
A First Step Towards Characterizing Stealthy Botnets


Presentation Transcript


  1. A First Step Towards Characterizing Stealthy Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of Texas at San Antonio

  2. Overview: Dynamic Graph Model; Model Parameters; Detection Ratio; Resilience; Impact of Topology; Impact of Fragmentation; Impact of Sophistication.

  3. Dynamic Graph Model. Directed graph representation: the vertex set represents bots; the edge set represents the “knows” relation, e.g., (u,v) means u can spontaneously communicate with v. Does capturing u imply exposure of v? An undirected graph is a special case.

  4. Role of anonymous channels. Anonymous channels offer a mechanism for bots to communicate without exposing their identity. Some implementations may allow duplex communication. Fully anonymous channels are assumed to be “out of botnet”.

  5. Roles of bots. The master is considered “out-of-botnet”. An entry bot is a bot that directly receives communications from the master. Each bot relays communications over its out-edges according to the topology. Extreme case: every bot is an entry bot and the edge set is empty.

  6. Model Parameters: attack sophistication α, β. α is the probability of exposure due to sending C&C; β is the probability of exposure due to receiving C&C. Anonymous channels may reduce or eliminate either. Out-of-botnet channels are “undetectable”.

  7. Model Parameters: graph topology and detection threshold. Graph topology: the type of graph structure created by the adversary, assumed to be fixed over a single attack round. Detection threshold k: the master's estimate of the defender's detection capabilities, used for risk management of bots.

  8. Detection Ratio. Define exposedness as the probability that a bot has been captured after conducting some previous C&C activity and potentially conducting some additional C&C activity. The detection ratio is the number of bots above the risk threshold k relative to the size of the botnet.

  9. Resilience. The complement of the ratio of the number of “traceable” bots to the size of the botnet. Tracing uses the “knows” relationship. Requires the restriction β > 0, e.g., we cannot trace “backwards” over receiver anonymous channels in a single round.
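As an added illustration of the detection ratio (slide 8) and resilience (slide 9) definitions, not code from the presentation: a small constructed “knows” graph is evaluated for one C&C round. The slides give no closed form for exposedness, so the per-bot formula, the rule that a bot at or above threshold k counts as captured, and forward-only tracing over out-edges are assumptions of this example.

```python
from collections import deque

# Constructed sample data: directed "knows" edges, (u, v) means u can contact v.
# Bots a-d form a ring with one chord; e is an isolated entry bot (no edges).
BOTS = ["a", "b", "c", "d", "e"]
EDGES = [("a", "b"), ("b", "c"), ("c", "d"), ("d", "a"), ("a", "c")]

def degrees(bots, edges):
    out_deg = {b: 0 for b in bots}
    in_deg = {b: 0 for b in bots}
    for u, v in edges:
        out_deg[u] += 1
        in_deg[v] += 1
    return out_deg, in_deg

def exposedness(bots, edges, alpha, beta):
    """Probability that each bot has been captured after one C&C round.

    Assumed model (not from the slides): every bot sends once over each
    out-edge and receives once over each in-edge; each send is exposed with
    probability alpha and each receive with probability beta, independently.
    Master-to-entry-bot traffic is out-of-botnet and hence undetectable.
    """
    out_deg, in_deg = degrees(bots, edges)
    return {b: 1.0 - (1 - alpha) ** out_deg[b] * (1 - beta) ** in_deg[b]
            for b in bots}

def detection_ratio(bots, edges, alpha, beta, k):
    """Fraction of bots whose exposedness reaches the master's threshold k."""
    exp = exposedness(bots, edges, alpha, beta)
    return sum(1 for b in bots if exp[b] >= k) / len(bots)

def resilience(bots, edges, alpha, beta, k):
    """1 - traceable/size: bots at or above k are treated as captured, and the
    defender follows the 'knows' relation forward (captured u exposes each v it
    knows). Backward tracing over receiver anonymous channels is not modelled."""
    exp = exposedness(bots, edges, alpha, beta)
    adj = {b: [] for b in bots}
    for u, v in edges:
        adj[u].append(v)
    traceable = {b for b in bots if exp[b] >= k}
    queue = deque(traceable)
    while queue:
        for v in adj[queue.popleft()]:
            if v not in traceable:
                traceable.add(v)
                queue.append(v)
    return 1.0 - len(traceable) / len(bots)

if __name__ == "__main__":
    for alpha, beta in [(0.1, 0.1), (0.1, 0.0), (0.0, 0.1)]:  # β=0: receiver anonymity
        print(alpha, beta, detection_ratio(BOTS, EDGES, alpha, beta, 0.2),
              resilience(BOTS, EDGES, alpha, beta, 0.2))
```

With β = 0 (anonymous receive side) no bot in this graph reaches k = 0.2, so the detection ratio drops to 0 and resilience to 1, which is the effect slide 6 attributes to anonymous channels.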

  10. Simulation Study. It is difficult to combine the definitions with topologies to gain insights analytically. Intuitively, large-degree botnets are not stealthy, so the focus is on small-degree “p2p”-style botnets. Initially investigated homogeneous topologies.

  11. Impact of topology

  12. Impact of Fragmentation: in-degree regular vs. random (out-degree is similar), detection ratio.

  13. Impact of Fragmentation: in-degree regular vs. random (out-degree is similar), resilience.

  14. Impact of Sophistication: equal detection vs. sender-weighted detection, in-random topology.

  15. Impact of Sophistication: equal detection vs. sender-weighted detection, in-regular topology.

  16. Future Issues. Can we build a holistic framework for both C&C and attack activities? Can we extend the model to attack-defense interactions? How should we validate against real-world testbeds and case studies?

  17. Questions?
