Modeling Botnets and Epidemic Malware
Marco Ajelli, Renato Lo Cigno, Alberto Montresor
DISI – University of Trento, Italy
Locigno @ disi.unitn.it
http://disi.unitn.it/locigno
BOTNETS
• Collection of bots, i.e. machines remotely controlled by a bot-master
• Today intrinsically associated with malware
  • Viruses, worms, ...
  • SPAM sending, data spying, ...
• A bot is “created” by spreading a piece of software that infects machines
  • Bot software self-replicates
• Bot software may be
  • Active: doing its intended damage/action/...
  • Replicating: sending new copies to non-infected machines
  • Sleeping: just waiting to go into one of the above states
www.disi.unitn.it/locigno ICC 2010 - NGS, Cape Town, June 26 2010
Why Modeling Botnets
• To ... improve their design ... or
• To understand how to counter them better
• Little is known about how botnets work and operate
  • Worms and viruses are among the most dangerous threats to Internet evolution
  • SPAM (90% of it is deemed to be generated by botnets!) is hampering e-mail communications ... and can be worse on other services like voice!
  • Bots can scan the disk to grab important, sensitive, personal information
  • ...
How to model a Botnet?
• Intrinsically difficult
  • Large, distributed system with complex behavior
  • Measures are not available and very difficult to collect (this also limits the “scope” of modeling, since it is not possible to validate the models)
  • No clues on the dynamic behavior, apart from the fact that they spread by infecting new machines
  • No “space” for a proper stochastic model
• Learn from the spreading of diseases in biology
• We propose a modeling technique based on compartmental ordinary differential equations
Compartmental ordinary differential equations
• Differential equation: $\frac{df(x)}{dx} = a\,f(x)$
  • The rate of change of e.g. a population is proportional to its value
• Compartment == introduce multiple populations influencing each other
• System of coupled differential equations:
  $\frac{df(x)}{dx} = a\,f(x) + b\,g(x)$
  $\frac{dg(x)}{dx} = c\,f(x) + d\,g(x)$
[Diagram: two compartments f and g coupled through the coefficients a, b, c, d]
Botnets subject to immunization: I-bot
• s = susceptibles: PCs that can be infected
• i = infected: PCs that got the malware and are spamming
• v = hidden: infected computers which are not spamming
• r = recovered: computers which were de-malwarized
• p = apportioning coefficient between spamming/hidden nodes: regulates the rate of toggling between states
• We normalize the system w.r.t. an arbitrary transition rate m, which is the absolute rate of transition between states i and v
Botnets with re-infection: R-bot
• Recovered PCs can be re-infected with some
• Susceptibles can be immunized (antivirus footprint update, etc.)
More complex models ...
• You can find examples/details in: Ajelli, M., Lo Cigno, R. and Montresor, A., “Compartmental differential equations models of botnets and epidemic malware (extended version),” University of Trento, T.R. DISI-10-011, 2010, http://disi.unitn.it/locigno/preprints/TR-DISI-10-011.pdf
Insights and Metrics given by the Model
• What are the admissible parameters for a bot to work?
  • Threshold conditions
• What are the spreading parameters that make a bot dangerous?
  • Nice closed-form equations
  • Look for them in the paper
  • You do not want a nasty 2-line equation on a slide
• How many PCs will be affected in the population?
• What is the fraction of infected PCs in time?
• What is the amount of damage done by the botnet?
Fraction of PCs infected: I-bot
• Measures how many PCs will be infected during the epidemic
• Function of the ratio between infectivity b and recovery g
• Three values of p: 0.2, 0.5, 0.8
[Plot; annotation: “more infected nodes are active”]
Maximum number of infected PCs: I-bot
• Measures the maximum fraction of PCs that will be infected during the entire epidemic
• Function of the ratio between infectivity b and recovery g
• Three values of p: 0.2, 0.5, 0.8
[Plot; annotation: “more infected nodes are active”]
Fraction of infected PCs in time: I-bots
[Two plots, Active and Hidden, for b = 0.5, g = 0.25; arrows mark the direction in which p decreases]
R0 and R-botnet diffusion
• I-botnets are probably too simplistic
  • Infection always starts, even if it can be ineffective when the worm/virus is too aggressive or not aggressive enough
• R-botnets are more interesting, due to the possibility that the malware simply does not spread if immunization is fast enough
• R0 > 1 means that the infection can happen; R0 < 1 means that the malware is cured before it can do meaningful harm
• Interestingly, this fundamental property can be computed in closed form for the model
R-botnets: areas of “effectiveness”
• Grey areas are those for which the epidemic will occur for the given set of parameters
[Plots for g = 0.25 and two values of b]
Harm caused by botnets
• How much damage can a botnet cause?
• Are I-bots more dangerous than R-bots or vice versa?
• Are aggressive bots more or less dangerous than hidden ones?
[Plot. Example: R-bot with g = 0.25, r = 0.125, b variable. Annotations: “Medium aggressiveness pays better”; “Larger b increases the damage (obvious)”]
I-bots: waves of spam-storm
• Even simple I-bots show very complex behavior just by changing a parameter like p
• Multiple “waves” of infection can be simply the consequence of coordinated swapping between different p values
[Plot; legend: light gray: p = 0.1, dark gray: p = 0.9]
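An added example, not code from the slides or from the authors' technical report, that puts the compartmental approach of the deck into runnable form: a Runge-Kutta integrator for coupled compartmental ODEs, the linear two-compartment system from the “Compartmental ordinary differential equations” slide, and an s/i/v/r botnet model using the parameter names of the I-bot and R-bot slides (infectivity b, recovery g, apportioning coefficient p, toggling rate m). The equations themselves, the immunization rate rho, the re-infection susceptibility eps, the threshold R0 = b/g and every numeric value are assumptions made for this example and are not the paper's model. The code reports the metrics the slides discuss (fraction of PCs infected, maximum infected fraction, the R0 threshold, the effect of immunization and re-infection) and shows how swapping p between two values produces the multi-wave time course of the spam-storm slide.

```python
"""Illustrative compartmental ODE model of botnet spread (assumed dynamics).

Compartments are fractions of the PC population and sum to 1:
  s susceptible, i infected and active (spamming), v infected but hidden,
  r recovered (de-malwarized) or immunized.  A fifth variable c counts the
  cumulative fraction of infections, re-infections included.
Parameters (names as on the slides; equations assumed for this example):
  b infectivity of every bot (active or hidden), g recovery rate,
  p apportioning coefficient (long-run share of bots that are active),
  m absolute toggling rate between active and hidden,
  rho immunization rate of susceptibles (R-bot; 0 gives the I-bot),
  eps relative susceptibility of recovered PCs to re-infection (R-bot).
"""
from typing import Callable, List, Tuple

Vec = Tuple[float, ...]


def rk4(deriv: Callable[[float, Vec], Vec], y0: Vec, t_end: float, h: float) -> List[Tuple[float, Vec]]:
    """Classic fourth-order Runge-Kutta for a coupled system dy/dt = deriv(t, y)."""
    y = tuple(y0)
    out = [(0.0, y)]
    for k in range(int(round(t_end / h))):
        t = k * h
        k1 = deriv(t, y)
        k2 = deriv(t + h / 2, tuple(yi + h / 2 * ki for yi, ki in zip(y, k1)))
        k3 = deriv(t + h / 2, tuple(yi + h / 2 * ki for yi, ki in zip(y, k2)))
        k4 = deriv(t + h, tuple(yi + h * ki for yi, ki in zip(y, k3)))
        y = tuple(yi + h / 6 * (a + 2 * b + 2 * c + d)
                  for yi, a, b, c, d in zip(y, k1, k2, k3, k4))
        out.append(((k + 1) * h, y))
    return out


def linear_two_compartment(a: float, b: float, c: float, d: float) -> Callable[[float, Vec], Vec]:
    """The coupled linear system of the slide: df/dx = a f + b g, dg/dx = c f + d g."""
    return lambda x, y: (a * y[0] + b * y[1], c * y[0] + d * y[1])


def botnet_deriv(b, g, m, p_of_t, rho=0.0, eps=0.0):
    """Right-hand side of the assumed s/i/v/r/c model; p may vary with time."""
    def f(t, y):
        s, i, v, r, c = y
        p = p_of_t(t)
        force = b * (i + v)                 # infection pressure from all bots
        new_inf = force * (s + eps * r)     # fresh infections plus re-infections
        ds = -force * s - rho * s
        di = p * new_inf - m * (1 - p) * i + m * p * v - g * i
        dv = (1 - p) * new_inf + m * (1 - p) * i - m * p * v - g * v
        dr = g * (i + v) + rho * s - force * eps * r
        return (ds, di, dv, dr, new_inf)
    return f


def simulate(b, g, m=1.0, p=0.5, rho=0.0, eps=0.0, i0=0.01, t_end=100.0, h=0.05):
    """Integrate from a small seed of active bots; p is a constant or a callable of t."""
    p_of_t = p if callable(p) else (lambda t: p)
    return rk4(botnet_deriv(b, g, m, p_of_t, rho, eps), (1.0 - i0, i0, 0.0, 0.0, i0), t_end, h)


def basic_reproduction_number(b, g):
    """R0 of the assumed model: each bot infects at rate b for a mean time 1/g."""
    return b / g


def metrics(traj):
    """Peak total/active infected, final cumulative infected, final infected, mass check."""
    peak_total = max(i + v for _, (s, i, v, r, c) in traj)
    peak_active = max(i for _, (s, i, v, r, c) in traj)
    s, i, v, r, c = traj[-1][1]
    return {"peak_total": peak_total, "peak_active": peak_active,
            "final_infected": c, "final_total": i + v, "mass": s + i + v + r}


def active_series(traj):
    """Time series of the active (spamming) fraction, the quantity a spam-storm plot shows."""
    return [i for _, (s, i, v, r, c) in traj]


def count_local_maxima(series):
    """Number of strict interior peaks; more than one means a multi-wave time course."""
    return sum(1 for k in range(1, len(series) - 1) if series[k - 1] < series[k] > series[k + 1])


def alternating_p(low, high, period):
    """Coordinated swapping of p between two values every `period` time units."""
    return lambda t: low if int(t // period) % 2 == 0 else high


if __name__ == "__main__":
    print("R0 =", basic_reproduction_number(0.5, 0.25), metrics(simulate(0.5, 0.25)))
    print("with immunization:", metrics(simulate(0.5, 0.25, rho=1.0)))
    print("with re-infection:", metrics(simulate(0.5, 0.25, eps=1.0)))
    waves = simulate(0.5, 0.25, p=alternating_p(0.1, 0.9, 10.0))
    print("spam-storm waves:", count_local_maxima(active_series(waves)))
```

Re-infection with eps = 1 turns the assumed model into an SIS-type system, so the infected fraction settles at an endemic level instead of dying out; immunization with rho > 0 drains the susceptible pool and caps the cumulative number of infections. All of this is a property of the assumed equations, not a result taken from the paper.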
Conclusions
• We have proposed a modeling methodology for understanding the behavior of botnets
• Even simple, deterministic compartmental differential equations highlight interesting phenomena and complex behavior
• Available measures would enable
  • Validation of averages
  • Stochastic models
• Botnets are currently one of the major threats in the Internet, but their covert and complex behavior (possibly) leads to underestimating their impact
• Read the paper (better, the extended version) to learn more!!
THE END
Thank you! Questions? Comments?