170 likes | 299 Views
A First Step Towards Characterizing Stealthy Botnets . Justin Leonard, Shouhuai Xu, Ravi Sandhu University of Texas at San Antonio. Overview. Dynamic Graph Model Model Parameters Detection Ratio Resilience Impact of Topology Impact of Fragmentation Impact of Sophistication.
E N D
A First Step Towards Characterizing Stealthy Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of Texas at San Antonio
Overview Dynamic Graph Model Model Parameters Detection Ratio Resilience Impact of Topology Impact of Fragmentation Impact of Sophistication
Dynamic Graph Model Directed graph representation Vertex set represents bots Edge set represents “knows” relation – e.g., (u,v) implies u can spontaneous communication with v. Does capturing u imply exposure of v? Undirected graph is special case
Role of anonymous channels Anonymous channels offer a mechanism to communicate exposing their identity. Some implementations may allow duplex communications. Fully anonymous channels are assumed to be “out of botnet”.
Roles of bots Master is considered “out-of-botnet”. Entry Bot is a bot which directly receives communications from master. Each bot relays communications over its out edges according to topology. Extreme case every bot is an entry bot, and edge set is empty.
Model Parameters Attack sophistication α,β Probability of exposure due to sending C&C Probability of exposure due to receiving C&C. Anonymous channels may reduce or eliminate either. Out-of-botnet channels are “undetectable”.
Model Parameters Graph Topology Type of graph structure created by adversary Assumed to be fixed over a single attack round Detection Threshold k Master's estimation of defender's detection capabilities. Risk management of bots.
Detection Ratio Define Exposedness as probability a bot has been captured after conducting some previous C&C activity, and potentially conducting some additional C&C activity. Detection ratio is number of bots above risk threshold k relative to the size of the botnet.
Resilience Complement of ratio of size of “traceable” bots over size of botnet. Tracing uses “knows” relationship Requires restriction that β > 0, e.g. we cannot trace “backwards” over receiver anonymous channels in a single round.
Simulation Study Difficult to combine definitions with topologies to gain insights. Intuitively large-degree botnets are not stealthy, so focus on small-degree “p2p” style botnets. Initially investigated homogenous topologies.
Impact of Fragmentation In-degree regular vs random (out-degree is similar) detection ratio
Impact of Fragmentation In-degree regular vs random (out-degree is similar) resilience
Impact of Sophistication Equal detection vs sender weighted detection, in-random topology.
Impact of Sophistication Equal detection vs sender weighted detection, in-regular topology.
Future Issues Can we build a holistic framework for both C&C and attack activities? Can we extend the model for attack-defense interactions? How should we validate against real-world testbeds and case studies?