Modeling and Analysis of Peer-to-Peer Botnets

Peer-to-Peer (P2P) botnets have emerged as one of the most serious threats to Internet security. To effectively eliminate P2P botnets, in this paper, the authors present two novel dynamical models to portray the process of formation of P2P botnets, one of which is called the microlevel model and the other the macrolevel model. Also, the stability of equilibria is investigated along with the analysis of how to prevent the P2P botnet. Furthermore, by analyzing the relationship between infection rate and the proportion of the hosts with countermeasures, we obtain the mathematical expressions of effective immune regions and depict their numerical simulations. Finally, numerical simulations verify the correctness of the mathematical analysis. Our results can provide guidance for security practitioners to defend against and eliminate P2P botnets in a cost-effective way.


Introduction
A botnet is a network of thousands or more compromised hosts under the control of a botnetmaster, which usually recruits new vulnerable computers by running all kinds of malicious software (malware), such as Trojan horses, worms, computer viruses, and so forth [1]. For a variety of nefarious purposes, a botnetmaster who operates a botnet remotely controls those zombie computers to pursue various malicious activities, such as distributed denial-of-service (DDoS) attacks, email spam, password cracking, and so forth [2]. Botnets have turned out to be one of the most serious threats to the Internet [3].
To effectively fight against botnets, researchers have endeavored to explore the working mechanisms of botnets from different perspectives in the past few years (see [4-11]). These existing studies provide perfect insight into the detection and elimination of botnets. Aiming at describing the dynamical characteristics of botnets, Dagon et al. [12] constructed a Susceptible-Infective-Recovered (SIR) model, which took into account the effect of time and location on malware spread dynamics. The model accurately characterizes the population growth of a botnet. Considering the interactions among botnets, Song et al. [1] presented the interaction game model among botnets to investigate the effect of cooperation and competition on the number of botnet individuals.
Most previous botnets, as shown in Figure 1, use Internet relay chat (IRC) as a form of communication for a centralized command and control (C&C) structure. Botnets based on a C&C structure are easily detected and cracked by defenders; moreover, the threats of such botnets can be mitigated and eliminated if the central C&C is unavailable [13]. In comparison, Peer-to-Peer (P2P) botnets, as shown in Figure 2, employ a distributed command-and-control structure and are more robust and more difficult for the security community to defend against. Thus, P2P botnets, such as Trojan.Peacomm and the Storm botnet [14], have emerged and gradually escalated in recent years. The threats of P2P botnets to Internet security have drawn widespread attention. Reference [15] presented a stochastic model of the Storm Worm P2P botnet to examine how different factors, such as the removal rate and the initial infection rate, impact the total propagation of bots. Kolesnichenko et al. developed a mean-field model to analyze P2P botnet behaviors [16]. In their seminal work, Yan et al. [17] mathematically elaborated the performance of a new type of P2P botnet, AntBot, from the perspectives of reachability, resilience to pollution, and scalability. They also developed a P2P botnet simulator to evaluate the effectiveness of the analysis. Furthermore, the authors suggested some potential defense schemes for defenders to effectively disrupt AntBot operations.
For security workers to be better prepared for potentially destructive P2P botnets, it is necessary for them to understand deeply the factors that influence the formation of P2P botnets. Against this backdrop, in this paper, we use mathematical modeling to investigate how immunizations affect the dynamical actions of P2P botnets. Our key contributions are summarized as follows: (i) we propose novel dynamical models which reflect the formation of P2P botnets; (ii) we derive mathematically the feasible region of immunization and depict their numerical simulations; (iii) we suggest a probable immune method for researchers and security professionals.
The remainder of the paper is organized as follows. Section 2 elaborates the modeling mechanism. In Section 3, we derive the equilibria of the models and prove their stabilities. In Section 4, we get the mathematical expressions of immune feasible regions and obtain the results of numerical simulations. In Section 5, we depict the numerical simulations to verify the conclusions of Section 4. Section 6 concludes this paper.

Modeling P2P Botnets
Considering bot candidates and the network a botnet attaches itself to, we roughly divide P2P botnets into three categories [18]: (i) Parasite P2P botnet, in which all bot members are chosen from an existing P2P network; (ii) Leeching P2P botnet, in which bot candidates come from vulnerable hosts throughout the Internet, but they join and depend on an existing P2P network; (iii) Bot-only P2P botnet, which refers to a botnet that occurs in an unattached network, where there are no nonmalignant peers except bots.
For a parasite P2P botnet, once a vulnerable host is compromised by botnet malware, it will directly become a bot member and serve the botmaster without further joining the botnet. Based on this trait, in Section 2.1, we present a deterministic mathematical model named the "microlevel model" to reflect its dynamical features. However, many botmasters extend their scale to the whole Internet to recruit new zombies because the scale of a parasite botnet is limited by the number of peers in an existing P2P network. Constructing this type of P2P botnet takes two steps: the first step is trying to infect new vulnerable hosts throughout the whole Internet, and the second step is newly compromised hosts joining the network and connecting with other bots. In Section 2.2, we use a novel mathematical model, which we call the "macrolevel model", to characterize their dynamical actions.

The Microlevel Model
In this subsection, we employ the classical SIR model, which has been widely used by many researchers to study Internet malware propagation [19-24], to characterize the dynamical behavior of parasite P2P botnets. Let $S(t)$, $I(t)$, and $R(t)$ be the numbers of hosts at time $t$ in states $S$, $I$, and $R$, respectively. Let $N$ be the total number of hosts in a P2P network and be relatively stable, then we have That is, given a P2P network with a total of $N$ hosts, any host in the network will be in one of the states $S$, $I$, or $R$, and the sum of all hosts in these states equals $N$. In addition, unlike the traditional SIR model, our model includes the impact of real-time immunization on virus propagation.
As a result, the model we employ is as follows: where $\mu$ is the replacement rate of the hosts per hour; $\beta$ is the infection rate per hour; $r_s$ is the state transition rate from $S$ to $R$ due to real-time immune measures; $r_i$ is the recovery rate from infected state $I$ to $R$ due to antivirus measures. It is easy to verify that the positive cone $\mathbb{R}^3$ is a positive invariant set with respect to system (2.2), where In what follows, we consider the effect of immunization on computer virus propagation in the P2P network. In reality, it is reasonable to assume that some hosts have immune measures and others do not. Hence, in our model the total hosts can be partitioned into two subclasses: immune and nonimmune hosts. Let $f$ be the proportion of the hosts with immune measures ($0 \le f \le 1$). We make the simple assumption that immunization has no effect on the infected time, so we need only change the infection rate $\beta$. Let $\beta_1$ be the proportion of hosts with immune measures infected by infective hosts, and let $\beta_2$ ($\beta_1 \le \beta_2$) be the proportion of hosts without immune measures infected by infective hosts. Therefore rewrite infection rate $\beta$ as Hence, the new differential equation model can be expressed as follows: (2.4)

The Macrolevel Model
In this subsection, we use a two-stage SIR model to depict the dynamical action of leeching P2P botnets, in which botmasters recruit new bots from the whole Internet. The model monitors four populations: susceptible ($S$) hosts, stage-1-infected ($I_1$) hosts that are compromised but not yet connected with other bots, stage-2-infected ($I_2$) hosts that are indeed bots, and recovered ($R$) hosts. We assume that the number of hosts on the Internet is relatively stable, an assumption often adopted in other existing efforts [25, 26]. Let $N$ be the total number of hosts on the Internet. Then our model can be formulated as follows: where $\mu$ is the replacement rate of the hosts per hour, $\alpha_1$ and $\alpha_2$ are the infection rates per hour, respectively, $r_s$ is the state transition rate from $S$ to $R$ due to real-time immune measures, and $r_i$ ($i = 1, 2$) is the recovery rate from infected state $I_1$ and $I_2$ due to antivirus measures, respectively.
It is easy to verify that the positive cone $\mathbb{R}^4$ is a positive invariant set with respect to system (2.5), where In what follows, we analyze the effect of immunization on the dynamical characteristics of P2P botnets. Let $g$ be the proportion of the hosts that have immune measures ($0 \le g \le 1$). We make the simple assumption that immunization has no effect on the infected time, so we need only change the infection rates $\alpha_1$ and $\alpha_2$. Let $\alpha_{11}$ be the proportion of hosts with immune measures in state $S$ infected by infective hosts $I_1$; let $\alpha_{21}$ be the proportion of hosts with immune measures in state $S$ infected by infective hosts $I_2$; let $\alpha_{12}$ ($\alpha_{11} \le \alpha_{12}$) be the proportion of hosts without immune measures in state $S$ infected by infective hosts $I_1$; and let $\alpha_{22}$ ($\alpha_{21} \le \alpha_{22}$) be the proportion of hosts without immune measures in state $S$ infected by infective hosts $I_2$. Therefore rewrite infection rates $\alpha_1$ and $\alpha_2$ as

2.6
Hence, the new macrolevel differential equation model is 2.7

Model Analysis
To achieve the effective region of $f$ and $g$, we first obtain the stable equilibria for systems (2.4) and (2.7).

The Microlevel Model Analysis
In this subsection, we will solve the equilibria of system (2.4) and investigate their stability.
The first two equations in system (2.4) do not depend on the third equation, and therefore this equation may be omitted without loss of generality. Hence, system (2.4) can be rewritten as

3.1
Now, we analyze system (3.1) by finding its equilibria. Steady states of system (3.1) satisfy the following equation: Solving the system (3.2), we can conclude that system (3.1) always has a virus-free equilibrium (DFE) $E_0 = (\mu N/(\mu + r_s), 0)$. Furthermore, define
Lemma 3.1. DFE $E_0$ is locally asymptotically stable when $R_0 < 1$ and unstable when $R_0 > 1$.
Proof. The characteristic equation of system 3.
Further, we have the following theorem.
Proof. From the first equation of system (3.1), $\dot{S}(t) \le \mu N - (\mu + r_s) S(t)$. (3.5) Thus, When $t \to \infty$, one can get We choose the Lyapunov function to be of the form The time derivative of $V(t)$ along system (3.1) is given by The theorem is proven.
Next, we will analyze the stability of the virus-epidemic equilibrium $E_1$ of system (3.1).
Proof. The characteristic equation of system (3.1) at $E_1$ is given by det where a μ r s R 0 , b μ r s μ r i R 0 − 1 r s 1 − μ . Obviously, in accordance with the relationship between the roots and coefficients of a quadratic equation, all eigenvalues of (3.11) have negative real parts. Thus, $E_1$ is locally asymptotically stable when $R_0 > 1$.
Proof. Consider the following Lyapunov function [26] which is always positive in $\mathbb{R}^2$. Moreover, the function satisfies

3.13
Thus, we prove that the endemic equilibrium E 1 is globally asymptotically stable.

The Macrolevel Model Analysis
In this subsection, we will solve the equilibria of system (2.7) and investigate their stability. The first two equations in system (2.7) do not depend on the third equation, and therefore this equation may be omitted without loss of generality. Hence, system (2.7) can be rewritten as

3.14
The equilibria of system (3.14) are determined by setting $dS(t)/dt = dI_1(t)/dt = dI_2(t)/dt = 0$. There is always a virus-free equilibrium (DFE) $Q_0 = (\frac{\mu}{\mu + r_s} N, 0, 0)$. Furthermore, define
Proof. The characteristic equation of system (3.14) near DFE $Q_0$ can be written as follows: (3.17) The above equation has a characteristic root with negative real part, $\lambda = -(\mu + r_s)$, and roots of where c μ r 2 − α 1 μ/ μ r s δ μ r 1 , d μ r 2 δ μ r 1 1 − R 0 . It is easy to verify that $c$ is always positive. Obviously, when $R_0 < 1$, $d$ is positive. In accordance with the relationship between the roots and coefficients of a quadratic equation, there are no positive real roots of (3.18). Hence, DFE $Q_0$ of system (3.14) is locally asymptotically stable when $R_0 < 1$ and unstable when $R_0 > 1$.
Further, the following theorem holds.
Theorem 3.6. DFE $Q_0$ of system (3.14) is globally asymptotically stable if $R_0 \le 1$.
Proof. From the first equation of system (3.14), we obtain $\dot{S}(t) \le \mu N - (\mu + r_s) S(t)$.

3.19
Thus, When $t \to \infty$, we have $S(t) \le \frac{\mu}{\mu + r_s} N$.

3.21
Consider the Lyapunov function Moreover, in the case of system (3.14), the function satisfies So, the DFE $Q_0$ is globally attractive. Combining this with Lemma 3.5, we have that DFE $Q_0$ is globally asymptotically stable.
Next, we will analyze the stability of the virus-epidemic equilibrium $Q_1$ of system (3.14).

3.25
where According to Hurwitz criteria

3.26
Hence, we can get the following theorem.

Control Strategies of P2P Botnets
Theorems 3.2 and 3.6 indicate that P2P botnets will be eliminated if reasonable antivirus strategies are taken (represented by the formulations of $R_0$ for the two models). Here, we will investigate effective methods of eliminating P2P botnets by deriving the feasible regions of $f$ and $g$. First, we derive the feasible region of $f$. Substituting (2.3) into (3.3), we have According to the meaning of $R_0$, we can quantify the lower limit for an effective immunity $f$. When $R_0 = 1$, it is easy to get We define the "immune effective region" of $f$ as follows: $0 \le f_e < f \le 1$. Similarly, one will get the feasible region of $g$. Substituting (2.6) into (3.15), one can obtain According to the meaning of $R_0$, one can quantify the lower limit for an effective immunization $g$. When $R_0 = 1$, one has Define the "immune effective region" of $g$ as follows.

4.6
Corollary 4.2. If $0 < g_e < 1$ and $g$ satisfies $g_e < g \le 1$, then it is possible to eliminate P2P botnets on the Internet. Otherwise, if $g_e > 1$ or $g_e > g$, then immunization can only reduce the scale of P2P botnets.

Numerical Simulations
To validate the accuracy of $f_e$ obtained from (4.2), we simulate system (2.4) with the following parameters: $N = 100000$, $\mu = 2.28 \times 10^{-4}$, $\beta_2 = 0.8$, $r_s = 0.0059$, $r_i = 0.0059$, $\beta_1 = 0.1$, and (i) $f = 0.95$, where $f > f_e = 0.9079$; (ii) $f = 0.6$, where $f < f_e = 0.9079$. Initial values are set to $S(0) = 99998$, $I(0) = 10$, and $R(0) = 0$, respectively. Figures 5 and 6 show the simulation results with the above two sets of parameters, respectively, which are consistent with the theoretical prediction.
To investigate the effect of different replacement rates $\mu$ on $f$, we depict simulation results of $f_e$ in Figure 9, in which we set $\mu = 1.14 \times 10^{-4}$, $2.28 \times 10^{-4}$, $3.42 \times 10^{-4}$, and $4.57 \times 10^{-4}$, that is, replacement time is one year, nine months, a half year, and three months. Other parameters are the same as in Figure 3.
Similarly, to investigate the effect of $\mu$ on $g$, we set $\mu = 1.14 \times 10^{-4}$, $2.28 \times 10^{-4}$, $3.42 \times 10^{-4}$, and $4.57 \times 10^{-4}$; other parameters are the same as in Figure 4. The simulation result is depicted in Figure 10. Figures 9 and 10 reflect the fact that decreasing the replacement rate of computers can enhance the effectiveness of immunizations. This finding contributes to the management and maintenance of networks in a cost-effective way.
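The microlevel threshold check and the effect of $\mu$ on $f_e$ described above, as an added example that is not the authors' code. The page's equations (2.2)-(2.4), (3.3) and (4.2) did not survive, so the SIR form, $\beta = f\beta_1 + (1-f)\beta_2$ and $R_0 = \beta\mu/((\mu + r_s)(\mu + r_i))$ used here are assumptions, chosen to agree with the bound $\dot{S}(t) \le \mu N - (\mu + r_s)S(t)$ and the equilibrium $E_0$ stated earlier; all function names are illustrative.

```python
# Added illustration, not the paper's code. ASSUMED microlevel model (the
# page's equations are missing), consistent with its bound on dS/dt and E_0:
#   dS/dt = mu*N - beta*S*I/N - (mu + r_s)*S
#   dI/dt = beta*S*I/N - (mu + r_i)*I
#   beta  = f*beta1 + (1 - f)*beta2,  R_0 = beta*mu / ((mu + r_s)*(mu + r_i))
N = 100_000                               # hosts (value from the page)
MU, R_S, R_I = 2.28e-4, 0.0059, 0.0059    # per-hour rates from the page
BETA1, BETA2 = 0.1, 0.8                   # infection rates with / without immunity


def beta(f):
    """Effective infection rate when a fraction f of hosts is immunized."""
    return f * BETA1 + (1 - f) * BETA2


def r0(f, mu=MU):
    """Assumed basic reproduction number of the microlevel model."""
    return beta(f) * mu / ((mu + R_S) * (mu + R_I))


def f_e(mu=MU):
    """Immunization threshold: the f that makes r0(f, mu) equal to 1."""
    beta_crit = (mu + R_S) * (mu + R_I) / mu
    return (BETA2 - beta_crit) / (BETA2 - BETA1)


def deriv(s, i, f):
    """Right-hand side (dS/dt, dI/dt) of the assumed reduced system."""
    new_inf = beta(f) * s * i / N
    return MU * N - new_inf - (MU + R_S) * s, new_inf - (MU + R_I) * i


def simulate(f, s=99998.0, i=10.0, hours=20000, dt=0.5):
    """Integrate (S, I) with classical RK4; initial values as on the page."""
    for _ in range(int(hours / dt)):
        a = deriv(s, i, f)
        b = deriv(s + dt / 2 * a[0], i + dt / 2 * a[1], f)
        c = deriv(s + dt / 2 * b[0], i + dt / 2 * b[1], f)
        d = deriv(s + dt * c[0], i + dt * c[1], f)
        s += dt / 6 * (a[0] + 2 * b[0] + 2 * c[0] + d[0])
        i += dt / 6 * (a[1] + 2 * b[1] + 2 * c[1] + d[1])
    return s, i


if __name__ == "__main__":
    print(f"f_e = {f_e():.4f}")
    for f in (0.95, 0.6):                 # the two cases simulated on the page
        s, i = simulate(f)
        print(f"f={f}: R_0={r0(f):.3f}, infected after 20000 h = {i:.1f}")
    for mu in (1.14e-4, 2.28e-4, 3.42e-4, 4.57e-4):   # replacement rates
        print(f"mu={mu:.2e}: f_e={f_e(mu):.4f}")
```

With the rounded $\mu = 2.28 \times 10^{-4}$ the assumed formula gives $f_e \approx 0.9076$, close to the 0.9079 reported on the page. A threshold above 1, as at $\mu = 4.57 \times 10^{-4}$ with these parameters, means that in this assumed model immunization alone cannot push $R_0$ below 1.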

Conclusions
As a new form of botnet, P2P botnets have attracted considerable attention. In this paper, the authors explore two novel dynamical models. The first is a microlevel model which describes the dynamical behavior of Parasite P2P botnets. The second is the macrolevel model which characterizes the dynamical action of Leeching P2P botnets. Throughout the paper, we focus on the effect of immunization on the dynamics of P2P botnets. Through detailed mathematical analysis, the feasible region of immunization has been derived. In addition, we simulate the feasible region of immunization by using different parameter values. Furthermore, the correctness of the feasible region has been verified.
The thresholds of immunizations have demonstrated that antivirus strategies have great influence on the dynamics of P2P botnets. More specifically, in the feasible regions of immunizations, the spread of computer viruses will be stopped, and the botnet will be cracked. Otherwise, immune measures merely decrease the scale of hosts infected by computer viruses, and the botnet will survive. In addition, our results also show that the replacement rate of computers will affect the threshold of immunizations.
Our investigations can provide insight into the effectiveness of various antivirus measures (e.g., antivirus products and user education). According to the thresholds of (4.2) and (4.5), security organizations can devise cost-effective countermeasures that work well in practice. Our study is limited to unstructured P2P networks, such as Gnutella. Taken a step further, our models can be adapted to topology-independent malware, such as file-sharing worms, viruses, Trojans, and so on. In the future, we will concentrate on the propagation model of topology-aware malware.
Laboratory of Power Transmission Equipment and System Security and New Technology, Chongqing University, under Grant 2007DA10512711206.

Figure 6: The virus propagation result when f < f e .

Figure 7: The result of virus propagation when g > g e .

Figure 10: The effect of different μ on g e .