Modeling Peer-to-Peer Botnet on Scale-Free Network

Peer-to-peer (P2P) botnets have emerged as one of the serious threats to Internet security. To prevent effectively P2P botnet, in this paper, a mathematical model which combines the scale-free trait of Internet with the formation of P2P botnet is presented. Explicit mathematical analysis demonstrates that the model has a globally stable endemic equilibrium when infection rate is greater than a critical value. Meanwhile, we find that, in scale-free network, the critical value is very little. Hence, it is unrealistic to completely dispel the P2P botnet. Numerical simulations show that one can take effective countermeasures to reduce the scale of P2P botnet or delay its outbreak. Our findings can provide meaningful instruction to network security management.


Introduction
A botnet is a network of thousands of compromised computers (bots) under the control of botmaster, which usually recruits new vulnerable computers by running all kinds of malicious software, such as Trojan horses, worms, and computer viruses [1].For nefarious profits, the botnetmaster which operates a botnet manipulates remotely zombie computers to work on various malicious activities, such as distributed denial-of-service attacks (DDoS), email spam, and password cracking.Nowadays, botnets have become one of the most serious threats to Internet.
According to operating mechanism of botnets, there are two kinds of botnets.One is the traditional botnet using Internet relay chat (IRC) as a form of communication for centralized command and control (C&C) structure (see Figure 1 [2]).The other is peer-to-peer botnet utilizing a distributed command-and-control structure (see Figure 2 [2]).Traditional botnets are easily checked and cracked by defenders, and the threats of botnets can be mitigated and eliminated if the central of C&C is unavailable [3].By contrast, P2P botnets employing a decentralized commandand-control structure are more robust and are much harder for security community to dismantle [4].Therefore, P2P botnets, such as Trojan.Peacomm and Storm botnet [5], have emerged and gradually escalated in recent years.Moreover, P2P botnets are increasingly sophisticated and thus their potential damage is much greater than traditional botnets.Further, the potential for more damage exits in the future.
Therefore, threats of P2P botnets to Internet security have drawn widespread attention [6][7][8][9][10][11][12].Yan et al. [6] mathematically analyzed the performance of Antbot-a new type of P2P botnets-from the perfectives of resilience, reachability, and scalability, and the authors developed a distributed P2P botnet simulator to evaluate the effectiveness of Antbot against pollution-based mitigation in practice.Kolesnichenko et al. [7] developed the mean-field model to analyze behaviors of P2P botnet and compared it with simulations obtained from the Mobius tool (a software tool for modeling the behavior of complex systems).Results show that the mean-field method is much faster than simulation for predicting the behavior of P2P botnet.van Ruitenbeek and Sanders [8] presented a stochastic model of Storm Worm P2P botnet to examine how different factors, such as the removal rate and the initial infection rate, impact the total propagation bots.To be well prepared for future botnet attacks, Wang et al. [9] studied advanced botnet attack techniques that could be developed by botmasters in the future and proposed the design of an advanced hybrid P2P botnet.Results show that a honeypot, in computer terminology, is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers-play an important role to defend against an advanced botnet.
Nevertheless, few people studied the dynamical behaviors of P2P botnets.In [7], the authors proposed a mean-field model of P2P botnet, but the model has not been analyzed mathematically.In fact, explicit mathematical analysis contributes to understand deeply the prevalent characteristics of P2P botnet.Aiming at describing the dynamics of P2P botnets in a more effective way, in this paper, we employ the dynamical model of computer worms, which has been widely used by many researchers to study Internet malware propagation [13][14][15][16][17][18][19][20][21][22].As many botnets are created by computer worms [23], it is reasonable to describe the prevalence of P2P botnets with the model of worm propagation.In addition, by analyzing data from real computer virus epidemics, the authors [24] pointed out the importance of incorporating the peculiar topology of scale-free network in the theoretical description of computer worm propagation.In biological epidemic areas, there is much valuable research which considers the effect of complex network on pathophoresis [25,26].However, we have not seen the report which considers the effect of complex network on prevalence of P2P botnet.Hence, it is necessary to examine the effect of the topology of the network on the propagation of P2P botnet.
In this paper, the dynamics of leaching P2P botnets are investigated.In a leaching P2P botnet, botmasters recruit new zombies on the Internet.For constructing this kind of P2P botnet, there are two steps: the first step is trying to infect new vulnerable hosts throughout the Internet, and the second step is newly compromised hosts joining the botnet and connecting with other bots [2].In SF network, taking into account the heterogeneity induced by the hosts with different degree , we divide the hosts into different states where the hosts in each state have the same degree .

The Model
To model the propagation of the P2P botnet on the Internet, we assume that the total number of nodes on Internet is a constant .Each node changes over time among four states: susceptible (), exposed (), infected (), and recovered () due to the spread of computer worm.We describe these four states in detail as follows.
(1) Susceptible (): a node has the software vulnerability that the bot program can exploit.
(2) Exposed (): a node has been infected by the bot program, but it has not become a member of P2P botnet.
(3) Infected (): a node is a formal member of P2P botnet, which means the node can infect its neighbors with the bot program.
(4) Removed (): a node has installed a detection tool that can identify and remove the bot program, or a node has installed a software patch to eliminate the node vulnerability exploited by the bot program.
There are five state transitions among these four states.
(1) Propagating the bot program: nodes in the "susceptible" state will change to the "exposed" state with the infection rate .
(2) Joining the P2P botnet from exposed state: nodes in the "exposed" state will join the P2P botnet under the control of the botmaster and change to "infected" state at the proportion .
(3) Immunizing nodes from susceptible state: nodes in the "susceptible" state will change to the "recovered" state at the proportion   if corresponding nodes take countermeasures, for example, antivirus software, patching, firewall, and intrusion detection system (IDS).The immune rate is affected by many factors, for example, user vigilance.
(4) Immunizing nodes from exposed state: nodes in the "exposed" state will change to the "recovered" state at the proportion  1 if corresponding nodes take antivirus countermeasures.
(5) Immunizing nodes from infected state: nodes in the "infected" state will change to the "recovered" state at the proportion  2 if corresponding nodes take antivirus countermeasures.

