A First Step Towards Characterizing Stealthy Botnets
Justin Leonard, Shouhuai Xu, Ravi Sandhu
University of Texas at San Antonio
Overview
Dynamic Graph Model
Model Parameters
Detection Ratio
Resilience
Impact of Topology
Impact of Fragmentation
Impact of Sophistication
Dynamic Graph Model
Directed graph representation.
Vertex set represents bots.
Edge set represents the “knows” relation, e.g., (u,v) implies u can spontaneously communicate with v.
Does capturing u imply exposure of v?
An undirected graph is a special case.
Role of anonymous channels
Anonymous channels offer a mechanism for bots to communicate without exposing their identity.
Some implementations may allow duplex communication.
Fully anonymous channels are assumed to be “out of botnet”.
Roles of bots
The master is considered “out-of-botnet”.
An entry bot is a bot which directly receives communications from the master.
Each bot relays communications over its out-edges according to the topology.
Extreme case: every bot is an entry bot, and the edge set is empty.
Model Parameters
Attack sophistication α, β
α: probability of exposure due to sending C&C.
β: probability of exposure due to receiving C&C.
Anonymous channels may reduce or eliminate either.
Out-of-botnet channels are “undetectable”.
Model Parameters
Graph Topology
Type of graph structure created by the adversary.
Assumed to be fixed over a single attack round.
Detection Threshold k
Master's estimation of defender's detection capabilities.
Risk management of bots.
Detection Ratio
Define exposedness as the probability that a bot has been captured after conducting some previous C&C activity, and potentially conducting some additional C&C activity.
The detection ratio is the number of bots whose exposedness is above the risk threshold k, relative to the size of the botnet.
Resilience
Complement of the ratio of the number of “traceable” bots to the size of the botnet.
Tracing uses the “knows” relationship.
Requires the restriction that β > 0, since we cannot trace “backwards” over receiver anonymous channels in a single round.
Simulation Study
Difficult to combine definitions with topologies to gain insights.
Intuitively large-degree botnets are not stealthy, so focus on small-degree “p2p” style botnets.
Initially investigated homogeneous topologies.
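The model parameters, detection ratio and resilience definitions above, and the small-degree regular-versus-random topologies of the simulation study, as an added worked example in Python. This is not the authors' code; it encodes one assumed reading of the slides: a single C&C round in which the out-of-botnet master contacts the entry bots and every bot relays once over all its out-edges, each send being observed with probability α and each receive with probability β, so a bot's exposedness is 1 - (1-α)^sends (1-β)^recvs. The example graphs, the forward-only tracing rule when β > 0, and all function names are assumptions.

```python
import random
from collections import deque

# Constructed example graphs (not from the paper): bot -> bots it "knows".
STAR_TREE = {0: [1, 2, 3], 1: [4, 5], 2: [], 3: [], 4: [], 5: []}
ISOLATED = {b: [] for b in range(6)}   # extreme case: every bot is an entry bot, no edges


def relay_round(graph, entry_bots):
    """One C&C round: the out-of-botnet master contacts the entry bots and
    every bot relays the command once over all its out-edges.
    Returns per-bot counts of C&C sends and receives. The receive from the
    master is not counted, since out-of-botnet channels are 'undetectable'."""
    sends = {b: 0 for b in graph}
    recvs = {b: 0 for b in graph}
    queue = deque(entry_bots)
    relayed = set(entry_bots)
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            sends[u] += 1
            recvs[v] += 1
            if v not in relayed:      # each bot relays only the first copy it receives
                relayed.add(v)
                queue.append(v)
    return sends, recvs


def exposedness(graph, entry_bots, alpha, beta):
    """Assumed exposedness: probability a bot was captured, given that each
    C&C send is observed with prob alpha and each receive with prob beta."""
    sends, recvs = relay_round(graph, entry_bots)
    return {b: 1 - (1 - alpha) ** sends[b] * (1 - beta) ** recvs[b] for b in graph}


def detection_ratio(exposed, k):
    """Fraction of bots whose exposedness is above the risk threshold k."""
    return sum(1 for p in exposed.values() if p > k) / len(exposed)


def traceable(graph, exposed, k, beta):
    """Bots the defender can reach: those above threshold k, plus (only when
    beta > 0) everything reachable from them over the 'knows' relation.
    With beta == 0 the receivers stay anonymous, so tracing stops."""
    found = {b for b, p in exposed.items() if p > k}
    if beta <= 0:
        return found
    queue = deque(found)
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in found:
                found.add(v)
                queue.append(v)
    return found


def resilience(graph, exposed, k, beta):
    """Complement of the ratio of traceable bots to botnet size."""
    return 1 - len(traceable(graph, exposed, k, beta)) / len(graph)


def evaluate(graph, entry_bots, alpha, beta, k):
    """Detection ratio and resilience of one topology for one parameter set."""
    exposed = exposedness(graph, entry_bots, alpha, beta)
    return detection_ratio(exposed, k), resilience(graph, exposed, k, beta)


def ring_topology(n, d):
    """Constructed small-degree 'p2p' topology with regular in- and out-degree d:
    bot i knows the next d bots around a ring."""
    return {i: [(i + j) % n for j in range(1, d + 1)] for i in range(n)}


def random_topology(n, d, seed=0):
    """Constructed topology with regular out-degree d but random in-degree."""
    rng = random.Random(seed)
    return {i: rng.sample([j for j in range(n) if j != i], d) for i in range(n)}


if __name__ == "__main__":
    cases = [("star-tree", STAR_TREE, [0]), ("isolated", ISOLATED, list(range(6))),
             ("in-regular", ring_topology(20, 2), [0]),
             ("in-random", random_topology(20, 2), [0])]
    for name, g, entry in cases:
        for alpha, beta in [(0.3, 0.2), (0.3, 0.0)]:   # sender-weighted, then receiver-anonymous
            d, r = evaluate(g, entry, alpha, beta, k=0.5)
            print(f"{name:10s} alpha={alpha} beta={beta}: detection={d:.2f} resilience={r:.2f}")
```

Running the script prints the two metrics per topology; the isolated case gives detection 0 and resilience 1 because every bot talks only to the master over an undetectable channel, while setting β to 0 raises resilience on every connected topology because tracing over the "knows" relation is no longer possible.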
Impact of Topology
Impact of Fragmentation
In-degree regular vs random (out-degree is similar): detection ratio
Impact of Fragmentation
In-degree regular vs random (out-degree is similar): resilience
Impact of Sophistication
Equal detection vs sender weighted detection, in-random topology.
Impact of Sophistication
Equal detection vs sender weighted detection, in-regular topology.
Future Issues
Can we build a holistic framework for both C&C and attack activities?
Can we extend the model for attack-defense interactions?
How should we validate against real-world testbeds and case studies?
Questions?