
Simulation-based study of botnets and defense mechanisms against them. (English. Russian original) Zbl 1292.68019

J. Comput. Syst. Sci. Int. 52, No. 1, 43-65 (2013); translation from Izv. Ross. Akad. Nauk, Teor. Sist. Upr. 2013, No. 1, 45-68 (2013).
Summary: To defend against botnet attacks, one needs tools for investigating the processes that occur at every stage of the botnet lifecycle (propagation, control, attack), together with defense mechanisms capable of counteracting botnets. A simulation-based approach to investigating botnets and the corresponding defense mechanisms is proposed. The simulation is carried out in a special software environment developed by the authors. The architecture of this environment and the libraries required to build models of botnets and defense mechanisms are described. Experimental data demonstrating the capabilities of the simulation environment for studying the various stages of the botnet lifecycle and the efficiency of the corresponding defense mechanisms are discussed.
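The summary describes a simulation environment for the botnet lifecycle without giving its models. The following toy discrete-time simulation is an added example, not code from the paper or from the authors' OMNeT++-based environment; it shows what such an experiment measures. The propagation stage of a random-scanning botnet is run once unhindered and once under each of two host-level defenses, outbound connection throttling in the spirit of Williamson's scheme and a scan-threshold quarantine, and the resulting infection curves are compared. The network size, vulnerable fraction, scan rate, tick count, the names `Scenario`, `Result`, `Throttle` and `ScanQuarantine`, and the per-(bot, tick) seeding trick are all assumptions made for this example.

```python
"""Toy discrete-time simulation of botnet propagation with and without a
host-level defense (added example; not the authors' OMNeT++ environment)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Assumed parameters of the simulated network (not taken from the paper)."""
    n_hosts: int = 2000           # size of the address space being scanned
    vulnerable_fraction: float = 0.3
    seeds: int = 3                # bots present at t = 0
    scan_rate: int = 20           # addresses a bot probes per tick if unhindered
    ticks: int = 20
    seed: int = 7                 # RNG seed so runs are reproducible


@dataclass
class Result:
    infected: list                # bots at the start of each tick, plus the final count
    scans: list                   # probes actually sent in each tick

    @property
    def final_infected(self) -> int:
        return self.infected[-1]

    def ticks_to(self, count: int):
        """First tick at which at least `count` bots exist (None if never)."""
        return next((t for t, n in enumerate(self.infected) if n >= count), None)


class NoDefense:
    """Every bot sends all of its probes."""
    def allow(self, host: int, tick: int, requested: int) -> int:
        return requested

    def observe(self, host: int, tick: int, sent: int) -> None:
        pass


class Throttle(NoDefense):
    """Williamson-style outbound throttling: a host may open at most `limit`
    new connections per tick, whatever it wants to send."""
    def __init__(self, limit: int):
        self.limit = limit

    def allow(self, host, tick, requested):
        return min(requested, self.limit)


class ScanQuarantine(NoDefense):
    """Anomaly-based cut-off: a host seen sending more than `threshold`
    probes in one tick is disconnected for the rest of the run."""
    def __init__(self, threshold: int):
        self.threshold = threshold
        self.quarantined = set()

    def allow(self, host, tick, requested):
        return 0 if host in self.quarantined else requested

    def observe(self, host, tick, sent):
        if sent > self.threshold:
            self.quarantined.add(host)


def probe_targets(sc: Scenario, bot: int, tick: int) -> list:
    """Addresses this bot would probe in this tick. Seeded per (bot, tick) so the
    same stream is drawn whatever the defense does: a defended run then sends a
    prefix of the undefended run's probes, which makes the runs comparable."""
    r = random.Random(f"{sc.seed}:{bot}:{tick}")
    return [r.randrange(sc.n_hosts) for _ in range(sc.scan_rate)]


def simulate(sc: Scenario, policy) -> Result:
    rng = random.Random(sc.seed)   # same vulnerable set and seed bots in every run
    vulnerable = set(rng.sample(range(sc.n_hosts), int(sc.n_hosts * sc.vulnerable_fraction)))
    infected = set(rng.sample(sorted(vulnerable), sc.seeds))
    res = Result(infected=[len(infected)], scans=[])
    for tick in range(sc.ticks):
        newly, sent_total = set(), 0
        for bot in sorted(infected):
            draws = probe_targets(sc, bot, tick)
            sent = draws[: policy.allow(bot, tick, len(draws))]
            policy.observe(bot, tick, len(sent))
            sent_total += len(sent)
            newly.update(t for t in sent if t in vulnerable and t not in infected)
        infected |= newly          # hits in tick t become bots in tick t + 1
        res.scans.append(sent_total)
        res.infected.append(len(infected))
    return res


def compare(sc: Scenario = Scenario()) -> dict:
    """Run the propagation stage under each defense and collect the curves."""
    return {
        "none": simulate(sc, NoDefense()),
        "throttle": simulate(sc, Throttle(limit=2)),
        "quarantine": simulate(sc, ScanQuarantine(threshold=5)),
    }


if __name__ == "__main__":
    sc = Scenario()
    half = int(sc.n_hosts * sc.vulnerable_fraction) // 2
    for name, res in compare(sc).items():
        print(f"{name:10s} final bots={res.final_infected:4d} "
              f"ticks to {half} bots={res.ticks_to(half)} probes={sum(res.scans)}")
```

Because every bot's probe list for a tick is drawn from a per-(bot, tick) seed, a defended run can only ever send a prefix of what the undefended run sends, so its infected set is a subset of the undefended one at every tick. That is what makes "time to reach half of the vulnerable population" and "final number of bots" honest measures of a defense's efficiency in this model rather than artefacts of a different random path.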

MSC:

68M11 Internet topics
68P25 Data encryption (aspects in computer science)

Software:

OMNet++; Chord; BotDigger

References:

[1] I. Kotenko and A. Ulanov, ”Agent Teams in Cyberspace: Security Guards in the Global Internet,” in Proc. Int. Conf. on Cyberworlds (CW’2006) (IEEE Computer Society, Lausanne, 2006), pp. 133–140.
[2] I. Kotenko and A. Ulanov, ”Agent-Based Modeling and Simulation of Network Softbots’ Competition. Knowledge Based Software,” in Proc. of the Seventh Joint Conf. on Knowledge-Based Software Engineering, Frontiers in Artificial Intelligence and Applications, Ed. by E. Tyugu and T. Yamaguchi (IOS, Amsterdam, 2006), Vol. 140, pp. 139–146.
[3] I. Kotenko and A. Ulanov, ”Multi-Agent Framework for Simulation of Adaptive Cooperative Defense Against Internet Attacks,” in Int. Workshop on Autonomous Intelligent Systems: Agents and Data Mining (AIS-ADM-07) Lect. Notes in Artif. Intell. 4476, 212–228 (2007). · doi:10.1007/978-3-540-72839-9_18
[4] I. Kotenko, ”Multi-agent Modeling and the Simulation of Computer Network Security Processes: A Game of Network Cats and Mice,” in NATO Science for Peace and Security Series, D: Information and Communication Security. Vol. 17. Aspects of Network and Information Security, Ed. by E. Kranakis, E. Haroutunian, and E. Shahbazian (IOS, Lansdale, 2008), pp. 56–73.
[5] I. Kotenko, ”Simulation of Agent Teams: the Application of Domain-Independent Framework to Computer Network Security,” in Proc. of the 23rd European Conf. on Modelling and Simulation (ECMS’2009), Madrid, 2009, pp. 137–143.
[6] I. Kotenko, ”Agent-Based Modelling and Simulation of Network Cyber-Attacks and Cooperative Defence Mechanisms,” in Discrete Event Simulations (Sciyo, Rijeka, Croatia, 2010), pp. 223–246.
[7] I. Kotenko, A. Konovalov, and A. Shorov, ”Agent-Based Modeling and Simulation of Botnets and Botnet Defense,” in Proc. of the Conf. on Cyber Conflict (Tallinn, 2010), pp. 21–44. · Zbl 1205.68491
[8] M. Bailey, E. Cooke, F. Jahanian, et al., ”A Survey of Botnet Technology and Defenses,” in Proc. of the Cybersecurity Applications Technology Conf. for Homeland Security (USA, Washington, 2009), pp. 299–304.
[9] J. B. Grizzard, V. Sharma, C. Nunnery, et al., ”Peer-to-Peer Botnets: Overview and Case Study,” in Proc. of the First Workshop on Hot Topics in Understanding Botnets, Berkeley, 2007, pp. 1–2.
[10] J. Govil and G. Jivika, ”Criminology of Botnets and Their Detection and Defense Methods,” in Proc. of the IEEE Int. Conf. on Electro-Information Technology, Chicago, 2007, pp. 215–220.
[11] C. Mazzariello, ”IRC Traffic Analysis for Botnet Detection,” in Proc. of the Fourth Int. Conf. on Information Assurance and Security, Naples, 2008, pp. 318–323.
[12] B. Botezatu, ”Anatomy of a Botnet,” MalwareCity News, http://www.malwarecity.com/
[13] M. Feily, A. Shahrestani, and S. Ramadass, ”A Survey of Botnet and Botnet Detection,” in Third Int. Conf. on Emerging Security Information Systems and Technologies, Athens, 2009, pp. 268–273.
[14] F. Naseem, M. Shafqat, U. Sabir, et al., ”A Survey of Botnet Technology and Detection,” Int. J. Video & Image Proc. Network Security 10(1), 13–17 (2010).
[15] P. Wang, S. Sparks, and C. C. Zou, ”An Advanced Hybrid Peer-to-Peer Botnet,” in Proc. of the First Workshop on Hot Topics in Understanding Botnets, Orlando, 2007, p. 2.
[16] D. Dagon, G. Gu, C. P. Lee, et al., ”A Taxonomy of Botnet Structures,” in Twenty-Third Annual Computer Security Applications Conf. (ACSAC’07), Florida, 2007, pp. 325–339.
[17] S. Sen, O. Spatscheck, and D. Wang, ”Accurate, Scalable in Network Identification of P2P Traffic Using Application Signatures,” in Proc. of the 13th Int. Conf. on World Wide Web (ACM, New York, 2004), pp. 512–521.
[18] J. R. Binkley and S. Singh, ”An Algorithm for Anomaly-Based Botnet Detection,” in Proc. of the 2nd Conf. on Steps to Reducing Unwanted Traffic on the Internet, Berkeley, 2006, Vol. 2, pp. 43–48.
[19] M. Mahoney and P. K. Chan, ”An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection,” Florida Tech. Report CS-2003-02, 2003.
[20] H. Choi, H. Lee, H. Lee, et al., ”Botnet Detection by Monitoring Group Activities in DNS Traffic,” in Proc. of the 7th IEEE Int. Conf. on Computer and Information Technology (CIT), Fukushima, Japan, 2007, pp. 715–720.
[21] C. Mao, Y. Chen, S. Huang, et al., ”IRC-Botnet Network Behavior Detection in Command and Control Phase Based on Sequential Temporal Analysis,” in Proc. of the 19th Cryptology and Information Security Conf. (CISC’2009), Taipei, Taiwan, 2009.
[22] R. Villamarin-Salomon and J. C. Brustoloni, ”Bayesian Bot Detection Based on DNS Traffic Similarity,” in Proc. of the ACM Symp. on Applied Computing (SAC’09), New York, 2009, pp. 2035–2041.
[23] Y. Kugisaki, Y. Kasahara, Y. Hori, et al., ”Bot Detection Based on Traffic Analysis,” in Proc. Int. Conf. on Intelligent Pervasive Computing (IPC’07), Jeju Island, South Korea, 2007, pp. 303–306.
[24] M. Williamson, ”Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code,” in Proc. of the ACSAC Security Conf., Las Vegas, 2002, pp. 61–68.
[25] S. Chen and Y. Tang, ”Slowing down Internet Worms,” in Proc. of the 24th Int. Conf. on Distributed Computing Systems (ICDCS’04) (IEEE Computer Society, New York, 2004).
[26] V. Nagaonkar and J. McHugh, ”Detecting Stealthy Scans and Scanning Patterns Using Threshold Random Walk” (Dalhousie University, Halifax, 2008).
[27] P. Ferguson and D. Senie, ”Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing,” Internet Engineering Task Force (IETF), RFC 2827 (BCP 38), 2000.
[28] J. Li, J. Mirkovic, M. Wang, et al., ”Save: Source Address Validity Enforcement Protocol,” in Proc. IEEE INFOCOM, New York, 2002, pp. 1557–1566.
[29] T. Peng, C. Leckie, and K. Ramamohanarao, ”Proactively Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring,” Lect. Notes Comput. Sci. 3042, 771–782 (2004). · doi:10.1007/978-3-540-24693-0_63
[30] C. Jin, H. Wang, and K. Shin, ”Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic,” in Proc. of the 10th ACM Conf. on Computer and Communications Security, New York, 2003, pp. 30–41.
[31] H. Wang, D. Zhang, and K. Shin, ”Detecting SYN Flooding Attacks,” in Proc. IEEE INFOCOM, New York, 2002, pp. 1530–1539.
[32] J. Oikarinen and D. Reed, RFC 1459: Internet Relay Chat Protocol (Network Working Group, 1993).
[33] M. Akiyama, T. Kawamoto, M. Shimamura, et al., ”A Proposal of Metrics for Botnet Detection Based on Its Cooperative Behavior,” in SAINT Workshops, Hiroshima, Japan, 2007, p. 82.
[34] W. Strayer, R. Walsh, C. Livadas, et al., ”Detecting Botnets with Tight Command and Control,” in Proc. of the 31st Int. Conf. on Local Computer Networks (LCN), Tampa, USA, 2006, pp. 195–202.
[35] K. Chiang and L. Lloyd, ”A Case Study of the Rustock Rootkit and Spam Bot,” in Proc. of the First Workshop on Hot Topics in Understanding Botnets, Berkeley, 2007, p. 10.
[36] ”SSAC Advisory on Fast Flux Hosting and DNS,” Technical Report of the ICANN Security and Stability Advisory Committee, 2008: http://www.icann.org/en/committees/security/
[37] H. Tu, Z. T. Li, and B. Liu, ”Detecting Botnets by Analyzing DNS Traffic,” in Proc. of the Pacific Asia Workshop on Intelligence and Security Informatics (PAISI), Berlin, 2007, pp. 323–324.
[38] R. V. Salomon and J. C. Brustoloni, ”Identifying Botnets Using Anomaly Detection Techniques Applied to DNS Traffic,” in Proc. of the 5th IEEE Consumer Communications and Networking Conf., Las Vegas, 2008, pp. 476–481.
[39] B. Al-Duwairi and L. Al-Ebbini, ”BotDigger: A Fuzzy Inference System for Botnet Detection,” in Proc. of the 5th Int. Conf. on Monitoring and Protection (ICIMP’10), Barcelona, Spain, 2010, pp. 16–21.
[40] I. Stoica, R. Morris, D. Karger, et al., ”Chord: A Scalable Peer-to-Peer Lookup Service for Internet Applications,” in ACM SIGCOMM, New York, 2001, pp. 149–160.
[41] P. Maymounkov and D. Mazieres, ”Kademlia: A P2P Information System Based on the XOR Metric,” in Proc. of the Int. Workshop on Peer-to-Peer Systems, London, 2002, pp. 53–62.
[42] Zh. Huang, X. Zeng, and Y. Liu, ”Detecting and Blocking P2P Botnets through Contact Tracing Chains,” Int. J. Internet Protocol Technology 5, 44–54 (2010). · doi:10.1504/IJIPT.2010.032614
[43] J. Kang and J. Y. Zhang, ”Application Entropy Theory To Detect New Peer-to-Peer Botnet with Multi-Chart CUSUM,” in Proc. of the 2nd Int. Symp. on Electronic Commerce and Security, Washington, 2009, Vol. 1, pp. 470–474.
[44] E. V. Ruitenbeek and W. H. Sanders, ”Modeling Peer-to-Peer Botnets,” in Proc. of the 5th Int. Conf. on Quantitative Evaluation of Systems (QEST’08), St. Malo, France, 2008, pp. 307–316.
[45] D. Dagon, C. C. Zou, and W. Lee, ”Modeling Botnet Propagation Using Time Zones,” in Proc. of the 13th Annual Network and Distributed System Security Symposium (NDSS’06), San Diego, 2006.
[46] P. Owezarski and N. Larrieu, ”A Trace Based Method for Realistic Simulation,” in Proc. of the IEEE Int. Conf. on Communications (ICC’04), 2004, pp. 2236–2239.
[47] R. Simmonds, R. Bradford, and B. Unger, ”Applying Parallel Discrete Event Simulation to Network Emulation,” in Proc. of the Fourteenth Workshop on Parallel and Distributed Simulation (PADS’00), Washington, 2000, pp. 15–22.
[48] A. Wagner, T. Dubendorfer, B. Plattner, et al., ”Experiences with Worm Propagation Simulations,” in Proc. of the ACM Workshop on Rapid Malcode, New York, 2003, pp. 34–41.
[49] G. Riley, M. Sharif, and W. Lee, ”Simulating Internet Worms,” in Proc. of the 12th Int. Workshop on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS), Atlanta, 2004, pp. 268–274.
[50] A. Suvatne, ”Improved Worm Simulator and Simulations,” Master’s Projects (San Jose, USA 2010).
[51] J. Krishnaswamy, ”Wormulator: Simulator for Rapidly Spreading Malware,” Master’s Projects (San Jose, USA, 2009).
[52] M. Schuchard, A. Mohaisen, D. Kune, et al., ”Losing Control of the Internet: Using the Data Plane to Attack the Control Plane,” in Proc. of the 17th ACM Conf. on Computer and Communications Security (CCS’10) (ACM, USA, 2010), pp. 726–728.
[53] T. Gamer and C. Mayer, ”Large-Scale Evaluation of Distributed Attack Detection,” in Proc. of the 2nd Int. Workshop on OMNeT++, Rome, 2009, pp. 1–8.
[54] A. Varga and R. Hornig, ”An Overview of the OMNeT++ Simulation Environment,” in Proc. of the Int. Conf. on Simulation Tools and Techniques for Communications, Networks and Systems & Workshops (Simutools’08), Brussels, 2008, pp. 1–10.
[55] The INET Framework is an Open-Source Communication Networks Simulation Package for the OMNeT++ Simulation Environment, http://inet.omnetpp.org/
[56] ReaSE-Realistic Simulation Environments for OMNeT++, https://i72projekte.tm.uka.de/trac/ReaSE/
[57] L. Li, D. Alderson, W. Willinger, et al., ”A First-Principles Approach to Understanding the Internet’s Router-Level Topology,” ACM SIGCOMM Computer Communication Review 34(4), 3–14 (2004).
[58] S. Zhou, G. Zhang, G. Zhang, et al., ”Towards a Precise and Complete Internet Topology Generator,” in Proc. of the Int. Conf. on Communications, Circuits and Systems (ICCCAS), Guilin, China, 2006, pp. 1830–1834.
[59] K. V. Vishwanath and A. Vahdat, ”Realistic and Responsive Network Traffic Generation,” in Proc. of the Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communications, New York, 2006, pp. 111–122.
[60] S. Jones, ”Internet Relay Chat,” in Encyclopedia of New Media: An Essential Reference to Communication and Technology (SAGE Publications, Thousand Oaks, California: 2002), pp. 256–257.
[61] B. Saha and A. Gairola, ”Botnet: An Overview,” CERT-In White Paper CIWP, 2005, http://www.mendeley.com/research/bots-botnet-overview/
[62] A. Oram, Peer to Peer: Harnessing the Power of Disruptive Technologies (O’Reilly Media, Sebastopol, 2001).