The Growing Model of Bot nets
XuefengLi
School of Computer Science and Technology
Tsinghua University
Beijing, 100084,China
lixuefeng05@mails.tsinghua.edu.cn
Abstac-Nowadays Botnets have been identifed as one of the
most serious threats to network security, especially the peer-to
peer (P2P)based Botnets. Security experts destroy the botnets by
target-attacking the weaknesses of high degree nodes or high
betweens edges of the botnets. To make this work, the security
experts need to know the features of the topology of botnets.
But, topics such as how botnets' topology is formed and what the
features of botnets' topology are are rarely studied up to now.
Inspired by the method of complex network, we propose the
growing model of botnets to try to resolve these questions. As
far as we know, the growing model of Botnets has not been
studied. Here, we focuse on the network metrics of Botnets,
present a growing model of Botnets and discusse the
performance of Botnets when their topology construction
parameters change.
I. INTRODUCTION
The attackers obtain the illegal benefts by commanding
the Bots to send Spam mails, get inforation such as license
keys or banking data on compromised machines, or launch
distibuted denial-of-service (DDoS) attacks against abita
targets. Recent developments show that botnets are not only
harmfl to companies ad consumers but ae also involved in
politically motivated activities. Lagely organized DDoS
attacks conducted by botnets in 2007 and 2008 cut of major
Goverent sites in Easter Europe fom the rest of te
Interet. This shows how the vast number of remotely
contolled machines has the potential to be used as a powerfl
weapon in a cyberwar rather than just being an annoying
phenomenon afecting only some individuals[I].
In paricular, the P2P-botnets have better survivability
and more powerfl fnctions [2,3] and ae the biggest threat to
the Interet. The storm-botnets was recorded to the world' s
biggest botnets[4]. During the peak of activity of the botnets,
up to 1.4 millions computers ca be infected and activived.
And it can infect and re-infect 900,000 of computers per
month. The other P2P-botnets have a simila scale and power,
which pose a big challenge to detection and defense. The
storm-botnets are estimated to have a size fom 20,000 to 5
million[3,4,5].
978-1-4244-6878-2/10/$26.00 2010 IEEE 414
Haixin Duan, Wu Liu, Jianping Wu
School of Computer Science and Technology
Tsinghua University
Beijing, 100084,China
{dxh, liuwu, jpwu}@ceret.edu.cn
Up to now, the reaches about botnets can be divided into
two major aspects. The main aspect is detecting the botnets
through the chaacters of botnets, such as fow characters[6],
behavior characters[7], and data packets chaacters[8]. These
detecting stategies are similar to the anti-virus sofware, so
they couldn' t detect the botets which have metamorhose
techniques, such as the storm-botnets, let alone the unknown
and the fture botnets.The storm-botnets can metamorphose
into multiple types during a hour, so to detect it entirely is
ver difcult.
The other aspect is detecting and defending against the
botnets through the theor of the vulnerability of complex
network by regading the botnets as an example of the
complex network. These studies focus on the inner rules of
botnets (topology characters), so they are more efective on
the unknown and fture botnets. To make this work, security
experts need to know the features of the topolog of botnets.
But in those studies, most of te experts just copy the method
of complex network and do not notice the chaacters of
botnets. We need answer these questions of how is the botnets
topology formed ad what are the features of the botnets
topolog frstly. Inspired by the growing models of complex
network, we propose the growing model of botnets and t to
answer these questions. We focus on the network metrics of
the botnets, present a growing model and discuss te
perforances of botnets when its topology constuction
paaeters changed.
This paper intoduces the method of complex network to
study the botnets(aim to the P2P-botnets) systematically.
Through te familia constuction mechanisms of botnets[9],
we analyze the mechanisms of botnets in the wild and in te
fture proposed by the security experts. We select the most
popular constuction mechanism of botnets: generation
mechanism model. Through the growing model of this kind
botnets, we discovered some inner topological chaacters of
botnets. Using our results, the security experts can propose te
efective scheme to detect, defend, evaluate and measure the
botnets.
As far as we know, the gowing model of botnets was
frst studied by us. In this paper, we make the following
contibutions:
The constuction mechanisms of the botnets in the
wild and in the fture.
The growing model of the botets wit the generation
constuction mechanism.
The performances of the botnets with the generation
constuction mechanism.
