants on the network such as poisoners. Based upon experience developing a crawler for the Storm botnet, we describe each of the issues we encountered in practice, our approach for managing the underlying ambiguity, and the kind of errors we believe it introduces into our estimates.

Original language	English (US)
State	Published - 2008
Externally published	Yes
Event	1st USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, LEET 2008 - San Francisco, United States Duration: Apr 15 2008 → …

Conference

Conference	1st USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, LEET 2008
Country	United States
City	San Francisco
Period	4/15/08 → …

ASJC Scopus subject areas

Information Systems
Artificial Intelligence
Computer Science Applications

Fingerprint Dive into the research topics of 'The Heisenbot uncertainty problem: Challenges in separating bots from chaff'. Together they form a unique fingerprint.

Cite this

The Heisenbot uncertainty problem : Challenges in separating bots from chaff. / Kanich, Chris; Levchenko, Kirill; Enright, Brandon; Voelker, Geoffrey M.; Savage, Stefan.

2008. Paper presented at 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, LEET 2008, San Francisco, United States.

Research output: Contribution to conference › Paper › peer-review

@conference{07f75aef279d4ccca700bb92fdd4760d,

title = "The Heisenbot uncertainty problem: Challenges in separating bots from chaff",

abstract = "In this paper we highlight a number of challenges that arise in using crawling to measure the size, topology, and dynamism of distributed botnets. These challenges include traffic due to unrelated applications, address aliasing, and other active participants on the network such as poisoners. Based upon experience developing a crawler for the Storm botnet, we describe each of the issues we encountered in practice, our approach for managing the underlying ambiguity, and the kind of errors we believe it introduces into our estimates.",

author = "Chris Kanich and Kirill Levchenko and Brandon Enright and Voelker, {Geoffrey M.} and Stefan Savage",

note = "Funding Information: Our thanks to Vern Paxson and Christian Kreibich for detailed discussions and feedback on investigating the Storm botnet, Joe Stewart of Secureworks for offering his insight into the workings of Storm, Erin Kenneally for advising us on legal issues, and to Gabriel Lawrence and Jim Madden for supporting this activity on UCSD{\textquoteright}s systems and networks. Our data collection was made possible by generous support from Cisco, Microsoft Research, Intel and UCSD{\textquoteright}s Center for Networked Systems, for which we are very grateful. This work was made possible by the National Science Foundation grant NSF-0433668. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.; 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, LEET 2008 ; Conference date: 15-04-2008",

year = "2008",

language = "English (US)",

}

TY - CONF

T1 - The Heisenbot uncertainty problem

T2 - 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, LEET 2008

AU - Kanich, Chris

AU - Levchenko, Kirill

AU - Enright, Brandon

AU - Voelker, Geoffrey M.

AU - Savage, Stefan

N1 - Funding Information: Our thanks to Vern Paxson and Christian Kreibich for detailed discussions and feedback on investigating the Storm botnet, Joe Stewart of Secureworks for offering his insight into the workings of Storm, Erin Kenneally for advising us on legal issues, and to Gabriel Lawrence and Jim Madden for supporting this activity on UCSD’s systems and networks. Our data collection was made possible by generous support from Cisco, Microsoft Research, Intel and UCSD’s Center for Networked Systems, for which we are very grateful. This work was made possible by the National Science Foundation grant NSF-0433668. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.

PY - 2008

Y1 - 2008

N2 - In this paper we highlight a number of challenges that arise in using crawling to measure the size, topology, and dynamism of distributed botnets. These challenges include traffic due to unrelated applications, address aliasing, and other active participants on the network such as poisoners. Based upon experience developing a crawler for the Storm botnet, we describe each of the issues we encountered in practice, our approach for managing the underlying ambiguity, and the kind of errors we believe it introduces into our estimates.

AB - In this paper we highlight a number of challenges that arise in using crawling to measure the size, topology, and dynamism of distributed botnets. These challenges include traffic due to unrelated applications, address aliasing, and other active participants on the network such as poisoners. Based upon experience developing a crawler for the Storm botnet, we describe each of the issues we encountered in practice, our approach for managing the underlying ambiguity, and the kind of errors we believe it introduces into our estimates.

UR - http://www.scopus.com/inward/record.url?scp=85084096724&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85084096724&partnerID=8YFLogxK

M3 - Paper

AN - SCOPUS:85084096724

Y2 - 15 April 2008

ER -