Empirical Evidence for Non-equilibrium Behaviors within Peer-to-Peer Structured Botnets

Abstract

Although we have become adept at taking-down individual botnets, the global botnet threat has remained largely unabated, particularly if one considers the more recent generation of peer-to-peer (P2P) structured botnets. A potential formal explanation for this dichotomy is that P2P botnets simply fail to behave as statistically equilibrium systems, (i.e., as systems possessing singular statistical steady-states). Equilibrium assumptions have been commonly applied in the construction of botnet defenses, but these assumption have gone untested. This work shows empirically via standard Monte Carlo packet-level simulations that well studied Kademlia P2P botnet protocol can easily produce both statistically non-stationary and non-ergodic behaviors once the Internet routing processes are modeled. Moreover, it is shown that by re-tuning a botnet's run-time parameters a botmaster can make the botnet behave as a non-stationary process from the defender's perspective. More formally, this work provides empirical evidence that network level botnet detection features need not be measure invariant as has generally been presupposed.