Zhiqi Zhang, Baochen Lu, Peng Liao, Chaoge Liu, Xiang Cui. Computer Science and Automation Engineering (CSAE), 2011 IEEE International Conference. Speaker: Yi-Ting Tsai. Date: 102.11.7
Slide 1
A Hierarchical Hybrid Structure for Botnet Control and Command
Zhiqi Zhang, Baochen Lu, Peng Liao, Chaoge Liu, Xiang Cui - Computer Science and Automation Engineering (CSAE), 2011 IEEE International Conference
Speaker: Yi-Ting Tsai
Date: 102.11.7

Slide 2
Outline
Centralized Botnet
P2P Botnet
Hybrid P2P Botnet
Hierarchical hybrid Botnet
Robustness
Simulation
Defense against the proposed Botnet
Conclusion

Slide 3
Botnet
1/14

Slide 4
Characteristics: rely on C&C servers
Weakness: single point of failure
Example: AgoBot, SDBot, SpyBot
Slide 5
P2P Botnet
Kademlia-based protocol
Random probing protocol
Bootstrap failure
Extensive abnormal traffic
Example: Slapper botnets
Example: Sinit botnets
Sybil attack
Sybil attack

Slide 6
Hybrid P2P Botnet
Servent bots: static global IP
Slave bots: dynamic private IP
Peer list: servent bots' IPs
Slave bots (client)
Servent bots (server + client)
Weakness:
Sybil attack
communication between clients

Slide 7
Hierarchical hybrid Botnet
1. Resolve: Sybil attack; communication between clients
2. Difficult to be shut down
3. Keep botnet under control
Slave bots (client)
Servent bots (server + client)

Slide 8
No Sybil attack, advanced bootstrap process, no detection, no hijacking
Peer-list entry failure counter (state diagram): 0 failure -> 1 failure -> 2 failure -> ... -> N-1 failure -> N failure -> Delete
Poll fail: advance to the next failure state
Poll succeed: return to 0 failure

Slide 9
Peer list: < IP , port > entries, each with a failure counter (0 failure, 1 failure, ..., N failure)

Slide 10
Peer list: < IP , port > entries, each with a failure counter (0 failure, 1 failure, ..., N failure)
+ Random service port
+ Data encryption
Perfect!

Slide 11
Communication Encryption: One-time padding
Command Authentication: Private key signature (signed with the private key, verified with the public key)

Slide 12
Robustness Simulation
Definition: the probability that a botnet remains connected together after a fraction of bots are removed.
G = ( V , E )
V: bots

Slide 13
Simulation settings
Servent bots: 25%
Maximum size of botnets: 10000
Peer list ( ): 20
Tools: igraph library, Network Workbench Tool

Slide 14
Peer list size and Robustness
Servent bots: 25%
Maximum size of botnets: 10000
Bots removed (P) = 95%
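The robustness measure of slides 12 to 14, as an added example that is not part of the original slides or the paper's code: it builds a constructed hybrid topology (a fraction of servent bots, every bot holding a peer list of servent addresses), removes a fraction P of bots at random, and estimates the probability that the survivors stay connected, which is the figure a defender uses to judge how large a takedown must be to fragment the network. It is pure Python instead of the igraph / Network Workbench tools named on slide 13, and the topology generator is an assumption rather than the paper's.

```python
import random
from collections import deque


def build_hybrid_botnet(n, servent_frac, peer_list_size, rng):
    # Constructed topology (assumption, not the paper's generator): bots
    # 0..n_servent-1 are servents; every bot's peer list holds distinct
    # servents other than itself, and each entry becomes an undirected edge.
    n_servent = max(2, int(n * servent_frac))
    adj = [set() for _ in range(n)]
    for bot in range(n):
        peers = set()
        others = n_servent - (1 if bot < n_servent else 0)
        while len(peers) < min(peer_list_size, others):
            s = rng.randrange(n_servent)
            if s != bot:
                peers.add(s)
        adj[bot] |= peers
        for s in peers:
            adj[s].add(bot)
    return adj


def is_connected(adj, alive):
    # BFS restricted to surviving bots; True if they form a single component.
    alive = set(alive)
    if not alive:
        return False
    start = next(iter(alive))
    seen, queue = {start}, deque([start])
    while queue:
        for v in adj[queue.popleft()]:
            if v in alive and v not in seen:
                seen.add(v)
                queue.append(v)
    return len(seen) == len(alive)


def robustness(n, servent_frac, peer_list_size, removal_frac, trials, seed=0):
    # Slide 12 definition: probability the botnet stays connected after a
    # fraction removal_frac of bots is removed uniformly at random.
    rng = random.Random(seed)
    connected = 0
    for _ in range(trials):
        adj = build_hybrid_botnet(n, servent_frac, peer_list_size, rng)
        survivors = rng.sample(range(n), n - int(n * removal_frac))
        connected += is_connected(adj, survivors)
    return connected / trials


if __name__ == "__main__":
    # Slide 13/14 settings: 25% servents, 10000 bots, P = 95%; vary peer list size.
    for size in (5, 10, 20, 40):
        print(size, robustness(10000, 0.25, size, 0.95, trials=10))
```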
Slide 15
Defense against the proposed Botnet
Host-based Detection: Signature-based malware detection; Behavior-based detection
Honeypot-based Monitoring

Slide 16
Conclusion
Hierarchical hybrid P2P botnet with an advanced peer list
It can defend against Sybil attacks
Weakness: very high complexity; very high latency