An Evaluation model of botnet based on peer to peer Gao Jian KangFeng ZHENG,YiXian Yang,XinXin Niu 2012 Fourth International Conference on Computational Intelligence and Communication Networks Speaker ： Po Chung, Shen( ) 1/34

Outline Introduction Evaluation Model – Stealthy – Effectiveness – Efficiency – Robustness Conclusion 2/34

Introduction 〝 Botnet 〞 is a network of compromised computers (bots) running malicious software to fulfill their malicious intents. Botnet have one other important ability that sets them apart from other forms of malware, they remain Command-and- Control(C&C) infrastructure. 3/34 Botnet

Most of current research has focused on the Internet Relay Chat(IRC) based botnets. The centralized C&C mechanism of such Botnet has made them easy to be detected and disabled. Therefore, a new generation of Botnet which can be more reliable and more robust have emerged, Peer-to-Peer(P2P) based Botnets. 4/34 Introduction Botnet

In this paper we try to construct a more comprehensive evaluation model, which can evaluate botnets’ performance from different aspects. We provide the detailed calculation formula and the process, and analyze the relationship between them and degree of botnets. 5/34 Introduction Purpose

Evaluation Model In [4], they present the design of an advanced hybrid peer-to- peer botnet, at the same time she present three important indexes: Effectiveness, Efficiency and Robustness. In [7], they evaluate the impact of responses on different topologies using simulation and demonstrate the utility of their proposed metrics (Effectiveness, Efficiency and Robustness). In [8], they focus on the resiliency and efficiency of a malnet, and through calculation. 6 /34

Evaluation Model We summarize and analyze the evaluation indicators that have been proposed, and there is a more comprehensive study of the characteristics of botnets, then we put forward a comprehensive four evaluation indicators ： – Stealthy – Effectiveness – Efficiency – Robustness 7 /34

Evaluation Model The stealthy of botnets is the key indicator which mainly aimed at the existing means of detecting botnet. The existing main detection methods are based on host behavior and detection method based on network feature. Therefore, the host can be divided into two aspects, including the hidden based on host and hidden based on network communication. 8 /34 Stealthy

Evaluation Model The hidden of network communication include – encryption mechanisms used in the communication process – the traffic of task communication – maintenance of communication traffic – the ability to against anti-virus software 9 /34 Stealthy

Evaluation Model In order to avoid Intrusion detection and firewall, most of botnets are using communication encryption mechanism, making the bot managed to escape the users host and intrusion detection to improve the viability of the botnet. Sinit[1] uses the public key encryption update process of verification in the communication process. [4] further put forward the command certification, in different key mechanisms of point to point to ensure the safety of botnets, with each different super-nodes have different keys. 10 /34 Stealthy – Communication encryption mechanism

Evaluation Model It is difficult to assess the encryption algorithm is good or bad, so we put the botnet communication mechanism into the following three levels: no encryption, fixed keys, dynamic keys. 11 /34 Stealthy – Communication encryption mechanism

Evaluation Model The traffic of task communication is the sum of communication generated by each bot program receives the command sent by control. In IRC botnet architecture, the control issues commands to the IRC server, terminal program received orders directly from the IRC server, there aren’t some Redundant traffic, so the traffic can be expressed as: T = n*S where T is traffic generated by a task. n is the number of nodes. S is the size of the task order. 12 /34 Stealthy – The traffic of task communication

Evaluation Model Because of the introduction P2P in the P2P botnet, issuing the command mainly rely on transfer between P2P nodes, so produce Inevitably some redundant traffic. The amount of the average task communication can be expressed as: T = (n+P)*S where P is the number of redundant communication The size of P will be different because of using different P2P structures. P is closely linked to the node degree and botnet command forwarding mechanism. 13 /34 Stealthy – The traffic of task communication

Evaluation Model Assume – the initial degree of node is d – in the initial state has d +1 nodes, – the d +1 nodes are neighbors of each other The task of traffic that send a command is d + d(d −1) Add a new node which its degrees is d, the task communication volume is d + d(d −1) + 2d −1 When the number of nodes increases to x, the task communication volume is 14 /34 Stealthy – The traffic of task communication

Evaluation Model In order to maintain the stability of the network, P2P botnets will adjust timely some nodes off-line or the nodes deleted. Each node will initiate outbound connection every H time to declare their own survival, or node will actively probe the existence of their own neighbors after every H time. Therefore, maintenance of communication volume can be expressed as: – where W is the number of connections generated in an hour, r is the number of connections after the node issued each H time, that is, the number of its neighbor nodes. 15 /34 Stealthy – Maintenance of communication traffic

Evaluation Model We use message transmission mechanism. Assume – the initial degree of node is d – in the initial state has d +1 nodes, – the d +1 nodes are neighbors of each other – the heartbeat time of all nodes is h The maintenance of communication volume is 16 /34 Stealthy – Maintenance of communication traffic

Evaluation Model Add a new node which its degress is d, according to neighbor each other principle, the d nodes in the previous d +1 nodes must add a degree, then at this point the maintenance of communication volume is When the number of nodes increases to x, the maintenance of communication volume is 17 /34 Stealthy – Maintenance of communication traffic

