Microsimulations of a Botnet’s Lifecycle

Conference abstract and presentation

Abstract

Botnet is the most dangerous weapon in modern hackers’ arsenal (Abu Rajab, et al. 2006). It consists of a network of computers ("zombie army") that have unknowingly been infected by malicious software (spread by e.g. hijacked emails or websites), and taken over by a remote source (Command & Control centre) for nefarious purposes. These may include spamming, phishing, hosting illegal materials, mining Bitcoin, DDoS attacks, penetrating corporate networks, stealing sensitive data, or sabotaging strategic country infrastructures, thus posing a national security threat. Botnet attack prevention, detection and mitigation is the major task of cybersecurity organisations like NASK.

Currently used forensic procedures are based on low-level analysis of malicious software and tracing the activity of operating botnets. An important network security indicator is the actual size of the zombie army, so far estimated in a crude and ad hoc fashion, based on tracing zombies’ communication with C&C centres infiltrated and seized by cybersecurity teams (sinkholes). Existing theoretical models of botnets are too simplistic to be used in practice and don’t exploit information from the acquired data, see e.g. (Santos & Moura 2017).

Our goal was to built a simulation of a large-scale computer network exposed to a cyberattack in order to model the lifecycle of a botnet, find statistical estimators of infection rate and botnet size, recognise cybersecurity threats via the analysis of possible attack scenarios, as well as test interventions. We achieved it using a spatial microsimulation (Monte-Carlo) technique with elements of multiagent modelling (Werpachowska 2017, Werpachowska & Werpachowski 2017), which exploits available information about the analysed Internet infrastructure, computer systems and configurations, Internet providers’ and users’ nuanced practices and behaviours. Finally, our microsimulation in combination with statistical optimisation methods (Shahriari, et al. 2016) enables us to reverse-engineer of the likely size, structure and operation of the botnet based on the stream of data about the activity of zombies tracked by sinkholes.

The figure shows an example of a botnet lifecycle in the environment of 355,000 computers (desktops and laptops) connected in (and sometimes moving between) 80,000 household and 3,750 corporate networks with varying grade of susceptibility dependent on the OS type (Windows or Linux) and version, antivirus, administrator maintenance and user habits. The zombie computers switch between the mode of propagating the malicious software (via infected emails), working on other tasks assigned to them by the C&C centre or going dormant. The OS and antivirus software providers publish patches and upgrades, which can be applied by network administrators or computer users.

Abu Rajab, M., J. Zarfoss, F. Monrose, and A. Terzis. “A multifaceted approach to understanding the botnet phenomenon.” Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement 2006. Rio de Janeiro, Brazil, 2006. 41-52.

Santos, A. A., Nogueira M., and J. M. F. Moura. “A Stochastic Adaptive Model to Explore Mobile Botnet Dynamics.” IEEE Communications Letters, 2017: 753-756.

Shahriari, B., K. Swersky, Z. Wang, R. P. Adams, and N. de Freitas. “Taking the Human Out of the Loop: A Review of Bayesian Optimization.” Proceedings of the IEEE, 2016: 148-175.

Werpachowska, A. “Forecasting the impact of state pension reforms in post-Brexit England and Wales.” Proceedings of PenCon 2018 Pensions Conference. Lodz, Poland, 2017. 120-132.

Werpachowska, A., and R. Werpachowski. “Microsimulations of Demographic Changes in England and Wales Under Different EU Referendum Scenarios.” International Journal of Microsimulation, 2017: 103-117.

Presentation

Download PDF