
    A Probabilistic Analysis of Kademlia Networks

    Kademlia is currently the most widely used searching algorithm in P2P (peer-to-peer) networks. This work studies an essential question about Kademlia from a mathematical perspective: how long does it take to locate a node in the network? To answer it, we introduce a random graph K and study how many steps are needed to locate a given vertex in K using Kademlia's algorithm, which we call the routing time. Two slightly different versions of K are studied. In the first one, vertices of K are labelled with fixed IDs. In the second one, vertices are assumed to have randomly selected IDs. In both cases, we show that the routing time is about c*log(n), where n is the number of nodes in the network and c is an explicitly described constant. Comment: ISAAC 201

    The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet

    Botnets constitute a serious security problem. A lot of effort has been invested towards understanding them better, while developing and learning how to deploy effective counter-measures against them. Their study via various analysis, modelling and experimental methods is an integral part of the development cycle of any such botnet mitigation scheme. It also constitutes a vital part of the process of understanding present threats and predicting future ones. Currently, the most popular of these techniques are “in-the-wild” botnet studies, where researchers interact directly with real-world botnets. This approach is less than ideal, for many reasons that we discuss in this paper, including scientific validity, ethical and legal issues. Consequently, we present an alternative approach employing “in the lab” experiments involving at-scale emulated botnets. We discuss the advantages of such an approach over reverse engineering, analytical modelling, simulation and in-the-wild studies. Moreover, we discuss the requirements that facilities supporting them must have. We then describe an experiment in which we emulated a close to 3000-node, fully-featured version of the Waledac botnet, complete with a reproduced command and control (C&C) infrastructure. By observing the load characteristics and yield (rate of spamming) of such a botnet, we can draw interesting conclusions about its real-world operations and design decisions made by its creators. Furthermore, we conducted experiments where we launched sybil attacks against the botnet. We were able to verify that such an attack is, in the case of Waledac, viable. However, we were able to determine that mounting such an attack is not so simple: high resource consumption can cause havoc and partially neutralise the attack. Finally, we were able to repeat the attack with varying parameters, in an attempt to optimise it. The merits of this experimental approach are underlined by the fact that it is very difficult to obtain these results by employing other methods.

    Analyse et perturbation d'un écosystème de fraude au clic (Analysis and disruption of a click-fraud ecosystem)

    RÉSUMÉ (translated from French) Online advertising has become an important and indispensable economic resource for many online services. However, this market is particularly affected by fraud, and click fraud in particular. In 2015, it was estimated that advertisers worldwide would lose more than seven billion US dollars to ad fraud. Current methods of fighting ad fraud concentrate on detecting malware and dismantling the associated botnets. Although indispensable for limiting the number of infections, these takedowns do not reduce the attractiveness of this fraud. It is therefore also necessary to attack the economic incentive. To do so, we first tried to better understand the click-fraud ecosystem, and then evaluated possible disruptions of this ecosystem aimed at reducing the attractiveness of the fraud. First, we collected network data generated by a click-fraud malware, Boaxxe. These data are HTTP redirection chains that show the links between the various buyers and resellers of an ad, that is, the value chain. The chains start at a doorway search engine operated by fraudsters, pass through several ad networks and end on the site of an advertiser, the one that bought the traffic. Second, we aggregated the collected data into a graph showing the relationships between the various domain names and IP addresses. This graph is then consolidated, using open-source data, by grouping the network nodes belonging to the same actor. The resulting graph is a representation of the Boaxxe click-fraud ecosystem. Third, we evaluated various strategies for disrupting the ecosystem. The goal of the disruption is to prevent the monetization of the traffic generated by Boaxxe, that is, to prevent the traffic from transiting from the search engine to the advertiser's site. The strategy best suited to our problem turns out to be the one using the Keyplayer method. We thus showed that it is possible to protect a large number of advertisers by removing a small number of intermediaries. Finally, we discuss the possibilities for carrying out the disruption operation in practice. We stress that it is important to raise advertisers' awareness of the fraud so that they can take binding measures against the least scrupulous ad networks.

