How Many Malicious Scanners Are in the Internet?
Given multiple independent access logs, we try to identify how many malicious hosts there are in the Internet. Our model of the number of malicious hosts is formalized as a function taking two inputs: the duration of sensing and the number of sensors. Under some simplifying assumptions, by fitting the function to experimental data observed at three sensors over 13 weeks, we identify the size of the set of malicious hosts and the average number of scans they perform routinely. The main results of our study are as follows: the total number of malicious hosts that periodically perform port scans is from 4,900 to 96,000, the malicious host density is about 1 out of 15,000 hosts, and an average malicious host performs 78 port scans per second.