An Evaluation model of botnet based on peer to peer Gao Jian KangFeng ZHENG,YiXian Yang,XinXin Niu 2012 Fourth International Conference on Computational.

Presentation transcript:

An Evaluation Model of Botnet Based on Peer to Peer (1/34). Gao Jian, KangFeng ZHENG, YiXian Yang, XinXin Niu. 2012 Fourth International Conference on Computational Intelligence and Communication Networks. Speaker: Po Chung, Shen.

Outline (2/34). Introduction; Evaluation Model (Stealthy, Effectiveness, Efficiency, Robustness); Conclusion.

Introduction: Botnet (3/34). A botnet is a network of compromised computers (bots) running malicious software to carry out the attacker's intent. Botnets have one other important ability that sets them apart from other forms of malware: they maintain a Command-and-Control (C&C) infrastructure.

Introduction: Botnet (4/34). Most current research has focused on Internet Relay Chat (IRC) based botnets. The centralized C&C mechanism of such botnets has made them easy to detect and disable. Therefore a new generation of more reliable and more robust botnets has emerged: Peer-to-Peer (P2P) based botnets.

Introduction: Purpose (5/34). In this paper we try to construct a more comprehensive evaluation model that can evaluate the performance of botnets from different aspects. We provide the detailed calculation formulas and procedures, and analyze the relationship between them and the node degree of the botnet.

Evaluation Model (6/34). In [4], the authors present the design of an advanced hybrid peer-to-peer botnet and at the same time propose three important indexes: effectiveness, efficiency and robustness. In [7], the authors evaluate the impact of responses on different topologies using simulation and demonstrate the utility of their proposed metrics (effectiveness, efficiency and robustness). In [8], the authors focus on the resiliency and efficiency of a malnet, studied through calculation.

Evaluation Model (7/34). We summarize and analyze the evaluation indicators that have been proposed, together with a more comprehensive study of the characteristics of botnets, and put forward four comprehensive evaluation indicators: – Stealthy – Effectiveness – Efficiency – Robustness

Evaluation Model: Stealthy (8/34). Stealthiness is the key indicator of a botnet, and it is aimed mainly at the existing means of detecting botnets. The main existing detection methods are based either on host behavior or on network features. Therefore stealth can be divided into two aspects: hiding on the host and hiding of network communication.

Evaluation Model: Stealthy (9/34). Hiding of network communication includes: – the encryption mechanism used in the communication process – the traffic of task communication – the maintenance communication traffic – the ability to resist anti-virus software

Evaluation Model: Stealthy, communication encryption mechanism (10/34). In order to evade intrusion detection and firewalls, most botnets use a communication encryption mechanism, which lets the bot escape the defenses on the user's host and intrusion detection and so improves the viability of the botnet. Sinit [1] uses public key encryption to verify the update process during communication. [4] further puts forward command authentication, with different point-to-point key mechanisms to ensure the safety of the botnet, where each super-node has a different key.

Evaluation Model: Stealthy, communication encryption mechanism (11/34). It is difficult to assess whether an encryption algorithm is good or bad, so we classify the botnet communication mechanism into three levels: no encryption, fixed keys, dynamic keys.

Evaluation Model: Stealthy, the traffic of task communication (12/34). The traffic of task communication is the total communication generated when every bot receives the command sent by the controller. In the IRC botnet architecture the controller issues commands to the IRC server and the bots receive the orders directly from the IRC server, so there is no redundant traffic and the traffic can be expressed as T = n*S, where T is the traffic generated by a task, n is the number of nodes and S is the size of the task command.

Evaluation Model: Stealthy, the traffic of task communication (13/34). Because a P2P botnet issues commands mainly by relaying them between P2P nodes, some redundant traffic is inevitably produced. The average task communication volume can be expressed as T = (n+P)*S, where P is the number of redundant communications. The size of P differs with the P2P structure used; P is closely linked to the node degree and to the botnet's command forwarding mechanism.

Evaluation Model: Stealthy, the traffic of task communication (14/34). Assume – the initial degree of a node is d – the initial state has d+1 nodes – the d+1 nodes are neighbors of each other. The task traffic generated by sending one command is d + d(d−1). After adding a new node whose degree is d, the task communication volume is d + d(d−1) + 2d − 1. When the number of nodes increases to x, the task communication volume is given by the corresponding formula on the slide (not captured in this transcript).

Evaluation Model: Stealthy, maintenance of communication traffic (15/34). In order to maintain the stability of the network, P2P botnets adjust in time for nodes that go off-line or are deleted. Each node initiates outbound connections every H time units to declare its own survival, or actively probes whether its neighbors still exist every H time units. Therefore the maintenance communication volume can be expressed by the formula on the slide (not captured in this transcript), – where W is the number of connections generated in an hour and r is the number of connections the node issues every H time units, that is, the number of its neighbor nodes.

Evaluation Model: Stealthy, maintenance of communication traffic (16/34). We use a message transmission mechanism. Assume – the initial degree of a node is d – the initial state has d+1 nodes – the d+1 nodes are neighbors of each other – the heartbeat time of all nodes is h. The maintenance communication volume is then given by the formula on the slide (not captured in this transcript).

Evaluation Model: Stealthy, maintenance of communication traffic (17/34). Add a new node whose degree is d; by the neighbor-each-other principle, d of the previous d+1 nodes must each gain one degree, so the maintenance communication volume at this point changes accordingly. When the number of nodes increases to x, the maintenance communication volume is given by the formula on the slide (not captured in this transcript).
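The two traffic indicators on slides 12 to 17 can be checked by simulation. The following is an added example, not code from the paper: it grows an overlay by the rule the slides assume (d+1 mutually connected nodes, then one new node of degree d at a time), floods one command through it to count task messages, and compares the count against the slide's d + d(d−1) + (2d−1) per added node. The choice of the d neighbours for a new node (random here), the flooding rule (forward to every neighbour except the sender, once per node) and the heartbeat interval of 10 minutes are my assumptions; the slides do not fix them.

```python
import random
from collections import deque


def grow(x, d=4, seed=0):
    """Build the overlay assumed on the slides: d+1 nodes that are all
    neighbours of each other, then new nodes added one at a time, each
    linking to d distinct existing nodes. The slides do not say how the d
    neighbours are chosen; this example picks them at random (assumption)."""
    rng = random.Random(seed)
    adj = [set(range(d + 1)) - {i} for i in range(d + 1)]
    while len(adj) < x:
        new = len(adj)
        targets = rng.sample(range(new), d)
        adj.append(set(targets))
        for t in targets:
            adj[t].add(new)  # neighbour-each-other: links are symmetric
    return adj


def task_messages(adj, source=0):
    """Simulate pushing one command into the overlay at `source`.
    The source sends the command to all its neighbours; every other node, on
    first receipt, forwards it to all neighbours except the one it received
    it from (a simple flood, my assumption). Returns the number of messages
    sent, i.e. T / S in the slide's notation."""
    received_from = {source: None}
    queue = deque([source])
    messages = 0
    while queue:
        v = queue.popleft()
        for u in adj[v]:
            if u == received_from[v]:
                continue  # never echo the command back to its sender
            messages += 1
            if u not in received_from:
                received_from[u] = v
                queue.append(u)
    return messages


def predicted_task_messages(x, d):
    """Slide 14: d + d(d-1) for the initial mesh and 2d-1 more for each added
    node; extended here (my generalisation) to x nodes in total."""
    return d + d * (d - 1) + (x - d - 1) * (2 * d - 1)


def redundant_messages(adj, source=0):
    """P in T = (n+P)*S: messages beyond the n-1 deliveries needed to reach
    every node other than the source once (the controller's own injection
    into the source node is not counted)."""
    return task_messages(adj, source) - (len(adj) - 1)


def maintenance_per_hour(adj, h_minutes):
    """W from slide 15: every node contacts each of its r neighbours once per
    heartbeat interval of H minutes, so W = sum(r_i) * 60 / H connections."""
    return sum(len(neighbours) for neighbours in adj) * 60 / h_minutes


if __name__ == "__main__":
    for x in (5, 6, 50, 10_000):
        overlay = grow(x, d=4)
        print(x, task_messages(overlay), predicted_task_messages(x, 4),
              redundant_messages(overlay), maintenance_per_hour(overlay, 10))
```

Under the flooding rule above the message count is simply 2E − n + 1 for any connected overlay with E links and n nodes, which is why the slide's per-node increment 2d − 1 holds regardless of which d existing nodes a newcomer attaches to; the redundant share P therefore grows linearly with node degree, the trade-off the slides describe between stealth and robustness.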

Evaluation Model: Stealthy, the ability to resist anti-virus software (20/34). If a bot is to keep running on a machine with antivirus software, it must have modules for resisting the antivirus software in order to stay stealthy. We need to objectively evaluate how well a bot sample resists anti-virus software. First, for the same malware sample, different anti-virus products have different detection capability. We use these common anti-virus products to scan the bot samples that have been obtained. A scan has only two results: we denote an anti-virus alarm as 1 and no alarm as 0.

Evaluation Model: Stealthy, the ability to resist anti-virus software (19/34). We use VirScan.org for online virus scanning, with each anti-virus engine checking the sample.

Evaluation Model: Stealthy, the ability to resist anti-virus software (20/34). The formula for the ability to resist anti-virus software is given on the slide (not captured in this transcript), – where AntiAV denotes the ability to resist anti-virus software, W_i is the weight given by the market share of anti-virus product i, and P_i is the result of anti-virus product i scanning the sample. A value closer to 0 indicates stronger resistance to antivirus software; a value closer to 1 indicates that most antivirus products detect the sample and the resistance is weaker.

Evaluation Model: Effectiveness (21/34). Effectiveness assesses the destructive power of botnet attacks. The more infected machines a botnet includes, the greater the effect it produces. We believe the size of the botnet reflects its effectiveness to a large extent.

Evaluation Model: Effectiveness (22/34). But given the nature of the Internet at present, each machine has different on-line times and can provide different bandwidth. Therefore we assess on the basis of botnet size while also taking into account the on-line time slice, the type of network access and other key factors.

Evaluation Model: Effectiveness (23/34). The time slice of each infected host can be measured. After a bot runs on a host, in order to let other hosts and the controller obtain information about the host, the bot sends its own alive information at regular intervals. If the messages from the host keep arriving every heartbeat time, the host is online at that time. If the interval between two heartbeat messages from the host exceeds two heartbeat cycles, the host is offline during that period.

Evaluation Model: Effectiveness (24/34). We can calculate the probability that the host is online at a point A on day n+1 from the heartbeat records of the machine over the previous n days, using the formula on the slide (not captured in this transcript), – where O_i indicates whether the host is online at point A on day i, 1 for online and 0 for offline. Therefore we can calculate the number of hosts of the botnet we can use at time A, using the formula on the slide, – where P_Ai is the online probability of host i at point A.

Evaluation Model: Effectiveness (25/34). At the same time we can calculate the largest number of hosts we can use, using the formula on the slide (not captured in this transcript), – where Num_0 is the number of hosts we can use at time 0, Num_1440−s is the number of hosts we can use at time 24*60−s, and s is the time interval.
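The heartbeat-based availability estimate of slides 23 to 25 is easy to get wrong at the edges (a silence longer than two heartbeat cycles must count as offline, and the day-boundary must not break a continuous run), so here is an added example, not the paper's code, that implements the rule on a constructed three-host, three-day heartbeat record and then computes P_A, Num_A and the maximum over the time points 0, s, ..., 1440−s. The heartbeat period of 10 minutes, the 60-minute step s and the sample records are assumptions of this example.

```python
HEARTBEAT = 10           # heartbeat period h in minutes (assumed value)
MINUTES_PER_DAY = 24 * 60


def daily_beats(day, start, end, gap=None, h=HEARTBEAT):
    """Constructed heartbeat timestamps (absolute minutes) for one host on one
    day, from `start` to `end` inclusive; beats strictly inside the (lo, hi)
    window `gap` are dropped to simulate an outage."""
    return [day * MINUTES_PER_DAY + m for m in range(start, end + 1, h)
            if gap is None or not (gap[0] < m < gap[1])]


def online_intervals(beats, h=HEARTBEAT):
    """Slide 23 rule: consecutive heartbeats at most 2h apart belong to one
    online interval; a longer silence means the host was offline in between."""
    beats = sorted(beats)
    if not beats:
        return []
    intervals, start, prev = [], beats[0], beats[0]
    for t in beats[1:]:
        if t - prev > 2 * h:
            intervals.append((start, prev))
            start = t
        prev = t
    intervals.append((start, prev))
    return intervals


def online_probability(beats, point, days, h=HEARTBEAT):
    """P_A: fraction of the previous `days` days on which the host was online
    at minute-of-day `point` (O_i = 1 when online on day i, 0 otherwise)."""
    intervals = online_intervals(beats, h)
    online = 0
    for day in range(days):
        t = day * MINUTES_PER_DAY + point
        online += any(a <= t <= b for a, b in intervals)
    return online / days


def usable_hosts(hosts, point, days):
    """Num_A: expected number of usable hosts at `point`, the sum of P_Ai."""
    return sum(online_probability(b, point, days) for b in hosts.values())


def max_usable_hosts(hosts, days, s=60):
    """Largest Num_A over the points 0, s, 2s, ..., 1440-s (value, point)."""
    return max((usable_hosts(hosts, point, days), point)
               for point in range(0, MINUTES_PER_DAY, s))


# Constructed three-host record over three days (not real data):
#   always-on     beats all day, every day
#   office-hours  beats only between 09:00 and 17:00
#   flaky         silent on day 1 and silent from 12:00 to 13:00 on day 2
HOSTS = {
    "always-on": sum((daily_beats(d, 0, 1430) for d in range(3)), []),
    "office-hours": sum((daily_beats(d, 540, 1020) for d in range(3)), []),
    "flaky": daily_beats(0, 0, 1430) + daily_beats(2, 0, 1430, gap=(720, 780)),
}

if __name__ == "__main__":
    for point in (0, 600, 750):
        print(f"Num at minute {point}: {usable_hosts(HOSTS, point, 3):.3f}")
    print("maximum (value, point):", max_usable_hosts(HOSTS, 3))
```

The one-hour outage on the flaky host is the edge case worth noticing: at 12:30 the host counts as offline for that day even though it sent heartbeats at 12:00 and 13:00, because the 60-minute silence exceeds two heartbeat cycles, whereas the 10-minute gap across midnight on the always-on host keeps it in a single online interval.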

Evaluation Model: Efficiency (26/34). Efficiency measures how long it takes, from the moment the attacker issues a command, until every node (excluding off-line nodes) has received it. So we define Dia as the diameter of the botnet, the maximum distance between any two nodes, given by the formula on the slide (not captured in this transcript), where N_i and N_j are any two nodes in the botnet.

Evaluation Model: Efficiency (27/34). We also define Time_ALL as the total heartbeat time. The above shows that the diameter and the heartbeat time are two important indicators related to the efficiency of a botnet.

Evaluation Model: Robustness (28/34). Many botnet research papers analyze different aspects of botnet robustness. Because the controlled nodes of a botnet are distributed in various places and are likely to be ordinary machines or servers, their online time is uncertain. The behavior of a node in a botnet is to go offline, whether it withdraws temporarily or is permanently cleaned. Therefore offline nodes play an important part in researching robustness.

Evaluation Model: Robustness (29/34). The average degree of nodes is an important indicator for researching robustness: the greater the average degree, the more neighbor nodes each node has, and the better the robustness of the botnet. At the same time the maintenance communication volume becomes greater, and more nodes are exposed after a node is captured. The average degree of all P2P nodes in the network can be expressed by the formula on the slide (not captured in this transcript).

Evaluation Model: Robustness (30/34). At the same time the distribution of node degree reflects the stability of the entire network: some nodes with large degrees may become overloaded, and high-degree nodes going offline have a greater impact on the whole network. Therefore the difference of node degree can be expressed by the formula on the slide (not captured in this transcript).

Evaluation Model: Robustness (31/34). Here we simulate 10,000 nodes. There are only 5 nodes in the initial state, and the neighbors of each node are the other 4 nodes. We use two strategies for joining nodes: – First strategy: each new node joins and randomly selects 4 of the existing nodes as its neighbors; each selected node also adds the new node to its neighbor list. – Second strategy: each new node joins and selects the 4 nodes with the lowest degrees as its neighbors; likewise, the selected nodes also add the new node to their neighbor lists.

Evaluation Model: Robustness (32/34).

Evaluation Model: Robustness (33/34). After randomly removing nodes from the networks built with the two strategies, we find that the network with the smaller difference of degree has better robustness. Previous studies believe that the average degree plays an important part in the robustness of the entire network.
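The simulation of slides 31 to 33, together with the diameter Dia of slide 26, can be reproduced in a few dozen lines. The following is an added example and not the paper's code: it grows an overlay from the 5-node initial mesh with either joining strategy, reports average degree, the spread of degree, the diameter, and the share of surviving nodes left in the largest connected component after a random fraction of nodes is removed (the defender's view: random removal models cleanup of individual hosts). The spread measure (population standard deviation), the removal fraction, the seeds and the smaller default node count are my assumptions; the slide's own "difference of degree" formula is not in the transcript.

```python
import heapq
import random
from collections import deque


def grow(n, d=4, strategy="random", seed=0):
    """Grow an overlay from d+1 mutually connected nodes to n nodes. Each
    newcomer links to d existing nodes chosen either at random or as the d
    nodes of lowest current degree (the two strategies on slide 31); the
    chosen nodes add the newcomer to their own neighbour lists."""
    rng = random.Random(seed)
    adj = [set(range(d + 1)) - {i} for i in range(d + 1)]
    while len(adj) < n:
        new = len(adj)
        if strategy == "random":
            targets = rng.sample(range(new), d)
        elif strategy == "lowest":
            # O(n) scan per join; fine for a few thousand nodes
            targets = heapq.nsmallest(d, range(new), key=lambda v: len(adj[v]))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        adj.append(set(targets))
        for t in targets:
            adj[t].add(new)
    return adj


def degree_stats(adj):
    """Average degree (slide 29) and the population standard deviation of
    degree, used here as the 'difference of node degree' of slide 30."""
    degrees = [len(nb) for nb in adj]
    mean = sum(degrees) / len(degrees)
    var = sum((g - mean) ** 2 for g in degrees) / len(degrees)
    return mean, var ** 0.5


def eccentricity(adj, source):
    """Largest hop distance from `source` to any reachable node (BFS)."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        v = queue.popleft()
        for u in adj[v]:
            if u not in dist:
                dist[u] = dist[v] + 1
                queue.append(u)
    return max(dist.values())


def diameter(adj):
    """Dia from slide 26: the maximum shortest-path distance over all pairs."""
    return max(eccentricity(adj, s) for s in range(len(adj)))


def largest_component_fraction(adj, remove_fraction, seed=0):
    """Remove a random fraction of nodes (slide 33) and report the share of
    the survivors that remain in the largest connected component."""
    rng = random.Random(seed)
    n = len(adj)
    removed = set(rng.sample(range(n), int(n * remove_fraction)))
    alive = set(range(n)) - removed
    seen, best = set(), 0
    for s in alive:
        if s in seen:
            continue
        component, stack = {s}, [s]
        while stack:
            v = stack.pop()
            for u in adj[v]:
                if u in alive and u not in component:
                    component.add(u)
                    stack.append(u)
        seen |= component
        best = max(best, len(component))
    return best / len(alive)


if __name__ == "__main__":
    N = 2_000  # the paper simulates 10,000; smaller here so the exact diameter stays quick
    for strategy in ("random", "lowest"):
        overlay = grow(N, 4, strategy)
        mean, spread = degree_stats(overlay)
        survivors = largest_component_fraction(overlay, 0.2)
        print(f"{strategy:7s} avg degree {mean:.2f}  degree std {spread:.2f}  "
              f"Dia {diameter(overlay)}  largest component after 20% removal {survivors:.3f}")
```

Both strategies add exactly 4 links per newcomer, so their average degree is identical (8 − 20/n); what differs is the spread. Attaching to the lowest-degree nodes keeps every degree within a narrow band, which is the property slide 33 associates with better robustness, but because the lowest-degree nodes are always the most recently joined ones the overlay grows as a long band and its diameter, and hence the command delivery time of slide 26, becomes much larger than for random attachment. Running the script shows that trade-off directly.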

Conclusion (34/34). Researching the evaluation model of botnets, as well as possible botnet construction methods, can improve our in-depth understanding of the details of botnets. To assist in this effort, we proposed an evaluation model and key metrics to measure botnet utility for various activities, and presented a specific algorithm for each metric. In our future work we will enrich our botnet metrics and explore effective techniques for more accurate algorithms of these metrics in real-world botnets.