An Assessment of Overt Malicious Activity Manifest in Residential Networks

  • Gregor Maier
  • Anja Feldmann
  • Vern Paxson
  • Robin Sommer
  • Matthias Vallentin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6739)


While conventional wisdom holds that residential users experience a high degree of compromise and infection, this presumption has seen little validation in the way of an in-depth study. In this paper we present a first step towards an assessment based on monitoring network activity (anonymized for user privacy) of 20,000 residential DSL customers in a European urban area, roughly 1,000 users of a community network in rural India, and several thousand dormitory users at a large US university. Our study focuses on security issues that overtly manifest in such data sets, such as scanning, spamming, payload signatures, and contact to botnet rendezvous points. We analyze the relationship between overt manifestations of such activity versus the “security hygiene” of the user populations (anti-virus and OS software updates) and potential risky behavior (accessing blacklisted URLs). We find that hygiene has little correlation with observed behavior, but risky behavior—which is quite prevalent—more than doubles the likelihood that a system will manifest security issues.







Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Gregor Maier (1, 2)
  • Anja Feldmann (2)
  • Vern Paxson (1, 3)
  • Robin Sommer (1, 4)
  • Matthias Vallentin (3)

  1. International Computer Science Institute, Berkeley, USA
  2. Deutsche Telekom Laboratories, TU Berlin, Berlin, Germany
  3. University of California at Berkeley, USA
  4. Lawrence Berkeley National Laboratory, Berkeley, USA
