Collaborative Research: CT-ISG: Modeling and Measuring Botnets

合作研究：CT-ISG：僵尸网络建模和测量

• 批准号: 0627477
• 负责人: Wenke Lee
• 金额: $ 17.5万
• 依托单位: Georgia Tech Research Corporation
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2006
• 资助国家: 美国
• 起止时间: 2006-09-01 至 2009-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0627477&HistoricalAwards=false
• 关键词: Collaborative; Research; CT; ISG; Modeling

"A botnet is a network of compromised computers, or bots, commandeered by an adversarial botmaster. Botnets are responsible for many attacks, including spam, phishing, key logging, and denial of service. This project aims to develop techniques to model and measure botnet propagation and on-line population dynamics. Knowing the trend, size, and locations of the population of a botnet can help estimate the potential threat of a botnet, and select and prioritize the appropriate response actions.Although Internet worms are often used to create botnets, there is fundamental difference between them. Worms are typically designed to infect as many machines as possible, and are in general "noisy" and easily detected (and thus removed); whereas botnets are designed to evade detection, and control and make use of the compromised machines for as long as possible. The existing worm models focus on the initial/short propagation phase of a worm. But a good botnet model needs to track the dynamics of botnet online population in the long run.This project has three main tasks. The first is to develop diurnal models to track the grow-and-decline trend of botnet on-line population using factors such as time zones and distribution of vulnerable systems. The second is to develop sampling and measurement approaches including capture-and-recapture and DNS cache snooping to estimate the total population of a botnet. The third is to develop measures for threat assessment, e.g., its aggregated bandwidth and resilience to response, based on the system, location and topology information of the bots."

“僵尸网络是由敌对的僵尸主机控制的受感染计算机或机器人组成的网络。僵尸网络负责许多攻击，包括垃圾邮件、网络钓鱼、密钥记录和拒绝服务。这个项目的目的是开发技术来模拟和测量僵尸网络的传播和在线人口动态。了解僵尸网络人口的趋势、规模和位置可以帮助估计僵尸网络的潜在威胁，并选择适当的响应行动并确定优先级。虽然互联网蠕虫经常被用来创建僵尸网络，但它们之间有根本的区别。蠕虫通常被设计成感染尽可能多的机器，通常是“嘈杂的”，很容易被发现（因此被清除）；而僵尸网络的设计目的是逃避检测，并尽可能长时间地控制和利用受感染的机器。现有的蠕虫模型关注的是蠕虫的初始/短传播阶段。但是一个好的僵尸网络模型需要长期跟踪僵尸网络在线人口的动态。这个项目有三个主要任务。首先，利用时区和易受攻击系统分布等因素，建立僵尸网络在线人口增长和下降趋势的日模型。第二是开发采样和测量方法，包括捕获和重新捕获和DNS缓存窥探，以估计僵尸网络的总数。第三是制定威胁评估措施，例如，基于机器人的系统、位置和拓扑信息，其聚合带宽和响应弹性。”