Diurnal models in botnet propagation
As introduced in the previous entry about the paper "Modeling Botnet Propagation Using Time Zones" by Dagon et al., there are diurnal patterns in botnet propagation. I also examined this phenomenon back in August last year. My data set is by no means as comprehensive as theirs and my analysis is rather unsophisticated, but the results are similar.
One of my nepenthes sensors is running within a Class B network (a /16 in CIDR notation) of a university. It is only reachable by hosts within this network and has no real connectivity to the Internet. It just serves as a kind of early-warning system to detect infected hosts within this network. Between July 6 and August 15, 2005, the sensor observed 580 suspicious connections, i.e., infection attempts by other machines. The following figure shows the distribution of the number of infection attempts by time of day.
As you can see, there are periods with fewer and periods with more connection attempts. Since the sensor is only reachable from machines within the same network, only those machines can cause infection attempts. This is important because all infection attempts are caused by computers in the same time zone, so we do not have to take time shifts into account. The distribution follows the sleep-wake rhythm of humans: during the night (especially between 3 and 5:30 am), the sensor receives almost no infection attempts. In the morning (7 until 9 am), people turn on their computers and the malware begins to spread. There is a spike during the working hours between 2 and 6 pm – presumably corresponding to people who use their infected computer. Between 6 and 9 pm, we again see a period of rather low activity, in which apparently only a few people use their computers. And before going to bed (around 10 pm), seemingly many people turn on their computer and connect to the Internet. The malware benefits from this situation and tries to spread further...
I also plotted the distribution over time, i.e., the number of infection attempts received per minute for the whole period:
There are days on which the sensor did not receive any suspicious traffic at all (e.g., July 17 and 18), but there are also periods in which we clearly see that a bot tries to spread aggressively, since the sensor receives many infection attempts in a short amount of time. The time between July 23 and July 31 is especially noticeable, since several pieces of malware propagate within the network during this period. This is something that is hard to model, because predicting propagation attempts over time is hard - a new vulnerability can quickly lead to increased botnet propagation...
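The two figures above (attempts per hour of day, and attempts per minute over the whole period) come down to binning sensor timestamps. As an added example, not code from the post or from nepenthes, the following script reproduces that binning over a constructed sample log (the line format, the hostnames and addresses, and the 5-minute/3-attempt burst rule are all assumptions) and additionally flags bursts of the kind seen between July 23 and July 31, where many attempts from inside the network land within a few minutes.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input (not the real nepenthes log format): one line per
# infection attempt, in the sensor's local time. The sensor is reachable only
# from one /16, so every timestamp is already in the same time zone.
SAMPLE_LOG = """\
2005-07-06 08:12:41 connection from 10.1.2.3:1058
2005-07-06 08:15:09 connection from 10.1.2.3:1061
2005-07-06 15:30:02 connection from 10.1.7.9:2200
2005-07-06 22:05:55 connection from 10.1.44.1:1030
2005-07-23 14:00:03 connection from 10.1.9.9:1100
2005-07-23 14:00:31 connection from 10.1.9.9:1104
2005-07-23 14:01:12 connection from 10.1.9.9:1111
2005-07-23 14:01:40 connection from 10.1.9.9:1119
2005-07-24 03:10:00 connection from 10.1.60.2:1500
"""

def parse_timestamps(log_text):
    """Extract the timestamp (first two fields) of every logged attempt."""
    stamps = []
    for line in log_text.splitlines():
        if line.strip():
            date, time = line.split()[:2]
            stamps.append(datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S"))
    return stamps

def hour_of_day_histogram(stamps):
    """Attempts per hour of day: 24 bins, the diurnal profile of the first figure."""
    hist = [0] * 24
    for ts in stamps:
        hist[ts.hour] += 1
    return hist

def per_minute_counts(stamps):
    """Attempts per calendar minute over the whole period (second figure)."""
    return Counter(ts.replace(second=0) for ts in stamps)

def burst_windows(stamps, window=timedelta(minutes=5), threshold=3):
    """Return (start, attempts) for each stretch with >= threshold attempts per window."""
    stamps = sorted(stamps)
    bursts, i, j = [], 0, 0
    while i < len(stamps):
        while j < len(stamps) and stamps[j] - stamps[i] < window:
            j += 1
        if j - i >= threshold:
            bursts.append((stamps[i], j - i))
            i = j  # resume after this burst so it is reported once
        else:
            i += 1
    return bursts
```

On the sample, the histogram peaks in the 14:00 hour and the only burst starts at 14:00:03 on July 23 with four attempts from one host inside the network.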