More content and references

This commit is contained in:
Valentin Brandl 2021-11-16 16:02:26 +01:00
parent 7c9b1bf863
commit bf6bc6b0dc
2 changed files with 95 additions and 19 deletions

View File

@ -126,4 +126,21 @@
file = {Karuppayah et al. - 2016 - BoobyTrap On autonomously detecting and character.pdf:/home/me/Zotero/storage/UAUH5ZAN/Karuppayah et al. - 2016 - BoobyTrap On autonomously detecting and character.pdf:application/pdf} file = {Karuppayah et al. - 2016 - BoobyTrap On autonomously detecting and character.pdf:/home/me/Zotero/storage/UAUH5ZAN/Karuppayah et al. - 2016 - BoobyTrap On autonomously detecting and character.pdf:application/pdf}
} }
@inproceedings{andriesse_reliable_2015,
location = {Tokyo Japan},
title = {Reliable Recon in Adversarial Peer-to-Peer Botnets},
isbn = {978-1-4503-3848-6},
url = {https://dl.acm.org/doi/10.1145/2815675.2815682},
doi = {10.1145/2815675.2815682},
eventtitle = {{IMC} '15: Internet Measurement Conference},
pages = {129--140},
booktitle = {Proceedings of the 2015 Internet Measurement Conference},
publisher = {{ACM}},
author = {Andriesse, Dennis and Rossow, Christian and Bos, Herbert},
urldate = {2021-11-16},
date = {2015-10-28},
langid = {english},
file = {Andriesse et al. - 2015 - Reliable Recon in Adversarial Peer-to-Peer Botnets.pdf:/home/me/Zotero/storage/YJZMYTCB/Andriesse et al. - 2015 - Reliable Recon in Adversarial Peer-to-Peer Botnets.pdf:application/pdf}
}
/* vim: set filetype=bib ts=2 sw=2 tw=0 et :*/ /* vim: set filetype=bib ts=2 sw=2 tw=0 et :*/
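Review bot: the new andriesse_reliable_2015 entry (like the BoobyTrap context line above it) carries a `file = {...:/home/me/Zotero/storage/...}` field with an absolute path from the author's own machine; it is useless to anyone else building the document and exposes the local directory layout, so strip the `file` fields from the committed .bib (Better BibTeX's export settings can omit them) or filter them out before committing. Minor: `location = {Tokyo Japan}` wants a comma, `{Tokyo, Japan}`.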

View File

@ -9,7 +9,6 @@ Many personal and professional workflows are so dependent on the internet, that
%{{{ motivation %{{{ motivation
\subsection{Motivation} \subsection{Motivation}
% TODO: fast consumer internet connections 100 Mbit/s ++
The number of connected \ac{iot} devices is around 10 billion in 2021 and estimated to be constantly growing over the next years up to 25 billion in 2030~\cite{statista_iot_2020}. The number of connected \ac{iot} devices is around 10 billion in 2021 and estimated to be constantly growing over the next years up to 25 billion in 2030~\cite{statista_iot_2020}.
Many of these devices run on outdated software, don't receive any updates and don't follow general security best practices. Many of these devices run on outdated software, don't receive any updates and don't follow general security best practices.
While in 2016 only 77\% of German households had a broadband connection with a bandwidth of 50 Mbit/s or more, in 2020 it were already 95\% with more than 50 Mbit/s and 59\% with at least 1000 Mbit/s~\cite{statista_broadband_2021}. While in 2016 only 77\% of German households had a broadband connection with a bandwidth of 50 Mbit/s or more, in 2020 it were already 95\% with more than 50 Mbit/s and 59\% with at least 1000 Mbit/s~\cite{statista_broadband_2021}.
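Review bot: dropping the `% TODO: fast consumer internet connections 100 Mbit/s ++` note leaves the bandwidth statistics without the conclusion the TODO was pointing at; the paragraph states the 50 and 1000 Mbit/s figures but never says why they matter for the motivation (more upstream bandwidth per infected household means more capacity per bot), so add that linking sentence before removing the reminder. Grammar in the retained line: `in 2020 it were already 95\%` should read `in 2020 it was already 95\%`.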
@ -20,23 +19,58 @@ In recent years, \ac{iot} botnets have been responsible for some of the biggest
% TODO: what is a bot? Infected systems. Malware. DGA, beispiele, tree vs graph % TODO: what is a bot? Infected systems. Malware. DGA, beispiele, tree vs graph
A botnet describes a network of connected computers with some way to control the infected systems. A botnet describes a network of connected computers with some way to control the infected systems.
In classic botnets, there are one or more central coordinating hosts called \acp{c2}. In classic botnets, there are one or more central coordinating hosts called \ac{c2} servers.
These \acp{c2} could use anything from \ac{irc} over \ac{http} to Twitter to communicate with the infected systems. These \ac{c2} servers could use anything from \ac{irc} over \ac{http} to Twitter as communication channel with the infected systems.
The infected systems can be abused for a number of things, \eg{} \ac{ddos} attacks, stealing data from victims, as proxies to hide the attackers identity, send spam emails\dots{} The infected systems can be abused for a number of things, \eg{} \ac{ddos} attacks, stealing data from victims, as proxies to hide the attackers identity, send spam emails\dots{}
Analyzing and shutting down a centralized botnet is comparatively easily since every bot knows the IP address, domain name, Twitter handle, \ac{irc} channel \dots{} the \acp{c2} are using. Analyzing and shutting down a centralized botnet is comparatively easily since every bot knows the IP address, domain name, Twitter handle or \ac{irc} channel the \ac{c2} servers are using.
A targeted operation with help from law enforcement, hosting providers, domain registrars and platform providers could shut down or take over the operation by changing how requests are rooted or simply shutting down the controlling servers/accounts. A targeted operation with help from law enforcement, hosting providers, domain registrars and platform providers could shut down or take over the operation by changing how requests are rooted or simply shutting down the controlling servers/accounts.
% TODO: better image for p2p, really needed?
%{{{ fig:c2vsp2p
\begin{figure}[h]
\centering
\begin{subfigure}[b]{.5\textwidth}
\centering
\includegraphics[width=1\linewidth]{c2.pdf}
\caption{Topology of a \ac{c2} controlled botnet}\label{fig:c2}
\end{subfigure}%
\begin{subfigure}[b]{.5\textwidth}
\centering
\includegraphics[width=1\linewidth]{p2p.pdf}
\caption{Topology of a \ac{p2p} botnet}\label{fig:p2p}
\end{subfigure}%
\caption{Communication paths in different types of botnets}\label{fig:c2vsp2p}
\end{figure}
%}}}fig:c2vsp2p
% TODO: too informal? % TODO: too informal?
A number of botnet operations were shut down like this and as the defenders upped their game, so did attackers --- the idea of \ac{p2p} botnets came up. A number of botnet operations were shut down like this and as the defenders upped their game, so did attackers --- the idea of \ac{p2p} botnets came up.
The idea is to build a decentralized network without single points of failure where the \acp{c2} are. The idea is to build a decentralized network without single points of failure where the \ac{c2} servers are as shown in \autoref{fig:p2p}.
In a \ac{p2p} botnet, each node in the network knows a number of it's neighbours and connects to those, each of these neighbours has a list of neighbours on his own, and so on. In a \ac{p2p} botnet, each node in the network knows a number of it's neighbours and connects to those, each of these neighbours has a list of neighbours on his own, and so on.
This lack of a \ac{spof} makes \ac{p2p} botnets more resilient to take-down attempts since the communication is not stopped and botmasters can easily rejoin the network and send commands. This lack of a \ac{spof} makes \ac{p2p} botnets more resilient to take-down attempts since the communication is not stopped and botmasters can easily rejoin the network and send commands.
Formally, a \ac{p2p} botnet can be modeled as a digraph
\[
G = (V, E)
\]
With the set of vertices \(V\) describing the bots in the network and the set of edges \(E\) describing the \enquote{is neighbour of} relationships between bots.
For a vertex \(v \in V\), the in degree \(\deg^{+}(v) = \abs{\{ u \in V \mid (u, v) \in E \}}\) and out degree \(\deg^{-}(v) = \abs{\{ u \in V \mid (v, u) \in E \}}\) describe how many bots know \(v\) and how many nodes \(v\) knows respectively.
% TODO: source for constantly growing, position in text
% TODO: take-down? take down?
The damage produced by botnets has been constantly growing and there are many researchers and law enforcement agencies trying to shut down these operations.
The monetary value of these botnets directly correlates with the amount of effort, botmasters are willing to put into implementing defense mechanisms against take-down attempts.
Some of these countermeasures include deterrence, which limits the amount of allowed bots per IP address or subnet to 1; blacklisting, where known crawlers and sensors are blocked from communicating with other bots in the network (mostly IP based); disinformation, when fake bots are placed in the neighbourhood lists, which invalidates the data collected by crawlers; and active retaliation like \ac{ddos} attacks against sensors or crawlers~\cite{andriesse_reliable_2015}.
%}}} motivation %}}} motivation
%{{{ detection techniques %{{{ detection techniques
\subsection{Detection Techniques for \Acs*{p2p} Botnets} \subsection{Detection Techniques for \Acs*{p2p} Botnets}
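Review bot: the degree notation introduced here, `\deg^{+}(v)` for in-degree and `\deg^{-}(v)` for out-degree, is the reverse of the convention most graph-theory texts use (`\deg^{-}` for in-degree, `\deg^{+}` for out-degree), and the sensor heuristic later in the file is written in this notation, so either swap the signs or state explicitly that the thesis defines them this way; also say that an edge `(u, v)` means `u` has `v` in its neighbour list, which the in-degree wording ("how many bots know \(v\)") assumes but the "is neighbour of" sentence leaves open. Smaller fixes in the retained lines: `rooted` should be `routed`, `it's neighbours` should be `its neighbours`, `on his own` should be `of its own`, and `With the set of vertices ...` after the displayed equation continues the sentence and should start lowercase. `\begin{figure}[h]` will usually be promoted to `[ht]` by LaTeX anyway; `[htbp]` is the common choice.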
@ -50,18 +84,7 @@ This has some advantages in that it is not possible for botmasters to detect or
\citeauthor{zhang_building_2014} propose a system of statistical analysis to solve some of these problems in~\cite{zhang_building_2014}. \citeauthor{zhang_building_2014} propose a system of statistical analysis to solve some of these problems in~\cite{zhang_building_2014}.
Also getting access to the required datasets might not be possible for everyone. Also getting access to the required datasets might not be possible for everyone.
%}}} passive detection % TODO: no context
%{{{ active detection
\subsubsection{Active Detection}
In this case, a subset of the botnet protocol are reimplemented to place pseudo-bots or sensors in the network, which will only communicate with other nodes but won't accept or execute commands to perform malicious actions.
The difference in behaviour from the reference implementation and conspicuous graph properties (\eg{} high $\deg_{\text{in}}$ vs.\ low $\deg_{\text{out}}$) of these sensors allows botmasters to detect and block the sensor nodes.
%}}} active detection
%}}} detection techniques
\begin{itemize} \begin{itemize}
% TODO: BotGrep (in zhang_building_2014) % TODO: BotGrep (in zhang_building_2014)
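Review bot: the `% TODO: no context` placed at the end of the passive-detection block marks a real gap: `Also getting access to the required datasets might not be possible for everyone.` never says which datasets, so either name the data the statistical analysis from \cite{zhang_building_2014} needs or drop the sentence rather than leaving the marker. Moving the active-detection subsubsection out of the middle of the passive section is the right fix, since the `\begin{itemize}` that follows still belongs to passive detection; the `%}}} passive detection` fold marker then has to close after that list, which the following hunk does.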
@ -72,6 +95,30 @@ The difference in behaviour from the reference implementation and conspicuous gr
\end{itemize} \end{itemize}
%}}} passive detection
%{{{ active detection
\subsubsection{Active Detection}
In this case, a subset of the botnet protocol are reimplemented to place pseudo-bots or sensors in the network, which will only communicate with other nodes but won't accept or execute commands to perform malicious actions.
The difference in behaviour from the reference implementation and conspicuous graph properties (\eg{} high \(\deg^{+}\) vs.\ low \(\deg^{-}\)) of these sensors allows botmasters to detect and block the sensor nodes.
There are three subtypes auf active detection:
\begin{enumerate}
\item Crawlers: recursively ask known bots for their neighbourhood lists
\item Sensors: implement a subset of the botnet protocol and become part of the network without performing malicious actions
\item Hybrid of crawlers and sensors
\end{enumerate}
%}}} active detection
%}}} detection techniques
%{{{ detection criteria %{{{ detection criteria
\subsection{Detection Criteria} \subsection{Detection Criteria}
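Review bot: `There are three subtypes auf active detection:` has a German `auf` where `of` is meant, and `a subset of the botnet protocol are reimplemented` should be `is reimplemented`. In the enumerate, the sensor item repeats the definition given two sentences earlier while the hybrid item says nothing about what is combined or why, so give each item one distinguishing property instead. The `high \(\deg^{+}\) vs.\ low \(\deg^{-}\)` criterion describes sensors, which many bots know but which know few bots; say so, or say what makes crawlers conspicuous, rather than stating it for active detection as a whole.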
@ -86,6 +133,18 @@ The difference in behaviour from the reference implementation and conspicuous gr
\end{itemize} \end{itemize}
%}}} detection criteria %}}} detection criteria
%{{{ methodology
\subsection{Methodology}
The implementation of the concepts of this work will be done as part of \ac{bms}\footnotemark, a monitoring platform for \ac{p2p} botnets described by \citeauthor{bock_poster_2019} in~\cite{bock_poster_2019}.
\Ac{bms} uses a hybrid active approach of crawlers and sensors (reimplementations of the \ac{p2p} protocol of a botnet, that won't perform malicious actions) to collect live data from active botnets.
\footnotetext{\url{https://github.com/Telecooperation/BMS}}
%}}} methodology
%}}} introduction %}}} introduction
% vim: set filetype=tex ts=2 sw=2 tw=0 et spell : % vim: set filetype=tex ts=2 sw=2 tw=0 et foldmethod=marker spell :
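Review bot: `\footnotemark` with a separate `\footnotetext` is only needed when the footnote sits in a moving argument or a box; here it is in running text, so `\ac{bms}\footnote{\url{https://github.com/Telecooperation/BMS}}` is simpler and cannot get the mark and text counters out of step if another footnote is added between them. The comma in `protocol of a botnet, that won't perform malicious actions` should go (restrictive clause). The modeline change to `foldmethod=marker` matches the `%{{{`/`%}}}` markers used throughout, fine.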