A Taxonomy of Botnet Structures.

ACSAC(2007)

Abstract
We propose a taxonomy of botnet structures, based on their utility to the botmaster. We propose key metrics to measure their utility for various activities (e.g., spam, DDoS). Using the performance metrics, we consider the ability of different response techniques to degrade or disrupt botnets. In particular, our models show that for scale free botnets, targeted responses are particularly effective. Further, botmasters' efforts to improve the robustness of scale free networks come at a cost of diminished transitivity. Botmasters do not appear to have any structural solutions to this problem in scale free networks. We also show that random graph botnets (e.g., those using P2P formations) are highly resistant to both random and targeted responses. We evaluate the impact of responses on different topologies using simulation. We also perform some novel measurements of a P2P network to demonstrate the utility of our proposed metrics. Our analysis shows how botnets may be classified according to structure, and given rank or priority using our proposed metrics. This may help direct responses, and suggests which general remediation strategies are more likely to succeed.

We must therefore consider the structural and organizational potential of botnets. Similar to how previous work detailed key aspects of individual classes of worms (57), this paper provides a taxonomy of botnet organization, and their utility for various malicious activity. We believe that future botnet research will share a common goal of reducing the utility of botnets for botmasters. This raises important questions: How are botnets utilized? What metrics should be used to measure the effectiveness of remediation on such networks? Recent work by Rajab et al. (47) noted the need for the botnet research community to better define metrics. Their study examined problems in estimating botnet populations. This paper argues that other metrics (bandwidth, communications efficiency, robustness) require a similar thoughtful examination.

This paper therefore proposes a taxonomy of botnet topologies, based on the utility of the communication structure and their corresponding metrics. Section 2 details metrics for measuring botnet uses, and describes the structural organization of botnets. In Section 3, we demonstrate how to perform measurement of selected metrics, and analyze experimental response techniques designed to address particular classes of botnets. We note how our work relates to other areas of inquiry in Section 4. Since this area of research is new and rapidly changing, we conclude with suggestions for future work in Section 5.

Our contribution is the following: we identify a small number of likely structural forms for botnets, based on a utilitarian analysis. We propose metrics for measuring a botnet's effectiveness, efficiency, and robustness. Our analysis of models and real world observations suggests that some botnet structures are more resilient than others to different types of remediation efforts. This analysis can guide future inquiry into how to best address the botnet problem.
Keywords
taxonomy,computer viruses,p2p,random graph,scale free network,graph theory,scale free