Research On Modeling For Botnet

Posted on: 2011-04-30
Degree: Master
Type: Thesis
Country: China
Candidate: L M Mi
GTID: 2178360305455157
Subject: Computer application technology

Abstract/Summary:
As a high-level attack evolved from traditional forms of malicious code, the botnet provides a hidden, flexible, and efficient one-to-many command and control mechanism, so it has been widely adopted by attackers and used to steal sensitive information, launch distributed denial of service attacks, send spam, and serve other offensive purposes. In view of the serious threat that botnets pose to Internet users at home and abroad, an in-depth understanding of botnet operation mechanisms and their future development trends is significant to botnet research. Therefore, further research on new botnet models will be a focus of study in the field of botnets for some time to come.

According to their command and control mechanisms, botnets can be divided into centralized botnet models, stochastic botnet models, and P2P-based botnet models. Each of these models inevitably has a variety of disadvantages. After summarizing the advantages and disadvantages of the current botnet models, considering that current botnets are becoming more and more small-scale, decentralized, and professional, and taking full advantage of the strengths of the current models, we propose a new botnet model: a hierarchical botnet model with a "Multiple Tree" structure.

The hierarchical botnet model with "Multiple Tree" structure uses a tree structure, and the nodes in the model are divided into S-Bots and N-Bots. An S-Bot is in charge of running commands from the attackers and forwarding the commands to the lower nodes, while an N-Bot just runs the commands from the S-Bot. As network conditions change, S-Bots and N-Bots may transform into each other under certain conditions. Each S-Bot has a node list, which contains a record of the relevant information of all of the lower N-Bots, such as IP addresses, ports and so on. When S-Bots receive the attacker's command, they actively forward the command to the lower bots according to their own node lists, rather than waiting for connections from N-Bots. In addition, the data transmission direction in the botnet model is one-way and top-down. This makes the attacker safer and the botnet more hidden. The hierarchical botnet model with "Multiple Tree" structure is similar to centralized botnet models, but has better scalability and survivability than the latter: it uses multi-layer, multi-level command and control servers, which split the defenders' attention and give the attacker a single point of focus. In fact, the huge number of command and control servers is the reason for the better survivability of the new model.

Then, we present the construction algorithms for building the network and the communication algorithms for internal communications. The construction algorithm iteratively performs random scanning using SPREAD, which is the degree of the model, and makes the victim hosts members of the botnet, while the communication uses three techniques: symmetric key cryptography, asymmetric key encryption, and personalized listening ports. To keep local information safe, the control lists in S-Bots use symmetric key encryption. There are two ways to distribute the key: first, hard-coding it in the bot code, where it can be used as the default key; second, changing the key through the attacker's command to ensure the security of the botnet's information. The data transmitted between bots uses an asymmetric key encryption mechanism, in which the private key is based on the type of vulnerabilities and the public key is hard-coded in the bot code. When the S-Bots forward the command to the lower bots, they use the private key to encrypt the data, and the bots decrypt the data using the public key that has been encoded in the program code.

Subsequently, we comparatively analyse the botnet models in terms of network topology and model performance. The former covers network connectivity, which includes three aspects (the nature of strength, the nature of asymmetry, and the nature of status), and the logical structure. The latter includes the speed of propagation and the toughness of the model. This comparative analysis demonstrates, in theory, the advantages of the new model along with its applicability and effectiveness.

Analysis and comparison show that the new botnet model still has shortcomings, so we propose an improved hierarchical botnet with "Multiple Tree" structure. In the improved model, we implement the necessary monitor algorithm, so that the model no longer has N-Bots and all of the nodes contain lower zombie computers. Intuitively, the improved botnet model is larger than the pre-improved model at the same height, and the number of bots in the same layer increases in the improved model. In addition, compared with the pre-improved model, S-Bots and N-Bots no longer convert into each other. Each bot in the improved model now contains a node list, rather than only S-Bots having the lists as in the original model. Finally, the improved botnet can grow without limit to a significant scale because of the monitor algorithm.

In the improved hierarchical botnet with "Multiple Tree" structure, the monitor algorithm makes the model self-learning and self-renewing. The botnet can also maintain stability and robustness to a certain degree.

In the subsequent topological and performance analysis, the improved hierarchical botnet with "Multiple Tree" structure shows great progress over the pre-improved model: it has a larger load of bots and a smaller height. Compared to the pre-improved model, the newer model has a faster transfer rate and stronger toughness.

The simulation at the end of this thesis argues that the hierarchical botnet with "Multiple Tree" structure has a medium transfer rate, the optimal stability of transfer rate, and medium toughness, while the improved model has a better transfer rate than the pre-improved model and the best toughness. It is shown that the hierarchical botnet with "Multiple Tree" structure and the improved one have better availability, robustness, and effectiveness than current botnet models.

Keywords/Search Tags: Network Security, Botnet, Network Model, Topology Structure