"A botnet is a network of compromised computers, or bots, commandeered by an adversarial botmaster. Botnets are responsible for many attacks, including spam, phishing, key logging, and denial of service. This project aims to develop techniques to model and measure botnet propagation and online population dynamics. Knowing the trend, size, and locations of a botnet's population can help estimate its potential threat, and select and prioritize the appropriate response actions.
Although Internet worms are often used to create botnets, there is a fundamental difference between them. Worms are typically designed to infect as many machines as possible, and are in general "noisy" and easily detected (and thus removed); whereas botnets are designed to evade detection, and to control and make use of the compromised machines for as long as possible. Existing worm models focus on the initial, short propagation phase of a worm, but a good botnet model needs to track the dynamics of a botnet's online population in the long run.
This project has three main tasks. The first is to develop diurnal models to track the growth-and-decline trend of a botnet's online population using factors such as time zones and the distribution of vulnerable systems. The second is to develop sampling and measurement approaches, including capture-and-recapture and DNS cache snooping, to estimate the total population of a botnet. The third is to develop measures for threat assessment, e.g., its aggregated bandwidth and resilience to response, based on the system, location and topology information of the bots."
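The capture-and-recapture estimate named in the second task, as an added example that is not code from the project: two observation windows of constructed bot identifiers feed the Lincoln-Petersen estimator and Chapman's bias-corrected variant. The function names and the simulated population are assumptions; the estimator's equal-catchability assumption is exactly what diurnal online churn violates, which is why the first task's model matters when the estimate is applied to real sinkhole data.

```python
"""Capture-recapture sizing of a botnet from two observation windows.

Added example with constructed data: bots are labelled 0..N-1 and each
window sees a uniform random subset, i.e. the model's ideal case.
"""
from random import Random


def lincoln_petersen(first: set, second: set) -> float:
    """Lincoln-Petersen: N_hat = n1 * n2 / m, where m is the number of
    identifiers observed in both windows (the 'recaptures')."""
    m = len(first & second)
    if m == 0:
        raise ValueError("no recaptures: windows too small to estimate")
    return len(first) * len(second) / m


def chapman(first: set, second: set) -> float:
    """Chapman's bias-corrected variant; finite even when m == 0."""
    n1, n2, m = len(first), len(second), len(first & second)
    return (n1 + 1) * (n2 + 1) / (m + 1) - 1


def simulate_windows(true_size: int, n1: int, n2: int, seed: int = 7):
    """Constructed data: two independent uniform samples of bot ids.

    Equal catchability is assumed here; a real botnet's diurnal cycle
    makes bots in some time zones far more likely to be seen, which
    biases both estimators and is why a diurnal model is needed."""
    rng = Random(seed)
    population = range(true_size)
    return set(rng.sample(population, n1)), set(rng.sample(population, n2))


def estimate_report(true_size: int, n1: int, n2: int) -> dict:
    """Run both estimators on simulated windows and return the figures."""
    first, second = simulate_windows(true_size, n1, n2)
    return {
        "recaptures": len(first & second),
        "lincoln_petersen": lincoln_petersen(first, second),
        "chapman": chapman(first, second),
    }


if __name__ == "__main__":
    for key, value in estimate_report(10_000, 2_000, 2_500).items():
        print(f"{key:>17}: {value:,.1f}")
```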