Comparison of the Mean-Field Approach and Simulation in a Peer-to-Peer Botnet Case Study

Peer-to-peer botnets, as exemplified by the Storm Worm and the spreading phase of Stuxnet, are a relatively new threat to security on the internet: infected computers automatically search for other computers to infect, thus spreading the infection rapidly. In a recent paper, such botnets have been modeled using Stochastic Activity Networks, allowing the use of discrete-event simulation to judge strategies for combating their spread. In the present paper, we develop a mean-field model for analyzing botnet behavior and compare it with simulations obtained from the Moebius tool. We show that the mean-field approach provides accurate and orders-of-magnitude faster computation, thus providing very useful insight into spread characteristics and the effectiveness of countermeasures.
