A First Step Towards Characterizing Stealthy Botnets
Justin Leonard, Shouhuai Xu, Ravi Sandhu
University of Texas at San Antonio
Overview
- Dynamic Graph Model
- Model Parameters
- Detection Ratio
- Resilience
- Impact of Topology
- Impact of Fragmentation
- Impact of Sophistication
Dynamic Graph Model
- Directed graph representation
- Vertex set represents bots
- Edge set represents the "knows" relation, e.g., (u,v) implies u can spontaneously communicate with v.
- Does capturing u imply exposure of v?
- Undirected graph is a special case
Role of anonymous channels
- Anonymous channels offer a mechanism for bots to communicate without exposing their identity.
- Some implementations may allow duplex communication.
- Fully anonymous channels are assumed to be "out of botnet".
Roles of bots
- Master is considered "out-of-botnet".
- Entry bot: a bot which directly receives communications from the master.
- Each bot relays communications over its out-edges according to the topology.
- Extreme case: every bot is an entry bot, and the edge set is empty.
Model Parameters
- Attack sophistication α, β
  - α: probability of exposure due to sending C&C
  - β: probability of exposure due to receiving C&C
- Anonymous channels may reduce or eliminate either.
- Out-of-botnet channels are "undetectable".
Model Parameters
- Graph topology: the type of graph structure created by the adversary; assumed to be fixed over a single attack round.
- Detection threshold k: the master's estimate of the defender's detection capabilities, used for risk management of bots.
Detection Ratio
Define exposedness as the probability that a bot has been captured after conducting some previous C&C activity, and potentially conducting some additional C&C activity.
Detection ratio is the number of bots above the risk threshold k relative to the size of the botnet.
Resilience
Complement of the ratio of the number of "traceable" bots to the size of the botnet.
Tracing uses the "knows" relationship.
Requires the restriction β > 0, since we cannot trace "backwards" over receiver-anonymous channels in a single round.
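To make the definitions on the preceding slides concrete, here is an added worked example in Python (an illustration written for this transcript, not the authors' simulation code). It builds a directed "knows" graph with a constructed six-bot topology and two entry bots, counts each bot's C&C sends and receives in one attack round, turns them into exposedness using the sending/receiving exposure probabilities α and β, and then computes the detection ratio against the threshold k and the resilience from tracing. The slides give these quantities only in words, so the closed-form exposedness (independent per-message detections), the relay rule (each bot forwards the first copy it receives over all its out-edges) and the tracing rule (a captured bot reveals every bot it knows, which is only possible when β > 0) are assumptions of this example.

```python
# Added worked example of the model in these slides (not the authors' code).
# Bots are vertices 0..n-1 of a directed "knows" graph; (u, v) means u can
# spontaneously send C&C to v. alpha/beta are the per-message exposure
# probabilities for sending/receiving. Assumptions made here and not given on
# the slides: one attack round, each bot forwards the first copy it receives
# over all its out-edges, per-message detections are independent, and a
# captured bot reveals every bot it "knows" (forward tracing), which is only
# possible when beta > 0 (receivers are not anonymous).
from collections import deque

# Constructed sample topology: six bots, two entry bots (0 and 5),
# out-degree at most 2. Bot 5 is never "known" by any other bot.
N_BOTS = 6
SAMPLE_EDGES = [(0, 1), (0, 2), (1, 3), (2, 3), (3, 4), (5, 4)]
SAMPLE_ENTRY = [0, 5]


def out_adjacency(edges, n):
    adj = {u: [] for u in range(n)}
    for u, v in edges:
        adj[u].append(v)
    return adj


def relay_counts(edges, entry_bots, n):
    """Sends and receives per bot over in-botnet edges in one round.
    Master -> entry bot delivery is out-of-botnet and therefore not counted."""
    adj = out_adjacency(edges, n)
    sends, receives = [0] * n, [0] * n
    forwarded = set(entry_bots)
    queue = deque(entry_bots)
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            sends[u] += 1            # u exposed with prob alpha per send
            receives[v] += 1         # v exposed with prob beta per receive
            if v not in forwarded:   # v relays only the first copy it gets
                forwarded.add(v)
                queue.append(v)
    return sends, receives


def exposedness(sends, receives, alpha, beta):
    """P[bot captured after its C&C activity], assuming independent detections."""
    return [1 - (1 - alpha) ** s * (1 - beta) ** r for s, r in zip(sends, receives)]


def detection_ratio(expo, k):
    """Fraction of bots whose exposedness reaches the master's risk threshold k."""
    return sum(1 for e in expo if e >= k) / len(expo)


def traceable(edges, captured, n, beta):
    """Bots reached from the captured set by following "knows" edges forward.
    With beta == 0 receivers are anonymous, so a captured sender reveals nobody."""
    if beta <= 0:
        return set(captured)
    adj = out_adjacency(edges, n)
    seen, queue = set(captured), deque(captured)
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def resilience(edges, captured, n, beta):
    """Complement of |traceable| / |botnet|."""
    return 1 - len(traceable(edges, captured, n, beta)) / n


def evaluate(edges, entry_bots, n, alpha, beta, k):
    """One attack round: per-bot exposedness, detection ratio and resilience."""
    sends, receives = relay_counts(edges, entry_bots, n)
    expo = exposedness(sends, receives, alpha, beta)
    captured = [b for b, e in enumerate(expo) if e >= k]
    return {
        "exposedness": expo,
        "detection_ratio": detection_ratio(expo, k),
        "resilience": resilience(edges, captured, n, beta),
    }


if __name__ == "__main__":
    for beta in (0.1, 0.0):   # receivers detectable vs receiver-anonymous
        r = evaluate(SAMPLE_EDGES, SAMPLE_ENTRY, N_BOTS, alpha=0.3, beta=beta, k=0.4)
        print(f"beta={beta}: detection ratio {r['detection_ratio']:.3f}, "
              f"resilience {r['resilience']:.3f}")
```

Running it with α = 0.3, k = 0.4 shows the effect of the β > 0 restriction directly: with β = 0.1 two bots cross the threshold and forward tracing from them reaches five of the six bots, whereas with β = 0 (receiver-anonymous channels) only one bot crosses the threshold and nothing beyond it can be traced, so resilience jumps from 1/6 to 5/6. Passing an empty edge list with every bot as an entry bot reproduces the slides' extreme case: no in-botnet C&C, detection ratio 0 and resilience 1. The same functions can be run over generated in-degree-regular and random topologies to reproduce the kind of comparison the later slides plot.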
Simulation Study
It is difficult to combine the definitions with topologies to gain insights.
Intuitively, large-degree botnets are not stealthy, so we focus on small-degree "p2p"-style botnets.
Initially investigated homogeneous topologies.
Impact of topology
Impact of Fragmentation
In-degree regular vs. random (out-degree is similar): detection ratio.
Impact of Fragmentation
In-degree regular vs. random (out-degree is similar): resilience.
Impact of Sophistication
Equal detection vs. sender-weighted detection, in-random topology.
Impact of Sophistication
Equal detection vs. sender-weighted detection, in-regular topology.
Future Issues
Can we build a holistic framework for both C&C and attack activities?
Can we extend the model for attack-defense interactions?
How should we validate against real-world testbeds and case studies?
Questions?