A Hierarchical Hybrid Structure for Botnet Control and Command
Zhiqi Zhang, Baochen Lu, Peng Liao, Chaoge Liu, Xiang Cui
Computer Science and Automation Engineering (CSAE), 2011 IEEE International Conference
Speaker: Yi-Ting Tsai
Date: 102.11.7
Outline
- Centralized Botnet
- P2P Botnet
- Hybrid P2P Botnet
- Hierarchical Hybrid Botnet
- Robustness Simulation
- Defense against the proposed Botnet
- Conclusion
Botnet
- Botmaster
- C&C Server
- Bot
Centralized Botnet
- Characteristics: relies on C&C servers
- Weakness: single point of failure
- Examples: AgoBot, SDBot, SpyBot
P2P Botnet
- Kademlia-based protocol
- Random probing protocol
- Bootstrap failure
- Extensive abnormal traffic
- Sybil attack
- Examples: Slapper botnets, Sinit botnets
Hybrid P2P Botnet
- Servent bots (server+client): static global IP
- Slave bots (client): dynamic private IP
- Figure: every bot keeps a peer list of servent bot IPs
- Weaknesses: Sybil attack; communication between clients
Hierarchical Hybrid Botnet
1. Resolves the Sybil attack and the communication between clients
2. Difficult to shut down
3. Keeps the botnet under control
Figure: slave bots (client) and servent bots (server+client)
Properties claimed: no Sybil attack, advanced bootstrap process, no detection, no hijacking
Peer-list entry state machine (figure): each entry carries a failure counter (0 failure, 1 failure, 2 failure, ..., N-1 failure, N failure). A successful poll returns the entry to 0 failures, a failed poll advances the counter by one, and an entry that reaches N failures is deleted.
Figure: the peer list holds <IP, port> entries, each tagged with its failure count (0 failure, 1 failure, ..., N failure).
No detection: the peer list of <IP, port> entries with failure counts is combined with a random service port and data encryption ("Perfect!").
No hijacking:
- Communication encryption
- Command authentication: one-time padding, private key signature
Figure: commands are signed with the private key and verified with the public key.
Robustness Simulation
Definition: the probability that a botnet remains connected together after a fraction of bots are removed.
Graph model: G = (V, E), V: bots
Simulation settings:
- Servent bots: 25%
- Maximum size of botnets: 10000
- Peer list size: 20
Tools: igraph library, Network Workbench
Peer list size and Robustness
- Servent bots: 25%
- Maximum size of botnets: 10000
- Bots removed (P): 95%
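As an added example, not the paper's code nor the presenter's, here is a small pure-Python version of the robustness measurement these slides describe: build a hybrid topology, remove a fraction P of the bots, and measure how much of the survivors still form one connected component. The graph model (every bot keeps a peer list of distinct servent bots; slave bots never link to each other), the parameter defaults (25% servents, peer list of 20) and the two removal orders are assumptions of this example. The "servent_first" order models a takedown that goes after the static-IP servent bots first, which is the comparison a defender planning a takedown wants: how much more the structure fragments when the servent layer is removed than under random removal, and how the peer list size changes that.

```python
"""Robustness of a hybrid P2P botnet topology (constructed model, added example).

Robustness here follows the talk's definition: how much of the botnet stays
connected after a fraction of bots is removed.  The graph model, parameters and
removal strategies are assumptions of this example, not the paper's code.
"""
import random
from collections import deque


def build_hybrid_botnet(n_bots, servent_fraction, peer_list_size, rng):
    """Undirected graph of a hybrid P2P botnet (assumed model).

    Bots 0 .. n_servents-1 are servent bots (static global IP, server+client);
    the rest are slave bots (dynamic private IP, client only).  Every bot keeps a
    peer list of `peer_list_size` distinct servent bots; slaves never link to
    other slaves.  Returns (adjacency dict, set of servent ids).
    """
    n_servents = max(1, int(n_bots * servent_fraction))
    servents = list(range(n_servents))
    adj = {b: set() for b in range(n_bots)}
    for bot in range(n_bots):
        candidates = [s for s in servents if s != bot]
        for peer in rng.sample(candidates, min(peer_list_size, len(candidates))):
            adj[bot].add(peer)
            adj[peer].add(bot)
    return adj, set(servents)


def largest_component_fraction(adj, alive):
    """Fraction of surviving bots that sit in the largest connected component (BFS)."""
    if not alive:
        return 0.0
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            node = queue.popleft()
            size += 1
            for nxt in adj[node]:
                if nxt in alive and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        best = max(best, size)
    return best / len(alive)


def removal_order(adj, servents, strategy, rng):
    """Order in which bots are removed: uniformly random, or servent bots first."""
    bots = list(adj)
    if strategy == "random":
        rng.shuffle(bots)
        return bots
    if strategy == "servent_first":
        serv = [b for b in bots if b in servents]
        slaves = [b for b in bots if b not in servents]
        rng.shuffle(serv)
        rng.shuffle(slaves)
        return serv + slaves
    raise ValueError(f"unknown strategy {strategy!r}")


def simulate(n_bots=1000, servent_fraction=0.25, peer_list_size=20,
             removed_fraction=0.95, strategy="random", seed=1):
    """Robustness after removing `removed_fraction` of the bots (deterministic per seed)."""
    rng = random.Random(seed)
    adj, servents = build_hybrid_botnet(n_bots, servent_fraction, peer_list_size, rng)
    order = removal_order(adj, servents, strategy, rng)
    alive = set(adj) - set(order[: int(n_bots * removed_fraction)])
    return largest_component_fraction(adj, alive)


def peer_list_sweep(sizes, **kwargs):
    """Robustness as a function of peer list size, as in the 'Peer list size' slide."""
    return {m: simulate(peer_list_size=m, **kwargs) for m in sizes}


if __name__ == "__main__":
    for strat in ("random", "servent_first"):
        print(strat, round(simulate(strategy=strat), 3))
    print(peer_list_sweep([5, 10, 20, 40]))
```

Because slaves only hold servent entries, removing every servent leaves the survivors with no edges at all, so the "servent_first" run collapses to isolated bots once the removed fraction exceeds the servent share; the random run keeps a large component much longer, and a bigger peer list raises the fraction that survives at a given P.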
Defense against the proposed Botnet
A. Host-based detection
- Signature-based malware detection
- Behavior-based detection
B. Honeypot-based monitoring
Conclusion
- Hierarchical hybrid P2P botnet with an advanced peer list
- It can defend against Sybil attacks
- Weaknesses: very high complexity, very high latency