Giovane C.M. Moura
7 March 2014
Title: Towards ISP-normalized botnet infection metrics
Various blacklists, websites, and studies have ranked Internet Service Providers (ISPs) botnet-related performance by either counting the total number of unique IP addresses or attacks observed over a monitoring period.
However, it is a known fact that IP addresses do not account for the actual number of infected hosts or subscribers in the network of ISPs, due to DHCP lease policies. As a consequence, ISPs having dissimilar DHCP renewing policies may have very dissimilar number of infected subscribers. In this presentation, we will cover the first steps towards normalizing bot count across various ISPs.