    ABSTRACT Online advertising is a growing market with global revenues of 159.8 billion dollars in 2015. Thus, it is a good target for fraudsters to make money on. In 2015, it is estimated that, globally, advertisers were defrauded of more than seven billion dollars. The security community is concerned by this kind of fraud, known as click fraud, and a lot of research aims to limit it. Current methods are more focused on studying malware binaries and performing botnet take-downs. These operations are useful to limit the propagation of malware and to protect users from known threats. However, they do not have an impact on the economic incentives of perpetrating click fraud. In order to diminish the attractiveness of the fraud, we first tried to better understand the click-fraud ecosystem and then evaluated disruption strategies on this ecosystem. Firstly, we collected network traces generated by a well-known click-fraud malware, Boaxxe. These data are HTTP redirection chains showing the links between all the intermediaries involved in the reselling of an ad. This constitutes the value chain. The redirection chains begin at a doorway search engine, operated by fraudsters, pass through several ad networks and land on the web site of the advertiser that bought the traffic. Secondly, we aggregated the collected data into a single graph. It shows the relationships between the domain names and IP addresses involved in the Boaxxe fraud. We then consolidated this graph by merging all the network nodes operated by a single organization, leveraging information obtained from open sources. Thus, the graph is a representation of the fraud ecosystem. Thirdly, we evaluated disruption strategies on this ecosystem. The aim is to stop the monetization of the traffic generated by Boaxxe. This is equivalent to stopping the traffic going from the doorway search engine to the web sites of the advertisers. Among the strategies tested, the most suitable for our problem was the Keyplayer strategy. We showed that it is possible to protect numerous advertisers from this fraud by disrupting the ecosystem graph. Finally, we discuss how to perform the disruption operation in practice. We focus on increasing the level of awareness of advertisers, who could have a strong position to limit click fraud. One way in which they could do so is by implementing controls to make sure they are not maintaining business relationships with unscrupulous ad networks.

    Analytical Lifecycle Modeling and Threat Analysis of Botnets

    A botnet, which is an overlay network of compromised computers built by cybercriminals known as botmasters, is a new phenomenon that has caused deep concern to the security professionals responsible for governmental, academic, and private sector networks. Botmasters use a plethora of methods to infect network-accessible devices (nodes). The initial malware residing on these nodes then either connects to a central Command & Control (C&C) server or joins a Peer-to-Peer (P2P) botnet. At this point, the nodes can receive the commands of the botmaster and proceed to engage in illicit activities such as Distributed Denial-of-Service (DDoS) attacks and massive e-mail spam campaigns. Being able to reliably estimate the size of a botnet is an important task which allows the adequate deployment of mitigation strategies against the botnet. In this thesis, we develop analytical models that capture the botnet expansion and size evolution behaviors in sufficient detail so as to accomplish this crucial estimation/analysis task. We develop four Continuous-Time Markov Chain (CTMC) botnet models: the first two, SComI and SComF, allow the prediction of initial unhindered botnet expansion in the case of infinite and finite population sizes, respectively. The third model, the SIC model, is a botnet lifecycle model which accounts for all important node stages and allows botnet size estimates as well as evaluation of botnet mitigation strategies such as disinfection of nodes and attacks on the botnet's C&C mechanism. Finally, the fourth model, the SIC-P2P model, is an extension of the SIC model suitable for P2P botnets, allowing fine-grained analysis of mitigation strategies such as index poisoning and sybil attacks. As the convergence of Internet and traditional telecommunication services is underway, the threat of botnets is looming over essential basic communication services. As the last contribution presented in this thesis, we analyze the threat of botnets in 4G cellular wireless networks. We identify the vulnerability of the air interface, i.e. Long Term Evolution (LTE), which allows a successful botnet-launched DDoS attack against it. Through simulation using an LTE simulator, we determine the number of botnet nodes per cell that can significantly degrade the service availability of such cellular networks.