Model Analysis
In this subsection, we solve the equilibria of system (2) and investigate their stability.The first three equations in system (2) do not depend on the fourth equation, and, therefore, this equation may be omitted without loss of generality.Hence, system (2) can be rewritten as The equilibria of system (7)  ( There is always a disease-free equilibrium (DFE)  0 = (/( +   ), 0, 0).Furthermore, solving the endemic equilibrium of (5), one can obtain  1 = ( *  ,  *  ,  *  ), where Substituting  *  into (3), we have Obviously, if the endemic equilibrium exists, there must be and it equals Let   be the minimum value of  satisfying the above inequality.Then, that is where Hence, Summarizing the above analysis, one can get the following theorem.
In what follows, the endemic-equilibrium point  * will be analyzed.
The Jacobian matrix of system (4) at  * is ) , and the associated characteristic equation is where According to Hurwitz criteria [27], Hence, one can obtain the following lemmas.
The proofs of the above conclusions are similar to those presented in [28,29].Here, we will omit them.
Next, main results will be presented.

Numerical Examples.
In this subsection we present the results of numerical experiments investigating the effectiveness of theoretic analysis.In order to observe the effects of parameters on transmission process, we use system (4) to simulate the evolution behavior of P2P botnet for given parameters on SF network with ⟨⟩ = 8 and  = 100000.Here, we set the parameter values of system (4) which are, respectively,  = 0.01,   = 0.01,  1 = 0.06,  2 = 0.06, and  = 0.6.By calculation, one can obtain   = 1.49× 10 −5 .Figures 3 and 4 show the simulation results with  = 0.005 >   and  = 1.5 × 10 −6 <   , respectively, which are consistent with theoretical analysis.
From the conclusion of Theorem 7, we learn that it is necessary for eliminating P2P botnet on the Internet to let  <   by corresponding countermeasures.Meanwhile, the simulation results show that the critical value of infection   is very little, and this means that it is difficult to destroy completely the P2P botnet in reality.

Control Strategies.
In what follows, we consider mainly the effect of the real-time immune measurement and antivirus software on the scale of the P2P botnet.
From Figure 5, it can be observed that enhancing real-time immune measures contributes to reduce the scale of P2P botnet and delay its outbreak.Hence, it is strongly advised that network users should install patches for bugs in time and update antivirus software to the latest version.
(ii) For fixed model parameters,  = 0.01,  1 = 0.06,  2 = 0.06,   = 0.01, and  = 0.005, we investigate the effect of antivirus software () on the scale of P2P botnet.Simulation results are depicted in Figure 6.The profile of Figure 6 demonstrates that the larger percent conversion from  to  there is, the bigger scale a P2P botnet has.Thus, it is proposed that malware is killed when the node is infected by the bot program but does not join botnet.Additionally, the effect of average degree ⟨⟩ on prevalent behavior of P2P botnet is depicted in Figure 7. From Figure 7, we find that the scale of P2P botnet will increase when ⟨⟩ becomes larger.So decreasing the average degree of network can also control the massive outbreak of P2P botnet.

Conclusions
As a new kind of attack platform to network security, P2P botnets have attracted considerable attention.Research is necessary to fully understand the threat and prepare to defend against it.To better exploit the spreading behavior of P2P botnet, in this paper, we present a mathematical model of creation of P2P botnet, which combines the scale-free character of Internet with the formation trait of P2P botnet.Hence, the model can portrait more accurately the dynamical features of P2P botnet propagation.Theoretical analysis shows that the model has a globally stable endemic equilibrium.The influence of some parameters to the scale of P2P botnet has been investigated.Simulation results demonstrate that it is difficult to destroy completely the P2P botnet in reality.This is the reason that many malwares saturate to a very low level of persistence [30].However, Figures 6 and 7 show that we can reduce the scale of P2P botnet and delay its outbreak by efficient countermeasures, such as real-time immunity or autorunning of antivirus software.
The dynamical model we present could be extended to study the growth possibilities of P2P botnets in future work.The model is also possible to predict how botnetmasters could create more potent and aggressive botnets.Such predictions could ultimately be useful to antimalware developers as well.In what follows, consider the convergence of the sequence defined in (A.2).By (A.2), for all ,  (2)   ≤ 1 =  (1)   .If for all ,  (+1)  ≤  ()   , then it is easy to obtain  (+2)  ≤  (+1)  .By induction, for all , the sequence  ()  is decreasing, so its limit exists, denoted by   = lim  → ∞  ()   .Then it is easy to show that   = lim  → ∞ sup   () ≤   .

Figure 5 :Figure 6 :
Figure 5: An illustration of the impact of real-time immune measure (  ) on the density of infected nodes.

Figure 7 :
Figure 7: An illustration of the impact of average degree (⟨⟩) on the density of infected nodes.