andthatthosecompromisedhostswouldberestoredtoanuncompromisedstatequick - PDF document

andthatthosecompromisedhostswouldberestoredtoanuncompromisedstatequickly.Conversely,machinesinin-stitutionBwouldbereachedbyalargernumberofattacks,andcompromisedhostsmaynotbenoticedorrepaireduntillongafterthecompromisehastakenplace.InstitutionB'snetworkisunclean.Wecanobservetheuncleanlinessofanetworkbyexamin-ingitsresult.Ifahostiscompromised,weexpectthattheattackerwilluseitto,amongotheractivities,spam,scanandDDoSotherhosts.Ifuncleanlinessisanetwork-specicproperty,weexpectthatcompromisedhostswillclusterinspecicnetworks,whichwecanidentifyviathephenomenaofspatialandtemporaluncleanliness.Weemphasizethatuncleanlinessisanetworkproperty:hostsarecompromised,networksareunclean.Wedenespatialuncleanlinessasthetendencyforcom-promisedhoststoclusterinuncleannetworks.Spatialun-cleanlinessimpliesthatifweseeahostengagedinhostileactivity(suchasscanning),wehaveagoodchanceofnd-inganotherIPaddressinthesamenetworkengagedinhos-tileactivity.Wewilltestforspatialuncleanlinessbyex-aminingtheclusteringofaddresseswithinnetworks.Ifourhypothesisaboutspatialuncleanlinessiscorrect,thenwewouldexpectasetofcompromisedaddressestoberesideinfewerequallysizednetworksthanaddresseschosenatrandomfromapopulationre ectingthestructureoftheInternet.Wedenetemporaluncleanlinessasthetendencyforcom-promisedhoststorepeatedlyappearinthesamenetworksovertime.Temporaluncleanlinessimpliesthatifahostiscompromised,thenotherhostswithinthatnetworkwillbecompromisedinthefuture.Wewilltestfortemporalun-cleanlinessbyexaminingtheabilityofuncleannetworkstopredictfuturehostcompromises.Ifourhypothesisabouttemporaluncleanlinessiscorrect,thennetworkscontainingcompromisedhostswillpredictfuturecompromisedhostsmoreaccuratelythanequallysizednetworkschosenatran-dom.Figure1explainsourintuitionforspatialandtemporaluncleanliness.Thisgureshowstwoplots:theuppercountsthenumberofuniquehostsscanningalargenetworkfromJanuarytoApril,2006.ThelowerplotisaplotshowinghowmanyofthesescanningaddresseswerealsopresentinabotnetreportedduringtherstweekofMarch,2006.Thisplotcontainstwolines:onecountsthenumberofuniqueaddressesfromthebotreportthatwerealsoidentiedscan-ning;thesecondcountsthenumberofuniqueaddressesfromthebotreportthatwerepresentina24-bitCIDRblockwhereatleastoneaddresswasalsoscanning.Firstnotethatthesereportsresultedfromtwodierentdetectionmethods:thebotdatawascollectedbyobserv-ingIPaddressescommunicatingonIRCchannels,whilethescanningdatawascollectedusingabehavioralscandetec-tionmethoddeployedonanobservednetwork[6].Thereisastrongintersectionbetweenthetwosets:atitspeak,35%oftheaddressesreportedasbelongingtothebotnetarescanningtheobservednetwork.Second,weobservethatusingthe/24'scomprisingthebotnetidentiesmorescannersthanthebotnetaddressesalone.Wedemonstrateinx4thatthisresultissignicant.Finally,asthisgureshows,abnormalscanning(andthere-forebotnetcompromise)occursoverseveralweeks.Ifbotstakeseveralweekstobeidentiedandremoved,weexpectthatanuncleannetworkwillremainuncleanforsometime,andthereforewecanpredictfuturehostileactivityfromthesamenetworkoverthetermofthelifetimeofaparticularcompromise.Theprimarycontributionofthispaperisastudyofthepropertiesofuncleanlinessandwhethertheycanbeusedef-fectivelytopredictfutureactivity.Todoso,wetestfortheexistenceofspatialandtemporaluncleanlinessbycompar-ingthetracfromvariousreportsofhostileactivity.Wedemonstratethatcompromisedhostsarebothmoredenselyclusteredthannormaltracandpredictfutureuncleanac-tivity.Inaddition,weshowthatscanning,spammingandbotsshowevidenceofcrossrelationship,suchasthescan-ningobservedinFigure1.Wealsoshowthatthesephe-nomenadonotpredictfuturephishingsites,butthatpastphishingsitesdo.Wethereforedemonstratethattemporaluncleanlinessholdsforallfourindicators.Wethentestthestrengthofthispredictivemechanismbyevaluatingitssuit-abilitytoblocktraccrossingalargenetwork.Wedemon-stratethatlimitedpredictiveblockingisfeasible,duetotheimpactoflocality[17]evidentinnetworktrac.Theremainderofthispaperisstructuredasfollows:x2outlinesrelevantpreviousworkinreputationmanagementandidentifyinghostilegroupsbypasthistory.Inx3,de-scribeandclassifythedatasourcesthatweuseinthispaper.x4examinesthespatialuncleanlinesshypothesis,andx5ex-aminesthetemporaluncleanlinesshypothesis.x6examinestheimpactofblockinguncleannetworksandx7discussestheresults.2.PREVIOUSWORKResearchersinitiallystudiedbotnetsduetotheiruseinDDoSattacks.Mirkovicetal.[18]identiedDDoSattackswhichusedtwodistinctphases:acquiringhoststousefortheDDoSandusingthosehoststoconductanattack.Freilingetal.[5]identifyavarietyofotherattacksthatbotnetscanconducteciently.Collinsetal.[2]examinedattacksasconductedbyopportunisticattackers:thatis,theattackerhasnointerestorknowledgeofthetargetexceptthatthetargetisexploitable.Ourworkusestheseconceptstostudytheimpactoflargelyautomatedacquisitionanditsimpactonnetworkdefense.BotnetdemographicshavebeenstudiedusingHoneypotsandbyactivelyprobingbotnetworks[8,9,21].Rajandetal.'s[21]analysisisparticularlyrelevantduetotheextendedperiodduringwhichtheyobservednetworktrac,allowingthemtoidentifynotonlybotnetdemographicsbutactivity.Ourworkdiersfromtheseanalysesbycomparingmultipleobservedphenomenaandusingthisinformationtopredictfutureactivity.Inoperationalsecurity,blacklistsarecommonlyusedtoidentifyandblockhoststhatarealreadyassumedtobehos-tile.ExamplesofsuchblacklistsincludeSpamhaus'ZENlist[20]andtheBleedingSnortruleset[23].ResearcherssuchasLevy[16]notethatspammersincreasinglyrelyontheuseofoccupiedhoststogeneratespammessages-theseapproachesaremoreattractivetospammersbecausetheyooadprocessingrequirementsfromthespammer(asnotedbyLaurieetal.[15])andbecausetheyhidetheattacker'sidentity[4].Inaddition,researchershavestudiedtheimpactofblack-listsonspammingandotherhostileactivity.Jungetal.[12]comparespammingblacklistsagainstspamtractoMIT Uncleanreports Tag Type Class ValidDates Size Reportingmethod bot Provided Bots 2006/10/01-2006/10/14 621,861 Botaddressesacquiredthroughpri-vatereportsfromathirdparty phish Provided Phishing 2006/05/01-2006/11/01 53,789 AddressesfromaPhishingreportlist scan Observed Scanning 2006/10/01-2006/10/14 151,908 IPaddressesscanningtheobservednetwork spam Observed Spam 2006/10/01-2006/10/14 397,306 IPaddressesspammingtheobservednetwork Reportsforhypothesistesting bot�test Provided Bots 2006/05/10 186 Botnetaddressesacquiredthroughprivatecommunication control Observed N/A 2006/09/25-2006/10/02 46,899,928 Controladdressesacquiredfromtheobservednetwork