International Conference on Principles of Security and Trust

POST 2012: Principles of Security and Trust, pp. 249–268

Revisiting Botnet Models and Their Implications for Takedown Strategies

Ting-Fang Yen and Michael K. Reiter

Part of the Lecture Notes in Computer Science book series (LNSC,volume 7215)

Abstract

Several works have utilized network models to study peer-to-peer botnets, particularly in evaluating the effectiveness of strategies aimed at taking down a botnet. We observe that previous works fail to consider an important structural characteristic of networks — assortativity. This property quantifies the tendency for “similar” nodes to connect to each other, where the notion of “similarity” is examined in terms of node degree. Empirical measurements on networks simulated according to the Waledac botnet protocol, and on network traces of bots from a honeynet running in the wild, suggest that real-world botnets can be significantly assortative, even more so than social networks. By adjusting the level of assortativity in simulated networks, we show that high assortativity allows networks to be more resilient to takedown strategies than predicted by previous works, and can allow a network to “heal” itself effectively after a fraction of its nodes are removed. We also identify alternative takedown strategies that are more effective, and more difficult for the network to recover from, than those explored in previous works.
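The abstract rests on three mechanics: measuring assortativity as a degree correlation, adjusting it in a simulated network, and removing nodes to see how much of the network survives. The following is an added example, not the paper's code and not its Waledac or honeynet data, that shows those three mechanics on small constructed graphs in pure Python: Newman's degree-assortativity coefficient r, the Xulvi-Brunet and Sokolov degree-preserving rewiring that raises or lowers r while keeping every node's degree fixed, and a takedown that removes the k highest-degree nodes and reports the largest surviving component. The preferential-attachment baseline graph, the parameter values, the two toy graphs and the "remove the hubs" strategy are assumptions chosen for illustration; they are not the strategies or networks the paper evaluates.

```python
"""Added example (not the paper's code): degree assortativity, degree-preserving
rewiring and a degree-targeted takedown on small constructed graphs.
Graphs are undirected, stored as lists of (u, v) edges with u != v."""
import random
from collections import Counter, defaultdict

# Constructed toy graphs with known assortativity, used as sanity checks.
STAR = [(0, 1), (0, 2), (0, 3), (0, 4)]                                  # r = -1
K4_PLUS_EDGE = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3), (4, 5)]  # r = +1

def degrees(edges):
    return Counter(x for e in edges for x in e)

def degree_assortativity(edges):
    """Newman's r: Pearson correlation of the degrees at the two ends of an edge,
    each edge counted in both directions. +1 hubs link to hubs, -1 hubs link only
    to leaves, nan for a regular graph (r is undefined there)."""
    deg = degrees(edges)
    xs = [deg[x] for u, v in edges for x in (u, v)]
    ys = [deg[x] for u, v in edges for x in (v, u)]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx, vy = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    return float("nan") if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5

def largest_component(nodes, edges):
    """Size of the largest connected component over `nodes` (iterative DFS)."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    seen, best = set(), 0
    for s in nodes:
        if s in seen:
            continue
        stack, comp = [s], {s}
        while stack:
            for y in adj[stack.pop()]:
                if y not in comp:
                    comp.add(y)
                    stack.append(y)
        seen |= comp
        best = max(best, len(comp))
    return best

def preferential_attachment(n, m, rng):
    """Assumed baseline: each new node links to m distinct existing nodes chosen
    with probability proportional to degree (Barabasi-Albert-style growth)."""
    edges = [(i, j) for i in range(m + 1) for j in range(i + 1, m + 1)]
    ends = [x for e in edges for x in e]      # one entry per edge endpoint
    for t in range(m + 1, n):
        picks = set()
        while len(picks) < m:
            picks.add(rng.choice(ends))
        for p in picks:
            edges.append((t, p))
            ends += [t, p]
    return edges

def rewire(edges, rng, steps, assortative=True):
    """Xulvi-Brunet/Sokolov rewiring: take two edges, sort their four endpoints
    by degree, reconnect hub-to-hub (assortative) or hub-to-leaf (disassortative).
    Every node keeps its degree, so only the mixing pattern changes."""
    deg = degrees(edges)
    edge_set = {frozenset(e) for e in edges}
    edge_list = [tuple(e) for e in edge_set]
    for _ in range(steps):
        i, j = rng.sample(range(len(edge_list)), 2)
        (a, b), (c, d) = edge_list[i], edge_list[j]
        if len({a, b, c, d}) < 4:
            continue                          # shared endpoint: would self-loop
        n1, n2, n3, n4 = sorted((a, b, c, d), key=lambda x: deg[x], reverse=True)
        new = [(n1, n2), (n3, n4)] if assortative else [(n1, n4), (n2, n3)]
        if any(frozenset(e) in edge_set for e in new):
            continue                          # would duplicate an existing edge
        edge_set -= {frozenset((a, b)), frozenset((c, d))}
        edge_set |= {frozenset(e) for e in new}
        edge_list[i], edge_list[j] = new
    return edge_list

def takedown_lcc(edges, k):
    """Remove the k highest-degree nodes (ties by id); return the survivors' LCC."""
    deg = degrees(edges)
    removed = set(sorted(deg, key=lambda x: (-deg[x], x))[:k])
    survivors = set(deg) - removed
    kept = [(u, v) for u, v in edges if u in survivors and v in survivors]
    return largest_component(survivors, kept)

def compare(n=300, m=2, steps=4000, k=15, seed=7):
    """Grow one graph, derive an assortative and a disassortative variant with
    the same degree sequence, and return {name: (r, LCC after removing k hubs)}."""
    rng = random.Random(seed)
    base = preferential_attachment(n, m, rng)
    variants = {"base": base,
                "assortative": rewire(base, rng, steps, True),
                "disassortative": rewire(base, rng, steps, False)}
    return {name: (degree_assortativity(e), takedown_lcc(e, k))
            for name, e in variants.items()}
```

Calling `compare()` returns, for the same degree sequence, three values of r and three surviving largest-component sizes, so the only variable between the runs is the mixing pattern. The degree check the paper's argument depends on is that r is affine in the sum of degree products over edges once the degree sequence is fixed, which is why each hub-to-hub swap can only raise r and each hub-to-leaf swap can only lower it.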

Keywords

  • Closeness Centrality
  • Graph Property
  • Large Connected Component
  • Network Administrator
  • Edge Probability

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Author information

Authors and Affiliations

  1. RSA Laboratories, Cambridge, MA, USA

    Ting-Fang Yen

  2. University of North Carolina, Chapel Hill, NC, USA

    Michael K. Reiter


Editor information

Editors and Affiliations

  1. Dipartimento di Informatica, Università di Pisa, Largo Bruno Pontecorvo, 3, 56127, Pisa, Italy

    Pierpaolo Degano

  2. Computer Science, Worcester Polytechnic Institute, 100 Institute Road, 01609, Worcester, MA, USA

    Joshua D. Guttman


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Yen, TF., Reiter, M.K. (2012). Revisiting Botnet Models and Their Implications for Takedown Strategies. In: Degano, P., Guttman, J.D. (eds) Principles of Security and Trust. POST 2012. Lecture Notes in Computer Science, vol 7215. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28641-4_14

  • DOI: https://doi.org/10.1007/978-3-642-28641-4_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-28640-7

  • Online ISBN: 978-3-642-28641-4
