Revisiting Botnet Models and Their Implications for Takedown Strategies

  • Ting-Fang Yen
  • Michael K. Reiter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7215)


Several works have utilized network models to study peer-to-peer botnets, particularly in evaluating the effectiveness of strategies aimed at taking down a botnet. We observe that previous works fail to consider an important structural characteristic of networks — assortativity. This property quantifies the tendency for “similar” nodes to connect to each other, where the notion of “similarity” is examined in terms of node degree. Empirical measurements on networks simulated according to the Waledac botnet protocol, and on network traces of bots from a honeynet running in the wild, suggest that real-world botnets can be significantly assortative, even more so than social networks. By adjusting the level of assortativity in simulated networks, we show that high assortativity allows networks to be more resilient to takedown strategies than predicted by previous works, and can allow a network to “heal” itself effectively after a fraction of its nodes are removed. We also identify alternative takedown strategies that are more effective, and more difficult for the network to recover from, than those explored in previous works.
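The degree-based assortativity described above can be measured as the Pearson correlation of the degrees found at the two ends of each edge. The following is an added example, not code or data from the paper: it computes that coefficient for two constructed 10-node toy graphs and reports the largest connected component left after a degree-targeted removal; all function and graph names are assumptions made for illustration.

```python
def degrees(nodes, edges):
    deg = {n: 0 for n in nodes}
    for u, v in edges:
        deg[u] += 1
        deg[v] += 1
    return deg

def degree_assortativity(nodes, edges):
    """Pearson correlation of the degrees found at the two ends of each edge."""
    deg = degrees(nodes, edges)
    # Count every undirected edge in both orientations so the measure is symmetric.
    pairs = [(deg[u], deg[v]) for u, v in edges] + [(deg[v], deg[u]) for u, v in edges]
    if not pairs:
        return None
    mean = sum(x for x, _ in pairs) / len(pairs)
    var = sum(x * x for x, _ in pairs) / len(pairs) - mean ** 2
    cov = sum(x * y for x, y in pairs) / len(pairs) - mean ** 2
    return cov / var if var > 1e-12 else None  # undefined when all degrees are equal

def largest_component(nodes, edges):
    adj = {n: set() for n in nodes}
    for u, v in edges:
        if u in adj and v in adj:  # drop edges that touch a removed node
            adj[u].add(v)
            adj[v].add(u)
    seen, best = set(), 0
    for start in adj:
        if start not in seen:
            seen.add(start)
            stack, size = [start], 0
            while stack:
                cur = stack.pop()
                size += 1
                new = adj[cur] - seen
                seen |= new
                stack.extend(new)
            best = max(best, size)
    return best

def degree_takedown(nodes, edges, k):
    """Remove the k highest-degree nodes; return the largest surviving component size."""
    deg = degrees(nodes, edges)
    removed = set(sorted(nodes, key=lambda n: (-deg[n], n))[:k])
    return largest_component([n for n in nodes if n not in removed], edges)

# Constructed 10-node toy graphs (not data from the paper).
NODES = list(range(10))
STAR = [(0, leaf) for leaf in range(1, 10)]  # hub-and-spoke, disassortative
CORE_RING = ([(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)]  # dense core
             + [(3, 4)] + [(4, 5), (5, 6), (6, 7), (7, 8), (8, 9), (9, 4)])
```

On these toy graphs the star scores -1 and falls apart into isolated nodes once its hub is removed, while the core-plus-ring graph scores 43/82 (about 0.52) and keeps a six-node component after the same single removal.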


Keywords: Closeness Centrality; Graph Property; Large Connected Component; Network Administrator; Edge Probability
These keywords were added by machine and not by the authors.



Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Ting-Fang Yen (1)
  • Michael K. Reiter (2)
  1. RSA Laboratories, Cambridge, USA
  2. University of North Carolina, Chapel Hill, USA
