Circos: Applying a genetic mapping tool to Internet DDoS attack campaigns

This small experimental project was done for the Shadowserver Foundation. They are a volunteer, not-for-profit organization that deals in the capture, analysis and dissemination of data and intelligence relating to nefarious activity on the Internet. Shadowserver provided us with one day's worth of data so that we could apply some known techniques and experiment with some new ones.

Drone activity (sinkhole data)

Shadowserver and other security researchers collect data indicating that a computer at a given IP address is infected (such machines are sometimes called drones or bots). This data is collected by taking control of the server that issues "Command and Control" (or C&C) instructions to these drones, a technique known as sinkholing. The infected PCs periodically attempt to contact these C&C servers, so the IP address of each drone and the time of contact are logged. Where possible, this information is then passed to the networks responsible for those IPs so that the drones can be cleaned up.

We used a tool called "Circos" to create these graphs. Circos was designed for the study of genetic attributes. Most people find these Circos graphs a challenge to understand at first; if so, stick with it, as it is worth the effort.

The Circos graphs show the relative prevalence of trojan families per country.
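The step between the sinkhole logs described above and a per-country prevalence graph is an aggregation: each logged C&C contact is attributed to a trojan family and a country, and distinct drone IPs are counted per family and country. The following Python is an added example, not code from this project or from Shadowserver; the log line layout (timestamp, drone IP, family, country code) and the sample records are constructed for illustration, and the tab-separated family-by-country table it emits is assumed to be the kind of input a Circos tableviewer ribbon plot is built from (check the Circos documentation for the exact header rules).

```python
"""Aggregate constructed sinkhole (drone) contact records into a
trojan-family x country matrix suitable for a Circos-style ribbon plot.

Added example; the record format and sample data are made up and do not
reflect Shadowserver's actual feed layout.
"""
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed sinkhole records: timestamp, drone IP, trojan family, country.
# Includes a malformed IP and mixed-case labels to exercise normalisation.
SAMPLE_SINKHOLE_LOG = """\
2011-03-01T00:01:12Z 203.0.113.10 conficker US
2011-03-01T00:01:15Z 203.0.113.10 conficker US
2011-03-01T00:01:50Z 203.0.113.11 conficker US
2011-03-01T00:02:40Z 198.51.100.7 zeus DE
2011-03-01T00:03:02Z 192.0.2.55 conficker DE
2011-03-01T00:03:09Z 192.0.2.55 conficker DE
2011-03-01T00:04:30Z 198.51.100.9 spyeye US
2011-03-01T00:05:00Z not-an-ip zeus FR
2011-03-01T00:05:41Z 203.0.113.77 zeus FR
2011-03-01T00:06:02Z 203.0.113.77 ZEUS fr
"""


def parse_record(line):
    """Parse one whitespace-separated sinkhole line; return None if it is
    malformed (wrong field count, bad timestamp, or unparseable IP)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, ip, family, country = parts
    try:
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ip_address(ip)
    except ValueError:
        return None
    # Normalise labels so "ZEUS"/"fr" and "zeus"/"FR" land in the same cell.
    return {"ip": ip, "family": family.lower(), "country": country.upper()}


def count_contacts(log_text):
    """Raw beacon count per (family, country). Chatty drones inflate this,
    so it is kept only for comparison with the deduplicated figure."""
    contacts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            contacts[(rec["family"], rec["country"])] += 1
    return contacts


def count_drones(log_text):
    """Return {family: {country: n}} counting distinct drone IPs.

    One infected host beacons to the sinkhole repeatedly; deduplicating on
    IP per family and country gives a prevalence measure rather than a
    measure of how often a particular family phones home.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        seen[(rec["family"], rec["country"])].add(rec["ip"])
    matrix = defaultdict(dict)
    for (family, country), ips in seen.items():
        matrix[family][country] = len(ips)
    return {family: dict(row) for family, row in matrix.items()}


def to_table(matrix):
    """Render the matrix as a tab-separated table: families as rows,
    countries as columns, zero-filled, sorted for stable output."""
    countries = sorted({c for row in matrix.values() for c in row})
    lines = ["\t".join(["family"] + countries)]
    for family in sorted(matrix):
        row = [str(matrix[family].get(c, 0)) for c in countries]
        lines.append("\t".join([family] + row))
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_table(count_drones(SAMPLE_SINKHOLE_LOG)))
```

Counting distinct IPs rather than contacts is the choice that matters for a prevalence graph: in the sample, conficker in US produces three beacons from two hosts, so the ribbon width should reflect two drones, not three. Dynamic addressing and NAT still distort the figure (one IP can hide many hosts, or one host can appear under several IPs over a day), so the per-country counts are an estimate rather than a census.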
