C3E Idea Detail - Botnet Epidemiology




Submitted by Luanne Burns

Title: Botnet Epidemiology

Problem:

Botnets are loosely defined as a set of “zombie” computers unwittingly controlled by a “botmaster” through other machines that serve communications, exploit-delivery, and code-delivery functions. In addition, zombie host machines may store or forward information or files to other computers. It is assumed that many botnets are operated by financially motivated third parties who rent their services to botnet customers. Because of their potential size, botnets can mount attacks that require scale, dispersion, or heterogeneity. For all of these reasons, it is difficult to parameterize the threat posed by a botnet, or even to determine whether a collection of computers is a botnet at all.
 
Rajab et al. identified challenges related to botnet size estimation, and other research efforts have proposed various approaches for size estimation. However, simply estimating the size of a botnet is not sufficient to quantify how effective, efficient, or robust a particular botnet may be. In addition, current assessments do not account for potential countermeasures employed by the botnet itself or its associated malware to defend itself or obscure its characteristics. Finally, reactive approaches may be ineffective against botnets that have no zombies in a honeypot or whose countermeasures hide them from observers, but it may be possible to detect some botnet activity through traffic analysis.
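The point that size alone says little about potency can be made concrete with the three structural properties Dagon et al. (cited under Strengths and in the references) use to characterize botnets: effectiveness, efficiency, and robustness. The following Python is an added example, not code from the proposal or from Dagon et al.; the way each property is operationalized below (aggregate bandwidth, average shortest-path length, and the fraction of the botnet still connected after a takedown of the highest-degree nodes) is a simplified assumption for illustration, and the two topologies, the bandwidth figure, and the takedown budget are constructed inputs, not measurements of any real botnet.

```python
"""
Added example: two botnets of identical size score identically on
'size' and on a size-times-bandwidth effectiveness measure, yet differ
sharply in efficiency (how fast a command reaches every bot) and in
robustness (how much survives a defender's takedown of the most
central nodes). Graphs, bandwidth and budget are constructed here.
"""
from collections import deque


def build_centralized(n_bots, n_c2=1):
    """Bots connect only to C2 servers; the C2 servers form a full mesh."""
    adj = {v: set() for v in range(n_c2 + n_bots)}
    for a in range(n_c2):
        for b in range(a + 1, n_c2):
            adj[a].add(b)
            adj[b].add(a)
    for bot in range(n_c2, n_c2 + n_bots):
        c2 = bot % n_c2            # assign each bot to one C2 server
        adj[bot].add(c2)
        adj[c2].add(bot)
    return adj


def build_ring_lattice(n, k=2):
    """Peer-to-peer style topology: each node links to its k nearest nodes on each side."""
    adj = {v: set() for v in range(n)}
    for v in range(n):
        for d in range(1, k + 1):
            w = (v + d) % n
            adj[v].add(w)
            adj[w].add(v)
    return adj


def _bfs(adj, src):
    """Hop distances from src to every node reachable from it."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in dist:
                dist[w] = dist[u] + 1
                queue.append(w)
    return dist


def effectiveness(adj, bandwidth_per_node):
    """Aggregate bandwidth the botmaster can command (size x per-node bandwidth, assumed equal)."""
    return len(adj) * bandwidth_per_node


def efficiency(adj):
    """Average shortest-path length over reachable ordered pairs; lower means faster command spread."""
    total, pairs = 0, 0
    for src in adj:
        for dst, d in _bfs(adj, src).items():
            if dst != src:
                total += d
                pairs += 1
    return total / pairs if pairs else float("inf")


def largest_component_fraction(adj):
    """Share of nodes that sit in the largest connected component."""
    seen, best = set(), 0
    for v in adj:
        if v not in seen:
            comp = _bfs(adj, v)
            seen.update(comp)
            best = max(best, len(comp))
    return best / len(adj) if adj else 0.0


def remove_nodes(adj, victims):
    """Return a copy of the graph with the given nodes (and their edges) removed."""
    victims = set(victims)
    return {v: {w for w in nbrs if w not in victims}
            for v, nbrs in adj.items() if v not in victims}


def robustness_targeted(adj, budget):
    """Fraction of the botnet still in one piece after the `budget` highest-degree
    nodes are taken down (the defender's takedown-planning view)."""
    targets = sorted(adj, key=lambda v: (-len(adj[v]), v))[:budget]
    return largest_component_fraction(remove_nodes(adj, targets))


def compare(n=50, budget=1, bandwidth=10.0):
    """Score a centralized and a peer-to-peer botnet of the same size n."""
    centralized = build_centralized(n_bots=n - 1, n_c2=1)   # 1 C2 + (n-1) bots
    p2p = build_ring_lattice(n, k=2)
    return {
        name: {
            "size": len(g),
            "effectiveness": effectiveness(g, bandwidth),
            "efficiency": round(efficiency(g), 2),
            "robustness": round(robustness_targeted(g, budget), 2),
        }
        for name, g in (("centralized", centralized), ("p2p", p2p))
    }


if __name__ == "__main__":
    for name, metrics in compare().items():
        print(name, metrics)
```

With the constructed inputs, both botnets report size 50 and the same effectiveness, but the centralized one spreads commands in under two hops on average and collapses to isolated hosts once its single C2 node is removed, while the peer-to-peer one is slower to command and stays fully connected after losing its most central node. The same functions can be run over a topology recovered from sensor or honeypot data to rank takedown targets by how much of the botnet each removal would fragment.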

Proposal:

Botnet Potency Evaluation – The USG should work with academia, honeypot projects, the open source community, and the commercial software industry. This approach would include developing tactics for measuring botnet activity, creating the associated algorithms, building a sensor infrastructure for capturing botnet data, and building a processing and analysis infrastructure for that data.

Strengths:

· Provides better vocabulary for risk assessment – Media coverage of botnets often focuses on botnet size as an indicator of risk. A realistic risk assessment that takes into account the metrics proposed by Dagon et al. could be combined with probable scenarios to better assess botnet risk.
· Provides common language for coordination and visualization – Lacking a common vocabulary for describing botnet potency, it may be difficult to coordinate across the interagency. In addition, merely tracking botnets by size does not lend itself to evaluating how the nature of a botnet may be changing over time, nor to visualizing its state in a meaningful way.
· Drives generalized approach for sampling and/or estimating botnets – A common set of metrics should be driven by reusable, standardized ways of collecting and processing data. This would allow individuals to understand the limitations of a given metric, and it may allow the organizations best positioned technologically to provide a metric to the community in a way that is scientifically satisfying.
· Enhances prioritization of research, defense, or exploitation assets – While evaluating the potency of a botnet may in itself be a resource-intensive task, subsequent prioritization of CNO assets would benefit from having a baseline understanding of a botnet’s potency and how it is changing over time.
· Provides a basic data model for analysis – Standardizing botnet potency metrics would allow for larger-scale analysis by enabling the collection of historic and trend data.

Weaknesses:

· Large-scale adoption required for cost-benefit, larger utility – Characterizing botnets would most likely require infrastructure and staff, and incur associated costs. Furthermore, the metrics generated may not be worth the cost unless the knowledge can be leveraged by CNO entities to achieve their objectives.
· Sampling challenges: legal, tactical, and infrastructure – Any effort to sample computing activity spanning international boundaries will have associated legal issues. In general, the tactic of infecting a host in a honeypot may not be sufficient, and other tactics may be necessary. Finally, getting proper visibility of a botnet may require a large sensor infrastructure for collection and a significant processing capability.
· Countermeasures – Some botnets have employed sophisticated countermeasures, and it may be possible for botnets to morph to avoid sampling or observation. Any sensor network developed would have to be agile enough to keep up with botnet countermeasures. Furthermore, VM detection and other technologies may limit the usefulness of honeypots for observing botnets.
· Classification – What constitutes membership in a particular botnet is somewhat arbitrary. For metrics to be meaningful, how a botnet is defined may require more formality. Is it appearance (phenotype), composition (genotype), or relationships with other computers? Peer-to-peer botnets may also be hard to classify, and it is possible that zombies reporting to a common C2 structure may be performing different functions.
· Intent determination – While potency metrics themselves may be useful, if potency is to be measured by intent and outcome, then sensor or honeypot data may not be enough. In order to get the full picture of what a botnet is doing, the sensor system might need to be integrated with human and communications intelligence sources. Given potential sensitivities and botnet scale, this type of analysis and collaboration may pose a technological, sensitivity, or cultural challenge.

References:

Bailey, M., E. Cooke, F. Jahanian, Y. Xu, and M. Karir. 2009. A Survey of Botnet Technology and Defenses. Proceedings of the Cybersecurity Applications and Technology Conference for Homeland Security (CATCH 2009), 299-304.

Dagon, D., G. Gu, C. P. Lee, and W. Lee. 2007. A Taxonomy of Botnet Structures. Proceedings of the Annual Computer Security Applications Conference (ACSAC), 325-338.

Hemmingsen… Spam, Phishing, and the Looming Challenge of Big Botnets.

Hu, Jun, Zhitang Li, Junfeng Yu, and Dezhong Yao. 2009. Measuring Botnet Size by Using URL and Collaborative MailServers. Proceedings of the 5th International Conference on Networking and Services (ICNS 2009), 161-164.

Livadas, C., R. Walsh, D. Lapsley, and W. T. Strayer. 2006. Using Machine Learning Techniques to Identify Botnet Traffic. Proceedings of the 31st IEEE Conference on Local Computer Networks, 967-974.

Paulson, Linda Dailey. 2006. Hackers Strengthen Malicious Botnets by Shrinking Them. Computer 39, no. 4 (April 2006): 19.

Paxton, N. C., G. Ahn, R. Kelly, K. Pearson, and B. Chu. 2007. “Collecting and Analyzing Bots in a Systematic Honeynet-based Testbed Environment.” Proceedings of the 11th Colloquium for Information Systems Security Education, Boston University, Boston, MA, June 4-7, 2007.

Rajab, M. A., J. Zarfoss, F. Monrose, and A. Terzis. “Multifaceted Approach to Understanding the Botnet Phenomenon.” Computer Science Department, Johns Hopkins University.

Rajab, M. A., J. Zarfoss, F. Monrose, and A. Terzis. “My Botnet is Bigger than Yours (Maybe, Better than Yours): Why Size Estimates Remain Challenging.” Computer Science Department, Johns Hopkins University.

Zhaosheng, Z., J. F. Zhi, L. Guohan, R. Phil, C. Yan, and H. Keesook. 2008. Botnet Research Survey. Proceedings of the International Computer Software and Applications Conference, 967-972.

Zonghu, Z., R. Ando, and Y. Kadobayashi. 2009. Hardening Botnet by a Rational Botmaster. Lecture Notes in Computer Science 5487: 348-369.

Richard Howard: Measuring the size of a botnet or the power of it seems like an academic exercise which does not help us in the end. If we develop an algorithm that allows us to accomplish the task, what then? We now can measure its relative power. We still have not stopped it. If the problem was limited resources to dismantle all of the botnets in the world and we needed a way to prioritize the effort, then this would be a good idea. But since we don't know how to dismantle even one botnet, this research is not very relevant. It will give us pretty stats but will have not moved us one inch closer to solving the problem.


Salvatore Stolfo: What might be missing here is a focus on new attack surfaces where botnets can be formed and bots herded. For example, most effort is devoted to client-side botnets... but it is technically feasible to construct stealthy botnets using vulnerable network embedded devices, such as web cams, VoIP phones, even home routers. No one is looking to defend these devices from penetration. We have run a scan (see http://hacktory03.cs.columbia.edu/) to measure how many such vulnerable and unprotected devices there may be, and we found an enormous number. A brief report is available describing the results, but the scan is incomplete. We will soon turn our attention to the .mil domain.