The rest of this paper is organized as followed. Section
II provides the related work. Section III describes our former
works about the construction mechanisms of botnets. Section
IV proposes the growing model of the botnets with the
generation construction mechanism in detail, ad obtains te
result of the botnets which have the power-law of degree
distibution by the mathematic testifing. Section V gives te
simulation results of the gowing model of the botnets. We
conclude the paper and discuss the fture works in Section VI.
II. RELATED WORK
Usually, the complex relations of the objects in the world
a described as te network, and the nodes of the network
denote the objects itself ad te edges of the network present
the relations of the objects. In the 1960s, Watts and Storgatz
proposed the small-world model, and Baabasi and Albert
gave the BA model which changed the cognition about te
complex network and introduced the new direction of te
complex networks studies. The WS-model gives the small
world characters of short average distance and lage clustering
coefciency. BA model gives the power law of the degee
distibutions of gowing network. As the example of complex
network, botnets' growing model includes the topology,
propagation mechanisms, construction mechanisms and te
performace. In order to understand the growing model of
botnets, we intoduce the related works in the following.
A. The topolog and performance of bot nets
In the majority of networks, a network' s fnction is
determined in a geat pat by the network' s topology. And
botnets are no exception. The initiator botnets has the sta
topology with the central control mechanism such as IRC
botnets, and the present botnets have the complex topology
with the distibute control mechanisms such as P2P-botnets.
The latter have more complex fnctions and are more
survivable, which makes it more difcult to detect and defend
against them. There ae various kinds of topology of botnets
and diferent opinions with regard to the classifing of the
topologies. Here we intoduce three methods of classifing,
ad elaborate the advantages and disadvantages of each of
them.
The frst one: classifcation based on the structure of
topology. In this kind of classifing, botnets ae classed into
four types: central topolog, distributed and unstructured
topology, distibuted and stctured topology, and hybrid
topology. The disadvantages of the structured topology of
415
botnets ae: the mismatch of Overlay between the gound
physical networks; the mismatch between responsibility ad
ability; the lage spending to maintain the structure. The
advantage is: they are more efective to route and have better
scalability.
The disadvantages of unstructured botnets are: the node
location is had to fnd; mismatch between gound physical
networks; node degree is not diferent, which could lead to a
bottleneck; the fooding distibuted to the command can make
many redundant messages to lead to the exposure of the node
of botnets.
The second one: classifcation based on the chaacters of
topology. David et al. in the paper[lO] classifed networks into
three types: small-world network, random network and scale
fee network. The small-world network of botnets has a small
diameter and high clustering, so it is ver efective in message
distibution fnctions. Random network of botnets has a good
robust when facing attacks. Te scale-fee network of botnets
is more robust when facing radom attacks, but is wea when
facing target attacks.
The third one: classifcation based the diferent
reliabilities of P2P botnets on curently existent P2P networks.
In the reference[11], Wang and others divide the stcture of
P2P networks into three categories: parasite, leeching and bot
only. Among them, parasite botnets have the following
advantages: they totally make use of curently existent P2P
networks so they have good camoufage chaacteristics; they
mainly have open codes so they are convenient to design ad
develop; they ae easy to mainain and they have good
perforance. Their disadvantages ae: their fexibility ae not
good because they use the existed P2P protocols; they rely
much on the fnction of paasite P2P networks. The leeching
networks have the similar advantages as the paasite ones.
Besides, they can develop other botnets tat satisf te
performance requirements of botnets of the contollers. These
two kinds of networks also have similar disadvantages.
Finally, the advantages of bot-only botnets are: the required
fnctions can be subtly realized; they have better operabilit;
technologies such as upgrading, tansformation and rootkit can
be better used. And their disadvantages are: their design and
development ae ver complicated; the maintenance of te
networks is quite costly; they can easily be inspected.
The fnction of botnets is closely related to their topology.
Security reseachers agree that the fnction of botnets has at
least three attibutes: capability, efciency ad survivabilit.
1) Capability, which is to say the capability of botnets in
accomplishing tasks is usually depicted by the scale of te
botnets. In [10], David and others propose to depict te
capability with giant-component online index taking into
consideration the dynamics of network nodes and te
networks' time zone efect. 2) Efciency. The efciency of
botnets is the time botnets need to upgrade and send orders.
Efciency is crucial to botets since sending orders and
upgrading in the shortest time when they face attacks or te
bot programs ae killed by virus killers is signifcant to te
botnets' completing missions. This attribute is mainly depicted
by botnets' mass index and network diameter. 3)
Survivability. We discuss curent survival technologies of
botnets and fture botnets structures with survival
technologies afer caring out a systematic research in [12].
