Towards ISP-normalized botnet infection metrics


Giovane C.M. Moura


7 March 2014




Various blacklists, websites, and studies have ranked the botnet-related performance of Internet Service Providers (ISPs) by counting either the total number of unique IP addresses or the number of attacks observed over a monitoring period.

However, it is well known that the number of IP addresses does not correspond to the actual number of infected hosts or subscribers in an ISP's network, because of DHCP lease policies. As a consequence, ISPs with dissimilar DHCP renewal policies may have very dissimilar numbers of infected subscribers. In this presentation, we will cover the first steps towards normalizing bot counts across various ISPs.
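The gap between IP counts and infected subscribers can be shown with a small simulation. This is an added example, not material from the presentation: the ISP names, pool size, lease durations and the model itself (every lease expiry assigns a random address from the pool) are assumptions chosen for illustration.

```python
import random

def observed_unique_ips(infected, lease_hours, window_hours, pool_size, seed=0):
    """Count the distinct IP addresses at which infected hosts appear during
    the monitoring window. Simplified model (assumption): each lease expiry
    gives the subscriber a random address from the ISP's pool."""
    rng = random.Random(seed)
    # Ceiling division: a lease still running at the window end also counts.
    leases_per_subscriber = max(1, -(-window_hours // lease_hours))
    seen = set()
    for _ in range(infected):
        for _ in range(leases_per_subscriber):
            seen.add(rng.randrange(pool_size))
    return len(seen)

def compare(isps, window_hours=30 * 24):
    """Return (name, infected subscribers, unique IPs seen, IPs per subscriber)."""
    rows = []
    for name, infected, lease_hours, pool_size in isps:
        ips = observed_unique_ips(infected, lease_hours, window_hours, pool_size)
        rows.append((name, infected, ips, ips / infected))
    return rows

# Constructed sample: two hypothetical ISPs with the SAME number of infected
# subscribers and the same pool size, differing only in DHCP lease duration.
SAMPLE_ISPS = [
    ("isp-long-lease", 500, 30 * 24, 100_000),   # one lease per 30 days
    ("isp-daily-lease", 500, 24, 100_000),       # address changes every day
]

if __name__ == "__main__":
    for name, infected, ips, ratio in compare(SAMPLE_ISPS):
        print(f"{name:16} infected={infected:4} unique_ips={ips:6} "
              f"ips_per_subscriber={ratio:5.1f}")
```

A ranking based on `unique_ips` would place the daily-lease ISP far below the long-lease one even though both have 500 infected subscribers, which is the bias that normalization has to remove.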