Analytical Lifecycle Modeling and Threat Analysis of Botnets

Khosroshahy, Masood (2013) Analytical Lifecycle Modeling and Threat Analysis of Botnets. PhD thesis, Concordia University.

Full text: Khosroshahy_PhD_S2013.pdf (application/pdf, 2MB) - Accepted Version

Abstract

A botnet, an overlay network of compromised computers built by cybercriminals known as botmasters, is a new phenomenon that has caused deep concern among the security professionals responsible for governmental, academic, and private sector networks. Botmasters use a plethora of methods to infect network-accessible devices (nodes). The initial malware residing on these nodes then either connects to a central Command & Control (C&C) server or joins a Peer-to-Peer (P2P) botnet. At this point, the nodes can receive the commands of the botmaster and proceed to engage in illicit activities such as Distributed Denial-of-Service (DDoS) attacks and massive e-mail spam campaigns.

Being able to reliably estimate the size of a botnet is an important task, since it allows the adequate deployment of mitigation strategies against the botnet. In this thesis, we develop analytical models that capture botnet expansion and size evolution in sufficient detail to accomplish this crucial estimation and analysis task. We develop four Continuous-Time Markov Chain (CTMC) botnet models: the first two, SComI and SComF, allow the prediction of initial unhindered botnet expansion in the case of infinite and finite population sizes, respectively. The third model, the SIC model, is a botnet lifecycle model which accounts for all important node stages and allows botnet size estimates as well as evaluation of botnet mitigation strategies such as disinfection of nodes and attacks on the botnet's C&C mechanism. Finally, the fourth model, the SIC-P2P model, is an extension of the SIC model suitable for P2P botnets, allowing fine-grained analysis of mitigation strategies such as index poisoning and Sybil attacks.

As the convergence of the Internet and traditional telecommunication services is underway, the threat of botnets is looming over essential basic communication services. As the last contribution presented in this thesis, we analyze the threat of botnets in 4G cellular wireless networks. We identify a vulnerability of the air interface, i.e. Long Term Evolution (LTE), that allows a successful botnet-launched DDoS attack against it. Through simulation using an LTE simulator, we determine the number of botnet nodes per cell that can significantly degrade the service availability of such cellular networks.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Electrical and Computer Engineering
Item Type: Thesis (PhD)
Authors: Khosroshahy, Masood
Institution: Concordia University
Degree Name: Ph.D.
Program: Electrical and Computer Engineering
Date: March 2013
Thesis Supervisor(s): Mehmet Ali, Mustafa K. and Qiu, Dongyu
Keywords: Analytical models, Markov processes, Computer viruses, Computer security, Communication system security, Epidemic models, Malware propagation, Botnets, Peer-to-peer, Cellular radio, Long Term Evolution, LTE
ID Code: 976958
Deposited By: Masood Khosroshahy
Deposited On: 17 Apr 2013 14:05
Last Modified: 18 Jan 2018 17:43
