A First Step Towards Characterizing Stealthy Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of Texas at San Antonio


A First Step Towards Characterizing Stealthy Botnets

Justin Leonard, Shouhuai Xu, Ravi Sandhu

University of Texas at San Antonio


Overview

- Dynamic Graph Model
- Model Parameters
- Detection Ratio
- Resilience
- Impact of Topology
- Impact of Fragmentation
- Impact of Sophistication


Dynamic Graph Model

- Directed graph representation.
- Vertex set represents bots.
- Edge set represents the "knows" relation, e.g., (u,v) implies u can spontaneously communicate with v.
- Does capturing u imply exposure of v?
- Undirected graph is a special case.


Role of anonymous channels

- Anonymous channels offer a mechanism for bots to communicate without exposing their identity.
- Some implementations may allow duplex communication.
- Fully anonymous channels are assumed to be "out of botnet".


Roles of bots

- The master is considered "out-of-botnet".
- An entry bot is a bot which directly receives communications from the master.
- Each bot relays communications over its out-edges according to the topology.
- Extreme case: every bot is an entry bot, and the edge set is empty.


Model Parameters

Attack sophistication α, β
- α: probability of exposure due to sending C&C.
- β: probability of exposure due to receiving C&C.
- Anonymous channels may reduce or eliminate either.
- Out-of-botnet channels are "undetectable".


Model Parameters

Graph Topology
- Type of graph structure created by the adversary.
- Assumed to be fixed over a single attack round.

Detection Threshold k
- Master's estimation of the defender's detection capabilities.
- Risk management of bots.


Detection Ratio

Define exposedness as the probability that a bot has been captured after conducting some previous C&C activity, and potentially conducting some additional C&C activity.

The detection ratio is the number of bots whose exposedness is above the risk threshold k, relative to the size of the botnet.


Resilience

Complement of the ratio of the number of "traceable" bots to the size of the botnet.

- Tracing uses the "knows" relationship.
- Requires the restriction that β > 0, e.g. we cannot trace "backwards" over receiver anonymous channels in a single round.
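To make the detection ratio and resilience definitions concrete, here is a small Python model of one attack round on a constructed "knows" graph. It is an added example, not the authors' code or simulator: it assumes a bot's per-round exposedness is 1 - (1-α)^sends * (1-β)^receives, that delivery from the master is an undetectable out-of-botnet channel, that each bot relays once per round, and that tracing follows "knows" edges forward from captured bots only when β > 0 (the restriction stated above).

```python
"""Toy evaluation of the slides' detection ratio and resilience metrics
(added example). Assumed: exposedness = 1 - (1-alpha)^sends * (1-beta)^recvs;
delivery from the master is out-of-botnet (no exposure); a bot relays once per
round; tracing follows "knows" edges forward from captured bots iff beta > 0."""
from collections import deque

# Constructed sample: directed "knows" graph with two entry bots (b0, b3).
EDGES = [("b0", "b1"), ("b0", "b2"), ("b3", "b4")]
ENTRY_BOTS = ["b0", "b3"]
def relay_round(edges, entry_bots):
    """One attack round. Returns {bot: (sends, receives)} for every bot."""
    out, bots = {}, set(entry_bots)
    for u, v in edges:
        out.setdefault(u, []).append(v)
        bots.update((u, v))
    sends, recv = dict.fromkeys(bots, 0), dict.fromkeys(bots, 0)
    queue, relayed = deque(entry_bots), set()
    while queue:
        u = queue.popleft()
        if u in relayed:
            continue  # a bot relays once even if it hears the message twice
        relayed.add(u)
        for v in out.get(u, []):
            sends[u] += 1
            recv[v] += 1  # receiving from a fellow bot is exposable (beta)
            queue.append(v)
    return {b: (sends[b], recv[b]) for b in sorted(bots)}

def exposedness(counts, alpha, beta):
    """Probability each bot has been captured given the C&C it sent/received."""
    return {b: 1 - (1 - alpha) ** s * (1 - beta) ** r for b, (s, r) in counts.items()}

def detection_ratio(exp, k):
    """Fraction of bots whose exposedness meets the master's risk threshold k."""
    return sum(e >= k for e in exp.values()) / len(exp)

def resilience(exp, edges, k, beta):
    """1 - |traceable| / |botnet|: traceable = captured bots plus everyone reachable
    from them over 'knows' edges (tracing over receiver channels needs beta > 0)."""
    traceable = {b for b, e in exp.items() if e >= k}
    if beta > 0:
        queue = deque(traceable)
        while queue:
            u = queue.popleft()
            for a, v in edges:
                if a == u and v not in traceable:
                    traceable.add(v)
                    queue.append(v)
    return 1 - len(traceable) / len(exp)
```

With α = 0.2, β = 0.1 and k = 0.3 only b0 (two sends) is captured, but tracing its out-edges makes b1 and b2 traceable too; setting β = 0 (receiver-anonymous channels) leaves b0 captured yet nothing traceable beyond it, which is the β > 0 restriction in action.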


Simulation Study

Difficult to combine definitions with topologies to gain insights.

Intuitively large-degree botnets are not stealthy, so focus on small-degree “p2p” style botnets.

Initially investigated homogeneous topologies.


Impact of Topology


Impact of Fragmentation

In-degree regular vs. random (out-degree is similar): detection ratio.


Impact of Fragmentation

In-degree regular vs. random (out-degree is similar): resilience.


Impact of Sophistication

Equal detection vs. sender-weighted detection, in-random topology.


Impact of Sophistication

Equal detection vs. sender-weighted detection, in-regular topology.


Future Issues

Can we build a holistic framework for both C&C and attack activities?

Can we extend the model for attack-defense interactions?

How should we validate against real-world testbeds and case studies?


Questions?