diff --git a/assets/avg_out_edges.png b/assets/avg_out_edges.png
index 602904e2..beeb00e3 100644
Binary files a/assets/avg_out_edges.png and b/assets/avg_out_edges.png differ
diff --git a/assets/sensorbuster/sensor_with_outgoing.drawio b/assets/sensorbuster/sensor_with_outgoing.drawio
new file mode 100644
index 00000000..6834fcc4
--- /dev/null
+++ b/assets/sensorbuster/sensor_with_outgoing.drawio
@@ -0,0 +1 @@
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
\ No newline at end of file
diff --git a/assets/sensorbuster/sensor_without_outgoing.drawio b/assets/sensorbuster/sensor_without_outgoing.drawio
new file mode 100644
index 00000000..00c456b0
--- /dev/null
+++ b/assets/sensorbuster/sensor_without_outgoing.drawio
@@ -0,0 +1 @@
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
\ No newline at end of file
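Review bot: only the `.drawio` sources are added here, while the new figure in content.tex includes `sensorbuster/sensor_without_outgoing.drawio.pdf` and `sensorbuster/sensor_with_outgoing.drawio.pdf`. If the build does not export these PDFs from the sources, the exported files need to be part of this commit, otherwise the document will not compile from a clean checkout.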
diff --git a/content.tex b/content.tex
index 9bc55222..c5c80782 100644
--- a/content.tex
+++ b/content.tex
@@ -605,7 +605,6 @@ The following candidates to place on the neighbor list will be investigated:
Returning all the other sensors when responding to peer list requests, thereby effectively creating a complete graph \(K_\abs{C}\) among the workers, creates valid outgoing edges.
The resulting graph will still form a \ac{wcc} with now edges back into the main network.
-Also, this would leak the information about all known sensors to the botmasters.
%{{{ churned peers
\subsubsection{Churned Peers After IP Rotation}
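Review bot: the context line directly above the removed sentence, "will still form a \ac{wcc} with now edges back into the main network", reads like a typo for "no edges" and is worth fixing while this paragraph is being touched. With the leak sentence removed here, the strategy description no longer names any drawback; a short pointer to the evaluation, where the sentence now lives, would keep the reader oriented.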
@@ -634,7 +633,7 @@ Those peers can be used as fake neighbors and create valid-looking outgoing edge
\clearpage{}
\section{Evaluation}
-To evaluate the strategies from above, we took a snapshot of the Sality~\cite{bib:falliere_sality_2011} botnet obtained from \ac{bms} throughout of \daterange{2021-04-21}{2021-04-28}.
+To evaluate the strategies from above, we took a snapshot of the Sality~\cite{bib:falliere_sality_2011} botnet obtained from \ac{bms} throughout of \daterange{2021-04-21}{2021-04-28}, if not stated otherwise.
%{{{ eval load balancing
\subsection{Load Balancing}
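Review bot: in the changed sentence, "throughout of \daterange{...}" is ungrammatical and the trailing ", if not stated otherwise" can be read as qualifying the date range rather than the choice of dataset. Suggest moving the qualifier to the front and dropping "of", e.g. "Unless stated otherwise, we evaluate the strategies from above on a snapshot of the Sality botnet obtained from \ac{bms} throughout \daterange{2021-04-21}{2021-04-28}."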
@@ -875,21 +874,53 @@ Applying PageRank with an initial rank of \(0.25\) once on the example graphs in
While this works for small networks, the crawlers must account for a significant amount of peers in the network for this change to be noticeable.
The generated \(K_n\) needs to be at least as big as the smallest regular component in the botnet, which is not feasible.
+Also, if detected, this would leak the information about all known sensors to the botmasters.
+The limited scalability, and potential information leak, which might be used by botmasters to retaliate against the sensors or the whole monitoring operation, make this approach unusable in real-world scenarios.
%}}} other sensors
+
+\subsubsection{Effectiveness against SensorBuster}
+
+SensorBuster relies on the assumption that sensors don't have any outgoing edges, thereby creating a disconnected graph component.
+
+\begin{figure}[H]
+\centering
+\begin{subfigure}[b]{.5\textwidth}
+ \centering
+ \includegraphics[width=.8\linewidth]{sensorbuster/sensor_without_outgoing.drawio.pdf}
+ \caption{Sensor without outgoing edge creates disconnected graph component}
+\end{subfigure}%
+\begin{subfigure}[b]{.5\textwidth}
+ \centering
+ \includegraphics[width=.8\linewidth]{sensorbuster/sensor_with_outgoing.drawio.pdf}
+ \caption{Single outgoing edge connects sensor back to the main component}\label{fig:sensorbusterWithOutgoing}
+\end{subfigure}%
+\end{figure}
+
+\Fref{fig:sensorbusterWithOutgoing} shows how a single valid edge back into the network (from \emph{Sensor} to peer \num{3} in the example) renders the SensorBuster metric ineffective by making the sensor part of the main graph component.
+
+For the \ac{wcc} metric, it is obvious that even a single edge back into the main network is enough to connect the sensor back to the main graph and therefore beat this metric.
+
+\todo{formulieren}
+
+\subsubsection{Effectiveness against Page- and SensorRank}
+
+In this section we will evaluate how adding outgoing edges to a sensor impacts it's PageRank and SensorRank values.
+Before doing so, we will check the impact of the initial rank by calculating it with different initial values and comparing the value distribution of the result.
+
\begin{table}[H]
\centering
\begin{tabular}{lllll}
\textbf{Iteration} & \textbf{Avg. PR} & \textbf{Crawler PR} & \textbf{Avg. SR} & \textbf{Crawler SR} \\
- 1 & 0.24854932 & 0.63277194 & 0.15393478 & 0.56545578 \\
- 2 & 0.24854932 & 0.63277194 & 0.15393478 & 0.56545578 \\
- 3 & 0.24501068 & 0.46486353 & 0.13810930 & 0.41540997 \\
- 4 & 0.24501068 & 0.46486353 & 0.13810930 & 0.41540997 \\
- 5 & 0.24233737 & 0.50602884 & 0.14101354 & 0.45219598 \\
+ \num{1} & \num{0.24854932} & \num{0.63277194} & \num{0.15393478} & \num{0.56545578} \\
+ \num{2} & \num{0.24854932} & \num{0.63277194} & \num{0.15393478} & \num{0.56545578} \\
+ \num{3} & \num{0.24501068} & \num{0.46486353} & \num{0.13810930} & \num{0.41540997} \\
+ \num{4} & \num{0.24501068} & \num{0.46486353} & \num{0.13810930} & \num{0.41540997} \\
+ \num{5} & \num{0.24233737} & \num{0.50602884} & \num{0.14101354} & \num{0.45219598} \\
\end{tabular}
- \caption{Values for PageRank iterations with initial rank \(\forall v \in V : \text{PR}(v) = 0.25\)}\label{tab:pr_iter_table_25}
+ \caption{Values for PageRank iterations with initial rank \(\forall v \in V : \text{PR}_0(v) = 0.25\)}\label{tab:pr_iter_table_25}
\end{table}
\begin{figure}[H]
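Review bot: `\todo{formulieren}` is left in the new SensorBuster subsection, right after the \ac{wcc} sentence, and should be resolved or removed before this is merged. In the same block, "impacts it's PageRank" should be "its", the new two-panel figure has no overall `\caption`/`\label` (only the second subfigure is labelled), and the SensorBuster and \ac{wcc} sentences make the same point twice and could be merged.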
@@ -904,20 +935,20 @@ The generated \(K_n\) needs to be at least as big as the smallest regular compon
\includegraphics[width=1\linewidth]{0.25_5_sr.png}
\caption{Distribution after 5 iterations}\label{fig:dist_sr_25_5}
\end{subfigure}%
- \caption{SensorRank distribution with initial rank \(\forall v \in V : \text{PR}(v) = 0.25\)}\label{fig:dist_sr_25}
+ \caption{SensorRank distribution with initial rank \(\forall v \in V : \text{PR}_0(v) = 0.25\)}\label{fig:dist_sr_25}
\end{figure}
\begin{table}[H]
\centering
\begin{tabular}{lllll}
\textbf{Iteration} & \textbf{Avg. PR} & \textbf{Crawler PR} & \textbf{Avg. SR} & \textbf{Crawler SR} \\
- 1 & 0.49709865 & 1.26554389 & 0.30786955 & 1.13091156 \\
- 2 & 0.49709865 & 1.26554389 & 0.30786955 & 1.13091156 \\
- 3 & 0.49002136 & 0.92972707 & 0.27621861 & 0.83081993 \\
- 4 & 0.49002136 & 0.92972707 & 0.27621861 & 0.83081993 \\
- 5 & 0.48467474 & 1.01205767 & 0.28202708 & 0.90439196 \\
+ \num{1} & \num{0.49709865} & \num{1.26554389} & \num{0.30786955} & \num{1.13091156} \\
+ \num{2} & \num{0.49709865} & \num{1.26554389} & \num{0.30786955} & \num{1.13091156} \\
+ \num{3} & \num{0.49002136} & \num{0.92972707} & \num{0.27621861} & \num{0.83081993} \\
+ \num{4} & \num{0.49002136} & \num{0.92972707} & \num{0.27621861} & \num{0.83081993} \\
+ \num{5} & \num{0.48467474} & \num{1.01205767} & \num{0.28202708} & \num{0.90439196} \\
\end{tabular}
- \caption{Values for PageRank iterations with initial rank \(\forall v \in V : \text{PR}(v) = 0.5\)}\label{tab:pr_iter_table_5}
+ \caption{Values for PageRank iterations with initial rank \(\forall v \in V : \text{PR}_0(v) = 0.5\)}\label{tab:pr_iter_table_5}
\end{table}
\begin{figure}[H]
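Review bot: in the table rows, iterations 1 and 2 have identical values in all four columns, and so do iterations 3 and 4. If the ranks really only change on every second iteration, the text should say why; otherwise the export of the per-iteration values should be checked. The caption also says "Values for PageRank iterations" while two of the columns are SensorRank, so it should name both.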
@@ -932,20 +963,20 @@ The generated \(K_n\) needs to be at least as big as the smallest regular compon
\includegraphics[width=1\linewidth]{0.50_5_sr.png}
\caption{Distribution after 5 iterations}\label{fig:dist_sr_50_5}
\end{subfigure}%
- \caption{SensorRank distribution with initial rank \(\forall v \in V : \text{PR}(v) = 0.5\)}\label{fig:dist_sr_50}
+ \caption{SensorRank distribution with initial rank \(\forall v \in V : \text{PR}_0(v) = 0.5\)}\label{fig:dist_sr_50}
\end{figure}
\begin{table}[H]
\centering
\begin{tabular}{lllll}
\textbf{Iteration} & \textbf{Avg. PR} & \textbf{Crawler PR} & \textbf{Avg. SR} & \textbf{Crawler SR} \\
- 1 & 0.74564797 & 1.89831583 & 0.46180433 & 1.69636734 \\
- 2 & 0.74564797 & 1.89831583 & 0.46180433 & 1.69636734 \\
- 3 & 0.73503203 & 1.39459060 & 0.41432791 & 1.24622990 \\
- 4 & 0.73503203 & 1.39459060 & 0.41432791 & 1.24622990 \\
- 5 & 0.72701212 & 1.51808651 & 0.42304062 & 1.35658794 \\
+ \num{1} & \num{0.74564797} & \num{1.89831583} & \num{0.46180433} & \num{1.69636734} \\
+ \num{2} & \num{0.74564797} & \num{1.89831583} & \num{0.46180433} & \num{1.69636734} \\
+ \num{3} & \num{0.73503203} & \num{1.39459060} & \num{0.41432791} & \num{1.24622990} \\
+ \num{4} & \num{0.73503203} & \num{1.39459060} & \num{0.41432791} & \num{1.24622990} \\
+ \num{5} & \num{0.72701212} & \num{1.51808651} & \num{0.42304062} & \num{1.35658794} \\
\end{tabular}
- \caption{Values for PageRank iterations with initial rank \(\forall v \in V : \text{PR}(v) = 0.75\)}\label{tab:pr_iter_table_75}
+ \caption{Values for PageRank iterations with initial rank \(\forall v \in V : \text{PR}_0(v) = 0.75\)}\label{tab:pr_iter_table_75}
\end{table}
\begin{figure}[H]
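Review bot: wrapping every cell in `\num{...}` inside a `{lllll}` tabular is repeated across all three tables and leaves the numbers left-aligned as text. Using siunitx `S` columns for the four numeric columns (with the bold headers wrapped in braces) would align the values on the decimal marker and remove the per-cell `\num`. The new `\text{PR}_0` notation in the captions should also be introduced where PageRank is defined, if it is not already.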
@@ -960,26 +991,27 @@ The generated \(K_n\) needs to be at least as big as the smallest regular compon
\includegraphics[width=1\linewidth]{0.75_5_sr.png}
\caption{Distribution after 5 iterations}\label{fig:dist_sr_75_5}
\end{subfigure}%
- \caption{SensorRank distribution with initial rank \(\forall v \in V : \text{PR}(v) = 0.75\)}\label{fig:dist_sr_75}
+ \caption{SensorRank distribution with initial rank \(\forall v \in V : \text{PR}_0(v) = 0.75\)}\label{fig:dist_sr_75}
\end{figure}
-The distribution graphs in \Fref{fig:dist_sr_25}, \Fref{fig:dist_sr_50} and \Fref{fig:dist_sr_75} show that the initial rank has no effect on the distribution, only on the actual numeric rank values.
+The distribution graphs in \Fref{fig:dist_sr_25}, \Fref{fig:dist_sr_50} and \Fref{fig:dist_sr_75} show that the initial rank has no effect on the distribution, only on the actual numeric rank values and how far apart they are spread.
-For all combinations of initial value and PageRank iterations, the rank for a well-known crawler is in the \nth{95} percentile, so for our use case, those parameters do not matter.
+For all combinations of initial value and PageRank iterations, the rank for a well-known crawler is in the \nth{95} percentile, so for our use case---detecting sensors due their high ranks---those parameters do not matter.
-On average, peers in the analyzed dataset have \num{223} successors over the whole week.
-Looking at the data in smaller buckets of one hour each, the average number of successors per peer is \num{90}.\todo{timeline with peers per bucket}
+% On average, peers in the analyzed dataset have \num{223} successors over the whole week.
+Looking at the data in smaller buckets of one hour each, the average number of successors per peer is \num{90}.
%{{{ fig:avg_out_edges
-\begin{figure}[h]
+\begin{figure}[H]
\centering
\includegraphics[width=1\linewidth]{./avg_out_edges.png}
\caption{Average outgoing edges per peer per hour}\label{fig:avg_out_edges}
\end{figure}
-\todo{use better data?}
%}}}fig:avg_out_edges
-Experiments were performed, in which a percentage of random outgoing edges were added to the known sensor, based on the amount of incoming edges:
+% Experiments were performed, in which a percentage of random outgoing edges were added to the known sensor, based on the amount of incoming edges:
+We evaluate the impact of outgoing edges by picking a percentage of random nodes in each bucket and creating edges from the sensor to each of the sampled peers, thereby evening the ratio between \(\deg^{+}\) and \(\deg^{-}\).
+
\begin{figure}[H]
\centering
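Review bot: the two replaced sentences ("On average, peers in the analyzed dataset have \num{223} successors..." and "Experiments were performed...") are commented out rather than deleted; version control already keeps them, so they should be removed from the source. In the added text, "due their high ranks" is missing "to", and "has no effect on the distribution, only on ... how far apart they are spread" contradicts itself, since spread is a property of the distribution; "no effect on the shape of the distribution" may be what is meant. "evening the ratio between \(\deg^{+}\) and \(\deg^{-}\)" would be clearer with the sampled percentages stated.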
@@ -1030,7 +1062,6 @@ Experiments were performed, in which a percentage of random outgoing edges were
\end{figure}
These results show, that simply adding new edges is not enough and we need to limit the incoming edges to improve the Page- and SensorRank metrics.
-For the \ac{wcc} metric, it is obvious that even a single edge back into the main network is enough to connect the sensor back to the main graph and therefore beat this metric.
%}}} eval creating edges
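Review bot: the remaining conclusion line still reads "These results show, that simply adding new edges is not enough", where the comma after "show" should go. Moving the \ac{wcc} sentence out of this paragraph is fine, as it is now in the new SensorBuster subsection.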
diff --git a/report.pdf b/report.pdf
index 4c483509..de2a19e3 100644
Binary files a/report.pdf and b/report.pdf differ
diff --git a/report.tex b/report.tex
index 28619987..93bd7301 100644
--- a/report.tex
+++ b/report.tex
@@ -68,6 +68,7 @@ headsepline,
\sisetup{%
group-separator={,},
group-minimum-digits=5,
+ group-digits=integer,
range-phrase={\text{\ensuremath{-}}},
per-mode = fraction,
fraction-function=\nicefrac,
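Review bot: the new `group-digits=integer` line has no explanation, and its interaction with `group-separator={,}` and `group-minimum-digits=5` is not obvious to the next editor. A one-line comment stating that it keeps the eight-decimal rank values in the tables from being split into comma-separated groups would help. The option spacing in this block is also inconsistent (`per-mode = fraction` versus `group-digits=integer`).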