In this letter, we develop a behavioral metric with which spamming botnets can be quickly identified with respect to the IP blocks in which they reside. Our method aims at line-speed operation without deep inspection, so only the TCP/IP header fields of passing packets are examined. Nevertheless, the proposed metric yields a high-quality receiver operating characteristic (ROC), with high detection rates and low false positive rates.
|Number of pages|3|
|Journal|IEICE Transactions on Communications|
|Publication status|Published - 2010 Aug|
- False positive
ASJC Scopus subject areas
- Computer Networks and Communications
- Electrical and Electronic Engineering