A Study of BotNet Diffusion Patterns and the Effectiveness of Network Defense Management Strategies Based on the SIR Epidemic Model
Acknowledgement

Nearly four years of master's study have finally come to an end. Studying in the master's program was like entering a cube: every face of the cube was a challenge, and my task was to push these "walls" outward. The farther I pushed, the larger my space became and the more room I had in which to work. These walls, however, could not be moved by me alone. Along the way I received help from many people who pushed me forward from behind, and only then was I able to reach my goal. First, I thank my advisor, Professor Han Wei Hsiao (蕭漢威), for his hard work. Whatever goal I set, he was always my strongest supporter, and whenever I met an obstacle he patiently discussed solutions with me. I must have caused him a great deal of trouble in the process, but he always stood entirely on the student's side and spared no effort to help. Here I express my deepest gratitude. Thank you, Professor!

One of the hardest challenges of my master's studies was a year of study at the University of Utah in the United States. I thank Professor 王學亮 for providing the relevant information and for his assistance during the application process. I thank my Host Counselor at the Salt Lake City Rotary Club, Dr. Scott Leckman, for arranging every one of my talks, which allowed me to complete the task the Rotary Club entrusted to me. I thank Professor 胡仁華 of the University of Utah for giving me the opportunity to study there. I thank 楊超 and 李心怡; thanks to you, I was able to hold on during my days in Salt Lake City.

Finally, I thank my parents. From childhood on you have always given me every kind of support, so that I could focus single-mindedly and finish everything I needed to finish. At this moment, what I most want to say to you is:

Mom and Dad, thank you for all your hard work! I love you!

Kun Yu Chen (陳坤裕)
Data Engineering and Network Management Laboratory, National University of Kaohsiung
May of the 101st year of the Republic of China (2012)
A Study of BotNet Diffusion Patterns and the Effectiveness of Network Defense Management Strategies Based on the SIR Epidemic Model
Department of Information Management, National University of Kaohsiung
Advisor: Dr. Han Wei Hsiao (蕭漢威)
Graduate student: Kun Yu Chen (陳坤裕), Master's Program, Department of Information Management, National University of Kaohsiung

Abstract (Chinese version)

The rapid development of information technology has made computer networks ever more widespread in today's society. However, network threats such as computer viruses also harm people through those same networks. In recent years, BotNet attack techniques have emerged that combine Internet worms, Trojans and autonomous-agent technology, and the harm they cause is far more severe: not only is personal private data stolen, but the network services provided by enterprises and government agencies are also disrupted. For network and system administrators, how to reduce the spread and damage of BotNets through defense strategies is therefore a problem that deserves attention. Yet among the many strategies for defending against BotNets, which one is more effective? Previous research seems to offer defenders no reliable reference on this question. For this reason, this study draws an analogy with the defense against biological infectious diseases and selects the barrier precaution strategy and the patching strategy for a comparison of defensive effectiveness. Through mathematical modeling and simulation experiments, we find that the patching strategy outperforms the barrier precaution strategy. Regarding the time of introduction, we also find that the earlier the patching strategy is introduced, the earlier the spread of the whole BotNet is brought to a stable level. We also learn that, when the patching strategy is used to defend against a BotNet, patching the already infected computers is more effective than patching the uninfected ones. Our findings not only help defenders understand the effectiveness of different defense strategies but also suggest how to obtain the maximum benefit from a single defense strategy. We hope this study will be a starting point for the mathematical modeling of BotNet defense strategies. Future work built on it can incorporate economic cost or hybrid strategies into the model, giving defenders more to refer to when applying defense strategies.

Keywords: SIR diffusion model, network security, BotNet, network defense strategy
A Study of BotNet Diffusion Model and Effective Analysis of Network Prevention Management Strategies Using SIR Model
Advisor: Dr. Han Wei Hsiao, Department of Information Management, National University of Kaohsiung
Student: Kun Yu Chen, Department of Information Management, National University of Kaohsiung

ABSTRACT

With the rapid growth of information technology, resources on the Internet can be coordinated in a more efficient and effective way. However, this advantage has its drawback when it is used for criminal purposes. In recent years a new Internet threat, the BotNet, has been created. A BotNet incorporates the techniques of Internet worms, Trojans and agents together and brings serious disasters to Internet users. Hence, for defenders, choosing appropriate defense strategies becomes critical when defending against BotNets. However, prior research has paid little attention to this question. Therefore, in this research, by describing the analogies between defense strategies for biological diseases and for BotNets, two defense strategies are chosen. Through mathematical modeling and simulation, our results show that the patching strategy performs better than the barrier precaution strategy. Further, we found that the earlier the implementation, the earlier the BotNet outbreak approaches a steady state. Meanwhile, we found that patching infected hosts performs better than patching susceptible hosts. Our findings not only help defenders compare the effectiveness of defense strategies but also suggest how to maximize the effectiveness of deploying the patching strategy. We anticipate that our research will be a starting point for more sophisticated modeling and analysis of the effectiveness of defense strategies against BotNets, for example taking an economic perspective or hybrid defense strategies into account. This can give defenders more references when defending against BotNets.

Keywords: SIR propagation model, network security, BotNet, network defense strategy
Contents

Approval Page (p. i)
Chinese Abstract (p. iii)
English Abstract (p. v)
Chapter 1. Introduction (p. 1)
  1.1. Research Background (p. 1)
  1.2. Research Motivation and Goal (p. 3)
Chapter 2. Literature Review (p. 5)
  2.1. BotNet: An Overview (p. 5)
  2.2. Propagation Models and Models for Defense Strategy Against BotNet (p. 7)
  2.3. Strategies against BotNet (p. 9)
Chapter 3. Research Method (p. 14)
  3.1. SIR Model Description and Equation (p. 14)
  3.2. Barrier Precaution Model Description and Equation (p. 23)
  3.3. Patching Model Description and Equation (p. 26)
Chapter 4. Simulation Results (p. 31)
  4.1. Original System (p. 31)
  4.2. Barrier Precaution System (p. 35)
  4.3. Patching System (p. 40)
  4.4. Barrier Precaution System vs. Patching System (p. 43)
  4.5. Different Implementation Day in Patching System (p. 45)
  4.6. Different Proportions of Patch Implementation in Susceptible and Infected Hosts (p. 48)
Chapter 5. Conclusion and Future Research (p. 52)
Reference (p. 58)
List of Tables

Table 3-1. Summary of parameters in SIR model equations (p. 17)
Table 3-2. Different situations of transmitted volumes and their consequences (p. 22)
Table 3-3. Summary of parameters in barrier precaution model (p. 24)
Table 3-4. Summary of parameters in patching model (p. 28)
Table 4-1. Summary of parameter values in original system (p. 33)
Table 4-2. Summary of parameter values in barrier precaution system (p. 36)
Table 4-3. Summary of parameter values in various barrier precaution systems (p. 37)
Table 4-4. Summary of parameter values in patching system (p. 41)
List of Figures

Figure 3-1. SIR model (p. 15)
Figure 3-2. Transmission volumes that affect infected machines (p. 21)
Figure 3-3. Barrier precaution model (p. 23)
Figure 3-4. Patching model (p. 26)
Figure 4-1. Original system (p. 33)
Figure 4-2. Barrier precaution systems vs. original system (p. 37)
Figure 4-3. Horizontal zoom-in of the first peaks in figure 4-2 (p. 37)
Figure 4-4. Vertical zoom-in of the second peaks in figure 4-2 (p. 38)
Figure 4-5. Patching system vs. original system (p. 42)
Figure 4-6. Patching system vs. strong barrier precaution system (p. 44)
Figure 4-7. Patching system (implemented at day 20 and day 30) (p. 46)
Figure 4-8. Patching system (implemented at day 40 and day 50) (p. 46)
Figure 4-9. Proportions of patch installed in susceptible and infected hosts reduced to 10% (p. 49)
Figure 4-10. Proportion of patch installed in susceptible hosts reduced to 13% and 10% (p. 50)
Figure 4-11. Proportion of patch installed in infected hosts reduced to 13% and 10% (p. 50)
Chapter 1. Introduction

In recent years, new types of Internet threats have emerged. Among them, BotNet is one of the most serious, having caused huge losses to enterprises, government agencies and individual users. It is therefore essential for defenders to use defense strategies effectively to reduce the losses BotNets cause. However, when selecting a strategy, which one performs better remains an open question. Hence, section 1.1 first provides the research background on BotNets, and section 1.2 explains in more detail our research motivation, our goal and the structure of this thesis.

1.1. Research Background

With advances in information technology, people have started using new technologies to coordinate the resources connected to the Internet, and projects such as SETI@home have been launched for this purpose. SETI@home seeks to coordinate the computing resources of hosts around the world in order to analyze whether aliens have sent messages to human beings. However, the same knife cuts bread and fingers: when the same coordination techniques are used for criminal purposes, new Internet threats such as Internet worms and Trojans appear.
In recent years a new kind of Internet threat has arisen that inherits features from Internet worms, Trojans and agents. We call it BotNet. A "bot" is a set of scripts (an agent) that can be executed on a host. While executing the scripts, the host can receive information or commands from other hosts and launch special activities (normally with a criminal purpose). The controllers of a BotNet connect to the bots through the Internet and issue commands through the C&C (Command and Control) infrastructure.

This new threat has caused huge disasters. According to NISCC (National Infrastructure Security Co-ordination Centre) [1], the disasters caused by BotNets can be classified into two categories, confidentiality and availability. The term "confidentiality" refers to victims who suffer losses without being aware of it; for example, bots hiding on hosts secretly steal people's sensitive or private information, such as credit card numbers, ID numbers and passwords. The term "availability", on the other hand, refers to victims who suffer losses consciously; for example, Facebook [2], Twitter and even the U.S. Federal Trade Commission [3] have suffered DDoS (Distributed Denial of Service) attacks, after which users could not visit the sites normally. To launch a DDoS attack, the attacker gives commands to the BotNet, and the bots that receive them send huge amounts of network packets to the targets so as to exhaust their resources and disrupt their networks. Similar disasters occur over and over again. For network and system managers, BotNet has therefore become an inevitable and difficult problem to confront.

1.2. Research Motivation and Goal

Technological progress has been accelerating, which lets BotNets spread faster and cause more severe disasters. It is therefore essential to use defense strategies to effectively reduce the losses caused by BotNets. However, among the many defense strategies against BotNets, which performs better remains a question. Prior research has attempted to investigate it, but some studies [4] do not provide tangible solutions for defenders, others discuss optimizing the use of only a single, specific defense strategy [5], [6], and another [7] compares the performance of different tangible solutions on a testbed, which, compared with mathematical models, is relatively inflexible when parameters are adjusted and makes it hard to forecast unknown Internet threats.

With these concerns in mind, our research uses mathematical models and simulations to gain flexibility in adjusting parameters and to analyze different tangible defense strategies, seeking to help defenders in their strategy selection. Therefore, in chapter 2,
first, we provide an overview of BotNets and discuss the specific type of BotNet we investigate in this research. Second, by describing the analogies between defense strategies for biological epidemic diseases and for BotNets, we choose the defense strategies to study. In chapter 3, we develop compartmental models to describe the propagation of BotNets and the optimal strategies for defenders. In chapter 4, we conduct simulations and analyze them numerically to find the better defense strategy against BotNets, and we provide suggestions for maximizing the effectiveness of deploying that strategy.
Chapter 2. Literature Review

In this chapter, we first provide an overview of BotNets under different infrastructures and define the type of BotNet we investigate in this study. We then review prior research on propagation models for epidemic diseases, host viruses, Internet worms and BotNets, and on models that take defense strategies against BotNets into account, and identify the research gap we attempt to address. Finally, we discuss and choose defense strategies against BotNets so that they can be incorporated into the propagation models developed in Chapter 3.

2.1. BotNet: An Overview

IRC (Internet Relay Chat) is an early protocol that allows people to communicate with each other through the Internet. In 1993 the first bot, Eggdrop, was created; it was designed to help IRC managers coordinate and manage both Internet resources and IRC channels. However, people with criminal purposes took advantage of this mechanism to launch illegal activities. Further, with the rapid growth of information technology, BotNet communication topologies have changed from the original IRC-based form to HTTP (Hypertext Transfer Protocol)-based and P2P (Peer-to-Peer)-based forms. That is to say, the network topology has changed from a client-server (centralized) infrastructure to a P2P infrastructure. A client-server infrastructure provides users (clients) with a specific server; once a user connects to the server, the service is delivered. A P2P infrastructure, by contrast, provides users (clients) with no specific server to connect to: a host can play the role of both client and server. This has made BotNets more stable and less visible than those built on a client-server infrastructure. According to [8], the possible advanced communication topologies can be classified into three distinct types: centralized, peer-to-peer and random. Cooke termed these three types C&C (Command and Control) infrastructures. Since most BotNets belong to a C&C infrastructure, this research does not discuss BotNets at the microscopic level but focuses on BotNets that belong to a C&C infrastructure. That is to say, the specific communication topology of a BotNet is not our present concern.
2.2. Propagation Models and Models for Defense Strategy Against BotNet

Between 1927 and 1930, Kermack and McKendrick [9–11] established the extremely important SIR (Susceptible, Infected, Recovered/Removed) propagation model, which aims to describe the propagation patterns of epidemic diseases. Based on the SIR model, scientists have developed models for specific epidemic diseases such as SARS (Severe Acute Respiratory Syndrome) and models that take countermeasures into account [12].

Over the past decades, host and Internet technology have developed rapidly, bringing the Internet new threats (host viruses, Internet worms, Trojans). Scientists have found and described analogies between host viruses and population diseases [13], with similarities in many aspects. First, both the complex system of the host network and biological organisms are composed of a large number of simple components linked to each other. Second, once a local part of the system is attacked, hosts/humans malfunction and the disorder spreads along the network/system. Therefore, based on the SIR model, scientists developed models to simulate the propagation of host viruses [14], [15] and Internet worms [16–20]. Further, some scientists [21–26] took countermeasures against Internet threats into account so as to help policy makers and network managers combat those threats.

In recent years a new kind of Internet threat, BotNet, has caused huge losses to government agencies, private businesses and many others. Scientists have therefore again developed propagation models to simulate the propagation of BotNets [27–31], as well as BotNet models that take countermeasures into account. In Bensoussan's work [4], a game-theoretical approach is used to measure the performance of strategies against BotNet. However, the authors do not describe precisely which strategies they use; instead they use a single parameter, vD ∈ [0, 1], to express whether the defender exerts a full defense effort to achieve maximal effectiveness. For example, if vD = 1, the defender group exerts a full defense effort to achieve maximal effectiveness. Therefore, in our study we discuss and choose tangible strategies, such as using a firewall, barrier precaution and patching, so as to provide policy makers and network managers with a tangible solution for combating BotNets.
Without using propagation models, Davis [5] and Wang [6] used a graph model and a probability model, respectively, to find an optimal defense strategy against BotNet. However, they mainly focus on one particular strategy/countermeasure and look for different ways to optimize the use of that single strategy/countermeasure. In our research, we investigate different strategies/countermeasures and seek the one that performs better against BotNet. Ha's research [7] compared the performance of different tangible defense strategies against BotNet. However, their simulation platform, a testbed, has several drawbacks compared with mathematical models: 1) it is relatively hard to forecast unknown Internet threats, and 2) it is relatively inflexible when parameters are adjusted. Therefore, rather than using a testbed, this research uses a mathematical model and numerical analysis to measure the performance of defense strategies against BotNet.

2.3. Strategies against BotNet

When a biological epidemic disease breaks out, both governments and healthcare agencies are thrown into panic and resort to measures against the disease in order to minimize its propagation and the scale of the disaster. According to Bauch [11], the most common strategies administrators use against epidemic diseases are: 1. quarantine and isolation; 2. barrier precautions, i.e. encouraging residents to adopt healthy behaviors so as to increase their resistance to the disease; 3. development of vaccines.

Likewise, in the world of the Internet, defenders use strategies against Internet threats, in this paper the BotNet. According to [32], those strategies can be classified into two categories: "prevention for potential agents" (susceptible hosts) and "response for agents" (infected hosts). Although there are many defenses in each category, in this paper we learn from the strategies against epidemic diseases and consider several measures to combat BotNet.

In the category of "prevention for potential agents", we have strategies that encourage users to adopt good habits when using hosts and the Internet, for example strengthening passwords, turning off support for scripting languages, raising the security settings of the web browser and managing user rights. For vulnerable machines, this helps to create more barriers against viruses or malware and to decrease the probability of being compromised. Therefore, in this paper, we use the barrier precaution strategy for susceptible machines.

In the second category, "response for agents", we have strategies that isolate the system on the network. For example, network and system managers can set iptables rules that block specific clients' connections; that is, once the managers find the infected machines (bot agents), they can set rules that block connections from the outside and connections sent out from the inside (the bot agents).

Another important measure against BotNet is patching, which covers both of the above categories [33]. For susceptible machines, patching fixes the vulnerabilities so as to protect the host from getting infected. For infected machines, patching can delete the malicious code or scripts and help users fix the vulnerabilities.

In the paragraphs above we discussed three measures to combat BotNet. Generally speaking, from the network manager's point of view, a firewall in a local area network may block most malicious connections from the outside, but inside the firewall the situation can be a total mess; that is, a firewall cannot stop attacks launched from inside the network. Further, from the end user's point of view, the operating system may come with a firewall (Linux iptables, Windows Firewall), but configuring it requires professional knowledge that most users do not have. With this drawback in mind, this paper focuses on the strategies of "barrier precaution" and "patching". In the following sections, we discuss each strategy in detail.

As we all know, the stronger the barrier, the harder it is for hosts to be invaded. However, many host users overlook the importance of network security. They may set an "easy to remember" password or keep the default password for their machines, or they may browse pornographic or other dubious websites that run scripts in the background while the user is browsing. Further, to make their machines easier to use, they give every user account the highest privileges on the host. All of the above lead to a higher probability of being infected by Internet threats. Seen from the other side, good habits in using hosts increase the barriers against Internet threats and lower the probability of infection. It is therefore necessary for network managers to notice and promote the importance of barrier precaution.

After an outbreak of host viruses or Internet worms, operating system vendors develop and provide patches for users to download and install. After patching, hosts can prevent the intrusions brought by host viruses or Internet worms, delete the viruses or worms and recover infected machines. Most operating systems provide a patching mechanism, e.g. Windows Update. However, some users disable this mechanism because it lowers the performance of their hosts. Other users disable it because they use illegal copies of the operating system: before patching, the mechanism automatically checks users' hosts to make sure they are running licensed copies, and once a copy is detected as illegal, some functions of the operating system are disabled. As for network and system managers, some of them use a restore card on hosts. On boot, the card returns each host to the state it was in before the card was installed; that is, hosts that were patched can be un-patched at the next boot. Therefore, it is essential for defenders to make sure that the hosts they manage are all patched and to remind users of the importance of patching, so as to protect hosts and servers from getting infected.
Chapter 3. Research Method

In this chapter, we introduce the SIR (Susceptible, Infected and Recovered) model and its characteristics. Then, based on the SIR model and the strategies discussed in chapter 2, we propose two models to simulate BotNet propagation under those strategies. In the following sections, we describe both the characteristics and the equations of each model.

3.1. SIR Model Description and Equation

The world is full of complex phenomena and problems. With advances in academic research, scientists have tried to explain them with scientific methods, one of the most popular being mathematical modeling. With it, scientists can describe and simplify natural phenomena in mathematical terms, gain insight into problems and, on that basis, find and even predict solutions. Among mathematical models, the SIR model is an extremely important one for investigating the propagation of epidemic diseases. The model has several assumptions: 1) the population is finite; 2) three distinct states and two transmission rates are recognized. These assumptions are discussed in more detail below.

Figure 3-1 SIR model

In the SIR model the population is finite, meaning that no new population is added to the model and no existing population is removed from it. In this research we discuss BotNet propagation based on the SIR model; therefore, we also describe each state and transmission rate in terms of BotNet propagation.

As shown above, the states are susceptible, infected and recovered. A member of the model can be in only one state at a time. We now introduce each state and transmission rate individually:

Susceptible (S): the category of those who have not been infected. In a BotNet it corresponds to a host or server that has not yet downloaded the executable scripts.

Infected (I): the category of those who have already been infected. In a BotNet it corresponds to a host or server that already has the executable scripts downloaded.

Recovered (R): the category of those who have recovered from the illness. In a BotNet it corresponds to a host or server from which the executable scripts have been removed.

Infection rate (written β below): the transmission rate that incorporates the average number of contacts between susceptible and infected individuals together with the probability of transmission. In a BotNet it is the rate at which vulnerable hosts are turned into bots. In this model, β is constant at all times.

Recovery rate (written γ below): the transmission rate from 'infected' to 'recovered', i.e. the fixed proportion of the infected group that recovers on any given day. In other words, γ is the probability that each infected host recovers per day. In a BotNet it is the rate at which bots become recovered machines. In this model, γ is constant at all times.

Table 3-1 Summary of parameters in SIR model equations
S(t): number of susceptible individuals at time t
I(t): number of infected individuals at time t
R(t): number of recovered individuals at time t
s(t): the susceptible proportion of the population at time t
i(t): the infected proportion of the population at time t
r(t): the recovered proportion of the population at time t
β: transmission rate that incorporates the average number of contacts between susceptible and infected individuals together with the probability of transmission
γ: the fixed proportion of the infected group that recovers on any given day

Having described the basic concepts of the SIR model, we now introduce its equations. Suppose that each infected host has a fixed number of contacts per day, and that only a fixed percentage of those contacts result in transmission. The product of the two is the largest possible number of transmissions per infected host per day; we define this value as β. If we assume homogeneous mixing of the population, the proportion of these contacts that are with susceptibles is s(t). Thus, on average, each infected individual generates β s(t) new infected individuals per day. Each infected host recovers at some rate; let the proportion of the infected group that recovers be γ, so that γ is the probability that each infected host recovers per day. Thus we have the infected equation (1):

$$\frac{dI(t)}{dt} = \beta\, s(t)\, I(t) - \gamma\, I(t) \qquad (1)$$

From equation (1) it follows that

$$\frac{dS(t)}{dt} = -\beta\, s(t)\, I(t) \qquad (2)$$

$$\frac{dR(t)}{dt} = \gamma\, I(t) \qquad (3)$$

The reproduction rate is an epidemic threshold that determines whether propagation occurs or the disease dies out. Derived from equation (1), the reproduction rate is

$$R_t = \frac{\beta\, s(t)}{\gamma} \qquad (4)$$

During the propagation, the fluctuation of the volumes of S (susceptible) and I (infected) can be discussed with equations (2) and (4). In equation (2), when the volume of I and the transmission rate β get larger, the decline of S speeds up; in addition, when the proportion of S gets larger, the total volume transmitted from S to I is larger as well. Conversely, when these parameters get smaller, the reactions are the opposite. We give three examples:

The volume of I gets larger: consider a class of 50 students in two situations. In the first, half of the students catch a cold; in the second, only 2 students do. It is clear that in the first situation the probability of the other students catching a cold is lower than in situation 2.
(31) The proportion of S gets larger: Consider two classes that have 50 students and 5 students respectively. The transmission rate. = 0.2) remains constant at all time. The number of infected. students in each class is 2. In the first class, the volume transmitted from susceptible into infected is 10 students (50 * 0.2 = 10). However, in situation 2, the volume transmitted is only 1 student (5 * 0.2 = 1).. The value of. gets larger:. Consider we have a class that has 50 students,. is given as 0.2 and 0.5. respectively. It’s clear that the transmitted volume (50 * 0.2 = 10) given that the rate as 0.2 is smaller than the volume (50 * 0.5 = 25) given that the rate as 0.5.. As we can see from the discussions above, if the defenders want to lower BotNets’ impact on susceptible machines, they can start from lowering the volumes of I, the proportion of S and value of .. The volume fluctuation of I can be discussed by equation (4), the reproduction rate. This rate is an epidemic threshold that determines whether the disease propagates or dies out. That is to say, when the number gets larger, infected people will get more and 20.
(32) more by the time increase. However, if the number gets smaller, the disease will gradually die out. In equation (4), when the numerator (. and s(t)) gets smaller, the. reproduction rate gets smaller. In addition, when the denominator ( ) gets larger, the rate gets smaller. That is to say, if the defenders want to lower the BotNets’ impact on infected machine, they will have to lower the value of numerator and increase the value of denominator.. Figure 3-2 Transmission volumes that affect infected machines.. The volume fluctuation of I can also be discussed by another perspective. As shown in equation (1), we can see that the volume of I is affected by two transmission volumes. and. . We define those volumes as. and. That is to say, different amounts of two transmission volumes can cause changes in the volume of I. In table 3-1, we list five situations of these two transmission volumes and the impact on infected machines. As described in the table, from the perspective of defender, situation 4 and 5 can lower BotNets’ impact on infected machines. In other words, they can enhance 21. and weaken. ..
Table 3-2 Different situations of transmitted volumes and their consequences

Situation | Transmission volume (susceptible→infected vs. infected→recovered) | Consequence
1 | >> | The volume of I grows as time increases.
2 | > | The volume of I grows as time increases, but the increase is less than in situation 1 (>>).
3 | = | The volume of I remains the same as time increases.
4 | << | The volume of I decreases as time increases.
5 | < | The volume of I decreases as time increases, but the decrease is less than in situation 4 (<<).

In the sections above, we introduced the SIR model and described the analogies between biological diseases and BotNets. However, we intend to discuss not only the propagation of BotNets but also the effectiveness of defense strategies against them. Therefore, in the following sections, based on the SIR model, we develop separate models to simulate two defense strategies (strengthening barrier strength and patching) against BotNets.
3.2. Barrier Precaution Model Description and Equation

Figure 3-3 Barrier precaution model

In the figure above, we incorporate the influence of the strengthening-barrier strategy into the SIR model. In this model, the strategy is applied only to susceptible hosts, because it is meaningless to strengthen machines that are already infected. As discussed in section 3.1, in the equation of the reproduction rate, this strategy seeks to affect the numerator (the transmission rate and s(t)) so as to lower the BotNet's impact on infected machines. Further, in the real world, recovered machines may return from recovered to susceptible, for example because the operating system is reinstalled. Therefore, this model takes that transition into account. In the model, we divide the susceptible into three proportions with three different barrier strengths. In the first proportion (p1), the barrier strength is set to 'strong'. In the second proportion (p2), the
barrier strength is set to 'good'. In the third proportion (p3), the barrier strength is set to 'weak'. Different barrier strengths lead to different transmission rates. In the first proportion, a transmission rate transmits the susceptible hosts with a strong barrier to 'infected'. In the second proportion, a transmission rate transmits the susceptible hosts with a good barrier to 'infected'. In the third proportion, a transmission rate transmits the susceptible hosts with a weak barrier to 'infected'. The transmission rate that transmits the infected to recovered remains the same as in the SIR model. Finally, a transmission rate transmits the recovered back to susceptible.

Table 3-3 Summary of parameters in the barrier precaution model

Proportion of the susceptible whose barrier strength is set to strong (p1)
Proportion of the susceptible whose barrier strength is set to good (p2)
Proportion of the susceptible whose barrier strength is set to weak (p3)
Transmission rate that transmits strong-barrier hosts into infected
Transmission rate that transmits good-barrier hosts into infected
Transmission rate that transmits weak-barrier hosts into infected
Transmission rate that transmits infected to recovered
Transmission rate that transmits the recovered to susceptible
In the above sections, we have described the basic concepts of the SIR model. In this section, we introduce the barrier model equations. Let us look at the differential equations individually:

Infected equation: When infected hosts recover, the transmitted volume is deducted from the infected machines. Moreover, when susceptible hosts get infected, the different transmitted volumes (one per barrier strength) are deducted from the susceptible machines and added to the infected machines. The volume of infected machines thus changes over time. The equation is shown below.

dI/dt = ( )1 (p1) sI + ( )2 (p2) sI + ( )3 (p3) sI − ( ) I    (6)

Recovered equation: When infected hosts recover, the transmitted volume is deducted from the infected machines and added to the recovered machines. In addition, when recovered hosts become susceptible, the transmitted volume is deducted from the recovered machines. The volume of recovered machines thus changes over time. The equation is shown below.
dR/dt = ( ) I − ( ) R    (7)

Susceptible equation: As we can see from the equations above, once susceptible hosts are infected, the different transmitted volumes are deducted from the susceptible machines. In addition, when recovered hosts become susceptible, the transmitted volume is added to the susceptible machines. The volume of susceptible machines thus changes over time. The equation is shown below.

dS/dt = −( )1 (p1) sI − ( )2 (p2) sI − ( )3 (p3) sI + ( ) R    (8)

3.3. Patching Model Description and Equation

Figure 3-4 Patching model
In the figure above, we incorporate the influence of patching into the SIR model. The strategy works on both the susceptible machines and the infected machines. As discussed in section 3.1, in the equation of the reproduction rate, this strategy seeks to affect both the numerator (the transmission rate and s(t)) and the denominator (the recovery rate) so as to lower the BotNet's impact on infected machines. Further, in the real world, recovered machines may return from recovered to susceptible, for example because the operating system is reinstalled. Therefore, like the barrier model, this model takes that transition into account. Among the susceptible machines, we set two proportions with two different states, 'patched' and 'not patched'. In the first proportion (p1), the susceptible machines are patched; in the rest of the proportion (1 − p1), the susceptible machines are not patched. In addition, we divide the infected machines into the same two states, 'patched' and 'not patched'. Among the infected machines, the proportion that is patched is given as (p2), and the rest, which are not patched, as (1 − p2). In proportion (p1), a transmission rate transmits the patched susceptible machines into infected. In proportion (1 − p1), a transmission rate transmits the unpatched susceptible machines into infected. As for the transmission rates that transmit the infected into recovered, one transmission rate transmits the patched infected machines into recovered. For the infected machines that are not
patched, a separate transmission rate applies. Finally, a transmission rate transmits the recovered to susceptible.

Table 3-4 Summary of parameters in the patching model

Proportion of the susceptible that is patched
Proportion of the infected that is not patched
Transmission rate that transmits patched susceptible machines into infected
Transmission rate that transmits unpatched susceptible machines into infected
Transmission rate that transmits patched infected machines into recovered
Transmission rate that transmits unpatched infected machines into recovered
Transmission rate that transmits the recovered to susceptible

In the above sections, we have described the basic concepts of the patching model. In this section, we introduce the patching model equations. Let us look at the differential equations individually:

Infected equation: When infected hosts recover, the different transmitted volumes (patched and unpatched) are deducted from the infected machines. Moreover, when susceptible hosts get infected, the different transmitted volumes are deducted from the susceptible
machines and added to the infected machines. The volume of infected machines thus changes over time. The equation is shown below.

dI/dt = ( )1 (p1) sI + ( )2 (1 − p1) sI − ( )1 (p2) I − ( )2 (1 − p2) I    (9)

Recovered equation: When infected hosts recover, the different transmitted volumes are deducted from the infected machines and added to the recovered machines. In addition, when recovered hosts become susceptible, the transmitted volume is deducted from the recovered machines. The volume of recovered machines thus changes over time. The equation is shown below.

dR/dt = ( )1 (p2) I + ( )2 (1 − p2) I − ( ) R    (10)

Susceptible equation: As we can see from the equations above, once susceptible hosts are infected, the different transmitted volumes are deducted from the susceptible machines. In addition, when recovered hosts become susceptible, the transmitted volume is added to the susceptible machines. The volume of the
susceptible machines thus changes over time. The equation is shown below.

dS/dt = −( )1 (p1) sI − ( )2 (1 − p1) sI + ( ) R    (11)

In this chapter, we introduced the SIR model. Based on it, we proposed two models that take a defense strategy into account. However, we cannot yet judge which strategy is relatively more effective for defense. Therefore, in the next chapter, we design several simulation experiments and conduct numerical analyses to find the better strategy for defenders.
Chapter 4. Simulation Results

In chapter 3, we developed two defense models against BotNets. Our models were built on a number of assumptions which can only be tested by simulation. Therefore, in this chapter, we use MATLAB as our simulation tool to study the behavior of the defense strategies. According to [34], [35], in recent years the average size of a BotNet is 20,000 hosts, even though the potentially vulnerable population is much bigger than this average. Therefore, we assume the potentially vulnerable population of a BotNet is 200,000 (ten times the average size) and that the BotNet stops growing after it reaches a size of 20,000. All simulations in this chapter are conducted using 200,000 nodes. Each time unit in all simulations is one day, and each simulation covers 400 days in total. Besides, we assume that there is only one infected host at the very beginning of the simulation. In the following sections, we demonstrate and discuss the results of each simulation.

4.1. Original System

We define our original system as the system that has no specific defense strategy implemented. In this simulation, we consider the SIRS model as our original
system model. We estimate the transmission rate and the recovery rate by examining the reproduction rate. As we can see in equation (4), the BotNet grows if the numerator (the transmission rate and s(t)) is larger than the denominator (the recovery rate). Since s(t) is the proportion of susceptible machines at any given time, it remains smaller than 1; that is to say, s(t) weakens the transmission rate in the numerator. Thus, if the BotNet grows, we know that the weakened transmission rate must still be larger than the recovery rate. In other words, we can deduce that the transmission rate must be larger than the recovery rate if the BotNet grows.

We can see this from another perspective. Let us assume that the transmission rate is smaller than the recovery rate. Then the reproduction rate can never be larger than one. In other words, during the propagation we would observe only one phenomenon: the BotNet gradually dies out. However, according to [36], the observed data show an obvious peak during the propagation. Therefore, again, we are sure that the transmission rate must be larger than the recovery rate. As we know, the transmission rate incorporates the contact number between susceptible and infected machines together with the probability of transmission. Given the complexity of reality, there are countless combinations of these that can describe a BotNet endemic. However, this complexity is not our present concern. Therefore, for simplicity, we only make sure that in our simulation the BotNet becomes endemic. For the above reason, we assume that the transmission rate is 0.5, which means each infected host has a fixed number of 1 contact per day and the probability of being infected is 50%. The value of the recovery rate is given as 0.1. As for the rate of returning from recovered to susceptible, under
normal circumstances its value is extremely small, since few people would reinstall their operating system while their machines are safe and stable. Hence, we think that on average it is much smaller than the recovery rate, and its value is given as 0.01.

Table 4-1 Summary of parameter values in the original system

Parameter | Value
Transmission rate (susceptible to infected) | 0.5
Recovery rate (infected to recovered) | 0.1
Rate of returning from recovered to susceptible | 0.01

Figure 4-1 Original system (number of susceptible, infected and recovered hosts over 400 days)

The above figure shows the number of hosts in each state (susceptible, infected and recovered) during the propagation. Using the SIRS model and the appropriately
estimated parameter values, we found that the results capture several phenomena of the propagation. First, as shown in the figure, in the later period of the propagation the number of recovered hosts is much larger than the numbers of susceptible and infected hosts, since most users have recovered their hosts from infection. Second, in the later period of the propagation, before the BotNet becomes extinct, there may be a period in which both the number of susceptible hosts and the number of infected hosts approach a steady state and are much smaller than the number of recovered hosts. Finally, as shown in the figure, the number of infected hosts has more than one peak (outbreak). That is to say, the result captures the phenomenon of future outbreaks caused by events such as re-infection. However, compared with the other peaks during the propagation, the first one is the most severe. Therefore, as the figure illustrates, we conclude that the impact of the first outbreak plays a key role in the propagation of a BotNet.

The accuracy of each phenomenon may be biased because our parameters are estimated: for example, the outbreak day might be earlier or later, the amplitude of the outbreak might be milder, and the period of the outbreak might be shorter or longer. However, we think the phenomena discussed above are reasonable and well explained. Hence, despite these biases, we believe that the model's forecast
of the trends of BotNet propagation is worth referring to. Therefore, based on the parameter values set in this section, in the next section we deduce parameter values for the barrier precaution strategy model and the patching strategy model.

4.2. Barrier Precaution System

In this section, we discuss implementing the barrier precaution strategy in the original system. Based on the parameter values set in the previous section, the parameter values for the barrier precaution strategy are deduced as follows. In the original system, the probability of being infected for susceptible hosts is 50%. For hosts with strong barrier precaution, this probability should be much lower than in the original system and is given as 10%; therefore, the transmission rate for hosts that use a strong barrier is 0.1 (1 × 0.1). The transmission rate for hosts with good barrier precaution is given as 0.4 (1 × 0.4), since their probability of being infected is a little lower than in the original system. The transmission rate for hosts with weak barrier precaution is given as 0.9 (1 × 0.9), since they are very likely to be infected. In the barrier precaution system, there is no impact on infected hosts; therefore, the recovery rate remains the same as in the original system. The value of the rate of returning from recovered to susceptible is also the same as in the original system.
In the barrier precaution system, we have three sub-systems: the strong, good and weak barrier precaution systems. For example, the strong barrier precaution system describes a system in which most of the susceptible hosts use strong barrier precaution. Therefore, in our simulation of the strong barrier precaution system, we assume that the proportion of strong barrier precaution hosts is larger than the proportions of good and weak barrier precaution hosts, and we set the proportions of good and weak barrier precaution hosts to be equal. In other words, in the strong barrier precaution system, the strong-barrier proportion exceeds the (equal) good- and weak-barrier proportions. The same logic applies to the good barrier precaution system and the weak barrier precaution system. With this in mind, in the strong barrier precaution system the proportion of strong-barrier hosts is given as 0.5 and the proportions of good- and weak-barrier hosts as 0.25. In the good barrier precaution system, the proportion of good-barrier hosts is given as 0.5 and the proportions of strong- and weak-barrier hosts as 0.25. Finally, in the weak barrier precaution system, the proportion of weak-barrier hosts is given as 0.5 and the proportions of strong- and good-barrier hosts as 0.25.

Table 4-2 Summary of parameter values in the barrier precaution system

Parameter | Value
Transmission rate, strong-barrier hosts to infected | 0.1
Transmission rate, good-barrier hosts to infected | 0.4
Transmission rate, weak-barrier hosts to infected | 0.9
Recovery rate (infected to recovered) | 0.1
Rate of returning from recovered to susceptible | 0.01
Table 4-3 Summary of parameter values in the various barrier precaution systems

System | Proportion strong | Proportion good | Proportion weak
Strong Barrier | 0.5 | 0.25 | 0.25
Good Barrier | 0.25 | 0.5 | 0.25
Weak Barrier | 0.25 | 0.25 | 0.5

Figure 4-2 Barrier precaution systems vs. original system (number of infected hosts over 400 days)

Figure 4-3 Horizontal zoom-in of the first peaks in figure 4-2 (days 0 to 160)
Figure 4-4 Vertical zoom-in of the second peaks in figure 4-2

In figure 4-2, we first give an overview of BotNet propagation under the barrier precaution strategies vs. the original system. Then, to examine the results of figure 4-2 more carefully, we provide a horizontal zoom-in of the first outbreaks (figure 4-3) and a vertical zoom-in of the second outbreaks (figure 4-4). In figure 4-3, we can see that, compared with the original system, the good barrier precaution strategy decreases the volume of the first outbreak, and that the strong barrier precaution strategy decreases it by more than the good strategy does. On the contrary, the weak barrier precaution strategy does not decrease the volume of the first outbreak; instead, it makes the outbreak even more serious. Figure 4-3 also illustrates the occurrence time of the first outbreaks. We
can see that the stronger the barrier precaution strategy, the later the first outbreak occurs. Compared with the original system, both the good and the strong barrier precaution strategies delay the first outbreak (the strong strategy delays it longer than the good one). On the contrary, the weak barrier precaution strategy shifts the first outbreak to an earlier date. Overall, the strong barrier precaution strategy is the most effective way to reduce the volume of the first outbreak and to delay its occurrence.

Although the second outbreak is less severe than the first, it can still cause losses to victims. Therefore, figure 4-4 illustrates the strategies' impact on the second outbreak. Compared with the original system, the good barrier precaution strategy decreases the volume of the second outbreak, and the strong barrier precaution strategy decreases it by more than the good strategy does. On the contrary, the weak barrier precaution strategy has the largest second outbreak of all the strategies and the original system. Figure 4-4 also illustrates the occurrence time of the second outbreaks: the stronger the barrier precaution strategy, the later the second outbreak occurs. Compared
with the original system, both the good and the strong barrier precaution strategies delay the second outbreak, while the weak barrier precaution strategy shifts it to an earlier date. Meanwhile, in the later period of the propagation, the number of infected hosts under all strategies and in the original system approaches a steady state. As the figure shows, the stronger the barrier precaution strategy, the smaller its steady-state volume. In a nutshell, the strong barrier precaution strategy performs better in every aspect (outbreak volume, occurrence time of outbreaks, steady-state volume) than the other barrier precaution strategies. Therefore, we suggest that defenders consider the strong barrier precaution strategy rather than the good or weak one when combating BotNets.

4.3. Patching System

In this section, we discuss implementing the patching strategy in the original system. Based on the parameter values set for the original system, the parameter values for the patching strategy are deduced as follows. In the original system, the probability of being infected for susceptible hosts is 50%. For susceptible hosts that are patched, this probability should be much lower than in the original system and is given as 1%.
Therefore, the transmission rate for susceptible hosts that are patched is 0.01 (1 × 0.01). The transmission rate for susceptible hosts that are not patched is the same as in the original system and is given as 0.5. In the patching system, the strategy also has an impact on infected hosts. Therefore, the probability of recovery for patched infected hosts is high and is given as 99%; hence, the recovery rate for infected hosts that are patched is 0.99. The recovery rate for infected hosts that are not patched is the same as in the original system and is given as 0.1. The value of the rate of returning from recovered to susceptible is the same as in the original system. In the patching system, we assume the patch is developed and implemented on the first day of propagation and that we patch 15% of hosts among both the susceptible and the infected.

Table 4-4 Summary of parameter values in the patching system

Parameter | Value
Transmission rate, patched susceptible hosts to infected | 0.01
Transmission rate, unpatched susceptible hosts to infected | 0.5
Recovery rate, patched infected hosts to recovered | 0.99
Recovery rate, unpatched infected hosts to recovered | 0.1
Rate of returning from recovered to susceptible | 0.01
Proportion of susceptible hosts patched (p1) | 0.15
Proportion of infected hosts patched (p2) | 0.15
Figure 4-5 Patching system vs. original system (number of infected hosts over 400 days)

The figure above illustrates the patching strategy's impact on the original system. The first outbreak volume in the patching system is about 1/5 of the first outbreak volume in the original system, and the second outbreak volume in the patching system is about 1/2 of the second outbreak volume in the original system. In other words, compared with the original system, the patching strategy greatly decreased the volumes of the first and second BotNet outbreaks. The figure also shows that the patching system delayed the first outbreak by about one month relative to the first outbreak in the original system, and delayed the second outbreak by about two months relative to the second outbreak in the original system. That is to say, compared with the
original system, the patching strategy successfully delayed the first and the second outbreak. Meanwhile, we found that at the end of the propagation, the patching system greatly decreased the steady-state volume of the original system. Therefore, in this scenario, we conclude that the patching strategy performs excellently in combating BotNets.

4.4. Barrier Precaution System vs. Patching System

In the previous sections, we demonstrated that our models give reasonable results for the different strategies. With this confidence, in this section we try to find which strategy is better than the other. Before any comparison, comparison criteria are needed. As discussed in chapter 2, both strategies have an impact on susceptible hosts. For the barrier precaution strategy, we chose the strong barrier situation as the representative to compare with the patching strategy. The strong barrier situation's impact on susceptible hosts is 0.375 (0.1 × 0.5 + 0.4 × 0.25 + 0.9 × 0.25). To compare the two strategies, we make them have the same impact on susceptible hosts. In other words, in the patching strategy, the proportion of susceptible hosts that are patched is chosen so that the average transmission rate on susceptible hosts is 0.375. By doing so, both strategies' impacts (average transmission rate) on susceptible hosts are 0.375. The proportion of infected hosts that install the patch
remains unchanged. In the first simulation, we assume that the patch is released and implemented on the first day of propagation.

Figure 4-6 Patching system vs. strong barrier precaution system (number of infected hosts over 400 days)

The figure above illustrates the impacts of the patching strategy and the strong barrier precaution strategy on the original system. The first outbreak volume in the patching system is about 1/6 of the first outbreak volume in the strong barrier precaution system, and the second outbreak volume in the patching system is about 1/3 of the second outbreak volume in the strong barrier precaution system. In other words, the patching system decreased the volumes of both the first and the second outbreak more than the strong barrier precaution system did. The figure also shows that the patching system delayed the first outbreak by about 1 month relative to the first
outbreak in the strong barrier precaution system. Also, the patching system delayed the second outbreak by about 1.5 months relative to the second outbreak in the strong barrier precaution system. That is to say, compared with the strong barrier precaution system, the patching strategy delayed the first and the second outbreak for a longer period. Meanwhile, the patching system decreased the steady-state volume more than the strong barrier precaution system did. In a nutshell, the patching strategy performs better in every aspect (volume and occurrence time of outbreaks, and steady-state volume) than the strong barrier precaution system. Interpreting the simulation results, we infer that the patching strategy performs better than the strong barrier precaution strategy because it has the power to affect infected hosts, which the strong barrier precaution strategy does not have. Therefore, we suggest that defenders use the patching strategy rather than the strong barrier precaution strategy when defending against BotNets.

4.5. Different Implementation Day in the Patching System

In the previous sections, we assumed that the patch is developed and implemented on the first day of propagation. However, in reality, patches are usually developed after the
disaster has occurred. Therefore, we set different days on which to implement the patching strategy: day 20, day 30, day 40 and day 50. They are respectively 15 days and 5 days before, and 5 days and 15 days after, the day on which the highest volume of the first outbreak occurred in the original system (day 35).

Figure 4-7 Patching system (implemented at day 20 and day 30) vs. original system (number of infected hosts over 400 days)

Figure 4-8 Patching system (implemented at day 40 and day 50) vs. original system (number of infected hosts over 400 days)
Figure 4-7 displays the simulation results when the strategy is implemented on different days before the highest volume of the first outbreak in the original system (day 35). When the patching strategy is implemented at day 30, compared with the original system, it not only decreased the volumes of all outbreaks but also delayed the second outbreak. Further, the figure also shows that when the patching strategy is implemented at day 20, it decreases the volumes of all outbreaks more, and delays the second outbreak for longer, than implementation at day 30. However, the steady-state volume for implementation at day 30 shows no significant difference from that for implementation at day 20. In a nutshell, figure 4-7 shows that the earlier the implementation day, 1) the better the performance of the patching strategy, and 2) the earlier the number of infected hosts approaches the steady state.

Figure 4-8 shows the simulation results when the strategy is implemented on different days after the highest volume of the first outbreak in the original system (day 35). When the patching strategy is implemented at day 40 or day 50, the highest volume of the first outbreak shows no difference from the original system. However, once the number of infected hosts has reached its highest volume, the strategy implemented at day 40 declines faster than the strategy implemented at day 50. Meanwhile, despite their small impact on the first outbreak,
both strategies still have an impact on the other outbreaks and on the steady-state volume during the propagation. As shown in the figure, compared with the original system, both strategies not only decreased the volume of the second outbreak but also delayed it. In a nutshell, figure 4-8 shows that the later the implementation day, 1) the worse the performance of the patching strategy, and 2) the later the number of infected hosts approaches the steady state. Although implementations after the first outbreak still have an impact on the number of infected hosts, the overall impact is not as significant as implementation before day 35. Therefore, we suggest that defenders implement the patching strategy as soon as they can, to get the maximum effectiveness from it.

4.6. Different Proportions of Patch Implementation in Susceptible and Infected Hosts

In the previous sections, the simulation results showed that the patching strategy performs better than the barrier precaution strategy. However, in reality, due to limited resources, defenders may need to find an optimal way to implement patching. Therefore, in this section we ask which gives the better performance: patching susceptible hosts or patching infected hosts? Simple analyses are
conducted to investigate this question. Our analyses change one parameter value (an input of the model) at a time while the others remain the same, so as to see how this change affects the output of the model and to identify the most influential parameter. In the first analysis, we reduce p1 (the proportion of susceptible hosts patched) and p2 (the proportion of infected hosts patched) respectively from 15% to 10% to see how this affects the number of infected hosts. Then we reduce p1 from 15% to 13% and 10% respectively, and compare the results with reducing p2 from 15% to 13% and 10% respectively.

Figure 4-9 Reducing the proportion of patches installed in susceptible and infected hosts to 10% (number of infected hosts over 400 days for p1 = 0.10, p2 = 0.15; p1 = 0.15, p2 = 0.10; and p1 = 0.15, p2 = 0.15)
Figure 4-10 Reducing the proportion of patches installed in susceptible hosts to 13% and 10% (number of infected hosts over 400 days for p1 = 0.10, 0.13 and 0.15, with p2 = 0.15)

Figure 4-11 Reducing the proportion of patches installed in infected hosts to 13% and 10% (number of infected hosts over 400 days for p2 = 0.10, 0.13 and 0.15, with p1 = 0.15)

In figure 4-9, we can see that when we reduce p2 from 15% to 10%, the highest volume of the first outbreak is about 1.6 times the
highest volume of the first outbreak in the original system, and the highest volume of the second outbreak is about 1.5 times the one in the original system. Further, when we reduce p1 (the proportion of patched susceptible hosts) from 15% to 10%, the highest volume of the first outbreak is about 1.2 times the highest volume of the first outbreak in the original system, and the highest volume of the second outbreak is about 1.1 times the one in the original system. In other words, compared with the original system, we found that reducing the proportion p2 increases the outbreak volume more than reducing p1 by the same amount. Meanwhile, compared with the original system, we also found that reducing p2 brings the occurrence time of the outbreaks much earlier than reducing p1 by the same amount. Further, in figures 4-10 and 4-11, we can see that when p2 is reduced to 13% and 10%, the differences between the first outbreaks are more significant than the differences when p1 is reduced to 13% and 10%. In general, the simulation results show that an impact on p2 (infected hosts) is more effective than an impact on p1 (susceptible hosts). Therefore, we suggest that before implementing, defenders should conduct research to find the most infectious departments or units under their jurisdiction. In that way, the defenders can combat more BotNet with fewer resources.
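As an added example (not the thesis's own code or equations), the one-at-a-time procedure of this section can be reproduced on a small constructed SIR-with-patching model: the model structure, the rates beta, gamma and rho, the population size, and the reading of p1 and p2 as daily patch fractions are all assumptions made here.

```python
from dataclasses import dataclass


@dataclass
class Outbreak:
    peak_day: float        # day on which the infected curve is highest
    peak_infected: float   # number of infected hosts on that day


def simulate(p1, p2, beta=2.0, gamma=0.1, rho=0.01, n=100_000, i0=100,
             days=400, dt=0.1):
    """Euler-integrate a constructed SIR model with patching and return the
    infected-host curve sampled once per day as (day, infected) pairs.
    p1: daily fraction of susceptible hosts patched (S -> R), assumption
    p2: daily fraction of infected hosts patched (I -> R), assumption
    rho: daily fraction of recovered hosts that become susceptible again
         (the re-infection path that allows a later outbreak), assumption"""
    s, i, r = float(n - i0), float(i0), 0.0
    series = []
    per_day = int(round(1.0 / dt))
    for k in range(int(days / dt) + 1):
        if k % per_day == 0:
            series.append((k * dt, i))
        new_inf = beta * s * i / n                   # contacts turning S into I
        ds = -new_inf - p1 * s + rho * r             # patching S, immunity loss
        di = new_inf - (gamma + p2) * i              # recovery and patching of I
        dr = gamma * i + p1 * s + p2 * i - rho * r
        s, i, r = s + ds * dt, i + di * dt, r + dr * dt
    return series


def first_outbreak(series):
    """Highest point of the infected curve (the first outbreak's peak)."""
    day, infected = max(series, key=lambda pt: pt[1])
    return Outbreak(day, infected)


def one_at_a_time(base_p1=0.15, base_p2=0.15, levels=(0.13, 0.10)):
    """Reduce p1 and p2 one at a time, holding the other at its base value,
    and report each run's peak day and peak size relative to the base run."""
    base = first_outbreak(simulate(base_p1, base_p2))
    result = {"base": (base.peak_day, 1.0)}
    for lvl in levels:
        o = first_outbreak(simulate(lvl, base_p2))
        result[f"p1={lvl:.2f}"] = (o.peak_day, o.peak_infected / base.peak_infected)
        o = first_outbreak(simulate(base_p1, lvl))
        result[f"p2={lvl:.2f}"] = (o.peak_day, o.peak_infected / base.peak_infected)
    return result


if __name__ == "__main__":
    for run, (day, ratio) in one_at_a_time().items():
        print(f"{run:10s} peak day {day:5.1f}  peak size {ratio:.2f} x base")
```

The ratios play the role of the "1.6 times" and "1.2 times" figures quoted above; with different assumed rates the numbers differ, but lowering either patch proportion always raises the first peak.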
Chapter 5. Conclusion and Future Research

The rapid advance of Internet and host technology has given society a more convenient and efficient way to coordinate online resources. However, it has also brought us a more severe threat, the BotNet. Therefore, defenders need a more efficient and effective way to defend against BotNets. With this in mind, in this research, based on the SIR model and the analogies of defense strategies between biological diseases and BotNet, we proposed two models that take defense strategies into account. We conducted numerical analysis to understand the strengths and weaknesses of these strategies so as to help defenders choose and deploy them more efficiently and effectively.

With appropriate parameter inferences, we first simulated BotNet propagation in the original system, in which no specific defense strategy is implemented. The simulation results show that 1) in the latter period of the propagation, the number of recovered hosts is relatively larger than the numbers of susceptible and infected hosts. This reflects the same phenomenon as other Internet threats: in the latter period of the propagation, most users have recovered their hosts from infection. 2) In the latter period of the propagation, there might be a period in which both the number of
susceptible and infected hosts approach a steady state and are relatively much smaller than the number of recovered hosts. 3) We found that there is more than one outbreak during the propagation, since events such as re-infection are likely. The results also show that the first BotNet outbreak plays a key role in the propagation of BotNet, since, compared with the others, it is the most severe. Although the results might have some bias since the parameters are estimated, the simulation results of the original system give reasonable explanations of BotNet propagation. Therefore, we think the model's forecast of the trends of BotNet propagation is worth referencing.

With this confidence, based on the simulation of the original system, we deduced the parameters for the simulation of the barrier precaution strategies. The simulation results show that among the three barrier precaution strategies (strong, good, weak), the strong barrier precaution strategy performs best in reducing the volume of outbreaks and the volume of the steady state. Therefore, we suggest that defenders consider using the strong barrier precaution strategy rather than the good or weak barrier precaution strategies while combating BotNet.
We then simulated the propagation of BotNet with the patching strategy implemented. The simulation results show that, compared with the original system, the patching strategy not only delays the occurrence time of outbreaks but also decreases their volumes. Moreover, when the number of infected hosts approaches the steady state, this strategy successfully decreases that volume as well. Therefore, in this simulation, we found that the patching strategy has excellent performance in combating BotNet.

After obtaining the simulation results of both strategies (the patching strategy and the strong barrier precaution strategy), we discussed which strategy performs better. Before any comparison, comparison criteria are needed. Hence, we controlled both strategies' impacts on susceptible hosts to be equal, since these two strategies both have impacts on susceptible hosts. The simulation results show that the patching system decreases the volume of the outbreaks more than the strong barrier precaution system. The simulation also demonstrates that the patching system has a later occurrence time of outbreaks than the strong barrier precaution system. Further, we also found that the patching system decreased the volume of the steady state more than the strong barrier precaution system. Therefore, we suggest that defenders use the patching strategy rather than the strong barrier precaution strategy while defending against BotNet.
With the understanding that the patching strategy performs better than the strong barrier precaution strategy, we performed simulations to see how different implementation days affect the performance of the patching strategy. We chose two days before and after the occurrence of the highest volume of the first outbreak in the original system (day 35) respectively to implement the patching strategy. The simulation results show that for implementation before day 35, the earlier the implementation day, 1) the better the performance of the patching strategy, and 2) the earlier the number of infected hosts approaches the steady state. The results also show that for implementation after day 35, the number of infected hosts exhibits the same behavior as for implementations before day 35. Although implementation after day 35 can still impact the number of infected hosts, the impact is not as significant as implementation before day 35. Therefore, we suggest that defenders should implement the patching strategy as soon as they can to get the maximum effectiveness of this strategy.

In reality, due to limited resources, defenders may need to find an optimal way to implement patching. Thus, we asked which gets the better performance: patching susceptible hosts or patching infected hosts? Simple analyses were conducted to investigate this question. By reducing the proportions of patched susceptible hosts and patched infected hosts by equal amounts respectively, the results show that the impact of patching infected hosts is
more effective than patching susceptible hosts. Moreover, the results also show that the differences between the first outbreaks when the proportion of patched infected hosts is reduced to 13% and 10% are more significant than the differences when the proportion of patched susceptible hosts is reduced to 13% and 10%. Therefore, we suggest that before implementing, defenders should conduct research to find the most infectious departments or units under their jurisdiction so as to get the maximum effectiveness of this strategy.

We anticipate that our research will be a starting point for more sophisticated modeling and analysis of the effectiveness of defense strategies against BotNet. In the following, we provide directions for future research in this area: 1) Hybrid defense strategies. In our research, we studied only the impact of implementing a single strategy. However, in reality, multiple strategies could be implemented simultaneously. Therefore, a hybrid defense strategy is a possible direction for future research. 2) Cost consideration in strategy implementation. In our research, we studied only the performance of the defense strategies. However, the implementation cost of each defense strategy should be considered in the model. This can help defenders find optimal solutions from an economic perspective. 3) Real data collection. In our research, all parameters are estimated with reasonable consideration. However, we feel it is important to collect data