Identifying IP Blocks with Spamming Bots by Spatial Distribution

Sangki YUN, Byungseung KIM, Saewoong BAHK, Hyogon KIM

IEICE TRANSACTIONS on Communications, Vol.E93-B, No.8, pp.2188-2190
Publication Date: 2010/08/01
Online ISSN: 1745-1345
DOI: 10.1587/transcom.E93.B.2188
Print ISSN: 0916-8516
Type of Manuscript: LETTER
Category: Internet
Keywords: botnet, spamming, identification, detection, false positive

In this letter, we develop a behavioral metric that quickly identifies the IP blocks in which spamming botnets reside. Our method aims at line-speed operation without deep inspection, so only the TCP/IP header fields of passing packets are examined. Despite this restriction, the proposed metric yields a high-quality receiver operating characteristic (ROC), with high detection rates and low false positive rates.