The longer botnets' lifecycle, the worse the damage they ca
cause (and the higher the efciency of them for te
contollers). Therefore, botnets' survivability will be a major
fnction considered by fture developers and protectors of
botnets.
B. The propagation models of botets
Botnets ae malicious networks. The measurement of the
paameters of the existent botets is a big challenge. Security
reseachers hope they can assess and predict the paeters
during the spreading process and the lifecycle of the botnets.
The research of botnets' theor models can help researchers to
do this. At the moment, researchers have made much progess
in this feld. In the reference [22], Dagon and others
constcted spreading models of botnets which were inherited
fom the spreading models of net wors. Since the spreading
of botnets is contolled ad sub-network address ae
prioritized in the selection of spreading tagets, ad taking into
consideration that the computers are non-sensitive afer being
ted of and there' s a aea-preference factor in the spreading
process, the authors provide a botnets spreading model based
on time zones. Compaed with data of actual botnets, te
models have better precision. In the reference [23], Elizabet
and other reseachers analyzed and simulated the infuence of
all paameters on the scale ad vulnerability of botnets with
the help of stochastic activit networks (SAN) created by
Mobius sofware and through simulation analysis of P2P
botnets by this net models. By chaging the input paeters,
this model can refect some statistic chaacters of diferent
categories of botnets.
III. THE CONS1RUCTION MECHANISMS OF BOTNETS
Network performances such as network efciency and
survivability depend to a large extent on its topolog.
Reseach of the gowth model of botnets is ver valuable, for
the gowth model daws the botnets' s property features'
changing process duing its growing. When we get a sample
of botnets, we could get to know its topology through te
growth model and ofer theoretic support to the study and
establishment of the testing ad defending plan of the botnets.
The spreading of botnets is conducted actively: Remote
systems are automatically attacked and exploited, mails ae
sent to tick the reader into opening malicious programs or
web pages which actively exploit the visiting computer. Te
new infected hosts need to join the botnet by joining
mechanisms like web cache, bootstap ad nodes list. And the
topology of botnets is fored by its constuction mechanisms.
Current topologies of botnets ae no longer center-contol
type, but distibuted types of P2P network with the DHT
constucted topology, the non-constucted topology and
hybrid topology.
We studied and analyzed the constuction mechaism of
botnets in [9]. The botnets construction mechanisms are te
key factors to form the topology of it. So we can see that the
growing model of the botnets is decided by the construction
mechanisms. Not the same as the complicated nature network,
such as web networks, paper citing networks and social
416
networks , the botnets ae much more contollable. The
botnets' s performace and growing model can only be
determined afer their constction mechanisms have been
confIrmed during their design process.
From the defnition of botnets constuction mechanism, it
is constructed by 4 units (the bot propagating mechanism, the
bot joining mechanism, the botnets' s topology constuction
mechanism and the perforance of botnets). In [9], it
foration describes the botnets construction mechanism. A
botnet constuction mechanism can be used by four tuples for
presentation:
Botnets constuction Mechanism : : =<P, J, C, T >,
the tuples ae described in detail as:
p c Pr where Prop is the set which includes all
viable bots propagating mechanisms, and P is the subset of
Prop used in botnets construction mechanism;
J
c
J
1
where Join is the set which includes all
viable bots joining mechanisms, and J is the subset of Join
used in botnets constuction mechanism;
C
c
C
"0J1
where Construction is the set which
includes all viable bots Topology Construction mechanisms,
and C is the subset of Construction used in botnets
constuction mechanism;
log Y, where Topology is the set includes
all viable topologies, and T is the subset of Topology which is
constucted in botnets construction mechanism.
