A Framework for P2P Botnets
Su Chang, Linfeng Zhang, Yong Guan, Thomas E. Daniels
Dept of Electrical and Computer Engineering
Iowa State University
Ames, Iowa 50011, USA
Speaker: Chi-Sheng Chen
Date: 2010/11/16
Introduction
Previously, DDoS and spamming were the primary concern, but now applications such as keylogging and click fraud and other "for profit" purposes are becoming a focus of botnets. To make effective countermeasures against botnets, it is very important not only to study the existing ones of various kinds separately, but also the inherent relationships among different botnets/worms (since most current botnets make use of worms to propagate), as well as the ones to appear in the
Introduction
In this paper, we address the above issues and make contributions in
1) proposing a general framework for understanding botnets of different kinds;
2) predicting a new botnet from the framework and comparing its performance with known ones.
To the best of our knowledge, we are the first to propose the framework for botnets/worms and the lcbot concept in botnet and related fields.
Related Work
Many schemes are proposed in the literature to detect botnets of centralized structure. To summarize, those schemes are based on one or more of the following techniques:
• DNS inspection
• DNSBL inspection
• traffic pattern recognition
• temporal or spatial correlation
Related Work
Encryption, C&C structure (P2P), and commonly used protocols for C&C are the main directions of their evolution. Encryption makes identifying botnets more difficult, resulting in the inefficacy of schemes based on signatures or on anomaly detection using character distribution.
C&C over other commonly used protocols makes the communication among bots more covert, as it hides its messages among legitimate traffic. Consequently, there are reports of botnets using VoIP, Skype, Gmail, and HTTP for C&C.
Related Work
A P2P structure makes the botnet robust and resilient to bot removal/repair.
Lists the timeline of captured botnets using P2P.
The main idea is that each bot has a "buddy list" or routing information consisting of the IP addresses of n other infected hosts.
Related Work
"PUSH"-based botnets
The peerlist construction of a supernode in is similar to , except that only an exchange of peerlists is needed, there is no replacement of newly infected supernodes' IPs, and only client nodes can infect supernodes.
"PULL"-based botnets
The idea of the botnet structure in is similar to , except that the clients periodically communicate with any servant bot in their peerlist to grab the command.
Predicting the New Botnet
For a network composed of either a worm or a botnet, each infected host i is associated with three parameters p^s_i, p^c_i, and k_i, which are defined as follows:
• p^s_i ∈ {0, 1}: "Can the infected host i be a server in the botnet?"
• p^c_i ∈ {0, 1}: "Can the infected host i be a client in the botnet?"
• k_i: the number of hosts with which an infected host i can communicate.
Predicting the New Botnet
From the viewpoint of communication in command delivery, we can integrate various botnets/worms into a single framework by setting different values of these parameters.
Predicted Botnet (lcbot)
The values of p^s_i and k_i are important to current botnets.
On one hand, the botmaster wants the number of bots with p^s_i = 1, and their k_i, to be as low as possible to make the C&C more covert.
On the other hand, given that a certain portion of the bots will be turned off or cleaned at any time, these values have to be large enough to maintain connectivity with the remaining botnet. Normally it is expected that attackers can adjust the above values to balance this tradeoff in the proposed botnets under specific situations.
Predicted Botnet (lcbot)
The basic concept of lcbot is to consider the botnet as being composed of many groups with different group codes, and to decouple p^s_i into p^is_i (serving inside the group) and p^os_i (serving outside the group).
Every bot in the lcbot has p^is_i equal to 1, and its peerlist contains all the other bots in the same group.
Within each group, a small number of bots have p^os_i equal to 1; each of these bots has only one out-link, to a bot in a different group.
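To make the framework and the covertness/resilience tradeoff concrete from a defender's point of view, the following is an added example (not code from the paper or the presentation) that models the command-delivery graph of three configurations expressible in the (p^s_i, p^c_i, k_i) framework: a centralized C&C, an unstructured P2P buddy list, and the grouped lcbot structure with its p^is_i/p^os_i split. It then measures what fraction of the surviving bots still receive a command after a random cleanup removes a given share of hosts. Bot identifiers, group sizes, the number of out-links per group and the random-cleanup model are this example's own assumptions; the paper does not fix those values here.

```python
import random
from collections import deque


class Botnet:
    """Hosts in the (p_s, p_c, k) framework.  links[i] is the peer list of host i,
    read here as the k_i hosts to which i can deliver a command."""

    def __init__(self):
        self.p_s, self.p_c, self.links = {}, {}, {}

    def add(self, i, p_s, p_c):
        self.p_s[i], self.p_c[i], self.links[i] = p_s, p_c, set()

    def hosts(self):
        return set(self.p_s)


def make_rng(seed=0):
    # Deterministic randomness so runs are repeatable.
    return random.Random(seed)


def centralized(n):
    """One C&C server (p_s=1, p_c=0); all other hosts are pure clients (p_s=0, p_c=1)."""
    net = Botnet()
    net.add(0, 1, 0)
    for i in range(1, n):
        net.add(i, 0, 1)
        net.links[0].add(i)  # the server is the only host that can deliver
    return net


def unstructured_p2p(n, k, rng):
    """Every bot serves and receives (p_s = p_c = 1); each keeps a buddy list of k others."""
    net = Botnet()
    for i in range(n):
        net.add(i, 1, 1)
    for i in range(n):
        net.links[i] = set(rng.sample([j for j in range(n) if j != i], k))
    return net


def lcbot(groups, group_size, out_per_group, rng):
    """Grouped structure: p_is = 1 for every bot (peer list = its whole group);
    p_os = 1 for only `out_per_group` bots per group, each with exactly one
    out-link into some other group (target group and bot chosen at random here)."""
    net = Botnet()
    members = {g: list(range(g * group_size, (g + 1) * group_size)) for g in range(groups)}
    for g, bots in members.items():
        for i in bots:
            net.add(i, 1, 1)
            net.links[i] = set(bots) - {i}  # intra-group peer list
        for i in rng.sample(bots, out_per_group):  # the few bots with p_os = 1
            other = rng.choice([h for h in members if h != g])
            net.links[i].add(rng.choice(members[other]))  # the single out-link
    return net


def delivery_coverage(net, seed, removed):
    """Fraction of the bots surviving a cleanup that still receive a command
    injected at `seed`; a command crosses a link only from a host with p_s = 1
    to a host with p_c = 1, and only between hosts that are still alive."""
    alive = net.hosts() - removed
    if seed not in alive:
        return 0.0
    reached, queue = {seed}, deque([seed])
    while queue:
        u = queue.popleft()
        if not net.p_s[u]:
            continue  # a pure client cannot forward what it received
        for v in net.links[u]:
            if v in alive and net.p_c[v] and v not in reached:
                reached.add(v)
                queue.append(v)
    return len(reached) / len(alive)


def random_cleanup(net, fraction, rng):
    """Constructed cleanup model: a uniformly random share of hosts is removed."""
    hosts = sorted(net.hosts())
    return set(rng.sample(hosts, int(round(fraction * len(hosts)))))


def mean_coverage(net, fraction, trials, rng, seed=None):
    """Average coverage over random cleanups; with seed=None the command is
    injected at a random surviving bot, otherwise at the fixed host `seed`."""
    total = 0.0
    for _ in range(trials):
        removed = random_cleanup(net, fraction, rng)
        survivors = sorted(net.hosts() - removed)
        if survivors:
            start = seed if seed is not None else rng.choice(survivors)
            total += delivery_coverage(net, start, removed)
    return total / trials


if __name__ == "__main__":
    rng = make_rng(7)
    cases = [("centralized(100)", centralized(100), 0),
             ("p2p(100, k=5)", unstructured_p2p(100, 5, rng), None),
             ("lcbot(10 groups x 10, 2 out)", lcbot(10, 10, 2, rng), None)]
    for name, net, seed in cases:
        for f in (0.0, 0.2, 0.5):
            cov = mean_coverage(net, f, 200, rng, seed)
            print(f"{name:30s} cleanup {f:4.0%}  coverage {cov:.2f}")
```

Running the script prints, for each topology, how much of the surviving population a command still reaches as the cleanup fraction grows: the centralized net collapses entirely once host 0 is removed, the buddy-list net degrades gracefully, and lcbot's coverage moves in whole-group steps, since a group is either reached through one of its few p^os_i bots or not at all. The last point is the practical takeaway for takedown planning: the few bots with p^os_i = 1 are the ones whose removal partitions the structure, which is exactly why the paper expects a botmaster to keep their number and their k_i low.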