{"title":"A Framework for Understanding Botnets","authors":"Justin Leonard, Shouhuai Xu, R. Sandhu","doi":"10.1109/ARES.2009.65","DOIUrl":null,"url":null,"abstract":"Botnets have become a severe threat to the cyberspace. However, existing studies are typically conducted in an ad hoc fashion, by demonstrating specific analysis on captured bot programs or bot communication mechanisms so as to suggest means to counter them. Although such studies are important, another perhaps even more important problem that is largely left unaddressed is: How should we build a unified framework that can help us understand botnets in a systematic fashion? In this paper we make a first step towards the goal by presenting a framework, which especially suggests a general architecture that could be coupled with certain advanced techniques that have not been exploited in existing botnets. The framework also suggests a set of attributes that can be used to measure and compare botnets. Moreover, the dynamic nature of botnets (e.g., a victim machine may be powered-off during some time intervals) implies that a botnet, and thus its attributes, are stochastic in nature. This means that a meaningful comparison between botnet attributes should be based on the concept of stochastic order.","PeriodicalId":169468,"journal":{"name":"2009 International Conference on Availability, Reliability and Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2009-03-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"40","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2009 International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ARES.2009.65","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 40
Abstract
Botnets have become a severe threat to the cyberspace. However, existing studies are typically conducted in an ad hoc fashion, by demonstrating specific analysis on captured bot programs or bot communication mechanisms so as to suggest means to counter them. Although such studies are important, another perhaps even more important problem that is largely left unaddressed is: How should we build a unified framework that can help us understand botnets in a systematic fashion? In this paper we make a first step towards the goal by presenting a framework, which especially suggests a general architecture that could be coupled with certain advanced techniques that have not been exploited in existing botnets. The framework also suggests a set of attributes that can be used to measure and compare botnets. Moreover, the dynamic nature of botnets (e.g., a victim machine may be powered-off during some time intervals) implies that a botnet, and thus its attributes, are stochastic in nature. This means that a meaningful comparison between botnet attributes should be based on the concept of stochastic order.