TABLE I THE CONSTRUCTION MECHNISM OF BOTNETS
botnets bot bot joining botnets's the
propagating mechanism topology performance
mechanism construction of bot nets
mechanism
Siapper ( Vulnerabilit feedack bot list Bot
2002) [13)
eloit transor connecvit
fat,
efciec
Low
SurvvabUt
Sinit (2003) Browser randm randm scan Low
(14) Eloi scan efciec,
good hidng
Phatbot ( Vulnerabilit Bae on WASTE efciec,
2004) (2)
eloit WASTE strong survve
Nugacbe ( eail ecL Hard-coded Bot lit Inidal lit,
2003) (15)
mothod bot lit efciec
Storm (2007 eail Bot l Overnet efciec,
) [1,3.4,5)
stong
Survvabiit
SUPER- Vulnerabilit Popagadng Geedc Low
BOTNETS(17) eloit ec. feedack mechanism efcec ,
stong
SurvvabUt
HONEYPOT- VulnerabUt Popagadng Geedc Low
AWAY eloit ec. feedack mechanism efciec ,
BOTNETS(18)
stong
Survvabiit
HYBRI Vulnerabiit Popagadng Genedc efcec, ,
BOTNETS(16) eloit ec. feedack mechanism stong
Survvabilit
In the gowing model of botnets, te propagation
mechanisms determined the gowing rate. The gowth rate of
botnets was researched by Dagon in the time-zones
model[22]. But the botnets' topology is decided by their
topology constuction mechanisms mainly. In order to focus
on the botnets topological reseach, we do not consider te
botnets' propagation mechanisms and nodes joining
mechanisms, but only take into consideration the botnets' s
topology construction mechaisms. The Botnets' topolog
constction strategies mainly include: random scanning;
manual intervention; genetic mechanism; paasitic in benign
system.
In this paper, we just choose te genetic mechanism as the
topology constuction mechanism to reseach for the reason of
it has the following advantages: frst, the genetic mechanism
needn't to bootstap the process; second, the genetic
mechanism applies to the most propagation strategies; third,
the genetic mechanism has great fexibility; and the last, the
genetic mechanism is more security. Therefore, the genetic
mechanism as the topology constuction mechanism in a
distibuted botnets will be applied by the fture botnets more
and more. The fture botnets may be like the instances at te
[17, 18,19], which use genetic mechanism or a vaiant for.
Therefore, the reseach on the growing model of botnets with
the genetic mechanism has certain signifcance. In te
following, we will elaborate on the gowing model in details.
IV. THE GROWING MODEL OF BOTNETS WITH GENETIC
MCHANISM
The constuction procedure of genetic mechanism as the
following: Step 1, each node has a fxed list of neighbors, afer
the host A infected the host B, then it send its neighbor lists to
B and replaced a node in the list of A with B. Step 2, if host A
infected the host B which was infected before, them exchange
pa nodes in each list. Because the probability of re-infected
events is ver small[24], so we ignore the factor in our
mathematics model. But this step is the one method of
improving to the performances of botnets which discussed te
back of this paper. Under thees presuppositions, we describe
the growing model of the botnets with the genetic mechanism
as following:
Suppose the number of vulnerable hosts is N, the initial
b f b
= m
A .
th
.
f ghb num er 0 otnets IS , m IS e SIZe 0 nel ors
list. The m+ 1 hosts connected each other and formed a
complete graph, so each node have m neighbors. Suppose te
number of new infected host in the time step t is
A(J)
. For
the simply, we think the
A(J)
has a proportion to the total
number n(t) of botnets at te time t, and the proportion
coefcient record as r. The number of the frst infected hosts
is
, and the total number of botnets changed to
(A
)
; the number of the second infected hosts is
(A
)
th
1
b f b
(A)
th
o
, e tota num er 0 otnets IS m IS
time, ... , the number of infected hosts in the time step i is
417
(A)
,
'
(A)
,
and the total number of botnets is
0
,
now.
Suppose the number of the infected hosts in the time step i
in the neighbors list of all nodes is
D(J,1)
afer the time step
t, this number also fgure out te total in-degee of the botnets.
So, in the initial botnets, the total number in-degee of te
. ..
1
d
D( ,)= m
Whl th
.
. d th mltia no es IS . 1 e e new mlecte e
host which joins the botnets, and it replaces its old neighbor.
Here the in-degee total number of the t-nd infected hosts is:
D(J,J)= A =
(A)
'
(
1
)
For the reason that new infected hosts in the time step t
connect to the m old nodes individually, afer the time step t,
the in-degee number added is
mD(J,J)
. The probability of
connection to the old nodes has the ratio
(J,1)
, so the
number of the infected hosts in the time step i in the neighbors
list of all nodes
D(J,1)
is:
J,1)
=
JJ,1) , J,1)mU
,J
) JJ,1)QJ,1)
(2)
Where,
(
,
)=
(J - J,
1)
J,(
1-1
D(J-J,)
and,
j=O
,
(
t=I, ... ; i=O, ... , t-1) (3)
Q(
,
)=
D ( J J)
J,(
'
D(J-J,)
j=O
,
(
t=I, ... ; i=O, ... , t-l (4)
and,
D( ,)= m
(5)
D( 1,1)= A
,
=
(A )
'
1: 0)
(6)
With the formulae upside, we obtain:
1-1
D(JA,1)=
(A
)1-1
i=O
m
(
7)
By the (2),(3),(4),(5),(6),(7)
And
D(1,1)= A
,
=
(A)
'
1: 0)
We obtain:
D(
,
)
(A
_
)D(JA, 1)
J,(
m
=
(A )
'
(A_
!..
