A Hierarchical Hybrid Structure for Botnet Control and Command
Zhiqi Zhang, Baochen Lu, Peng Liao, Chaoge Liu, Xiang Cui
Computer Science and Automation Engineering (CSAE), 2011 IEEE International Conference
Speaker: Yi-Ting Tsai
Date: 102.11.7
Outline
- Centralized Botnet
- P2P Botnet
- Hybrid P2P Botnet
- Hierarchical hybrid Botnet
- Robustness Simulation
- Defense against the proposed Botnet
- Conclusion
Botnet
(Diagram: Botmaster, C&C Server, Bot)
Centralized Botnet
- Characteristics: relies on C&C servers
- Weakness: single point of failure
- Examples: AgoBot, SDBot, SpyBot
P2P Botnet
- Kademlia-based protocol
- Random probing protocol
- Bootstrap failure
- Extensive abnormal traffic
- Sybil attack
- Examples: Slapper botnets, Sinit botnets
Hybrid P2P Botnet
- Servent bots: static global IP (server + client)
- Slave bots: dynamic private IP (client only)
- Peer list: holds the IPs of servent bots
- Weakness: Sybil attack; communication between clients
Hierarchical hybrid Botnet
1. Resolve the weaknesses above: Sybil attack and communication between clients
2. Difficult to be shut down
3. Keep the botnet under control
(Diagram: slave bots (client), servent bots (server + client))
Design properties claimed: no Sybil attack, advanced bootstrap process, no detection, no hijacking.
(State diagram of a peer-list entry: an entry starts at 0 failures; each failed poll advances it through 1 failure, 2 failures, ..., N-1 failures to N failures, at which point the entry is deleted; a successful poll returns it to 0 failures.)
Peer list: each entry is <IP, port> together with its failure count (0 failure, 1 failure, ..., N failure).
Peer list (<IP, port> entries with failure counts) + random service port + data encryption = "Perfect!"
- Communication encryption: one-time padding
- Command authentication: private-key signature
(Diagram: distribution of private and public keys among the botnet's nodes)
Robustness Simulation
Definition: the probability that a botnet remains connected after a fraction of its bots are removed.
The botnet is modelled as a graph G = (V, E), where V is the set of bots and E the set of connections between them.
Simulation settings
- Servent bots: 25%
- Maximum size of botnets: 10000
- Peer list (size): 20
- Tools: igraph library, Network Workbench
Peer list size and Robustness
- Servent bots: 25%
- Maximum size of botnets: 10000
- Bots to be removed (P) = 95%
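The robustness definition and simulation settings above (25% servent bots, peer-list size 20, 95% of bots removed), as an added example that is not the paper's own igraph/Network Workbench code: a constructed hybrid topology in which slave bots link only to servents, uniformly random removal of a fraction of bots, and a BFS connectivity check that estimates the probability the remainder stays connected. The topology generator is my assumption (the slides do not give the paper's), and node counts are scaled down from 10000 so it runs quickly.

```python
import random
from collections import deque

def build_hybrid_graph(n, servent_frac=0.25, peer_list_size=20, seed=0):
    """Constructed model of the slides' hybrid topology: only servent bots
    (static IP, server+client) are listed, so each bot links to peer_list_size
    distinct servents. Returns an undirected adjacency map."""
    rng = random.Random(seed)
    n_servent = max(1, int(n * servent_frac))
    adj = {v: set() for v in range(n)}
    for v in range(n):
        candidates = [s for s in range(n_servent) if s != v]
        for s in rng.sample(candidates, min(peer_list_size, len(candidates))):
            adj[v].add(s)
            adj[s].add(v)
    return adj

def largest_component_fraction(adj, alive):
    """Share of surviving bots in the largest connected component (BFS)."""
    alive = set(alive)
    if not alive:
        return 0.0
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w in alive and w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best / len(alive)

def robustness(adj, removed_frac, trials=20, seed=1):
    """Slide definition: probability the botnet stays connected after a fraction
    of bots is removed (uniformly random removal, a simple takedown model)."""
    rng = random.Random(seed)
    nodes = list(adj)
    k = int(len(nodes) * removed_frac)
    connected = 0
    for _ in range(trials):
        alive = set(nodes) - set(rng.sample(nodes, k))
        if largest_component_fraction(adj, alive) == 1.0:
            connected += 1
    return connected / trials
```

To reproduce the peer-list-size sweep, call robustness(build_hybrid_graph(2000, peer_list_size=k), 0.95) for several k; comparing random removal against removing servents first shows a defender where takedown effort pays off.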
Defense against the proposed Botnet
A. Host-based Detection
- Signature-based malware detection
- Behavior-based detection
B. Honeypot-based Monitoring
Conclusion
- Hierarchical hybrid P2P botnet with an advanced peer list
- It can defend against Sybil attacks
- Weaknesses: very high complexity, very high latency