Page 1: A Framework for P2P Botnets

Speaker: Chi-Sheng Chen

Date:2010/11/16

A Framework for P2P Botnets

Su Chang, Linfeng Zhang, Yong Guan, Thomas E. Daniels
Dept of Electrical and Computer Engineering
Iowa State University
Ames, Iowa 50011, USA

Page 2: A Framework for P2P Botnets

Introduction

Previously, DDoS and spamming were the primary concern, but now applications such as keylogging, click fraud and other “for profit” purposes are becoming a focus of botnets. To make effective countermeasures against botnets, it is very important to study not only the existing ones of various kinds separately, but also the inherent relationships among different botnets/worms (since most current botnets make use of worms to propagate), as well as the ones to appear in the

112/04/21 2

Page 3: A Framework for P2P Botnets

Introduction

In this paper, we address the above issues and make contributions in

1) proposing a general framework for understanding botnets of different kinds;

2) predicting a new botnet from the framework and comparing its performance with known ones.

To the best of our knowledge, we are the first to propose a framework for botnets/worms and the lcbot concept in the botnet and related fields.


Page 4: A Framework for P2P Botnets

Related Work


Page 5: A Framework for P2P Botnets

Related Work

Many schemes are proposed in the literature to detect botnets of centralized structure. To summarize, those schemes are based on one or more of the following techniques:

• DNS inspection

• DNSBL inspection

• traffic pattern recognition

• temporal or spatial correlation


Page 6: A Framework for P2P Botnets

Related Work

Encryption, C&C structure (P2P) and commonly used protocols for C&C are the main directions of their evolution.

Encryption makes identifying botnets more difficult, resulting in the inefficacy of schemes based on signatures or on anomaly detection using character distribution.

C&C by other commonly used protocols makes the communication among bots more covert, as it hides its messages among legitimate traffic. Consequently, there are reports of botnets using VoIP, Skype, Gmail, and HTTP in C&C.


Page 7: A Framework for P2P Botnets

Related Work

A P2P structure makes the botnet robust and resilient to bot removal/repair.

The slide lists the timeline of captured botnets using P2P.

The main idea is that each bot has a “buddy list” or routing information consisting of the IP addresses of n other infected hosts.


Page 8: A Framework for P2P Botnets

Related Work

“PUSH”-based botnets

The peerlist construction of a supernode in is similar to , except that only an exchange of peerlists is needed, there is no replacement of newly infected supernodes’ IPs, and only client nodes can infect supernodes.

“PULL”-based botnets

The botnet structure in is similar to , except that the clients periodically communicate with any servant bot in their peerlist to grab the command.


Page 9: A Framework for P2P Botnets

Predicting the New Botnet

For a network composed of either a worm or a botnet, each infected host i is associated with three parameters ps_i, pc_i, and k_i, which are defined as follows:

• ps_i ∈ {0, 1}: “Can the infected host i be a server in the botnet?”

• pc_i ∈ {0, 1}: “Can the infected host i be a client in the botnet?”

• k_i: the number of hosts with which an infected host i can communicate.


Page 10: A Framework for P2P Botnets

Predicting the New Botnet

From the viewpoint of communication in command delivery, we can integrate various botnets/worms into a framework by setting different values


Page 11: A Framework for P2P Botnets

Predicted Botnet (lcbot)

The values of ps_i and k_i are important to current botnets.

On one hand, the botmaster wants the number of bots having ps_i = 1, and their k_i, as low as possible to make the C&C more covert.

On the other hand, given that a certain portion of the bots in the botnet will be turned off or cleaned at any time, these values have to be large enough to maintain connectivity with the remaining botnet. Normally it is expected that attackers can adjust the above values to balance this tradeoff in the proposed botnets under specific situations.


Page 12: A Framework for P2P Botnets

Predicted Botnet (lcbot)

The basic concept of lcbot is to consider the botnet as being composed of many groups with different group codes, and to decouple ps_i into pis_i and pos_i.

Every bot in the lcbot has pis_i equal to 1, and its peerlist contains all the other bots in the same group.

Within each group, a small number of bots have pos_i equal to 1; each of these bots has only one out-link, to a bot in a different group.
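The framework parameters (ps_i, pc_i, k_i), the covertness/connectivity tradeoff and the lcbot group structure described above can be exercised in a small model. The following Python is an added example for this transcript, not code from the paper or its authors: it builds an lcbot-style graph (each group is a full peerlist; the first few bots of each group get pos_i = 1 and a single out-link to the next group in an assumed ring layout, with targets drawn from the target group's non-pos bots), reports each bot's framework parameters, and measures, as a defender would, how much of the command-delivery graph stays in one connected piece after a fraction of bots is cleaned. The ring layout, the undirected treatment of links for reachability, pc_i = 1 for every bot and all sizes are assumptions of this model.

```python
"""Toy model of the page's framework (ps_i, pc_i, k_i) applied to the predicted
lcbot topology, used to measure how many bots must be cleaned before the
command-delivery graph fragments. Added example; not the paper's code."""
import random
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Bot:
    bot_id: int
    group: int
    pis: int = 1   # lcbot: every bot is a server for its own group (pis_i = 1)
    pos: int = 0   # only a few bots per group hold an out-link (pos_i = 1)
    pc: int = 1    # every bot is a client (pc_i = 1); assumption of this model
    peers: set = field(default_factory=set)   # peerlist; len(peers) is k_i


def build_lcbot(num_groups, group_size, out_links_per_group, seed=0):
    """Groups are cliques (full peerlists). The first out_links_per_group bots
    of each group get pos_i = 1 and one link each to the following group(s) in
    a ring (assumed layout, so the graph starts connected). Out-link targets
    are chosen among non-pos bots of the target group (assumption)."""
    if num_groups < 2 or not 0 < out_links_per_group < min(group_size, num_groups):
        raise ValueError("need >= 2 groups and fewer out-links than bots per group / groups")
    rng = random.Random(seed)
    bots, members = {}, {g: [] for g in range(num_groups)}
    for g in range(num_groups):
        for j in range(group_size):
            bid = g * group_size + j
            bots[bid] = Bot(bid, g)
            members[g].append(bid)
    for g in range(num_groups):
        for bid in members[g]:
            bots[bid].peers.update(m for m in members[g] if m != bid)
    for g in range(num_groups):
        for n, bid in enumerate(members[g][:out_links_per_group]):
            target_group = (g + n + 1) % num_groups
            target = rng.choice(members[target_group][out_links_per_group:])
            bots[bid].pos = 1
            bots[bid].peers.add(target)
            bots[target].peers.add(bid)   # links treated as undirected for reachability
    return bots


def framework_params(bots):
    """(ps_i, pc_i, k_i) per bot; ps_i = 1 iff the bot serves on any link."""
    return {b.bot_id: (int(b.pis or b.pos), b.pc, len(b.peers)) for b in bots.values()}


def server_count(bots):
    """Bots exposed as cross-group servers (pos_i = 1): the value the botmaster
    keeps small for covertness and the natural cut points for a defender."""
    return sum(b.pos for b in bots.values())


def largest_component_fraction(bots, cleaned):
    """Fraction of surviving bots that remain in the largest connected piece
    once the bots in `cleaned` are removed (BFS over peerlists)."""
    alive = set(bots) - set(cleaned)
    if not alive:
        return 0.0
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        queue, size = deque([start]), 0
        seen.add(start)
        while queue:
            cur = queue.popleft()
            size += 1
            for nxt in bots[cur].peers:
                if nxt in alive and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        best = max(best, size)
    return best / len(alive)


def random_cleaning(bots, fraction, trials=200, seed=1):
    """Mean largest-component fraction when a random `fraction` of bots is
    cleaned, modelling the page's 'turned off or cleaned at any time'."""
    rng = random.Random(seed)
    ids = list(bots)
    n = int(round(fraction * len(ids)))
    return sum(largest_component_fraction(bots, rng.sample(ids, n)) for _ in range(trials)) / trials


if __name__ == "__main__":
    net = build_lcbot(num_groups=8, group_size=10, out_links_per_group=1)
    print("cross-group servers:", server_count(net), "of", len(net), "bots")
    for frac in (0.0, 0.1, 0.3, 0.5):
        print(f"clean {frac:.0%} of bots -> largest component {random_cleaning(net, frac):.2f}")
```

Comparing random cleaning with the targeted removal of the few pos_i = 1 bots (the `cleaned` argument accepts any set of bot ids) shows the defender's side of the tradeoff the slide describes: the in-group cliques survive almost any random cleaning, while the graph splits as soon as a group's single out-link bot is gone.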


Page 13: A Framework for P2P Botnets

Predicted Botnet (lcbot)
