Modeling Botnets and Epidemic Malware Marco Ajelli, Renato Lo Cigno, Alberto Montresor DISI – University of Trento, Italy disi.unitn.it

ICC NGS, Cape Town, June BOTNETS Collection of bots, i.e. machines remotely controlled by a bot-master Today intrinsically associated with malware  Viruses, worms,...  SPAM sending, data spying,... A bot is “created” by spreading a piece of software that infects machines Bot software self-replicate Bot Software may be  Active: doing its intended damage/action/...  Replicating: sending new copies to non-infected machines  Sleeping: just waiting to go into one of the above states

ICC NGS, Cape Town, June Why Modeling Botnets To... improve their design... or To understand how to counter them better Little is known about how botnets works and operate Worms and Viruses are among the most dangerous threats to Internet evolution SPAM (90% of it is deemed to be generated by botnets!) is hampering communications... and can be worse on other services like voice! Bots can scan the disk to grab, important, sensitive, personal information...

ICC NGS, Cape Town, June How to model a Botnet? Intrinsically difficult  Large, distributed system with complex behavior  Measures are not available and very difficult to collect (this limits also the “scope” of modeling, since it is not possible to validate them) No clues on the dynamic behavior, apart from the fact that they spread by infection new machines  No “space” for a proper stochastic model Learn from biology diseases spreading We propose a model technique based on compartmental ordinary differential equations

ICC NGS, Cape Town, June Compartmental ordinary differential equations Differential Eq. df(x) = a f(x)  The rate of change of e.g. a population is proportional to its value Compartment == introduce multiple populations influencing each other  System of coupled differential equations f g a c b d df(x) = a f(x) + b g(x) dg(x) = c f(x) + d g(x)

ICC NGS, Cape Town, June Botnets subject to immunization I-bot s = susceptibles: PCs that can be infected i = infected: PCs that got the malware and are spamming v = hidden: infected computers which are not spamming r = recovered: computers which were de-malwerized p = apportioning coefficient between spamming/hidden nodes: regulate the rate of toggling between states We normalize the system w.r.t. an arbitrary transition rate , which it absolute rate of transition between states i and v

ICC NGS, Cape Town, June Botnets with re-infection R-bot Recovered PCs can be re-infected with some Susceptibles can be immunized (antivirus footprint update, etc. )

ICC NGS, Cape Town, June More complex models... You can find examples/details on Ajelli, M. and Lo Cigno, R. and Montresor, A., “Compartmental differential equations models of botnets and epidemic malware (extended version),” University of Trento, T.R. DISI , 2010,

ICC NGS, Cape Town, June Insights and Metrics given by the Model What are the admissible parameters for a bot to work? Threshold conditions  What are the spreading parameters that makes a bot dangerous?  Nice closed form equations look for them in the paper you do not want a nasty 2 lines equation on a slide How many PCs will be affected in the population? What is the fraction of infected PCs in time? What is the amount of damage done by the botnet?

ICC NGS, Cape Town, June Fraction of PCs infected: I-bot Measures how many PCs will be infected during the epidemics Function of the ratio between infectivity  and recovery  Three values of p: 0.2,0.5,0.8 more infected nodes are active

ICC NGS, Cape Town, June Maximum number of infected PCs: I-bot Measures the maximum fraction of PCs will infected during the entire epidemics Function of the ratio between infectivity  and recovery  Three values of p: 0.2,0.5,0.8 more infected nodes are active

ICC NGS, Cape Town, June Fraction of infected PCs in time: I-bots Active Hidden p decreases  = 0.5  = 0.25

ICC NGS, Cape Town, June R 0 and R-botnet diffusion I-botnets are probably too simplistic  Infection always starts, even if it can be non-effective if the worm/virus is too much or too little aggressive R-botnets are more interesting, due to the possibility that the malware simply do not spread if “immunization is fast enough R 0 > 1 means that the infection can happen, < 1 means that the malware is cured before it can do meaningful harm Interestingly this fundamental property can be computed in closed for the model

ICC NGS, Cape Town, June R-botnets: areas of “effectiveness” Grey areas are those for which the epidemics will occur for the given set of parameters  = 0.25 

ICC NGS, Cape Town, June Harm caused by botnets How much damage can a botnet cause? Are I-bots more dangerous than R-bots or vice versa? Are aggressive bots more or less dangerous than hidden ones? Example: R-bot with:  = 0.25  =  variable Medium aggressiveness pays better; Larger  increase the damage (obvious)

ICC NGS, Cape Town, June I-bots: waves of spam-storm Even simple i-bots show very complex behavior just by changing a parameter like p Multiple “waves” of infection can be simply the consequence of swapping coordinately between different p values light gray: p=0.1 dark gray: p=0.9

ICC NGS, Cape Town, June Conclusions We have proposed a modeling methodology for understanding the behavior of botnets Even simple, deterministic compartmental differential equations highlight interesting phenomena and complex behavior Available measures would enable  Validation of averages  Stochastic models Botnets are currently one of the major threats in the Internet, but they covert and complex behavior lead (possibly) to underestimate their impact Read the paper (better the extended version) to learn more!!

ICC NGS, Cape Town, June THE END Thank you! Questions? Comments?