On Wed, Mar 04, 2009 at 10:20:06AM +0100, Florian Weimer wrote:
> * Alexander K. Seewald:
>> The gist: Based on a darknet (i.e. unused IP addresses), we analyze incoming packets and classify them into (currently eight) different spambot types based on learned idiosyncrasies of packet and protocol, and reference data (currently by Marshall).
>
> Why do you expect bots to touch dark address space?

Sorry, I did not mean dark address space, but unused IP addresses. Bots touch this for proliferation purposes.

> Or put differently, I think any approach based on darkspace monitoring significantly restricts the types of bots you can detect.

In last year's project with a small 256 IP darknet, we were able to detect about half of the spambot types from our reference data very well. Paper should be ready in a few weeks.

The advantage is that it is a purely passive approach which cannot be detected (i.e. the unused IP address looks exactly like an unused IP address - we don't even send out SYN packets like other darknet approaches), and it tracks the bot's proliferation function which is primary to their functionality (at least for those parts of the bot population which proliferate - there might be parts with specialized functions outside which we would be unable to detect with our system).

Best,
Alex

-- 
Dr. Alexander K. Seewald
Seewald Solutions
www.seewald.at
Tel. +43(664)1106886
Fax. +43(1)2533033/2764
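As an added illustration of the approach discussed in this exchange (this is not Seewald's system or code, and the bot family names, reference fingerprints, dark addresses and sample packets below are all constructed), the following Python sketch shows the shape of a purely passive darknet classifier: it keeps only unsolicited packets addressed to the unused addresses, reduces each to a fingerprint of header idiosyncrasies (inferred initial TTL, TCP window, flags, option order, destination port), matches that against learned per-family reference profiles, and labels each source by majority vote. It also includes the check a defender would want for the "looks exactly like an unused address" property: any packet *sourced* from a dark address means the sensor answered, which would make it detectable.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal header summary of one captured packet (constructed, not a pcap parser)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    ttl: int        # TTL as observed on the wire
    flags: str      # TCP flags, e.g. "S" for a bare SYN
    window: int     # TCP window size
    options: tuple  # TCP option kinds in order, e.g. ("mss", "nop", "nop", "sackOK")


# Constructed unused addresses (TEST-NET-1) standing in for the darknet.
DARKNET = frozenset({"192.0.2.10", "192.0.2.11"})


def initial_ttl(ttl: int) -> int:
    """Infer the sender's initial TTL (a stack idiosyncrasy) from the observed one
    by rounding up to the next common default."""
    for base in (32, 64, 128, 255):
        if ttl <= base:
            return base
    return 255


# Constructed reference profiles: the header idiosyncrasies each hypothetical
# family shows when it probes new hosts. In a real deployment these are learned
# from labelled reference data rather than written by hand.
REFERENCE = {
    "bot-A": {"proto": "tcp", "dport": 25, "flags": "S", "ittl": 128,
              "window": 65535, "options": ("mss", "nop", "nop", "sackOK")},
    "bot-B": {"proto": "tcp", "dport": 25, "flags": "S", "ittl": 64,
              "window": 5840, "options": ("mss", "sackOK", "ts", "nop", "wscale")},
    "bot-C": {"proto": "tcp", "dport": 445, "flags": "S", "ittl": 128,
              "window": 16384, "options": ("mss",)},
}


def fingerprint(pkt: Packet) -> dict:
    """Reduce a packet to the features the reference profiles are keyed on."""
    return {"proto": pkt.proto, "dport": pkt.dport, "flags": pkt.flags,
            "ittl": initial_ttl(pkt.ttl), "window": pkt.window, "options": pkt.options}


def classify(pkt: Packet) -> str:
    """Return the first reference family whose profile matches on every feature."""
    fp = fingerprint(pkt)
    for name, ref in REFERENCE.items():
        if all(fp[key] == value for key, value in ref.items()):
            return name
    return "unknown"


def darknet_only(packets):
    """Keep only unsolicited traffic addressed to the dark addresses."""
    return [p for p in packets if p.dst in DARKNET]


def passivity_violations(packets):
    """Packets *from* a dark address mean the sensor replied (e.g. sent a SYN/ACK),
    which would let a scanner tell the address apart from a truly unused one."""
    return [p for p in packets if p.src in DARKNET]


def label_sources(packets) -> dict:
    """Majority label per source over the darknet traffic it sent."""
    votes = defaultdict(Counter)
    for p in darknet_only(packets):
        votes[p.src][classify(p)] += 1
    return {src: counts.most_common(1)[0][0] for src, counts in votes.items()}


# Constructed sample capture: two probes from one bot-A-like host, one bot-B-like
# probe, an unknown probe, a packet to a live (non-dark) address, and one
# deliberately faulty packet where the sensor itself answered.
SAMPLE = [
    Packet("198.51.100.5", "192.0.2.10", "tcp", 25, 117, "S", 65535, ("mss", "nop", "nop", "sackOK")),
    Packet("198.51.100.5", "192.0.2.11", "tcp", 25, 121, "S", 65535, ("mss", "nop", "nop", "sackOK")),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 25, 52, "S", 5840, ("mss", "sackOK", "ts", "nop", "wscale")),
    Packet("198.51.100.9", "192.0.2.11", "tcp", 80, 60, "S", 8192, ("mss",)),
    Packet("198.51.100.9", "192.0.2.50", "tcp", 25, 60, "S", 8192, ("mss",)),   # live address, ignored
    Packet("192.0.2.10", "198.51.100.5", "tcp", 25, 64, "SA", 65535, ("mss",)),  # sensor replied: fault
]

if __name__ == "__main__":
    for src, label in sorted(label_sources(SAMPLE).items()):
        print(f"{src:15} -> {label}")
    for bad in passivity_violations(SAMPLE):
        print(f"passivity violation: {bad.src} -> {bad.dst} flags={bad.flags}")
```

The exact-match rule is the simplest possible matcher; with real reference data one would tolerate partial matches (for example, scoring features and requiring a threshold) and add per-source behavioural features such as the order in which dark addresses are probed, since a family's proliferation pattern is as much a fingerprint as its TCP stack.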