)
I
-i
m
(
8)
For the number of the i-nd time step infected host
(A)
'
. .
IS 0 , so theIr average m-degree IS:
d(J,1)= (A_
!.
y-i
m
(9)
Think about the distibution
P
J
(
I
,
i
)
of
d
(J,1)
,
we have:
(A
)'
=
(A rf
(
l-i
)
J
(10)
At last, we obtain the average in-degee distibution of
double logaithmic as:
1nr
In(A )
1nP
J
(
I
,
i
)
=
In(A )
1n
d
(J, 1)
In(A-)
m
( 11
P- .
While
d(I,I)
is the cumulate-distribution, the in-degree
distibution of genetic mechanism of botnets is power-law
distibution.
V. THE SIMULATION
We now examine the analytical results on the growing
model of botnets with genetic constuction mechanism. In our
simulations, we change the number of bots (i.e., N) fom 1000
to 30,000, and change the growth rate (i.e., r) fom O.oI to 3.
We then study the metrics of Botnets (such as: the in-degree
distibution, the shortest distance and the clustering
coeffcient) while its topology constction paameters
changed through simulations.
A. The in-degee distribution of the botnet
Figure 1 gives the comparison between our model and the
simulation, in which the tail of simulation curve has an ofset
since the m+ 1 initial nodes ae connected by a large number of
infected hosts. Since the initial nodes have high in-degee, te
botnets can be destoyed by target attacks.
418
Figure 1. The in-degree distribution of the botnet
B. The shotest distance of the botnet
The average shortest distance is the importat statistic
feature of complex networks. The average shortest distance
1
between ever two nodes in the network d is called the
average shortest distance, or the diameter of network. The
feature of small-world networks is: if the average degee is
fxed, the average shortest distance increases with the
logaithmic of the size of botnets or slower. Networks that
have this feature ae called small-world networks.
For the genetic mechanism of the botnets is formed in
the T time step, the shortest distance between the two random
nodes is not larger than 2T. So 2T is the network' s biggest
diameter. Easy to prove that te size of botnet N related to te
time step T has the relation as:
N
=
(A )
T . While the N
goes to unlimited, we ca get
T = In N / In(A )
.
1
Obviously, we have d <2T. Obviously, botnets that ae
constucted with the genetic mechanism has the feature of
small-world networks. Take into consideration the relation
between the shortest distance and the increase ratio r: when
the shortest distance increases while the N increases. Figure 2
describes the relation between them.
5
o L-
o 0.2 0.4 0.6 0.8 1.2 1.4 1.6 1.8
Figure 2. The shortest distace of the botnet
C The clustering coefcient of the botnet
Clustering coefcient is a statistic metric that describes the
clustering features of networks. Curently, there are various
defmitions of clustering coeffcient and here we use the Watts'
d f
. .
T N d
.
'f' d
.
k
d h
k
e mitlOn. 0 0 e I , I Its egree IS
I
, an t e ' amount
of neighbor-nodes have
E
;
edges , then the clustering
c=
2E
;
coefcient of node i is defmed as :
I
k
;
(
k
;
-1)
, and the
clustering coefcient C of the whole network with N nodes is:
1 N
C=-IC;
N
;=1
. Trough genetic mechanism growth model
simulation, we got the relationship between nodes amount ad
clustering coefcient below, see fgure 3:
0.5
0.45
0.4
0.35
0.3
o 0.25
0.2
..
0.15
0.1
,
0.05
o
o 0.5
N=5000
-N=10000
N=20000
-N=30000
1.5 2.5
Figure 3. The clustering coefcient of the botnet
We can see that, by a simple genetic mechanism to
constuct the botnets topolog, the performance is not
guaranteed. So if you need to use this method to constuct a
botnet, some other mechanisms are needed to add to the
procedure in order to increase the balance of the network
connection.
VI. CONCLUSION
In this paper, we study the growing model of the botnet
with the genetic mechanism ad evaluate the correctness of it
through simulations. We obtain the metrics of the topolog
which var fom the coefcients of the botnets construction
mechanism change. For the genetic mechanism, we can only
discover the simple inherited mechaism by simulation, ad
the performances of the topology constucted in this way ae
not good. So we need add some other mechanisms to improve
the basic mechanism.