Table1:Tableoftagsusedtoanalyzespatialandtemporaluncleanliness.canusedierentmethodologiestoobservethesameeects.Forexample,aphishinglistcanacquireIPaddressesbyusingspamtraps[19]orbycollectinguserreports,(e.g.,thesubmissionformattheCastleCopsPIRTservice[1]).Fortheanalyseswithinthispaper,weuseonlyonesourceperreportandassumethatthesource'scollectionmethodologyisconsistentoverthereportperiod.Incontrasttoprovidedreports,observedreportsaregen-eratedfromnetworktraclogsreportingtraccoveringalargeedgenetwork.Becausewegenerateobservedreports,weareabletocollectobservedreportsatanytime,whichgivesusgreater exibilityinpickingdatathaninthecaseofprovidedreports.Eachreportisdierentiatedbyatagwhich,forthispaper,summarizestheperiodandsourceforthereport.WeexpressthisusingthenotationRT,whereTisthetag(e.g.,scan).AlistofreportsisprovidedinTable1;thislistisusedfortestinguncleanlinessproperties.Anotherlist,giveninTable2,willbeusedfortheanalysisinx6.Becauseweexpectuncleanlinesstobeanetworkproperty,weapproximatedistinctnetworksbyusingidenticallysizedCIDRblocks.WedeneaCIDRmaskingfunctionCn(i).TheCIDRmaskingfunctionevaluatestotheuniqueCIDRblockwithprexlengthnthatcontainstheIPaddressi(e.g.,C16(127:1:135:14)=127:1:0:0=16).Forconvenience,whentheCIDRmaskingfunctionisappliedonareportS,theresultisset-valuedandreturnsthesetofalln-bitCIDRblocksinthatset,thatis:Cn(S)[i2SCn(i)(1)WhendeterminingwhetherornotanIPaddressresideswithinasetofCIDRblocks,wewilluseaCIDRinclusionrelation,,toindicatethatanIPaddressisresidentinoneofasetofCIDRblocks:iS!9ns:t:Cn(i)2Cn(S)(2)Withallsetsandreports,weusebarstoindicatecardi-nality,i.e.,jSjisthenumberofelementsinthesetS.3.2ReportsTable1isaninventoryofthereportsusedinthispapertotestspatialandtemporaluncleanliness.Recallthatpro-videdreportshavebeengiventousbyotherpartiesandthatwegenerateobservedreportsusingtraclogsfromtheobservednetwork.Becauseofthis,thedatesthatwecantestfortemporaluncleanlinessareconstrainedbythetimesthattheprovidedreportscover.Theobservednetworkiscomposedofover20milliondis-tinctIPv4addressesandcontainsseveralserversthatareheavilyusedbyclientsacrosstheInternet.Giventhesizeandactivityoftheobservednetwork,weassumethatIPad-dressesfromtheInternetcrossingintoitarearepresentativesampleoftheInternetasawhole.Allreportshavebeenlteredtoonlyincludeaddressesthatareoutsideoftheobservednetworkandarenotother-wisereserved(e.g.,alladdressesspeciedinRFC1918havebeenremovedfromreports).Thislteringstepisintendedtoremoveselectionbiasfromourobservedreports;givenourfamiliaritywiththeobservednetworkanditssize,wemayidentifymoreofaparticularphenomenonthantheprovidedreportsmayidentify.Weclassifyfourofthereportsinthislistasuncleanre-ports.Thesearethereportsweuseasgroundtruthforidentifyingthefourclassesdescribedinx3.1:bots,phish-ing,scanningandspamming.DuringthetwoweekperiodofOctober1st{14th,2006,wehavebothprovidedandob-servedreportsonallclassesofuncleanactivity,consequentlyweusethisperiodtotesttemporaluncleanliness.Thenextsetofreportsareusedspecicallytotestthespa-tialandtemporaluncleanlinesshypotheses.Thebot�testre-portdescribesasmallbotnetfromvemonthsbeforealltheotheractivityanalyzedinthispaper,bot�testisusedasanextremecaseforprediction:ifave-montholdreportcanaccuratelypredictcurrentuncleanactivity,thenarecentreportshouldbemoreeective.Thecontrolreportconsistsof47millionuniqueIPad-dressesobservedduringtheweekofSeptember25th,2006.Wecomparethedatafromourotherreportsagainstran-domlygeneratedsubsetsofcontrolinordertodeterminewhetherornotthesereportsexhibitspatialortemporalun-cleanliness.Weusethecontrolreporttomoreaccuratelyre- ectthestructureofIPv4spacethanwewouldusingpurelyrandomlychosenIPaddresses.ThereportconsistsofIPad-dressesobservedtoengageinpayload-bearingTCPactivity, Figure2:Comparisonofdensityestimationtechniques(naiveandempirical)againstactualbotnetdensity.Notethatthenumberofblocksestimatedusingthenaivetechniqueisconsiderablyhigherthantheothertwo.smallersizeofthephishingreportsincomparisontotheotherreports.AsshowninTable1,thesixmonthphishingreportisapproximatelyanorderofmagnitudesmallerthantheotheruncleanreports.AswithFigure3(i),addressesinthephishingreportaremoretightlypackedthanaddressesselectedfromthecontrolreport.Figure3(iii)plotsthevolumeofRspamfromOctober1stto14th,2006.Figure3(iv)plotsthevolumeofRscanforthesameperiod.Eachofthesereportsismoretightlypackedthanthecomparativecontrolreports.AsFigures2and3show,uncleanreportshaveann-bitdensitygreaterthanorequaltoorgreaterthenthen-bitdensityofthecontrolreportsforallvaluesofn.Conse-quently,thisdatasupportsthespatialuncleanlinesshypoth-esis:compromisedhostsaredisproportionatelyconcentratedincertainnetworks.5.TEMPORALUNCLEANLINESSWenowaddresstemporaluncleanliness:thepropensityfornetworkstoremainuncleanforextendedperiodsoftime.Inordertotestfortemporaluncleanlinesswecomparetheabilityofareportofuncleanaddressestopredictfuturecom-promisedaddresses;inparticular,whetherornotareportofbotaddressescanpredictfuturebots,spamming,scanningandphishing.Thissectionisdividedasfollows:x5.1describesourmethodformeasuringthepresenceoftemporaluncleanliness,andx5.2showstheresults.5.1ModelandMethodologyToobservetemporaluncleanliness,weexaminethepre-dictivecapacityofreportsofuncleandata.Considerthreereports:Revent�past,whichreportsonsomeeventinthepast;Rnormal�past,whichreportsonpastactivitywithoutanypar-ticularcriterion,andRevent�present,whichdescribesthesameevent'spopulationinthepresent.IfRevent�pastandRnormal�pastareofequalcardinality,thenRevent�pastisabetterpredictorofthereportRevent�presentatprexlengthnif:jCn(Revent�past)\Cn(Revent�present)j�jCn(Rnormal�past)\Cn(Revent�present)j(4)Iftemporaluncleanlinessexists,thenweexpectthatun-cleanreportswillconsistentlybebetterpredictorsoffutureuncleanreportsthanacontrolreport.However,wenotethatduetospatialuncleanliness,anuncleanreportwillpop-ulatefewerequallysizedblocksthananequivalentcontrolreport.Asaconsequence,asblocksizeincreases,thecon-trolreportwillhavealargernumberofimprecisesuccesses.Therefore,therewillbesomeprexlengthbelowwhichtheuncleanreportwillbeaworsepredictor.Fortesting,weusetheformofthetemporaluncleanli-nesshypothesisgivenintheequationbelow.GiventhatRunclean�pastandRnormal�pasthaveequalcardinality,then (i)Rbot(ii)Rphish (iii)Rspam(iv)RscanFigure3:ComparativedensityofuncleanblocksagainstaddressesselectedfromRcontrol.Notethatineachcase,theexpectednumberofblocksinRcontrolishigherthantheobservedvalues,indicatingthatuncleanaddressesaremoredenselypackedinthoseblocksthanrandomlyselectedaddresses.9n2[16;32]s:t:jCn(Runclean�past)\Cn(Runclean�present)j�jCn(Rnormal�past)\Cn(Runclean�present)j(5)Thatis,thereexistsaprexlengthwhereapreviouslygeneratedreportofuncleanactivityismorepredictiveofpresentuncleanactivitythanacontrolreportofequalcar-dinality.Aswithspatialuncleanliness,welimitouranalysestoblockswithaCIDRprexlengthofatleast16bits.5.2AnalysisWenowtestthetemporaluncleanlinesshypothesisformu-latedinEquation5.Todoso,weuseRbot�testasRunclean�pastandthencompareagainsteachofouruncleanreportscol-lectedduringtheperiodofOctober1st-14th,2006.Recallthatwedon'tcontrolthedatesforwhichwereceivepro-videdreports.Duringthisperiod,wehavedatafromeachoftheprovidedreportsandcouldgenerateobservedreportsforthesameperiod.Byusingavemonthgapintime,wealsotestanextremecase:ifpastactivitycaneectivelypre-dictfutureactivityvemonthsinadvance,thenweshouldbeabletopredictfutureactivityovershorterperiods.Figure4showstherelativepredictivecapacityofRbot�testagainstfutureuncleanreports;forthesegures,RphishisasubreportofRphishfromTable1.Thisreportisconsiderablysmallerthantheothers,containing2302addresses.Thisresultsinasmallerdegreeofintersectionwiththerandomlygeneratedreportsfromthecontrolreport.Asinx4.2,wegeneratethereferencelinebyplottingaboxplotshowingthevarianceof1000randomlyselectedtestreportsdrawnfromRcontrol.IncontrastwithFigure3,thesmallcardinalityofRbot�testensuresthatthevariationsob-servedbytheboxplotarevisible.WeconsidertRbot�testtobeabetterpredictorthanRcontrolifthecardinalityofitsintersectionwiththecorrespondinguncleanreportishigherthantheintersectionwithrandomlyselectedaddressesin95%oftheobservedcases.AsFigure4shows,Rbot�testisabetterpredictorthanRcontrolforbotnets,spammingandscanningatvariousprexlengths.Alsoofnoteistheimpactofspatialuncleanliness:inthesethreegures,Rbot�testisabetterpredictorforprexlengthsofapproximately19-20bitsandlonger.Atshorterprexlengths,randomlyselectedaddressesbecomebetterpredictors.Usingthe95%threshold,Rbot�testisastrongerpredictoroffuturebotnetactivitybetween20and25bits,spammingbetween19and32bits,andscanningbetween20and24bits.Forprexlengthslongerthanthesevalues,the tworeportsareequallypredictiveduetothelowprobabilityofseeingCIDRblocksfromeitherreportintersect.Figure4(ii)plotsthepredictivecapacityofRbot�testagainstRphish.IncontrasttotheotherplotsinFigure4,thisplotin-dicatesthatRbot�testisnotagoodpredictoroffuturephish-ingactivityincomparisontorandomlyselectedcontrolsets.Wehavetwohypothesesastowhythisoccursforphishingdata:Ramachandranetal.[22]describehowbotnetown-ersplaceahigherpremiumonaddressesthathavenotyetbeenidentiedasbots.Becausephishingsitesneedtobepublicized,aphishingIPaddressbecomespublicknowledge,markedonblacklistsandconsequentlyhighlyunattractivefortheownerofabotnet.Analternativeexplanationisthat,incontrasttobotnets,phishingsitesaregenerallyhostedonwebservers,andaphishermayprefertohostphishingsitesinaactualdat-acentertoensurerobustnessduringa ashcrowd.Attheminimum,aphishingsitemustbepubliclyaccessible,whileausefulbotcanexistbehindaNATorarewall.There-fore,phishersmayprefersitesthatarealreadyhostingwebserversandhavetheresourcestohandleahightracload.Inordertodeterminewhetherthetemporaluncleanlinesshypothesisdoesholdforphishing,wenowconsideratestthatusesphishingdataexclusively.Figure5plotsthein-tersectionofRphish�testagainstthesamephishingsetasinFigure4(ii).Inthiscase,jRphish�testj=1386.Wenotethatthisgureshowsstrongevidencefortemporaluncleanlinessinphishing.SincetheseresultsshowthatvemontholdreportscanbeusedtomoreeectivelypredictthepopulationoffuturereportsthanrandomlyselectedIPaddressesfromaweekbe-fore,weconcludethatthetemporaluncleanlinesshypothesisissupportedbythisdata.Furthermore,inEquation5,wechosearangeofIPblocksarbitrarily,wecannowestablishalowerlimitfortheprexlengthof20bits,ananupperlimitinexcessof24bits.Wehavealsoshownthatphishingactivityandbotnetac-tivityarenotrelatedinthewaythatbots,scanningandspammingare.Asnotedelsewhere[21,15],scanningandspammingarecommonlyimplementedwithbotnets,sowewouldexpectthatRbot;RscanandRspamarerelated.How-ever,theinabilityofRbot�testtopredictfuturephishingac-tivitysuggeststhatameasurementforuncleanlinesswillhavetobemultidimensional:phishingsitesarestilltakenover,butitmaybethatphishershavedierentcriteriaforthemachinestheyoccupythanbotnetowners.6.BLOCKINGTESTSThespatialandtemporaluncleanlinesshypothesesto-getherprovideamethodforidentifyingtheriskthattracfromaparticularnetworkoriginatesfromacompromisedhost.Wenowaddresstheissueofwhetheruncleannetworkscanbeeectivelyblocked;thatis,whetherornotblockingasetofuncleannetworkswilladverselyaectlegitimatetracenteringanactivenetwork.Todeterminewhetherwecaneectivelyblocktrac,weconductalimitedexperimenttoshowtheimpactofblock-ingasetofuncleannetworkswouldhaveonincomingtractoalivenetwork.Theremainderofthissectionisstruc-turedasfollows:x6.1describesouranalyticalmethod,andx6.2discussestheresults.6.1MethodTodeterminewhetherwecanproductivelyblocktraf-cfromuncleannetworks,weexaminetraclogsfromalivenetworkandcomparetheintersectionbetweenincom-ingtrac,theRbot�testandotheruncleanlinessreportsfromthesameobservationperiodastheincomingtrac.WebeginbycollectingtraclogsofalltracthatcrossestheobservednetworkfromallIPaddressesiC24(Rbot�test)fortheobservationperiodofOctober1st{14th2006.Thisreport,Rcandidate,consistsofallIPaddressesobservedintraf-ccrossingtheobservednetworkthatsharea/24incom-monwithanyoftheIPaddressesinRbot�test.Thisallowsustotesttheeectivenessoflteringfromthe/24tothe/32range;wepickthisrangebecause,asseeninFigure3,24bitsistheminimumblocksizeatwhichRbot�testisanunambiguouslybetterpredictoroffutureuncleanlinessthancontroldata.WefurtherconstrainRcandidatetothosead-dressesthatgenerateatleastoneTCPrecordduringthisperiod.ThetracdatausedinthisanalysisconsistsCISCONet-Flow5V5records.NetFlowrecordsarearepresentationofapproximatesessionsconsistingofalogofallidenticallyad-dressedpacketswithinalimitedtime.Flowrecordsareacompactrepresentationoftrac,butdonotcontainpay-load.Consequently,ouranalysisincludesadegreeofuncer-taintybecausewecannotvalidatewhatanysessionwasen-gagedin.Tocompensateforthis,wedierentiateaddressesbymembershipinoneoftheuncleanreportsandbybehav-iorobservedinthe owrecords.WepartitiontheaddressesinRcandidateintothreereports:Runknown,RhostileandRinnocent.AfullinventoryofthereportsusedinthisanalysisisgiveninTable2.RhostileconsistsofanyIPaddressinRcandidatethatisalsopresentintheuncleanreports(i.e.,scanning,spamming,phishingorbotnetmembership).Thehostilesetisidentiedpurelybyintersectingthesereports,andonceanIPaddressisidentiedashostileitcannotbepresentintheremainingtworeports.RunknownconsistsoftheaddressesinRcandidateaddressthatarenotpresentinoneoftheuncleanreports,buthavenopayloadbearing ows.Wedenea owaspayload-bearingifitisaTCP owwithatleast36bytesofpayloadandatleastoneACK ag.DuetoTCPoptions,a3-packetSYNscanwilloftenhave36bytesofpayload,eventhoughthisdataisstillpartoftheTCPhandshake.Hand-examinationofthe owlogsfoundmultipleexamplesof36-byteSYN-onlyscanstoapparentlyrandomlyselectedportsondiversetargets.TheIPaddressesinRunknownarenotproventobehostilebutarehighlysuspicious.Duetothelackofpayloadin