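@comment{Two references normalised to classic-BibTeX conventions: @conference
  replaced by its canonical alias @inproceedings, author names in unambiguous
  "Last, First" form, page ranges with a double hyphen, bare DOIs, month macros
  instead of exporter date strings (the "2011///" month of 18551 carried no month
  and is dropped), and the ISSN of 18686 moved from the isbn field to issn.
  Citation keys are unchanged so existing citations keep resolving.}

@inproceedings{18551,
  author       = {Zhang, Junjie and Luo, Xiapu and Perdisci, Roberto and Gu, Guofei and Lee, Wenke and Feamster, Nick},
  title        = {Boosting the Scalability of Botnet Detection Using Adaptive Traffic Sampling},
  booktitle    = {Proceedings of the 6th {ACM} Symposium on Information, Computer and Communications Security},
  series       = {{ASIACCS} '11},
  year         = {2011},
  pages        = {124--134},
  publisher    = {ACM},
  organization = {ACM},
  address      = {New York, NY, USA},
  isbn         = {978-1-4503-0564-8},
  doi          = {10.1145/1966913.1966930},
  url          = {http://doi.acm.org/10.1145/1966913.1966930},
  keywords     = {adaptive sampling, botnet, intrusion detection, network security},
  abstract     = {Botnets pose a serious threat to the health of the Internet. Most current network-based botnet detection systems require deep packet inspection (DPI) to detect bots. Because DPI is a computational costly process, such detection systems cannot handle large volumes of traffic typical of large enterprise and ISP networks. In this paper we propose a system that aims to efficiently and effectively identify a small number of suspicious hosts that are likely bots. Their traffic can then be forwarded to DPI-based botnet detection systems for fine-grained inspection and accurate botnet detection. By using a novel adaptive packet sampling algorithm and a scalable spatial-temporal flow correlation approach, our system is able to substantially reduce the volume of network traffic that goes through DPI, thereby boosting the scalability of existing botnet detection systems. We implemented a proof-of-concept version of our system, and evaluated it using real-world legitimate and botnet-related network traces. Our experimental results are very promising and suggest that our approach can enable the deployment of botnet-detection systems in large, high-speed networks.},
}

@article{18686,
  author   = {Cukier, Michel and Panjwani, S.},
  title    = {Prioritizing Vulnerability Remediation by Determining Attacker-Targeted Vulnerabilities},
  journal  = {{IEEE} Security \& Privacy},
  volume   = {7},
  year     = {2009},
  month    = jan,
  pages    = {42--48},
  issn     = {1540-7993},
  doi      = {10.1109/MSP.2009.13},
  keywords = {attacker-targeted vulnerabilities, intrusion detection, malicious connections, security of data, vulnerability remediation, Windows service pack},
  abstract = {This article attempts to empirically analyze which vulnerabilities attackers tend to target in order to prioritize vulnerability remediation. This analysis focuses on the link between malicious connections and vulnerabilities, where each connection is considered malicious. Attacks requiring multiple connections are counted as multiple attacks. As the number of connections increases, so does the cost of recovering from the intrusion. The authors deployed four honey pots for four months, each running a different Windows service pack with its associated set of vulnerabilities. They then performed three empirical analyses to determine the relationship between the number of malicious connections and the total number of vulnerabilities, the number of malicious connections and the number of the vulnerabilities for different services, and the number of known successful attacks and the number of vulnerabilities for different services.},
}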