Simulation and Analysis on the Resiliency and E
#1

Abstract
Future network intruders will probably use an organized army of malicious nodes (here called "malnodes", or collectively a "malnet") to deliver many different attacks, rather than recruiting a disorganized set of compromised nodes per attack. However, partly due to the lack of understanding of the resiliency and efficiency a malnet can have, countering malnets has been ineffective. This paper begins to address this deficiency. Through calculation and simulation for three representative malnets (random, small-world, and Gnutella-like), we show that extremely resilient malnets can be formed to deliver attack code quickly. In particular, we show that disconnecting malnets is possible, but extremely naive approaches such as randomly disinfecting malnodes will not suffice, and effective defenses must either happen very quickly during a second-wave attack, or take effect prior to it.
1. Introduction
An increasingly important problem in network security is the emergence of large numbers of networks of malicious nodes (here called "malnodes", or collectively a "malnet"). A single malnet can be used repeatedly for various nefarious purposes, such as launching DDoS (distributed denial-of-service) attacks, sending spam, or simply stealing computing cycles. Although such networks are not new, recent malnets have increased in number and sophistication. For example, trinoo, a distributed denial-of-service attack tool, builds a simple three-layer trinoo network [1] in which the attacker controls one or more "master" servers, each master controls many "daemons," and the daemons are all instructed to coordinate an attack against one or more victim systems (Figure 1(a)). Botnets and their variants [2] can also be harmful. For example, a botnet can use IRC channels to connect a collection of IRC bots, where each bot is executable (malicious) code on an IRC client [3]. The study in [4] reported two main types of IRC botnet structures: the Hub-Leaf structure in which all bots connect through a hub, resulting in a star architecture (Figure 1(b)), and the Channel structure in which a bot needs to join an IRC channel to listen to commands issued by the controller (Figure 1(c)). According to [2], security experts identify botnets with 10 to 100 compromised hosts several times a day, and botnets with 10,000 or more hosts weekly. Botnets with 100,000 computers have also been found. It is also known that malnodes of a worm can form a worm network through which an attacker can issue commands and perform remote control [6]. In this worm network, every malnode keeps a list of other worm malnodes, and can create encrypted communication channels with them; therefore, the command from the attacker can be injected into any malnode and then propagated further toward all remaining malnodes.
Furthermore, redundancy can be used to keep the worm network connected even if some malnodes are disinfected and thus removed from the network. In this paper, we generalize all of these networks as "malnets", which are overlay networks of malnodes. A malnet can be built by malicious code (such as a worm or a Trojan horse) during its infection phase. Further overlay construction can continue even if that malicious code stops propagating.

Download full report
http://googleurl?sa=t&source=web&cd=2&ve...cs.hmc.edu%2F geoff%2Fiee_smmsm_2005.pdf&ei=af1JTs_3H8HHrQfMxvGxBw&usg=AFQjCNGsgzK5_G3-W-X7bkVfmPnL38Q5EA&sig2=78KlcOPkxuVlnjN_4HZIVg
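The random-disinfection experiment the abstract describes, as an added simulation sketch that is not the paper's code: it builds two of the three topologies (a random graph and a Watts-Strogatz style small-world ring; the Gnutella-like case is omitted), disinfects a uniformly random fraction of malnodes, and reports how much of the malnet stays connected. Node counts, degrees, edge probabilities and seeds are constructed values chosen only to make the run reproducible.

```python
import random
from collections import deque
def ring_lattice_small_world(n, k, beta, seed=0):
    """Watts-Strogatz style: ring lattice with k neighbours, each edge rewired with probability beta."""
    rng, adj = random.Random(seed), {i: set() for i in range(n)}
    for u in range(n):
        for j in range(1, k // 2 + 1):
            v = (u + j) % n
            if rng.random() < beta:               # rewire this edge to a random node
                v = rng.randrange(n)
                while v == u or v in adj[u]:
                    v = rng.randrange(n)
            adj[u].add(v); adj[v].add(u)
    return adj

def random_graph(n, p, seed=0):
    """Erdos-Renyi style: every pair of nodes is linked independently with probability p."""
    rng, adj = random.Random(seed), {i: set() for i in range(n)}
    for u in range(n):
        for v in range(u + 1, n):
            if rng.random() < p:
                adj[u].add(v); adj[v].add(u)
    return adj

def largest_component_fraction(adj, removed):
    """Share of the original malnodes still in the largest connected piece after `removed` are disinfected."""
    alive = set(adj) - set(removed)
    seen, best = set(), 0
    for start in alive:
        if start in seen: continue
        queue, size = deque([start]), 0
        seen.add(start)
        while queue:                              # BFS restricted to surviving malnodes
            u = queue.popleft(); size += 1
            for v in adj[u]:
                if v in alive and v not in seen:
                    seen.add(v); queue.append(v)
        best = max(best, size)
    return best / len(adj)

def random_disinfection(adj, fraction, seed=0):
    """Disinfect a uniformly random `fraction` of malnodes; report what stays connected."""
    removed = random.Random(seed).sample(list(adj), round(fraction * len(adj)))
    return largest_component_fraction(adj, removed)

if __name__ == "__main__":   # constructed run: 500 malnodes, mean degree about 4 in both topologies
    nets = {"random": random_graph(500, 0.008), "small-world": ring_lattice_small_world(500, 4, 0.1)}
    for name, g in nets.items():
        for f in (0.0, 0.1, 0.3, 0.5):
            print(f"{name:12s} disinfect {f:.0%}: largest component {random_disinfection(g, f):.2f}")
```

Comparing the remaining largest-component share across disinfection fractions is the defender's view of the abstract's claim: a malnet with enough redundant links keeps a large connected core until a substantial share of its malnodes has been cleaned.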