owdata,wecannotdenitivelycategorizemembersofthisreportintoeitheroftheothertworeportsandconsequentlyweremovethemfromthefalsepositivecalculations.Forthisanalysis,weconsiderthefalsenegativeratetobeeectivelyzero,asweareonlyconsideringaddressesthatwehaveoptedtoblock.ThepopulationofRinnocentconsequentlyconsistsofanyIPaddressthatdoesconductpayload-bearingTCPactivityandisnotpresentinanyoftheuncleanreports.OurpredictionscenarioassumesthatthenetworkblocksCn(Rbot�test)forsomevalueofn2[24;32].Thesuccess 5http://www.cisco.com/go/netflow Figure5:Comparativepredictivecapacityofphishingreports.Notethatthisdatadoeseectivelypredictfuturetrac,likethebotsinFigure4(i),(iii)and(iv).FP(n)=XiCn(Rbot�test)m(i;Rcandidate\Rinnocent)(9)Table3summarizestheeectivenessofthispredictionmethod.Asthistableshows,allthreepopulationsincreaseasthebitlengthincreases.Atn=24,90%oftheincomingaddressesarecorrectlyidentiedashostile.Ifweassumethatunknownaddressesarehostile,thetruepositiverateis97%.Furthermore,thefalsepositiverateremainsrelativelylowuntiln=26.pa n TP(n) FP(n) pop(n) Runknown 24 287 35 322 708 25 172 22 194 344 26 81 1 82 200 27 38 1 39 105 28 18 0 18 60 29 7 0 7 29 30 1 0 1 14 31 1 0 1 7 32 1 0 1 0 Table3:ObservedtrueandfalsepositivecountsOfnotewiththisdatasetarethevolumeofuncertainad-dresses(i.e.,thepopulationofRunknown).Ata24bitprexlength,jC24(Rbot�test)\C24(Runknown)jyieldsapproximately700addresses.WerstnotethatunknownaddresseshaveengagedinTCPcommunications,buthavenotexchangedpayload-consequently,blockingtheseaddressesdoesnotimpacttrac.OfmoreconcernisthatalloftheaddressesinRunknownengageinsomeformofsuspiciousbehavior(thatis,suspi-ciousapartfromtryingtoconnectwiththenetworkandnotexchangingpayload).Handexaminationfoundmanyaddressestryingtoopencommunicationsfromephemeralportstoephemeralportsorengagedinslowscanning.Thelatteraddressesdidnotappearinourscanningreportbe-causethescandetectionmechanismiscalibratedtoidentifyscansthattakeplaceoveranhour,whilescansobservedinthisdatasetwouldoftencontactlessthan30addressesperdayovertheobservationperiod.Thestrengthofthisblockingmethodispredicatedontherelativelysparseamountoftracissuingfromtheseblocks.AsTable3shows,1030IPaddresseswereblockedwhennwassetto24bits.jC24(Rbot�test)j=173,whichyieldsapotentialsetof44,288addressthatcanbeblocked.Conse-quently,lessthan2%ofthetotalIPaddressesavailableinthose/24scommunicatedwiththeobservednetworkduringthistime.Someoftheeectivenessofthismethodmaybeattributedtothedemographicsofthebotnetandtheobservednet-workRbot�testconsistsprimarilyofaddressesoutsidetheEnglish-speakingworld,with70%oftheaddressescomingfromTurkey.Despiteitssize,theobservednetworkanedgenetwork;alltracatitsborderiseitheroriginatingfromanaddresswithinthatborderorgoingtoanIPaddresswithinthatborder.Wethereforeconcludethatourtestresultsindicatethe Reportsusedforpredictiontesting Tag Type Class ValidDates Size Reportingmethod unclean Provided Special 2006/10/01-2006/10/14 1,158,103 Theunionofthefouruncleanre-ports,notethatthereisoverlap candidate Observed N/A 2006/10/01-2006/10/14 1030 IPAddressescrossingthenetworkborderandthatareinthesame/24'sasRunclean hostile Observed N/A 2006/10/01-2006/10/14 287 MembersofRcandidatealsopresentinRunclean unknown Observed N/A 2006/10/01-2006/10/14 708 MembersofRcandidatenotinRunclean,butengagedinsuspiciousactivity innocent Observed N/A 2006/10/01-2006/10/14 35 MembersofRcandidatenotpresentinRhostileorRunknown