A botnet attacks victim hosts via multiple Command and Control (C&C) servers, which are controlled by a botmaster. This makes botnet attacks more difficult to detect and the source country of the botmaster harder to trace, because of the lack of logged data about the attacks. To locate the C&C servers during the malware/bot downloading phase, we have analyzed the source IP addresses of downloads to more than 90 independent honeypots in Japan in the CCC (Cyber Clean Center) dataset 2010, comprising over 1 million data records and almost 1 thousand malware names. Based on GeoIP services, a Time Zone Correlation model has been proposed to determine the correlation coefficient between bot downloads from Japan and from other source countries. We found a strong correlation between active malware/bot downloads and the time zone of the C&C servers. As a result, our model confirms that malware/bot downloads are synchronized with the time zone (country) of the corresponding C&C servers, so that the botmaster can possibly be traced.
Khamphao SISAAT (King Mongkut's Institute of Technology Ladkrabang)
Hiroaki KIKUCHI (Meiji University)
Shunji MATSUO (Fujitsu, Ltd.)
Masato TERADA (Hitachi, Ltd.)
Masashi FUJIWARA (Hitachi, Ltd.)
Surin KITTITORNKUN (King Mongkut's Institute of Technology Ladkrabang)
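The abstract describes the idea at a high level: resolve each download source to a country with a GeoIP service, bin the downloads by hour of day in that country's local time, and compute a correlation coefficient against the Japanese downloads. The following is an added illustration of that idea, not code from the paper or the CCC dataset; the GeoIP service is replaced by a small in-memory prefix table over RFC 5737 documentation addresses, the country codes XA and XB and their UTC offsets are placeholders, the download log is constructed, and Pearson correlation over 24 hourly bins is an assumed choice for the correlation coefficient. It shows the effect the abstract reports: the same events that look unrelated in UTC bins line up once each source is shifted into its own local time.

```python
"""
Constructed illustration of a time-zone correlation check: bin download events
by hour of day in the local time of the resolved source country and correlate
each country's hourly profile with Japan's. Assumptions (not from the paper):
GeoIP is a small in-memory prefix table, the records are constructed, and the
correlation coefficient is Pearson's r over 24 hourly bins.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Stand-in for a GeoIP lookup: prefix -> (country code, UTC offset in hours).
# RFC 5737 documentation prefixes and placeholder country codes; constructed.
GEOIP_TABLE = {
    ip_network("192.0.2.0/24"): ("JP", 9),     # Japan, UTC+9 (honeypot side)
    ip_network("198.51.100.0/24"): ("XA", 8),  # placeholder country at UTC+8
    ip_network("203.0.113.0/24"): ("XB", -5),  # placeholder country at UTC-5
}


def geoip_lookup(ip: str):
    """Return (country, utc_offset) for an address, or None if unresolvable."""
    addr = ip_address(ip)
    for net, info in GEOIP_TABLE.items():
        if addr in net:
            return info
    return None


# Constructed diurnal activity: 5 downloads per local hour 09-20, 1 otherwise.
LOCAL_PROFILE = [5 if 9 <= h <= 20 else 1 for h in range(24)]


def make_records():
    """Constructed download log of (utc_timestamp, source_ip) tuples.
    Every country follows LOCAL_PROFILE in its own local time, so the UTC
    timestamps are shifted by that country's offset."""
    records = []
    base = datetime(2010, 6, 1, tzinfo=timezone.utc)
    for net, (_cc, offset) in GEOIP_TABLE.items():
        ip = str(net[10])  # one constructed source address per prefix
        for local_hour, count in enumerate(LOCAL_PROFILE):
            utc_hour = (local_hour - offset) % 24
            for _ in range(count):
                records.append((base + timedelta(hours=utc_hour), ip))
    return records


def hourly_profiles(records, use_local_time=True):
    """24-bin hour-of-day histogram per country, in UTC or in local time."""
    profiles = defaultdict(lambda: [0] * 24)
    for ts, ip in records:
        info = geoip_lookup(ip)
        if info is None:
            continue  # unresolvable source: skip rather than guess a zone
        cc, offset = info
        hour = (ts.hour + (offset if use_local_time else 0)) % 24
        profiles[cc][hour] += 1
    return dict(profiles)


def pearson(x, y):
    """Pearson correlation of two equal-length sequences (0.0 if degenerate)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy) if sx and sy else 0.0


def correlate_with_japan(records, use_local_time=True, reference="JP"):
    """Correlation of every other country's hourly profile with the reference."""
    profiles = hourly_profiles(records, use_local_time)
    ref = profiles[reference]
    return {cc: round(pearson(ref, p), 3)
            for cc, p in profiles.items() if cc != reference}


if __name__ == "__main__":
    recs = make_records()
    print("UTC bins:  ", correlate_with_japan(recs, use_local_time=False))
    print("local bins:", correlate_with_japan(recs, use_local_time=True))
```

With the constructed profile, the country one hour from Japan already correlates well in UTC bins while the one fourteen hours away correlates negatively; after shifting each source into its own local time both profiles match Japan's exactly. The design point for a real dataset is that the per-country offset must come from the resolved source country, not from the honeypot's clock, and that sources the GeoIP lookup cannot resolve are dropped rather than assigned a default zone.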
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Khamphao SISAAT, Hiroaki KIKUCHI, Shunji MATSUO, Masato TERADA, Masashi FUJIWARA, Surin KITTITORNKUN, "Time Zone Correlation Analysis of Malware/Bot Downloads" in IEICE TRANSACTIONS on Communications,
vol. E96-B, no. 7, pp. 1753-1763, July 2013, doi: 10.1587/transcom.E96.B.1753.
URL: https://global.ieice.org/en_transactions/communications/10.1587/transcom.E96.B.1753/_p
@ARTICLE{e96-b_7_1753,
author={Khamphao SISAAT and Hiroaki KIKUCHI and Shunji MATSUO and Masato TERADA and Masashi FUJIWARA and Surin KITTITORNKUN},
journal={IEICE TRANSACTIONS on Communications},
title={Time Zone Correlation Analysis of Malware/Bot Downloads},
year={2013},
volume={E96-B},
number={7},
pages={1753-1763},
keywords={},
doi={10.1587/transcom.E96.B.1753},
ISSN={1745-1345},
month={July}
}
TY - JOUR
TI - Time Zone Correlation Analysis of Malware/Bot Downloads
T2 - IEICE TRANSACTIONS on Communications
SP - 1753
EP - 1763
AU - Khamphao SISAAT
AU - Hiroaki KIKUCHI
AU - Shunji MATSUO
AU - Masato TERADA
AU - Masashi FUJIWARA
AU - Surin KITTITORNKUN
PY - 2013
DO - 10.1587/transcom.E96.B.1753
JO - IEICE TRANSACTIONS on Communications
SN - 1745-1345
VL - E96-B
IS - 7
JA - IEICE TRANSACTIONS on Communications
Y1 - July 2013
ER -