CONSTRAINED CONDITIONAL MODELS TUTORIAL Jingyu Chen, Xiao Cheng.
Appear in IEEE TDSC 2008 Presented by Wei-Cheng Xiao.
Outline
  Introduction
  Proposed hybrid P2P botnet
    Two classes of bots
    Command and control
    Botmaster's monitoring
    Botnet construction
  Botnet robustness study
  Defences against the proposed botnet
  Discussions
  Summary
Introduction
Most current research focuses on existing botnets. Studying current botnets is important, but not enough: botmasters may upgrade their future botnets. It is therefore necessary to conduct research on possible advanced future botnets.
  How will botnets evolve?
  How can we defend against future botnets?
Weaknesses of existing P2P botnets
  Phatbot utilizes Gnutella cache servers for the bootstrap process: easy to shut down or block.
  Sinit removes the bootstrap procedure and uses random probing to find other bots: poor connectivity.
  Slapper does not implement command encryption and authentication: easy to hijack.
Contributions
  Proposed a hybrid P2P botnet with the following features:
    Two classes of bots: servent and client
    Command authentication and individualized encryption
    Limited-sized peer lists
    Dynamically changeable sensor for bot monitoring
    No bootstrap procedure
    Balanced and robust connectivity
  Analyzed several possible defences against this botnet
Two classes of bots
  Servent (server + client) bot: public static IP address
  Client bot: dynamic IP, private IP, behind firewalls, ...
Only servents appear in the peer list. Servents act as C&C servers, so this botnet contains many more C&C servers than other botnets do.
Command and control
  Command authentication: digital signature, which prevents hijacking.
  Individualized command encryption key: symmetric encryption is used instead. Each bot keeps a list of tuples (IPi, Ki, Pi) in its peer list. Messages between bots and servent i are encrypted with the key Ki.
  Individualized service port: each servent i picks port Pi for communication. The port can be randomly selected or chosen from a standard encrypted-service port such as SSH (22), HTTPS (443), IMAPS (993), etc.
Benefits for botmasters
  Prevents hijacking
  No global exposure if some bots are captured
  Dispersed network traffic, difficult to detect
Botmaster's monitoring
  Botmasters need to know:
    Bot ID (used to find NAT and DHCP)
    Bot population, connectivity, bandwidth, diurnal dynamics, ...
    IP address types (DHCP ones can be used for spam)
  Challenge: monitoring should be easy for botmasters but difficult for defenders.
  Monitor via dynamically changeable sensors: each bot sends its information to one or some sensors after receiving the report command. A botmaster can change the role of sensors each time she issues the report command.
Botnet construction
  A botnet is networked by peer lists. There are some initial servent bots.
  New infection: bot A passes its peer list to B when infecting B. A and B may add each other into their lists.
  Reinfection (A infects B): B updates its list based on A's list. Reinfection improves connectivity. A cannot get B's list (prevents recursive infection).
  The updating procedure: it is triggered by the update command. Every bot gets an updated peer list from a specified sensor.
    Benefits: balance the connectivity; reconnect broken botnets.
    Risks: expose parts of the botnet to defenders.
Botnet robustness study
  Simulation setting: 20,000 bots, including 5000 servents. Peer list size = 20. The peer-list updating procedure runs once when 1000 servents are infected.
  Connection degree: 300 ~ 500 for the first 1000 servents, 20 ~ 30 for the rest.
  Formula: C(p) = 1 - p^M
Defences against the proposed botnet
  Annihilation
    Attack initial bots: quick detection is required for defenders.
    Attack servents: it is easier to attack if the number of servents is small.
    Use honeypot techniques: defenders can pretend to be servents and then shut down the botnet. A large number of defenders is required because the botnet can survive with 20% of servents left.
  Opportunities
    Collect information as bots report themselves to sensors.
    Learn the target in an attack command and try to prevent the attack.
    Get peer lists during peer-list updating.
Honeypot defence analysis
  I = 20000, number of bots
  K = 1000, number of servents before peer-list updating
  M = 20, peer list size
  n: number of honeypots

  E[N_{exposed}] = K \left[ 1 - \left(1 - \frac{1}{K}\right)^{nM} \right]

  K = 1000, number of servents used in peer-list updating
  M = 20, peer list size
  x: number of infection attempts

  E[N'_{exposed}] = K \left[ 1 - \left(1 - \frac{1}{K}\right)^{xM} \right]
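The robustness formula C(p) = 1 - p^M and the honeypot exposure formula above, worked through as an added example (not code from the slides or the original paper). It assumes the paper's independence approximations: each of a bot's M peers is removed independently with probability p, and each peer-list entry seen by a honeypot is an independent uniform draw from the K servents; the Monte Carlo check draws M distinct servents per list, which is the exact model the approximation stands in for. The helper for the number of honeypots needed is a hypothetical name, not from the page.

```python
import random


def connectivity(p, m=20):
    """C(p): probability a bot still has at least one live servent in its
    peer list after a fraction p of all servents has been removed."""
    return 1.0 - p ** m


def expected_exposed(k, m, draws):
    """E[N_exposed]: expected number of distinct servents revealed to
    defenders after `draws` peer lists of size m are observed, out of k
    servents (draws = n honeypots, or x infection attempts)."""
    return k * (1.0 - (1.0 - 1.0 / k) ** (draws * m))


def honeypots_needed(k, m, fraction):
    """Smallest number of observed peer lists whose expected exposure
    reaches `fraction` of the k servents (hypothetical helper)."""
    n = 0
    while expected_exposed(k, m, n) < fraction * k:
        n += 1
    return n


def simulate_exposed(k, m, draws, trials=200, seed=1):
    """Monte Carlo estimate of the same quantity with the exact model:
    every observed peer list holds m distinct servents chosen uniformly."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen = set()
        for _ in range(draws):
            seen.update(rng.sample(range(k), m))
        total += len(seen)
    return total / trials


if __name__ == "__main__":
    # Slide setting: M = 20, K = 1000 servents at the time of updating.
    for p in (0.5, 0.8, 0.9, 0.95):
        print(f"C({p}) = {connectivity(p):.4f}")
    print("expected exposed with 10 honeypots:", expected_exposed(1000, 20, 10))
    print("simulated exposed with 10 honeypots:", simulate_exposed(1000, 20, 10))
    print("honeypots for 80% exposure:", honeypots_needed(1000, 20, 0.8))
```

With M = 20 the formula gives C(0.8) ≈ 0.988, which is the slide's point that the botnet survives with only 20% of servents left.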
Discussions
  Detecting honeypots is important for botmasters.
  Shutting down a botnet is harder than monitoring it.
  The centralized sensor hosts are not as weak as the C&C servers in other botnets: connectivity maintenance and C&C communication are separated.
  It is important to be well prepared for such a possible attack in the future.
Summary
  A robust P2P botnet is proposed:
    Two classes of bots
    Command authentication and individualized encryption and service port
    Botmaster's monitoring capability
    Botnet construction
  The botnet robustness is studied.
  Honeypot-based defences are analyzed.