Modeling Peer-to-Peer Botnets

Peer-to-peer botnets are a relatively new yet rapidly growing Internet threat. In the year since its introduction in January 2007, the Storm Worm peer-to-peer botnet has become the largest botnet on the Internet. Unlike previous botnets operating over IRC channels, the Storm Worm botnet uses a decentralized peer-to-peer network to communicate among the bots and to control their computing power. While a centralized control structure can be toppled relatively easily by finding and disconnecting the head, a decentralized control structure is much harder to dismantle. Given this reality, security researchers must find new ways to defend against peer-to-peer botnets. Toward that aim, we have developed a stochastic model of peer-to-peer botnet formation to provide insight on possible defense tactics. We use the stochastic model to examine how different factors impact the growth of the botnet. Simulation results from the model evaluate the effectiveness both of prevention measures and of detection and disinfection methods. In this way, the simulation results from our peer-to-peer botnet model provide guidance for the design of future anti-malware systems.