Table2:Tableofreportsusedforpredictiontest.feasibilityofblockinghostileaddresses,butthatthisap-proachisbestusedinconjunctionwithothertracanalysismechanismsinordertodeterminethebestpracticesforin-dividualnetworks.7.CONCLUSIONInthispaper,wehavedemonstratedthatitispossibletoeectivelypredictfuturehostileactivityfrompastnetworkactivity.Todoso,wehavedenedanetwork-basedqual-ityofuncleanliness,whichisanindicatorofhowlikelyanetworkistocontaincompromisedhosts.Asaninitialworkinthiseld,wehavefocusedontestingbasichypothesesaboutuncleanliness,whichwehavedenedwiththespatialandtemporaluncleanlinesshypotheses.Us-ingreportsofnetworkactivityandtraclogsofalargenetworkwehaveshownevidenceofspatialandtemporaluncleanliness.Wehavealsoshownthatanuncleanlinessmeasuremayinvolvemultipledimensions,suchasbotnetsandphishing.Finally,wehavedemonstratedthatspatialandtempo-raluncleanliness,coupledwiththelimitedaudienceofanedgenetwork,canbeeectivelyusedtoblockhostiletraf-cinthefuture.Giventhedemographicsissuesnotedinx6,uncleanlinessmaybestbeusedasariskindicator{byshowingthatanetworkisdemonstratinguncleanbehavior,securitypersonnelcanevaluatewhethertheriskofhostileactivityfromthenetworkisworththebenetofreceivingcommerceandcommunicationfromthatnetworkundernor-malcircumstances.Ourimmediategoalfollowingthisworkistodevelopamorerigorousandpreciseuncleanlinessmetric.Inparticu-lar,amultidimensionaluncleanlinessmetrictomeasuretheaggregateprobabilitythatanaddressisoccupied.Theele-mentsofthismetricinvolvethecomponentsdiscussedinthisworkaswellasotherpredictiveindicatorsofvulnerability(communicationwithbotnetC&Cnodes).Wealsobelievethatspatialuncleanlinesshasusefulimpli-cationsfornetworkloganalysis.Ifweknowthatahostfromonenetworkisattacking,scanningorotherwiseinterferingwiththetraconanobservednetwork,itisreasonabletoexamineothertracfromthatnetworktoseeifthereiscoordinatedhostileactivity.8.ACKNOWLEDGEMENTSWewouldliketothanktherefereesandourshepherdfortheirinsightfulcommentsinpreparingthispaper.9.ADDITIONALAUTHORSAdditionalauthor:JosephB.Kadane(CMUDepartmentofStatistics,email:kadane@stat.cmu.edu)10.REFERENCES[1]CastleCops.Castlecopsphishingincidentreporting&termination(PIRT)squad.Accessibleathttp://www.castlecops.com/pirt,fetchedonJanuary29th,2007.[2]M.Collins,C.Gates,andG.Kataria.Amodelforopportunisticnetworkexploits:ThecaseofP2Pworms.InProceedingsofthe2006WorkshoponEconomicsandInformationSecurity,2006.[3]M.CollinsandM.Reiter.Anempiricalanalysisoftarget-residentDoSlters.InProceedingsofthe2004IEEESymposiumonSecurityandPrivacy,2004.May9{12,2004.[4]D.Cook,J.Hartnett,K.Manderson,andJ.Scanlan.Catchingspambeforeitarrives:domainspecicdynamicblacklists.InACSWFrontiers'06:Proceedingsofthe2006AustralasianworkshopsonGridcomputingande-research,Darlinghurst,Australia,Australia,2006.[5]F.Freiling,T.Holz,andG.Wicherski.Botnettracking:Exploringaroot-causemethodologytopreventdistributeddenial-of-serviceattacks.InProceedingsofthe2005EuropeanSymposiumonResearchinComputerSecurity,2005.[6]C.Gates,J.McNutt,J.Kadane,andM.Kellner.DetectingscansattheISPlevel.TechnicalReportCMU/SEI-2006-TR-005,SoftwareEngineeringInstitute,2006.[7]C.Gates,J.McNutt,J.Kadane,andM.Kellner.Scandetectiononverylargenetworksusinglogisticregressionmodeling.InISCC'06:Proceedingsofthe11thIEEESymposiumonComputersandCommunications,Washington,DC,USA,2006.[8]T.Holz.Learningmoreaboutattackpatternswithhoneypots.InSicherheit2006:Sicherheit-SchutzundZuverlassigkeit,Beitrageder3.Jahrestagungdes