
CHAPTER 6. SUMMARY AND DISCUSSION

D.2 Problem Formulation

Let n be the total number of vulnerable nodes in a network; n can equally be read as the number of nodes the SPRT needs to examine before it accepts H0 in the normal case. From Eq. 4.1 in Chapter 4, when all other parameters are fixed, p1 is determined by n alone, and vice versa. Moreover, Eq. 4.1 shows that the larger n is, the smaller p1 is, and the smaller n is, the larger p1 is. Choosing a larger p1 (a smaller n) therefore means spending more effort to ensure that a large portion of the nodes are secure.

Conversely, if p1 is small (n is large), less effort is needed: only a relatively small portion of the nodes need to be secure. Therefore p1 − p0 measures how much effort is needed to provide the corresponding security level under p0. Since this effort can be expressed in time or money, p1 − p0 can be regarded as the cost of defending the network against bots. From the administrator's or defender's perspective, the smaller this cost, the better the detection scheme.

On the other side, for a given security level, as discussed in Chapter 4 and Appendix E, the portion of bots that the botmaster can use without being detected is np/N, where N is the total number of nodes in the testing data and p is derived from Eq. 4.7 or Eq. E.1. That is, np/N is the gain the botmaster obtains under a given p1, and equivalently the loss from the defender's perspective. This loss is also a cost in time or money (e.g., the damage the botnet causes in the network), so we want it to be small as well.

In summary, both the security effort and the portion of nodes available to the botmaster can be expressed as costs in time or money, and we want the overall cost to be minimized. Without loss of generality, we minimize the sum of the two losses, as discussed in Chapter 4.

Fig. D.1 illustrates the idea discussed in Chapter 4 and in this appendix. In Fig. D.1, all parameters, including p1, are known to the botmaster, but p1 is not fixed: it is treated as a variable to be derived. When deriving p1, different coefficients can be assigned to the two costs according to their relative importance in the network at hand.

Figure D.1 Formulation of SPRT-FOD

APPENDIX E. Another Solution to SPRT Optimization

The SPRT optimization problem discussed in Chapter 4 can also be approached in another, somewhat trickier way. For the botmaster to be detected at rate γ, the detection scheme must conclude that the observed p comes from p0 at least a fraction 1 − γ of the time. This is equivalent to the case where p0 = p and the false positive rate is α = γ. Requiring in addition that the average number of nodes examined under p also equal n, we can formulate the problem as follows. Both formulations reach the same result in terms of the optimal n, and hence p1.

$$
n = E_0(n) = \frac{(1-\alpha)\ln\frac{\beta}{1-\alpha} + \alpha\ln\frac{1-\beta}{\alpha}}{p\ln\frac{p_1}{p} + (1-p)\ln\frac{1-p_1}{1-p}} \qquad \text{(E.1)}
$$

$$
p\ln\frac{p_1}{p} + (1-p)\ln\frac{1-p_1}{1-p} = \frac{(1-\alpha)\ln\frac{\beta}{1-\alpha} + \alpha\ln\frac{1-\beta}{\alpha}}{n} \qquad \text{(E.2)}
$$

Similarly, we formulate the detection problem as the following optimization problem:

$$
\min_{1 < n < N,\; n = f(p_1)} \; c(n) = l_u(n) + l_p(n)
$$

where

$$
l_u(n) = p_1(n) - p_0, \qquad l_p(n) = \frac{n \cdot p(n)}{N}
$$

Figs. E.1–E.4 compare the previous scheme (p1 based) with this scheme (p0 based); the other parameters are the same as those used in Chapter 4. Although the combined costs differ slightly, both schemes attain their minimum at the same n (and hence the same p1).
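To make the cost formulation of Appendix D and the p0-based solution of this appendix concrete, the following is an added worked example (my code, not code from the thesis or its authors). It uses Wald's expected-sample-number approximation for E.1, solves E.1 for p1(n) by bisection, solves E.2 with p0 := p and α := γ for p(n), and then scans 1 < n < N for the n that minimizes c(n) = l_u(n) + l_p(n). The parameter values (p0, α, β, γ, N), the weights w_u and w_p standing in for the per-cost coefficients mentioned in Appendix D, and the bisection bracket margins are assumptions of the example, not values taken from the thesis.

```python
import math


def wald_boundary_term(alpha, beta):
    """Expected log-likelihood ratio at stopping when H0 is true, from Wald's
    boundaries A = (1-beta)/alpha and B = beta/(1-alpha):
    (1-alpha) ln B + alpha ln A.  Negative for small alpha and beta."""
    return (1 - alpha) * math.log(beta / (1 - alpha)) + alpha * math.log((1 - beta) / alpha)


def per_node_drift(p, p1):
    """Expected log-likelihood ratio contributed by one examined node when the
    true bot fraction is p and the alternative is p1 (equals -KL(p || p1),
    so it is negative for p < p1)."""
    return p * math.log(p1 / p) + (1 - p) * math.log((1 - p1) / (1 - p))


def expected_nodes(p, p1, alpha, beta):
    """Wald's approximation of the average number of nodes the SPRT examines
    before stopping when the true bot fraction is p (Eq. E.1 with p0 := p)."""
    return wald_boundary_term(alpha, beta) / per_node_drift(p, p1)


def solve_bisection(f, lo, hi, iters=100):
    """Root of f on (lo, hi); f must change sign on the bracket."""
    f_lo, f_hi = f(lo), f(hi)
    if (f_lo < 0) == (f_hi < 0):
        raise ValueError("no sign change on the bracket")
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        f_mid = f(mid)
        if (f_mid < 0) == (f_lo < 0):
            lo, f_lo = mid, f_mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


# Margin keeping the brackets away from the endpoints, where the drift
# vanishes (p1 -> p) or a logarithm blows up (p1 -> 1).  Assumed value.
EPS = 1e-6


def p1_for_n(n, p0, alpha, beta):
    """Eq. E.1 solved for p1: the alternative that makes the SPRT accept H0
    after n nodes on average when the true fraction is p0.  expected_nodes is
    decreasing in p1 on (p0, 1), so the root is unique."""
    return solve_bisection(lambda p1: expected_nodes(p0, p1, alpha, beta) - n,
                           p0 + EPS, 1 - EPS)


def p_for_n(n, p1, gamma, beta):
    """Eq. E.2 with p0 := p and alpha := gamma: the bot fraction p (< p1) at
    which the SPRT still needs n nodes on average while flagging the botmaster
    at most a fraction gamma of the time.  expected_nodes increases with p on
    (0, p1), so the root is unique when one exists."""
    return solve_bisection(lambda p: expected_nodes(p, p1, gamma, beta) - n,
                           EPS, p1 - EPS)


def cost_terms(n, p0, alpha, beta, gamma, N):
    """l_u(n) = p1(n) - p0 (defender's hardening effort) and
    l_p(n) = n * p(n) / N (portion of nodes the botmaster keeps undetected)."""
    p1 = p1_for_n(n, p0, alpha, beta)
    p = p_for_n(n, p1, gamma, beta)
    return p1 - p0, n * p / N


def optimal_n(p0, alpha, beta, gamma, N, w_u=1.0, w_p=1.0):
    """Minimize c(n) = w_u * l_u(n) + w_p * l_p(n) over integer 1 < n < N.
    w_u and w_p play the role of the per-cost coefficients of Appendix D;
    equal weights give the plain sum used in Chapter 4."""
    best_n, best_c = None, math.inf
    for n in range(2, N):
        l_u, l_p = cost_terms(n, p0, alpha, beta, gamma, N)
        c = w_u * l_u + w_p * l_p
        if c < best_c:
            best_n, best_c = n, c
    return best_n, best_c


if __name__ == "__main__":
    # Constructed parameters (not from the thesis): 1% of nodes are bots in
    # the normal case, 5% SPRT error rates, the botmaster tolerates being
    # flagged 10% of the time, and the test network has 1000 nodes.
    P0, ALPHA, BETA, GAMMA, N = 0.01, 0.05, 0.05, 0.10, 1000
    n_star, c_star = optimal_n(P0, ALPHA, BETA, GAMMA, N)
    p1_star = p1_for_n(n_star, P0, ALPHA, BETA)
    print(f"optimal n = {n_star}, p1 = {p1_star:.4f}, combined cost = {c_star:.4f}")
```

With these parameters l_u(n) falls roughly like 1/sqrt(n) while l_p(n) grows roughly linearly in n, so c(n) has an interior minimum; changing w_u or w_p moves it, which is the coefficient choice Appendix D leaves to the operator. solve_bisection raises ValueError if, for some n, no p in (0, p1) satisfies E.2 (this can happen when γ is much smaller than α, i.e. the botmaster demands a lower detection rate than the test's own false-positive rate).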

