To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Hi All,

As part of a project for a visualization class, I'm working on a visual tool for exploring data collected from a variety of realtime blocklists (RBLs), a couple of spamtraps, and a few other miscellaneous sources, and was hoping to get some feedback or suggestions on my ideas. My hope is that correlations in the data can be readily visually explored and that through the exploration, information about botnets may fall out.

This is a very different approach from using, say, NMAP to monitor specific ports or a honeypot to trap a bot and monitor comms with C&C. Instead of determining whether a specific network is hosting bots or the behavior of a single type of bot, I'm effectively trying to take metadata about broader internet abuse and use it to attempt to observe more general behavior consistent with botnets. Of course, I have an enormous amount of data, and all data simply represent a snapshot in time, so any picture I develop will only be valid for that time period.

One possible visualization I've considered includes plotting RBL issues on a world map after geocoding the IPs and playing an animation of the development of issues over some period of time in which the user is interested. As well, the user could stop the animation at any time, zoom on a region and, by mousing over an issue or block of issues, get more detailed information. Another feature I'm interested in implementing is a dynamic query that updates the visual representation of the data in realtime as a result of the application of some interactive filters.

Some of the dimensions I have for analyzing this data are:

RBL Data:
  Issue Type (spam source, open relay, open proxy, etc.)
  Timestamp (opened)
  Timestamp (closed)
  AS Name/Number
  Source IP

Spam Data:
  Source IP
  Domain given in EHLO message
  Message size
  URLs contained in message

Misc Data:
  BGP routing update logs
  DNS and reverse DNS snapshots
  IPs I've scrubbed from this list's archives

One question I have is how many of the issues being reported by RBLs are actually coming from bots? I don't really know the answer, but I suspect that bots are responsible for a large portion of internet misbehavior. However, the extent to which I can establish patterns that might qualify machines as bots from the data I have is still very much an open question. I think using visual techniques should speed the process, but it will depend heavily on choosing appropriate visualizations and incorporating the right information.

Anyway, I just thought I'd check in and see if this sounds interesting to anyone, or if you guys might have suggestions about interesting ways of slicing the data, visualizing the data, or hypothesizing and testing relationships between different dimensions of the data.

Thanks,
Aaron

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
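The post describes three operations a tool like this needs before anything is drawn: a dynamic filter over the RBL dimensions (issue type, open/close timestamps), bucketing of issues into time frames for an animation, and a join of RBL listings with spam-trap hits on source IP so that relationships between the two data sets can be tested. The example below is added here to illustrate that back end; it is not Aaron's tool and not code from the list. The records, the time step, the query window and the "shared EHLO domain within one AS" heuristic are all constructed for the example (documentation IP ranges and documentation ASNs, not real abuse data), and the functions assume timezone-naive timestamps and a listing with no close time is treated as still open.

```python
"""Added example: filter, frame and correlate constructed RBL and spam-trap records.
Everything here is constructed for illustration; no real blocklist data is involved."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class RblIssue:
    issue_type: str            # e.g. "spam_source", "open_relay", "open_proxy"
    opened: datetime
    closed: Optional[datetime] # None = listing still open
    asn: int
    source_ip: str


@dataclass(frozen=True)
class SpamHit:
    source_ip: str
    ehlo_domain: str
    size: int
    urls: tuple


# Constructed sample data: RFC 5737 documentation addresses, RFC 5398 documentation ASNs.
T0 = datetime(2006, 1, 1, 0, 0)
RBL = [
    RblIssue("spam_source", T0, T0 + timedelta(hours=5), 64496, "192.0.2.10"),
    RblIssue("open_proxy", T0 + timedelta(hours=1), None, 64496, "192.0.2.11"),
    RblIssue("spam_source", T0 + timedelta(hours=2), T0 + timedelta(hours=3), 64497, "198.51.100.7"),
    RblIssue("open_relay", T0 + timedelta(hours=8), None, 64498, "203.0.113.5"),
]
SPAM = [
    SpamHit("192.0.2.10", "mail.example.net", 2048, ("http://example.com/a",)),
    SpamHit("192.0.2.11", "mail.example.net", 1024, ("http://example.com/a",)),
    SpamHit("198.51.100.7", "relay.example.org", 4096, ()),
    SpamHit("192.0.2.10", "mail.example.net", 512, ("http://example.com/b",)),
]
STEP = timedelta(hours=4)                                      # animation frame length (assumed)
WINDOW = (T0 + timedelta(hours=4), T0 + timedelta(hours=6))  # example query window (assumed)


def filter_issues(issues, issue_types=None, window=None):
    """Dynamic query: keep issues whose type is in issue_types (if given) and which were
    open at some point inside the half-open interval window=(start, end) (if given)."""
    out = []
    for i in issues:
        if issue_types and i.issue_type not in issue_types:
            continue
        if window:
            start, end = window
            closed = i.closed or datetime.max
            if i.opened >= end or closed <= start:
                continue
        out.append(i)
    return out


def frames(issues, step):
    """Bucket issues by open time into animation frames.
    Returns {frame_index: [issues]} with frame_index = (opened - earliest) // step."""
    if not issues:
        return {}
    earliest = min(i.opened for i in issues)
    buckets = defaultdict(list)
    for i in issues:
        buckets[(i.opened - earliest) // step].append(i)
    return dict(buckets)


def correlate_by_ip(issues, hits):
    """Join RBL issues with spam-trap hits on source IP.
    Returns {ip: {"issue_types", "asn", "hits", "ehlo", "urls"}}; hits from IPs that
    have no RBL listing are dropped, since they are not a correlation."""
    by_ip = {}
    for i in issues:
        ip_address(i.source_ip)  # reject malformed addresses early (raises ValueError)
        rec = by_ip.setdefault(i.source_ip, {"issue_types": set(), "asn": i.asn,
                                             "hits": 0, "ehlo": set(), "urls": set()})
        rec["issue_types"].add(i.issue_type)
    for h in hits:
        rec = by_ip.get(h.source_ip)
        if rec is None:
            continue
        rec["hits"] += 1
        rec["ehlo"].add(h.ehlo_domain)
        rec["urls"].update(h.urls)
    return by_ip


def shared_ehlo_by_asn(corr):
    """One testable relationship between dimensions (constructed heuristic): EHLO domains
    presented by more than one listed IP inside the same AS. Returns {asn: {domain: {ips}}}
    containing only ASNs that have at least one such shared domain."""
    asn_ehlo = defaultdict(lambda: defaultdict(set))
    for ip, rec in corr.items():
        for dom in rec["ehlo"]:
            asn_ehlo[rec["asn"]][dom].add(ip)
    result = {}
    for asn, doms in asn_ehlo.items():
        shared = {d: ips for d, ips in doms.items() if len(ips) > 1}
        if shared:
            result[asn] = shared
    return result


if __name__ == "__main__":
    for idx, issues in sorted(frames(filter_issues(RBL, window=WINDOW), STEP).items()):
        print(f"frame {idx}: {[i.source_ip for i in issues]}")
    print(shared_ehlo_by_asn(correlate_by_ip(RBL, SPAM)))
```

The map layer would consume the per-frame lists (after geocoding each source IP, which is left out here because it needs an external database), and the interactive filters would simply re-run filter_issues with new arguments before re-framing. The frozen dataclasses and the set-based join keep the data immutable and the correlation idempotent, so re-querying on every slider move is cheap.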
