Warning that botnets are a "dynamic, evolving threat," researchers from the Georgia Institute of Technology have proposed the classification of botnet structures to provide an effective response framework for attacks and general remediation.
In a paper presented at the 23rd Annual Computer Security Applications Conference (ACSAC '07) in Miami last week, the Georgia Tech research team reported that targeted responses are particularly effective against scale-free botnets. Increasing the robustness of scale-free networks results poses a structural problem for botmasters, the team said.
The research team, which created a simulated peer-to-peer (p2p) network, also determined that random-graph botnets, such as those using (p2p) formations, are highly resistant to both random and targeted responses.
“Random network models give botnets considerable resilience…[resisting] both random and targeted responses, ” the Georgia Tech researchers said in the paper. “Our analysis showed that targeted removals on scale-free botnets offer the best response.”
The paper, entitled “A Taxonomy of Botnet Structures,” called for the creation of a classification taxonomy for botnet structures based on their utility to the botmaster. Co-authored by Georgia Tech researchers David Dagon, Guofei Gu, Christopher Lee and Wenke Lee, the paper identifies key metrics for measuring the utility of communications activities deployed in attacks, such as spam and DDoS attacks, which can then be used to rate the effectiveness of different response techniques to degrade or disrupt botnets.
In creating a botnet topology, the Georgia Tech team considered potential attack strategies, as well as past attacks.
“We believe that it is inadequate to simply enumerate the botnets we have seen to date in the wild,” the Georgia Tech team said in the ACSAC '07 paper. “Botnets have proven to be very dynamic. For example, researchers have observed changes in botnet sizes, which have trended from large networks (more than 100,000 bots) to numerous smaller botnets (1,000 to 5,000 bots). Likewise, we have seen a rapid transition from centralized botnets [using internet relay chat] to distributed organizational structures (p2p). We must therefore consider the structural and organizational potential of botnets.”
Researchers have consistently cited botnets as a growing threat to both home users and corporate networks. The latest SANS Institute Top 20, released last month, cited client-side, botnet-building bugs as a growing threat.
The Georgia Tech project applied a methodology previously used to detail key aspects of worms. Based on what it called “a utilitarian analysis,” the team said it identified a relatively small number of likely structural forms for botnets. While botmasters may innovate new uses of botnets, they said, the ability of a botnet to meet existing uses -- such as spam, DDoS, warez distribution and phishing -- is roughly approximated by size and available bandwith.
However, botnet size is not defined by the paper to mean the total population count (a metric used in worm epidemiology studies), but rather it refers to the “giant” component of the botnet – the largest connected (or online) portion.
“Botnets are, of course, more powerful if they have large infected populations, but the giant component lets us directly measure the damage potentially caused by certain botnet functions,” the paper stated.
In a paper presented at the 23rd Annual Computer Security Applications Conference (ACSAC '07) in Miami last week, the Georgia Tech research team reported that targeted responses are particularly effective against scale-free botnets. Increasing the robustness of scale-free networks results poses a structural problem for botmasters, the team said.
The research team, which created a simulated peer-to-peer (p2p) network, also determined that random-graph botnets, such as those using (p2p) formations, are highly resistant to both random and targeted responses.
“Random network models give botnets considerable resilience…[resisting] both random and targeted responses, ” the Georgia Tech researchers said in the paper. “Our analysis showed that targeted removals on scale-free botnets offer the best response.”
The paper, entitled “A Taxonomy of Botnet Structures,” called for the creation of a classification taxonomy for botnet structures based on their utility to the botmaster. Co-authored by Georgia Tech researchers David Dagon, Guofei Gu, Christopher Lee and Wenke Lee, the paper identifies key metrics for measuring the utility of communications activities deployed in attacks, such as spam and DDoS attacks, which can then be used to rate the effectiveness of different response techniques to degrade or disrupt botnets.
In creating a botnet topology, the Georgia Tech team considered potential attack strategies, as well as past attacks.
“We believe that it is inadequate to simply enumerate the botnets we have seen to date in the wild,” the Georgia Tech team said in the ACSAC '07 paper. “Botnets have proven to be very dynamic. For example, researchers have observed changes in botnet sizes, which have trended from large networks (more than 100,000 bots) to numerous smaller botnets (1,000 to 5,000 bots). Likewise, we have seen a rapid transition from centralized botnets [using internet relay chat] to distributed organizational structures (p2p). We must therefore consider the structural and organizational potential of botnets.”
Researchers have consistently cited botnets as a growing threat to both home users and corporate networks. The latest SANS Institute Top 20, released last month, cited client-side, botnet-building bugs as a growing threat.
The Georgia Tech project applied a methodology previously used to detail key aspects of worms. Based on what it called “a utilitarian analysis,” the team said it identified a relatively small number of likely structural forms for botnets. While botmasters may innovate new uses of botnets, they said, the ability of a botnet to meet existing uses -- such as spam, DDoS, warez distribution and phishing -- is roughly approximated by size and available bandwith.
However, botnet size is not defined by the paper to mean the total population count (a metric used in worm epidemiology studies), but rather it refers to the “giant” component of the botnet – the largest connected (or online) portion.
“Botnets are, of course, more powerful if they have large infected populations, but the giant component lets us directly measure the damage potentially caused by certain botnet functions,” the paper stated.