Evaluation Model If you want a machine running with antivirus software, there must have modules of againsting the antivirus software, as to ensure the stealthy of bots. We need to objectively evaluate the ability about a sample fight against anti-virus zombie software. First of all, for the same virus samples the different anti-virus software with different killing capacity. We can use these common anti-virus softwares to scan the zombie samples have been obtained. The results of scanning are only two, we denote anti-virus software alarm is 1, no alarm is 0. 20/34 Stealthy – The ability to against anti-virus software

Evaluation Model We use VirScan.org for online virus scanning, during anti-virus software checkes the virus. 19 Stealthy – The ability to against anti-virus software

Evaluation Model Formula about the ability of against anti-virus software is: – where AntiAV identifies the ability of against anti-virus software. W i is capacity for a market share of anti-virus software. P i is the result of the anti-virus software kills virus samples. This value more close to 0 indicate that the ability of antivirus software against is stronger, more close to 1 indicate that most antivirus software can be killing the sample and the ability of antivirus software against the is weaker. 20 /34 Stealthy – The ability to against anti-virus software

Evaluation Model The effectiveness is used to assess the devastating of botnet attacks. The more the number of infected machine includes, then the greater the effect produces. We believe that the size of the botnet reflects the effectiveness of botnets to a large extent. 21 /34 Effectiveness

Evaluation Model But for the nature of the Internet at present, each machine has different on-line times, and each machine can provide different bandwidth. Therefore, we assess on the basis of the size of botnets, taking into account the online time slice, type of network access and other key factors. 22 /34 Effectiveness

Evaluation Model For time slice of each infected host can be measured. After bot run on the host, in order to allow other hosts and control access to the host-side information, bots will send their own alive information every other time. If the bot will receive the messages from the host each a heartbeat time, then the host is online at this time. If two information heartbeat intervals of the host is over two heartbeat cycles, then the host is offline during this period. 23 /34 Effectiveness

Evaluation Model We can calculate the probability of the host online, at a point A, in n+1 day, according to the heartbeat time record of a machine before n days. – where O i represents that the host is whether online at the point A in i day, online is 1, offline is 0. Therefore, we can calculate the number of hosts we can use at the time A of the zombie network. – where P Ai is the online probability of the i-host at the point A. 24 /34 Effectiveness

Evaluation Model At the meantime we can calculate the largest number of hosts we can use. – where Num 0 indicate the number of host we can use at time 0, Num 1440−s is the number of host we can use at the 24 * 60-s time, s is the time interval. 25 /34 Effectiveness

Evaluation Model The efficiency is said that the attacker to launch an attack, the command issued from the attackers began to each node (the node does not include off-line) have received the mandate how long. So we defined Dia as diameter of botnets and it means the maximum distance between any two nodes. where N i and N j are any two nodes in botnets. 26 /34 Efficiency

Evaluation Model We also defined Time ALL as all the heartbeat time. Above shows that the diameter and the heartbeat time are two important indicators related to the efficiency of botnet. 27 /34 Efficiency

Evaluation Model Many of the papers research on botnet analyze different aspects about the robustness of botnets. Because all the node of botnet control distribute in various places, they are likely to be common machine or the server, so their online time is uncertainty. The performance of the nodes in botnets is offline, whether the node withdraws temporarily and permanent killing. Therefore, the offline nodes play an important part in researching robustness. 28 /34 Robustness

Evaluation Model The average degree of nodes is an important indicator of researching the robustness; the greater number of the average degree, the more neighbor nodes of each node, while the better the robustness of a botnet. At the same time the maintenance of communication volume become greater, the number of exposure after the node captured also become more. The average degree of all P2P nodes in the network can be expressed as: 29 /34 Robustness

Evaluation Model At the same time the distribution of node degree reflects the stability of the entire network, some nodes with large degrees may lead to overload of the nodes, nodes with the high degrees offline can lead to greater impact on the entire network. Therefore, differences of node degree can be expressed as: 30 /34 Robustness

Evaluation Model Here we simulate 10,000 nodes, there are only 5 nodes in the initial state, the neighbor nodes of each node are the other 4 nodes. We use two strategy of joining nodes ： – First strategy is each new node join into, and select randomly 4 of the existing nodes as its neighbor, the node selected also join the new node to its neighbors list. – Second strategy is each new node join into, and select the 4 of nodes with lowest degrees as its neighbors, the same token, the node selected also join the new node to its neighbors list. 31 /34 Robustness

Evaluation Model 32 /34 Robustness

Evaluation Model 33 /34 Robustness After we remove randomly nodes form network of two strategies, we find that the network with smaller the difference of degree have better robustness. Previous studies believe that the average degree plays an important part in robustness of the entire network.

Conclusion Researching the evaluation model of botnets,as well as possible botnets construction methods,can improve us in- depth understanding of details of botnets. To assist in this effort, we proposed evaluation model and key metrics to measure botnet utility for various activities, and presented specific algorithm for each metric. In our future work, we will rich our metrics of botnet, explore effective techniques for more accurate algorithm of these metrics in real-world botnets. 34 /34