Naoki Hiroguchi, Khamphao Sisaat, Hiroaki Kikuchi, S. Kittitornkun
Title: Geographical Visualization of Malware Download for Anomaly Detection
Venue: 2012 Seventh Asia Joint Conference on Information Security
Publication date: 2012-08-09
DOI: 10.1109/AsiaJCIS.2012.20 (https://doi.org/10.1109/AsiaJCIS.2012.20)
Citations: 3
Abstract
We study the linkage between attacks in cyberspace and incidents in the real world. For example, the Internet was shut down in Egypt to prevent protests against President Hosni Mubarak, and during that period, for more than two weeks, we observed that no port-scan packets were sent from Egypt to Japan. This motivates our study: to find any correspondence between botnet attacks, which involve many vulnerable servers, and real events occurring in the world. For this purpose, we developed a visualization system on the Google Earth service that plots the source IP addresses of botnet communications. We investigated actual malware download events observed by more than 70 distributed honeypots in the Japanese backbone network. In order to automate the detection process, we study several anomaly detection schemes based on the entropy of honeypot activity. Our analysis shows some evidence that botnet attacks are tied to events in the real world.