@techreport{oai:ipsj.ixsq.nii.ac.jp:00094470,
 author = {Khamphao, Sisaat and Hiroaki, Kikuchi and Surin, Kittitornkun and Chaxiong, Yukonhiatou and Masato, Terada and Hiroshi, Ishii and Khamphao, Sisaat and Hiroaki, Kikuchi and Surin, Kittitornkun and Chaxiong, Yukonhiatou and Masato, Terada and Hiroshi, Ishii},
 issue = {55},
 month = {Jul},
 note = {Many of recent cyber-attacks are being lunched by botnets for the purpose of carrying out large scale cyber-attacks such as DDoS, spam email, network scanning, and so on. In many cases, these botnets consist of a lot of bots or compromised PCs, which have been infected by specific malware. These bots try to propagate themselves into other victim via the multiple C&C servers in the Internet, which are controlled by a remote botmaster. This makes it more difficult to identify botnet attacks and harder to trace the source country/IP address of the botmaster. To identify the C&C servers during malware/bot downloading phase, time zone correlation can be used as a tool to identify the time zone of the C&C servers. In this paper, we do a time zone correlation analysis with the malware download up to 100 honeypots in the IIJ MITF (Internet Initiative Japan - Malware Investigation Task Force) Dataset 2012 comprising over 30 million data records and almost 5 hundreds unique malware names. Baesd on GeoIP service, a time zone correlation model has been proposed to determine the correlation coefficient between malware dwnloads from Japan and other countries. We found a strong correlation between active bot downloads and time zone of the C&C servers. As a result, our model confirmts that malware/bot downloads are synchronized with time zone (country) of the corresponding C&C servers., Many of recent cyber-attacks are being lunched by botnets for the purpose of carrying out large scale cyber-attacks such as DDoS, spam email, network scanning, and so on. In many cases, these botnets consist of a lot of bots or compromised PCs, which have been infected by specific malware. These bots try to propagate themselves into other victim via the multiple C&C servers in the Internet, which are controlled by a remote botmaster. This makes it more difficult to identify botnet attacks and harder to trace the source country/IP address of the botmaster. To identify the C&C servers during malware/bot downloading phase, time zone correlation can be used as a tool to identify the time zone of the C&C servers. In this paper, we do a time zone correlation analysis with the malware download up to 100 honeypots in the IIJ MITF (Internet Initiative Japan - Malware Investigation Task Force) Dataset 2012 comprising over 30 million data records and almost 5 hundreds unique malware names. Baesd on GeoIP service, a time zone correlation model has been proposed to determine the correlation coefficient between malware dwnloads from Japan and other countries. We found a strong correlation between active bot downloads and time zone of the C&C servers. As a result, our model confirmts that malware/bot downloads are synchronized with time zone (country) of the corresponding C&C servers.},
 title = {Time Zone Analysis on IIJ Network Traffic for Malicious Botnet Activities},
 year = {2013}
}