Modeling Botnets and Epidemic Malware - PowerPoint PPT Presentation

1
Modeling Botnets and Epidemic Malware
  • Marco Ajelli, Renato Lo Cigno, Alberto Montresor
  • DISI University of Trento, Italy
  • Locigno _at_ disi.unitn.it
  • http://disi.unitn.it/locigno

2
BOTNETS
  • Collection of bots, i.e. machines remotely
    controlled by a bot-master
  • Today intrinsically associated with malware
      • Viruses, worms, ...
      • SPAM sending, data spying, ...
  • A bot is created by spreading a piece of
    software that infects machines
  • Bot software self-replicates
  • Bot software may be:
      • Active: doing its intended damage/action/...
      • Replicating: sending new copies to non-infected
        machines
      • Sleeping: just waiting to go into one of the
        above states

3
Why Modeling Botnets
  • To ... improve their design? ... or
  • To understand how to counter them better
  • Little is known about how botnets work and
    operate
  • Worms and viruses are among the most dangerous
    threats to Internet evolution
  • SPAM (90% of it is deemed to be generated by
    botnets!) is hampering e-mail communications ...
    and can be worse on other services like voice!
  • Bots can scan the disk to grab important,
    sensitive, personal information
  • ...

4
How to model a Botnet?
  • Intrinsically difficult
  • Large, distributed system with complex behavior
  • Measurements are not available and very difficult
    to collect (this also limits the scope of
    modeling, since the models cannot be validated)
  • No clues on the dynamic behavior, apart from the
    fact that they spread by infecting new machines
  • No space for a proper stochastic model
  • Learn from biology: disease spreading
  • We propose a modeling technique based on
    compartmental ordinary differential equations

5
Compartmental ordinary differential equations
  • Differential equation: df(x)/dx = a·f(x)
  • The rate of change of, e.g., a population is
    proportional to its value
  • Compartments introduce multiple populations
    influencing each other
  • System of coupled differential equations

6
Botnets subject to immunization I-bot
  • s: susceptible PCs that can be infected
  • i: infected PCs that got the malware and are
    spamming
  • v: hidden infected computers which are not
    spamming
  • r: recovered computers which were de-malwarized
  • p: apportioning coefficient between
    spamming/hidden nodes; it regulates the rate of
    toggling between the two states
  • We normalize the system w.r.t. an arbitrary
    transition rate m, which is the absolute rate of
    transition between states i and v

7
Botnets with re-infection R-bot
  • Recovered PCs can be re-infected with some
  • Susceptibles can be immunized (antivirus
    footprint update, etc. )

8
More complex models ...
  • You can find examples/details in Ajelli, M.,
    Lo Cigno, R. and Montresor, A., Compartmental
    differential equations models of botnets and
    epidemic malware (extended version), University
    of Trento, T.R. DISI-10-011, 2010,
    http://disi.unitn.it/locigno/preprints/TR-DISI-10-011.pdf

9
Insights and Metrics given by the Model
  • What are the admissible parameters for a bot to
    work?
      • Threshold conditions
  • What are the spreading parameters that make a
    bot dangerous?
  • Nice closed-form equations
      • look for them in the paper
      • you do not want a nasty two-line equation on a
        slide, do you?
  • How many PCs will be affected in the population?
  • What is the fraction of infected PCs over time?
  • What is the amount of damage done by the botnet?

10
Fraction of PCs infected I-bot
  • Measures how many PCs will be infected during the
    epidemic
  • Function of the ratio between infectivity b and
    recovery g
  • Three values of p: 0.2, 0.5, 0.8

11
Maximum number of infected PCs I-bot
  • Measures the maximum fraction of PCs that are
    infected at the same time during the entire
    epidemic
  • Function of the ratio between infectivity b and
    recovery g
  • Three values of p: 0.2, 0.5, 0.8

  • (plot annotation: more infected nodes are active)
12
Fraction of infected PCs in time I-bots
  • Plot: fraction of hidden and of active infected
    PCs over time for b = 0.5, g = 0.25; the arrows on
    both curves mark the direction of decreasing p
13
R0 and R-botnet diffusion
  • I-botnets are probably too simplistic
  • Infection always starts, even if it can be
    ineffective when the worm/virus is too aggressive
    or not aggressive enough
  • R-botnets are more interesting, due to the
    possibility that the malware simply does not
    spread if immunization is fast enough
  • R0 > 1 means that the infection can happen, R0 < 1
    means that the malware is cured before it can do
    meaningful harm
  • Interestingly, this fundamental property can be
    computed in closed form for the model
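The slides name the I-bot compartments (slide 6), the R-bot additions of immunization and re-infection (slide 7) and the metrics the model yields (slides 9 through 13: threshold condition, fraction of PCs infected, maximum infected fraction, fraction infected over time), but do not write out the equations. The following Python simulation is an added example, not the authors' model or code. Its right-hand sides are my own SIR-style reading of the slide text and are assumptions: only active (spamming) bots replicate, both active and hidden bots recover at rate g, new infections split p/(1-p) between active and hidden, toggling at rates m(1-p) and mp keeps the active share of bots at p, immunization moves susceptibles straight to recovered, and re-infection is the infection term scaled by a relative susceptibility of recovered PCs. Only b = 0.5 and g = 0.25 come from slide 12; the seed fraction, time horizon, and the "take-off" test (a crude numeric stand-in for the paper's closed-form R0 condition) are constructed here.

```python
"""Compartmental botnet model (added example; equations are assumptions,
not the authors' published model)."""
from dataclasses import dataclass


@dataclass
class BotParams:
    b: float            # infectivity: rate at which active bots infect susceptibles
    g: float            # recovery ("de-malwarization") rate
    p: float            # apportioning coefficient: share of bots that are active
    m: float = 1.0      # normalizing toggle rate between active (i) and hidden (v)
    immun: float = 0.0  # R-bot: immunization rate of susceptibles (antivirus updates)
    reinf: float = 0.0  # R-bot: relative susceptibility of recovered PCs (0 = I-bot)


def derivatives(state, prm):
    """Right-hand side for state (s, i, v, r, c); c counts infection events.

    Assumed dynamics: only active bots replicate; both bot kinds recover at
    rate g; new infections enter active/hidden in the ratio p/(1-p); the
    toggle term drives the active share of bots to p; immunized PCs join r.
    """
    s, i, v, r, _c = state
    new_inf = prm.b * s * i               # fresh infections of susceptibles
    re_inf = prm.reinf * prm.b * r * i    # re-infections of recovered PCs
    total = new_inf + re_inf
    toggle = prm.m * ((1 - prm.p) * i - prm.p * v)   # net flow active -> hidden
    ds = -new_inf - prm.immun * s
    di = prm.p * total - prm.g * i - toggle
    dv = (1 - prm.p) * total - prm.g * v + toggle
    dr = prm.g * (i + v) + prm.immun * s - re_inf
    return ds, di, dv, dr, total


def run_model(prm, seed=1e-3, t_end=200.0, dt=0.01):
    """Forward-Euler integration (time in units of 1/m) returning the metrics
    the slides discuss. Conservation of s+i+v+r is checked as a sanity test."""
    # Constructed initial condition: a small seed of bots, split p/(1-p).
    state = (1.0 - seed, prm.p * seed, (1 - prm.p) * seed, 0.0, 0.0)
    peak_inf = peak_act = 0.0
    max_mass_err = 0.0
    samples = []                          # (t, s, i, v, r) once per time unit
    steps = int(t_end / dt)
    per_unit = int(round(1.0 / dt))
    for n in range(steps):
        s, i, v, r, _c = state
        if i + v > peak_inf:
            peak_inf, peak_act = i + v, i
        if n % per_unit == 0:
            samples.append((n * dt, s, i, v, r))
            max_mass_err = max(max_mass_err, abs(s + i + v + r - 1.0))
        d = derivatives(state, prm)
        state = tuple(x + dt * dx for x, dx in zip(state, d))
    return {
        "peak_infected": peak_inf,                       # max fraction of PCs infected at once
        "active_share_at_peak": peak_act / peak_inf if peak_inf else 0.0,
        "cumulative_infections": state[4],               # infection events per PC (>1 possible with re-infection)
        "final_infected": state[1] + state[2],           # bots still present at t_end
        "epidemic": peak_inf > 1.5 * seed,               # crude numeric take-off test
        "max_mass_error": max_mass_err,
        "samples": samples,
    }


if __name__ == "__main__":
    # b = 0.5, g = 0.25 as on slide 12; p values as on slides 10 and 11.
    for p in (0.2, 0.5, 0.8):
        res = run_model(BotParams(b=0.5, g=0.25, p=p))
        print(f"I-bot p={p}: epidemic={res['epidemic']} peak={res['peak_infected']:.3f} "
              f"cumulative={res['cumulative_infections']:.3f}")
    for immun in (0.01, 1.0):
        res = run_model(BotParams(b=0.5, g=0.25, p=0.8, immun=immun))
        print(f"R-bot immun={immun}: epidemic={res['epidemic']} "
              f"cumulative={res['cumulative_infections']:.3f}")
    res = run_model(BotParams(b=0.5, g=0.25, p=0.8, reinf=1.0))
    print(f"R-bot reinf=1.0: bots still present at t_end={res['final_infected']:.3f}")
```

With these assumptions the active share of bots is exactly p at all times, so the s/(i+v) dynamics reduce to an SIR system with effective infectivity b·p: for b = 0.5, g = 0.25 the epidemic takes off at p = 0.8 (b·p/g = 1.6) but not at p = 0.2 (0.4), which is the threshold behaviour slide 9 refers to; fast immunization suppresses it at p = 0.8, and full re-infection (reinf = 1.0) turns it into a persistent infection instead of a single wave.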

14
R-botnets areas of effectiveness
  • Grey areas are those for which the epidemic will
    occur for the given set of parameters
  • Plot: regions of effectiveness for g = 0.25, with
    b on the axes
15
Harm caused by botnets
  • How much damage can a botnet cause?
  • Are I-bots more dangerous than R-bots or vice
    versa?
  • Are aggressive bots more or less dangerous than
    hidden ones?

16
I-bots waves of spam-storm
  • Even simple I-bots show very complex behavior
    just by changing a parameter like p
  • Multiple waves of infection can simply be the
    consequence of switching, in a coordinated way,
    between different p values

17
Conclusions
  • We have proposed a modeling methodology for
    understanding the behavior of botnets
  • Even simple, deterministic compartmental
    differential equations highlight interesting
    phenomena and complex behavior
  • Available measurements would enable
      • Validation of averages
      • Stochastic models
  • Botnets are currently one of the major threats on
    the Internet, but their covert and complex
    behavior (possibly) leads to underestimating their
    impact
  • Read the paper (better: the extended version) to
    learn more!!

18
THE END
  • Thank you!
  • Questions?
  • Comments?