REFERENCES
[I] F. Leder, T. Werer, and P. Martini. Proactive Botnets
Counteneasures-An Ofensive Approach. In Cooperative Cyber
Defence Centre of Excellence Tallinn, Estonia, March 2009
419
[2] J Stewart, "Phatbot Trojan Analysis",
http://www.secureworks. comlresearchlthreatslphatbotl. March IS, 2004
[3] S Gaudin. Ston Won Botnets More Powerfl Than Top
Supercomputers.
http://www.infonationweek. comlnews/interetishowArticle.html?arti
c1eID=201804S28
[4] K. 1. Higgins. The world's biggest botnets.www.darkreading.com.
November 9, 2007
[S] R. Lemos. How 'ston won' wreaked havoc with malwaredefenses.
www.symantec.com. Mach 6, 2007
[6] C Hyunsaq, et al. Botnets Detection by Monitoring Group Activities
in DNS Trafc. Computer ad Infonation Technology, 2007. CIT
2007.
[7] YL Xie, et al. Spamming Botnets: Signatures and Characteristics. In
ACM Sigcomm, 2008
[8] G Gu, et al. BotMiner: Clustering Analysis of Network Trafc for
Protocol- and Structure-Independent Botnets Detection. In USENIX
Security Symposium, July 2008
[9] X. Li, HX. Duan,W.Liu JP.Wu, "Understading the Construction
Mechanism of Botnets," uie-atc, pp.508-S12, Symposia ad Workshops
on Ubiquitous, Autonomic and Trusted Computing, 2009
[10] D. Dagon, G. Gu, C. Lee, ad W. Lee. A Taonomy of Botnets
Structures. In Annual Computer Security Applications Conference
(ACSAC), 2007
[II] P Wang, Lei Wu, Baber Aslam, Clif C. Zou, "A Systematic Study on
Peer-to-Peer Botnets," ieccn, pp.I-8, 2009 Proceedings of 18th
Interational Conference on Computer Communications and Networks,
2009
[12] X. Li, HX. Dua, JP.Wu," Research on the Botnets Survivability", the
6th China Conference on Infonnation and Communications
Security(CCICS2009)
[13] http://www.symantec.comlavcenter/reference/analysis.slapper. won.pd
f
[14] Stewart J, Sinit P2P Trojan Analysis"
http://www.secureworks. comlresearchlthreatslsinitl. December 8, 2003
[IS] Stewart J, SpamTbru Trojan Analysis",
http://www.secureworks. comlresearchithreatsiSpamThru. October 18,
2006
[16] Mary Landesman,
http://ativirus.about.comlod/virusdescriptions/p/nugache.htm
[17] P Wang, S Sparks, CC Zou. An advaced hybrid peer-to-peer botnets.
In: Proc. of the 1st Workshop on Hot Topics in Understanding Botnets
(HotBots 2007). 2007
[18] R Vogt, J Aycock, M Jacobson. Any of bot nets. In: Proc. of the 14th
Annual Network & Distributed System Security Conf(NDSS). 2007.
[19] CC Zou, ad Cunningha R. "Honeypot-aware advanced botnets
construction and maintenance," in Proceedings of Interational
Conference on Dependable Systems and Networks (DSN), June 2006
[20] Z Chen, Chao Chen, Qian Wang, "Delay-Tolerant Botnets," ieccn,
pp.l-6, 2009 Proceedings of 18th Interational Conference on
Computer Communications ad Networks, 2009
[21] G. Stamberger, C. Kruegel, and E. Kirda, "Overbot - a botnets protocol
based on kademlia," in Proc. of the 4th Int. Conf. on Security and
Privacy in Communicaion Networks (SecureComm '08), September
2008
[22] D Daon, CC Zou, W Lee. Modeling botnets propagation using time
zones. In: Proc. of the 13th Annual Network and Distributed System
Security Symp. (NDSS 2006). 2006.
http://www. isoc.orgiisoc/conferences/ndssl06/proceedings/papers/mode
ling_ botnets _ propagation. pdf.
[23] E. Ruitenbeek ad W. Saders. Modeling peer-to-peer botnets. In
Proceedings of the Sth Interational Conference on Quatitative
Evaluation of Systems (QEST '08), pages 307-316, September 2008.
[24] P Wang, S Sparks, CC Zou. An advaced hybrid peer-to-peer botnets.
In: Proc. of the 1st Workshop on Hot Topics in Understanding Botnets
(HotBots 2007). 2007.
