diff --git a/acronyms.tex b/acronyms.tex index 916b3f6e..b15ed756 100644 --- a/acronyms.tex +++ b/acronyms.tex @@ -58,4 +58,9 @@ long = {Botnet Monitoring System} } +\DeclareAcronym{bsf}{ + short = {BSF}, + long = {Botnet Simulation Framework} +} + % vim: set filetype=tex ts=2 sw=2 tw=0 et : diff --git a/content.tex b/content.tex index 256c4215..3c27ef27 100644 --- a/content.tex +++ b/content.tex 
@@ -147,14 +147,17 @@ There are three subtypes auf active detection: \section{Methodology} The implementation of the concepts of this work will be done as part of \ac{bms}\footnotemark, a monitoring platform for \ac{p2p} botnets described by \citeauthor{bock_poster_2019} in~\cite{bock_poster_2019}. -\Ac{bms} uses a hybrid active approach of crawlers and sensors (reimplementations of the \ac{p2p} protocol of a botnet, that won't perform malicious actions) to collect live data from active botnets. - \footnotetext{\url{https://github.com/Telecooperation/BMS}} +\Ac{bms} uses a hybrid active approach of crawlers and sensors (reimplementations of the \ac{p2p} protocol of a botnet, that won't perform malicious actions) to collect live data from active botnets. % TODO: reference for page rank In an earlier project, I implemented different node ranking algorithms (among others \enquote{PageRank}~\cite{page_pagerank_1998}) to detect sensors and crawlers in a botnet, as described in \citetitle{karuppayah_sensorbuster_2017}. +Both ranking algorithms use the \(\deg^+\) and \(\deg^-\) to weight the nodes. +Another way to enumerate candidates for sensors in a \ac{p2p} botnet is to find weakly connected components in the graph. +Sensors will have few to none outgoing edges, since they don't participate actively in the botnet. The goal of this work is to complicate detection mechanisms like this for botmasters, by centralizing the coordination of the system's crawlers and sensors, thereby reducing the node's rank for specific graph metrics. +The changes should allow the current sensors to use the new abstraction with as few changes as possible to the existing code. The final result should be as general as possible and not depend on any botnet's specific behaviour but it assumes, that every \ac{p2p} botnet has some kind of \enquote{getNeighbourList} method in the protocol, that allows other peers to request a list of active nodes to connect to. 
@@ -164,19 +167,36 @@ That sensor will be responsible to monitor the new node. If it is not possible, to select a specific sensor so that the monitoring activity stays inconspicuous, the coordinator can do a complete shuffle of all nodes between the sensors to restore the wanted graph properties or warn if more sensors are required to stay undetected. +The improved sensor system should allow new sensors to register themselves and their capabilities (\eg{} bandwidth, geolocation, ), so the amount of work can be scaled accordingly between hosts. +Further work might even consider autoscaling the monitoring activity using some kind of cloudcomputing provider. + +To validate the result, the old sensor implementation will be compared to the new system using different graph metrics. + +% TODO: maybe? +If time allows, \ac{bsf}\footnotemark{} will be used to simulate a botnet place sensors in the simulated network and measure the improvement archived by the coordinated monitoring effort. +\footnotetext{\url{https://github.com/tklab-tud/BSF}} + +% TODO: which botnet? +As a proof of concept, the coordinated monitoring approach will be implemented and deployed in the (Sality, Mirai, ...)? botnet. + +%}}} methodology %{{{ primitives \subsection{Protocol Primitives} The coordination protocol must allow the following operations: +% TODO: Testnet + testnet crawler erweitern um mit complete knowledge zu verifizieren + %{{{ sensor to backend \subsubsection{Sensor to Backend} \begin{itemize} + % TODO: bestehende session Mechanik verwenden/erweitern \item \mintinline{go}{registerSensor(capabilities)}: Register new sensor with capabilities (which botnet, available bandwidth, \ldots) + % TODO: failedTries im backend statt eigenem nachrichtentyp \item \mintinline{go}{unreachable(targets)}: \end{itemize}
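Review bot: in the `@@ -147,14 +147,17 @@` hunk of content.tex, the added line "Both ranking algorithms use the \(\deg^+\) and \(\deg^-\) to weight the nodes." has no referent for "Both" (the preceding sentence names only PageRank among "different node ranking algorithms") and is missing the noun after "the"; name the two algorithms and say which degree each symbol denotes, e.g. "Both ranking algorithms use the in- and out-degree (\(\deg^+\), \(\deg^-\)) of a node as weights". The weakly-connected-component sentence should state why few outgoing edges put sensors into their own components, or cite where that is shown, and "few to none outgoing edges" should read "few to no outgoing edges". Smaller points: the moved `\Ac{bms}` sentence keeps the stray comma in "botnet, that won't perform", and the unchanged `% TODO: reference for page rank` comment looks stale now that `\cite{page_pagerank_1998}` is present.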
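Review bot: in the `@@ -164,19 +167,36 @@` hunk of content.tex, the entry `\item \mintinline{go}{unreachable(targets)}:` has an empty description, and its own TODO (`failedTries im backend statt eigenem nachrichtentyp`, i.e. track failed tries in the backend instead of a dedicated message type) suggests the message may be dropped; either describe the operation or leave the item out until that decision is made. The capability list `(\eg{} bandwidth, geolocation, )` ends in an empty element; close it with `\ldots` as the registerSensor item does. Typos in the added text: "cloudcomputing" should be "cloud computing", "improvement archived" should be "improvement achieved", and "simulate a botnet place sensors in the simulated network and measure" needs punctuation ("simulate a botnet, place sensors in the simulated network and measure"). The "(Sality, Mirai, ...)?" placeholder and the German TODO comments should be resolved before this is merged.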