An Evaluation Model of Botnet Based on Peer to Peer
Gao Jian, KangFeng Zheng, YiXian Yang, XinXin Niu
2012 Fourth International Conference on Computational Intelligence and Communication Networks
Speaker: Po Chung, Shen (102064530)
Outline
• Introduction
• Evaluation Model
• Stealthy
• Effectiveness
• Efficiency
• Robustness
• Conclusion
Introduction – Botnet
• A botnet is a network of compromised computers (bots) running malicious software to fulfill their controller's malicious intents.
• Botnets have one other important ability that sets them apart from other forms of malware: they maintain a Command-and-Control (C&C) infrastructure.
Introduction – Botnet
• Most current research has focused on Internet Relay Chat (IRC) based botnets.
• The centralized C&C mechanism of such botnets has made them easy to detect and disable.
• Therefore a new generation of botnets that can be more reliable and more robust has emerged: Peer-to-Peer (P2P) based botnets.
Introduction – Purpose
• In this paper we try to construct a more comprehensive evaluation model, which can evaluate a botnet's performance from different aspects.
• We provide the detailed calculation formula and process for each indicator, and analyze the relationship between the indicators and the node degree of the botnet.
Evaluation Model
• In [4], they present the design of an advanced hybrid peer-to-peer botnet and at the same time propose three important indexes: Effectiveness, Efficiency and Robustness.
• In [7], they evaluate the impact of responses on different topologies using simulation and demonstrate the utility of their proposed metrics (Effectiveness, Efficiency and Robustness).
• In [8], they focus on the resiliency and efficiency of a malnet and study them through calculation.
Evaluation Model
• We summarize and analyze the evaluation indicators that have been proposed, together with a more comprehensive study of the characteristics of botnets, and then put forward four comprehensive evaluation indicators:
• Stealthy
• Effectiveness
• Efficiency
• Robustness
Evaluation Model – Stealthy
• The stealthiness of a botnet is the key indicator, mainly aimed at the existing means of detecting botnets.
• The main existing detection methods are based either on host behavior or on network features.
• Therefore stealthiness can be divided into two aspects: hiding on the host and hiding in network communication.
Evaluation Model – Stealthy
• The hiding of network communication includes:
• the encryption mechanism used in the communication process
• the traffic of task communication
• the maintenance communication traffic
• the ability to resist anti-virus software
Evaluation Model – Stealthy – Communication encryption mechanism
• In order to avoid intrusion detection and firewalls, most botnets use a communication encryption mechanism, which helps the bot escape the host's user and intrusion detection and so improves the viability of the botnet.
• Sinit [1] uses public-key encryption to verify the update process during communication.
• [4] further puts forward command authentication, with different point-to-point key mechanisms to ensure the safety of the botnet, so that each super-node has a different key.
Evaluation Model – Stealthy – Communication encryption mechanism
• It is difficult to assess whether an encryption algorithm is good or bad, so we divide botnet communication mechanisms into the following three levels: no encryption, fixed keys, dynamic keys.
Evaluation Model – Stealthy – The traffic of task communication
• The traffic of task communication is the sum of the communication generated when each bot program receives a command sent by the controller.
• In the IRC botnet architecture, the controller issues commands to the IRC server and the bot programs receive the orders directly from the IRC server; there is no redundant traffic, so the traffic can be expressed as:
T = n * S
where T is the traffic generated by a task, n is the number of nodes, and S is the size of the task order.
Evaluation Model – Stealthy – The traffic of task communication
• Because a P2P botnet relies mainly on transfer between P2P nodes to issue a command, some redundant traffic is inevitably produced. The average task communication volume can be expressed as:
T = (n + P) * S
where P is the number of redundant communications.
• The size of P will differ with the P2P structure used. P is closely linked to the node degree and to the botnet's command forwarding mechanism.
Evaluation Model – Stealthy – The traffic of task communication
• Assume
• the initial degree of each node is d
• the initial state has d + 1 nodes
• the d + 1 nodes are neighbors of each other
• The task traffic of sending one command is d + d(d − 1).
• After adding a new node whose degree is d, the task communication volume is d + d(d − 1) + 2d − 1.
• When the number of nodes increases to x, the task communication volume is:
Evaluation Model – Stealthy – Maintenance of communication traffic
• In order to maintain the stability of the network, P2P botnets adjust in a timely way for nodes that go off-line or are deleted.
• Each node initiates outbound connections every H time units to declare its own survival, or actively probes the existence of its neighbors after every H time units. Therefore the maintenance communication volume can be expressed as:
• where W is the number of connections generated in an hour and r is the number of connections issued by the node each H time units, that is, the number of its neighbor nodes.
Evaluation Model – Stealthy – Maintenance of communication traffic
• We use a message transmission mechanism.
• Assume
• the initial degree of each node is d
• the initial state has d + 1 nodes
• the d + 1 nodes are neighbors of each other
• the heartbeat time of all nodes is h
• The maintenance communication volume is:
Evaluation Model – Stealthy – Maintenance of communication traffic
• After adding a new node whose degree is d, by the mutual-neighbor principle d of the previous d + 1 nodes must each gain one degree, so at this point the maintenance communication volume is:
• When the number of nodes increases to x, the maintenance communication volume is:
Evaluation Model – Stealthy – The ability to resist anti-virus software
• If a bot is to keep running on a machine with anti-virus software, it must have modules for resisting the anti-virus software, so as to ensure the stealthiness of the bots.
• We need to objectively evaluate a sample's ability to resist anti-virus software.
• First of all, for the same virus sample, different anti-virus products have different detection (killing) capacity.
• We can use these common anti-virus products to scan the bot samples that have been obtained. There are only two scanning results: we denote an anti-virus alarm as 1 and no alarm as 0.
Evaluation Model – Stealthy – The ability to resist anti-virus software
• We use VirScan.org for online virus scanning, in which the anti-virus engines check the sample.
Evaluation Model – Stealthy – The ability to resist anti-virus software
• The formula for the ability to resist anti-virus software is:
• where AntiAV identifies the ability to resist anti-virus software, W_i is the weight given by the market share of anti-virus software i, and P_i is the result of anti-virus software i scanning the virus sample.
• A value closer to 0 indicates that the ability to resist anti-virus software is stronger; a value closer to 1 indicates that most anti-virus software can detect the sample and the ability to resist anti-virus software is weaker.
Evaluation Model – Effectiveness
• Effectiveness is used to assess the destructiveness of botnet attacks.
• The more infected machines a botnet includes, the greater the effect it produces.
• We believe that the size of a botnet reflects its effectiveness to a large extent.
Evaluation Model – Effectiveness
• But given the nature of today's Internet, each machine has different on-line times and each machine can provide different bandwidth.
• Therefore we assess on the basis of botnet size while taking into account the online time slice, the type of network access and other key factors.
Evaluation Model – Effectiveness
• The time slice of each infected host can be measured. After a bot runs on a host, in order to let other hosts and the controller access the host-side information, the bot sends its own alive information at regular intervals.
• If a message from the host is received every heartbeat time, then the host is online at that time.
• If the interval between two heartbeat messages of the host exceeds two heartbeat cycles, then the host is offline during this period.
Evaluation Model – Effectiveness
• We can calculate the probability that the host is online at a point A on day n + 1 from the heartbeat time records of the machine over the previous n days:
• where O_i represents whether the host was online at point A on day i; online is 1, offline is 0.
• Therefore we can calculate the number of hosts of the zombie network that we can use at time A:
• where PA_i is the online probability of host i at point A.
Evaluation Model – Effectiveness
• At the same time we can calculate the largest number of hosts we can use:
• where Num_0 indicates the number of hosts we can use at time 0, Num_(1440−s) is the number of hosts we can use at time 24 * 60 − s, and s is the time interval.
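The online-probability procedure of the last three slides, written out as an added example (not code from the paper or the presenter): per-day online status O_i at a point A from heartbeat records, P_A as the mean over n days, Num_A as the sum over hosts, and the peak over the 24h/s slices. The heartbeat period h = 60 min, the slice s = 360 min, the rule that a host stays online for one cycle after its last heartbeat of the day, and the three hosts' logs are all constructed assumptions.

```python
HEARTBEAT_MIN = 60   # assumed heartbeat period h (minutes)
SLICE_MIN = 360      # assumed time slice s (minutes); 24h/s slice starts are evaluated

def is_online(heartbeats, point, h=HEARTBEAT_MIN):
    """O_i for one day: 1 if the host counts as online at minute `point`.
    Between two heartbeats the host is online only if their gap is at most
    two cycles; after its last heartbeat it stays online for one cycle
    (the one-cycle tail is an assumption, not stated in the paper)."""
    before = [t for t in heartbeats if t <= point]
    if not before:
        return 0
    last = max(before)
    after = [t for t in heartbeats if t > point]
    if after:
        return 1 if min(after) - last <= 2 * h else 0
    return 1 if point - last < h else 0

def online_probability(days, point, h=HEARTBEAT_MIN):
    """P_A for one host: mean of O_i over the n recorded days."""
    return sum(is_online(d, point, h) for d in days) / len(days)

def expected_hosts(botnet, point):
    """Num_A: expected usable hosts at `point`, the sum of per-host P_A."""
    return sum(online_probability(days, point) for days in botnet)

def peak_usable(botnet, slice_min=SLICE_MIN):
    """Largest Num_A over the slice starts 0, s, ..., 1440-s, and where it occurs."""
    return max(((expected_hosts(botnet, a), a)
                for a in range(0, 24 * 60, slice_min)), key=lambda x: x[0])

# Constructed sample: three hosts, two days each, timestamps in minutes since midnight.
ALWAYS_ON = list(range(0, 24 * 60, HEARTBEAT_MIN))
HOST_A = [ALWAYS_ON, ALWAYS_ON]                       # never goes offline
HOST_B = [list(range(540, 1021, 60))] * 2             # office hours only (09:00-17:00)
HOST_C = [[0, 60, 120, 900, 960, 1020, 1080, 1140],   # day 1: 13-hour gap in the middle
          ALWAYS_ON]                                  # day 2: online all day
BOTNET = [HOST_A, HOST_B, HOST_C]

if __name__ == "__main__":
    for a in range(0, 24 * 60, SLICE_MIN):
        print(f"slice starting {a:4d}: expected usable hosts = {expected_hosts(BOTNET, a):.2f}")
    print("peak:", peak_usable(BOTNET))
```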
Evaluation Model – Efficiency
• Efficiency means: when the attacker launches an attack, how long it takes from the attacker issuing the command until every node (not counting off-line nodes) has received it.
• So we define Dia as the diameter of the botnet, meaning the maximum distance between any two nodes:
where N_i and N_j are any two nodes in the botnet.
Evaluation Model – Efficiency
• We also define TimeALL as the total heartbeat time.
• The above shows that the diameter and the heartbeat time are two important indicators related to the efficiency of a botnet.
Evaluation Model – Robustness
• Many botnet research papers analyze different aspects of botnet robustness.
• Because the nodes of a botnet are distributed in various places, and are likely to be ordinary machines or servers, their online time is uncertain.
• Nodes in a botnet go offline either by withdrawing temporarily or by being permanently killed. Therefore offline nodes play an important part in researching robustness.
Evaluation Model – Robustness
• The average degree of nodes is an important indicator for researching robustness: the greater the average degree, the more neighbor nodes each node has, and the better the robustness of the botnet.
• At the same time the maintenance communication volume becomes greater, and the number of nodes exposed after a node is captured also becomes larger. The average degree of all P2P nodes in the network can be expressed as:
Evaluation Model – Robustness
• At the same time the distribution of node degree reflects the stability of the entire network: some nodes with large degrees may be overloaded, and high-degree nodes going offline can have a greater impact on the entire network. Therefore the difference of node degree can be expressed as:
Evaluation Model – Robustness
• Here we simulate 10,000 nodes; there are only 5 nodes in the initial state, and the neighbors of each node are the other 4 nodes.
• We use two strategies for joining nodes:
• First strategy: each new node joins and selects 4 of the existing nodes at random as its neighbors; the selected nodes also add the new node to their neighbor lists.
• Second strategy: each new node joins and selects the 4 nodes with the lowest degrees as its neighbors; likewise, the selected nodes also add the new node to their neighbor lists.
Evaluation Model – Robustness
• After we randomly remove 0–8000 nodes from the networks built with the two strategies, we find that the network with the smaller difference of degree has better robustness.
• Previous studies believed that the average degree plays an important part in the robustness of the entire network.
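The two join strategies and the random-removal experiment of the last three slides, as an added example (not the paper's or the presenter's code): build both topologies from a 5-node clique, compute the degree variance used as the "difference of node degree", and measure how much of the network stays in one connected component after a given number of nodes is taken down, which is what a defender estimating the effect of a partial takedown wants to know. Node count (1,000 instead of the slide's 10,000), the fixed seeds, and the use of population variance are assumptions.

```python
import random
from statistics import pvariance

def build_network(n, d=4, strategy="random", seed=1):
    """Grow the topology from the slide: a (d+1)-node clique, then each new node
    attaches to d existing nodes, picked uniformly at random ("random") or as the
    d current lowest-degree nodes ("lowest"); picked nodes add the newcomer too."""
    rng = random.Random(seed)
    adj = {i: set(range(d + 1)) - {i} for i in range(d + 1)}
    for new in range(d + 1, n):
        if strategy == "random":
            picks = rng.sample(list(adj), d)
        else:
            picks = sorted(adj, key=lambda v: len(adj[v]))[:d]  # stable: ties by age
        adj[new] = set(picks)
        for v in picks:
            adj[v].add(new)
    return adj

def degree_variance(adj):
    """The slide's 'difference of node degree', taken here as population variance."""
    return pvariance([len(nb) for nb in adj.values()])

def largest_component_fraction(adj, removed):
    """Share of surviving nodes still in the largest connected component after the
    nodes in `removed` are taken out, i.e. how far a takedown fragments the net."""
    alive = set(adj) - set(removed)
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        stack, size = [start], 0
        while stack:                     # iterative DFS over surviving nodes
            v = stack.pop()
            size += 1
            for w in adj[v]:
                if w in alive and w not in seen:
                    seen.add(w)
                    stack.append(w)
        best = max(best, size)
    return best / len(alive) if alive else 0.0

def takedown_curve(adj, counts, seed=1):
    """Largest-component fraction after randomly removing each count in `counts`."""
    order = list(adj)
    random.Random(seed).shuffle(order)
    return {k: largest_component_fraction(adj, order[:k]) for k in counts}
```

Running `takedown_curve(build_network(1000, strategy=s), (0, 200, 500, 800))` for `s` in `("random", "lowest")`, alongside `degree_variance`, reproduces the slide's comparison at a tenth of its size.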
Conclusion
• Researching the evaluation model of botnets, as well as possible botnet construction methods, can improve our in-depth understanding of the details of botnets.
• To assist in this effort, we proposed an evaluation model and key metrics to measure botnet utility for various activities, and presented a specific algorithm for each metric.
• In our future work, we will enrich our botnet metrics and explore effective techniques for more accurate algorithms for these metrics in real-world botnets.