The Day after Patch Tuesday: Effects Observable in IP Darkspace Traffic
We investigated how Patch Tuesday affects the volume and characteristics of malicious and unwanted traffic as observed by a large IPv4 (/8) darkspace monitor over the first six months of 2012. We did not discover significant changes in overall traffic volume following Patch Tuesday, but we found a significant increase of the number of active hosts sending to our darkspace monitor the day after Patch Tuesday for all six investigated months. Our early results suggest the effects of Patch Tuesday are worth deeper investigation. Detecting time intervals during which new sources become active can help tune sampling methods toward activity periods that likely contain more interesting information (i.e., many new malicious sources) than other time periods.
Unable to display preview. Download preview PDF.
- 1.UCSD Network Telescope (2010), http://www.caida.org/data/passive/network_telescope.xml
- 2.Aben, E.: Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope. Technical report, CAIDA (February 2009), http://www.caida.org/research/security/ms08-067/conficker.xml
- 4.CAIDA. Patch Tuesday Dataset (2012), http://www.caida.org/data/passive/telescope-patch-tuesday.xml
- 5.Alistair King. Corsaro (October 2012), http://www.caida.org/tools/measurement/corsaro/