TELKOMNIKA Indonesian Journal of Electrical Engineering
Vol. 12, No. 11, November 2014, pp. 7963 ~ 7969
DOI: 10.11591/telkomnika.v12i11.6318
ISSN: 2302-4046

Received May 23, 2014; Revised June 29, 2014; Accepted July 10, 2014

Research of the Communication Model of Botnet Based on P2P

Gao Jian*, Yang Ming, Guo Chengqing
People's Public Security University of China, China
National computer network and information security management center, China
*Corresponding author, e-mail: gaojianbeijing2006@163.com

Abstract
The communication mechanism of botnets, especially of botnets based on peer to peer (P2P), is a concern of security scholars. Botnets have gradually formed some mature and covert communication channels. The communication mechanisms of existing P2P botnets are classified into two models: the Send communication model and the Request communication model. We propose an evaluation index comprising concealment, effectiveness, efficiency and robustness, together with its calculation method. We then use this evaluation index to simulate, evaluate and analyze the two kinds of models, and study the relationship between them and the basic characteristics of botnets.

Keywords: Botnet, peer to peer, evaluation, communication model

Copyright © 2014 Institute of Advanced Engineering and Science. All rights reserved.

1. Introduction
A "botnet" is a network of compromised computers (bots) that are controlled by an attacker (botmaster). Botnets are one of the most serious threats to today's Internet; they are the root cause of many current Internet attacks, such as email spam, distributed denial of service (DDoS) attacks, click fraud, etc. Early botnets mainly used a centralized command and control mechanism. Such botnets built their command and control channel on the IRC protocol; this kind of botnet is relatively mature and has weak security. Therefore, botnet control technology is at present gradually shifting to P2P: botnets use distributed command and control via P2P protocols to counter the single point of failure problem and to increase robustness and concealment.

2. P2P Botnet Communication Mechanism
The communication mechanism is an important function module of a botnet. It also determines the network topology, the network stability and the ability of the botnet to withstand attacks.

The communication mechanisms of existing P2P botnets can be summarized as the Request mechanism and the Send mechanism. The Request mechanism is based on "publish/subscribe": the attacker sends commands to a server defined in advance, and all the bots fetch the commands from that server. The Send mechanism is an active command-sending mechanism: all the bots passively wait for orders from other bots, and when a bot receives an order, it sends the command on to other bots.

In centralized botnets, the Request mechanism is widely used. In a botnet based on HTTP, the command is published on a website, and all the bots, which have the site predefined, periodically visit it to fetch the command. This is the typical Request mechanism.

Compared with the Request mechanism, the Send mechanism is more complex. In a Send mechanism botnet, all the bots wait passively to receive commands; when a bot receives an order, the order is forwarded to all of its neighbor nodes.

We can see that Request mechanism and Send mechanism botnets have the following differences:
(1) In the normal state, all the Request type bots periodically send query messages to get commands, while the Send type bots just wait to receive the command.
(2) When commands are received, all the Request type bots execute the command immediately and do not perform other operations; Send type bots execute the command too, and at the same time they also forward the command to all of their neighbor nodes.
(3) Request type bots may exchange query messages with normal P2P nodes, while Send type bots exchange commands only with other bots.

3. P2P Botnet Communication Model
(1) Send Communication model
P2P botnets using the Send communication model are mostly based on an independent P2P protocol. Because the main purpose of the existing P2P botnet is to share files, P2P nodes send information to the P2P network and query the keywords that the user is interested in to access files. This communication mechanism does not fit the Send communication model, so a P2P botnet using the Send communication model needs to design its own P2P communication protocol to suit its architecture. The hybrid P2P botnet put forward by Wang [1], the Super botnet proposed by Ryan Vogt et al. [2], and the P2P botnet proposed in the second chapter each use an independent protocol and divide nodes into two categories: the super node and the ordinary node. The Send communication mechanism is used between the super nodes, so this paper calls it the Send communication model.

The main characteristics of the Send communication model are the following:
a) Use of an independent protocol.
b) The classification of nodes.
c) The Send communication mechanism is used in the super node layer.

All nodes in the Send-Communication-Model are divided into two types, as shown in Figure 1. Red means a Super-Node, white means an Ordinary-Node. A Super-Node in the model acts as both a server and a client. The network has a double-layer structure; each Ordinary-Node only needs to maintain a small number of Super-Node connections. This is very beneficial for improving the flexibility of the botnet: it reduces the message processing time, reduces the number of nodes involved in routing, and also reduces network traffic between nodes. In the network topology of the Send-Communication-Model, Ordinary-Nodes only communicate with Super-Nodes, and the Super-Nodes are responsible for forwarding the task. Because they are formed with different communication mechanisms and node selection, these botnets make up different topologies.

Figure 1. Send Network Model

(2) Request Communication model
P2P botnets using this type of communication are mostly based on an existing P2P protocol. The existing distributed structured P2P networks are: Pastry, Tapestry, Chord, CAN and Kademlia [8]. Structured networks solve the management mode of the network by using a DHT algorithm for routing. The DHT (Distributed Hash Table) algorithm maps a keyword input to a node through a distributed hash function, and then connects to the node through a specific routing algorithm. Each network node is assigned a unique node identifier (Node ID), each resource object generates a unique resource identifier by a hash algorithm (Object ID), and resources are stored in the node with the same or a similar NID. When querying, the same method is used to locate the node storing the resource.

The designers of a P2P botnet [7] can easily use the P2P protocol mechanism to realize Request communication. The designer can insert the botnet command, some predefined file name or the hash value into the records associated with the keyword. All nodes periodically look up the hash value or the file; when they find the corresponding record, they download the record and the related commands to the local host. Most P2P networks use the Kademlia protocol or a protocol similar to Kademlia. Overbot [3], designed by Guenther Starnberger et al., uses the Kademlia protocol to realize the communication and control function.

The first version of the Storm botnet [4], described in the preceding chapters, uses the Overnet protocol to communicate; Overnet is a routing protocol based on the P2P distributed hash table (DHT) of Kademlia.

In the Request communication model, there are many protocols that nodes can use: Pastry, Tapestry, Chord, CAN and Kademlia. Currently most P2P botnets use the Kademlia protocol [10], so this chapter only studies the network communication model based on the Kademlia protocol [11, 12]. The basic architecture of the Request communication model is shown in Figure 2. In Figure 2, red means zombie nodes and white means normal P2P nodes. The attacker inserts the command and some predefined file name into the record related to the keywords of a node. Other zombie nodes periodically query the name of the file to get the command [9].

Figure 2. Request Communication Model

4. Comparison and Analysis of Model
(1) Simulation tools
We use the Peersim simulator to simulate the Request communication model on the Kademlia protocol. Peersim is part of the BISON [5] project; its goal is a common P2P botnet simulator that simulates dynamic P2P protocol networks, released under the GPL. It supports structured and unstructured P2P network simulation, is developed in Java, and supports two simulation modes: discrete event simulation (event-based) and cycle simulation (cycle-based). The discrete event simulation can simulate the underlying transport layer, with high simulation precision; the cycle simulation does not take the underlying layer into account and offers high simulation efficiency, large scale and good scalability. The cycle-based mode is based on the CDSimulator class in the peersim.cdsim package. It is simplified and omits details; it has good scalability and can support up to ten million nodes; it does not support transport layer simulation (direct dialogue with nodes and protocols); it does not support concurrent processing.

The event-based model is based on the EDSimulator class in the peersim.edsim package. It has strong practicability; it supports transport layer simulation; models developed for the cycle-based mode can be run under the event-based engine; its efficiency is not high, and it supports up to one hundred thousand nodes.

Peersim does not have its own implementation of any P2P protocol. But on the Peersim homepage there are many P2P protocol sources for Peersim provided by users, so it is simple to implement and replace protocols because of its extensible and pluggable component structure. The round-robin simulation mode can reach a scale of 1000000 overlay nodes and has better statistical functions, and the round-robin simulation is documented in more detail; discrete event simulation and distributed simulation are not supported.

(2) Robustness
There are many tools that attack networks through malicious software; the early ones rarely considered the robustness of the network. For example, an attacker uses trinoo to control a large number of infected hosts and launch distributed denial of service attacks, but the robustness of that network is very poor. A network based on the Send communication model has good robustness because of its P2P architecture. S. Saroiu et al. found in their research on the Gnutella network that the network has strong robustness; when 60% of the nodes are shut down, the entire network will be destroyed.

In the simulated environment, a super node in the Send communication model still selects its neighbor list at random. We assume that no node has a self-repair function, that is, a closed node will no longer attempt to connect to other nodes. Super nodes still account for 15% of all nodes and ordinary nodes for 85%; the botnet size is 10000. We randomly close 1000-8000 nodes and calculate the degree of the remaining nodes. The degree of the super nodes directly affects the entire network topology. In the research on robustness, we have verified that the differences between nodes and the average node degree directly affect the robustness of the whole network. For each particular botnet size, this chapter runs five experiments and takes the average value of the five experimental results. In Figure 3, the average degree is respectively 2, 4 and 8.

Figure 3. Robustness Analysis of Send Communication Model

As seen from Figure 3, when the size of the network is constant, the robustness strengthens as the average node degree increases. In the Send communication model, when 80% of the nodes are removed, the achievable rate of the remaining nodes can still reach more than 70%.
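
The node-removal experiment described above can be repeated at reduced scale with the following added example, which is not code from the paper (the paper used Peersim). Assumptions of this example: all function names, reading the "achievable rate" as the share of surviving nodes in the largest connected component, three super-node links per ordinary node (borrowed from the paper's efficiency setup), and 2000 nodes instead of 10000.

```python
import random
from collections import deque

SUPER_PERCENT = 15   # from the paper: 15% super nodes, 85% ordinary nodes
ORDINARY_LINKS = 3   # assumption: super-node links per ordinary node


def build_topology(n, degree, rng):
    """Two-layer overlay. Super nodes (ids 0..n_super-1) are wired at random
    until their mean degree inside the super layer equals `degree`; ordinary
    nodes attach only to ORDINARY_LINKS random super nodes."""
    n_super = n * SUPER_PERCENT // 100
    supers = list(range(n_super))
    adj = {v: set() for v in range(n)}
    edges, target = 0, n_super * degree // 2
    while edges < target:
        a, b = rng.sample(supers, 2)
        if b not in adj[a]:
            adj[a].add(b)
            adj[b].add(a)
            edges += 1
    for o in range(n_super, n):
        for s in rng.sample(supers, ORDINARY_LINKS):
            adj[o].add(s)
            adj[s].add(o)
    return adj, n_super


def reachable_rate(adj, alive):
    """Share of surviving nodes inside the largest connected component
    (this example's reading of the paper's 'achievable rate')."""
    if not alive:
        return 0.0
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w in alive and w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best / len(alive)


def removal_experiment(n, degree, removed, runs=5, seed=1):
    """Mean reachable rate over `runs` fresh topologies after closing
    `removed` random nodes; closed nodes never reconnect (no self-repair)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(runs):
        adj, _ = build_topology(n, degree, rng)
        alive = set(rng.sample(range(n), n - removed))
        total += reachable_rate(adj, alive)
    return total / runs


if __name__ == "__main__":
    # Constructed scale: 2000 nodes instead of the paper's 10000.
    for d in (2, 4, 8):
        row = [round(removal_experiment(2000, d, r), 2) for r in (200, 800, 1600)]
        print(f"D={d}: removed 200/800/1600 -> {row}")
```

Running the script prints one row per average degree, so the effect of D on how much of the overlay stays connected after random removal can be compared directly.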

In the simulation of task communication, communication maintenance and efficiency, every simulation run is relatively independent, and the previous simulation has no effect on the current one. In the robustness analysis of the Request communication model using the Kademlia protocol, we first set the configuration file to p_idle=0, p_rem=1, p_add=0 and generate a Kademlia network with 8000 nodes. Among these parameters:
The default value of p_idle is 0; it is the probability that a node keeps its original state in a single execution step;
The default value of p_rem is 0.5; it is the probability that an existing node fails in a single execution step;
The default value of p_add is 0.5; it is the probability that a new node joins in a single execution step.
There is node failure in the course of the execution. This paper records the number of query hops during the experiment, as shown in Figure 4.

[Plot: curves for D=8, D=4 and D=2 against the number of nodes removed]

Figure 4. Robustness of Send Communication Model - query Hop

The latency of queries is shown in Figure 5.

Figure 5. Robustness of Send Communication Model - query Latency

As shown in the experiments, with an increasing number of failed nodes, the hops of node queries and the query latency also increase.

(3) Efficiency
In the Send communication model, when a super node receives a command, it forwards it to its neighbors, while the ordinary nodes periodically visit the super nodes to obtain the command. Therefore, its efficiency depends on two factors: the first is the number of super node forwardings, and the second is the access cycle of the ordinary nodes. In the study of the efficiency evaluation index in this chapter, we found that the botnet diameter is one of the important factors affecting the number of super node forwardings. According to the analysis of the Gnutella topology by D. Stutzbach et al. [6], the size of the existing Gnutella network can reach 800000 and its diameter is 11. Due to the structure of the Gnutella model, most nodes can be reached from any node within 6 hops. Most Gnutella super nodes are connected to about 30 super nodes; an ordinary node is generally connected to 3 super nodes.

In the simulated environment, a super node in the Send communication model still selects its neighbor list at random; each super node has 30 neighbors, and each ordinary node is connected to only 3 super nodes. Super nodes still account for 15% and ordinary nodes for 85%; the number of nodes ranges from 1000 to 10000. For each particular botnet size, this paper runs three experiments, and for the three experiments we calculate the maximum network diameter and the average diameter. The experimental result is shown in Figure 6.

[Plot: Hopcount(avg) and Hopcount(max) against Network Size (#Node)]
[Plot: Latency(max) and Latency(avg), latency (msec), against Network Size (#Node)]

Figure 6. Network Diameter of Send Communication Model

In the Request communication model using the Kademlia protocol, all nodes get the command by periodically requesting the keyword information. Efficiency refers to the time spent from the command being sent until every node in the network has obtained it, which is the maximum time any node needs to search for the keywords. In the experiment, we still use networks with 1000 to 8000 nodes; the maximum and average query latency are shown in Figure 7.

Figure 7. Request Communication Model Query Time

Figure 8. Request Communication Model Query Hops

[Plot: latency(avg) and latency(max), latency (msec), against Network Size (#Node)]
[Plot: Hopcount(avg) and Hopcount(max), Hopcount, against Network Size (#Node)]

During the experiment, the query hops that the nodes required are recorded. The query hops that the nodes required also show, to some extent, the efficiency of the network: the fewer the hops, the higher the efficiency; the more the hops, the lower the efficiency. Using the above parameters, the relationship between hops and network size is shown in Figure 8.

5. Conclusion
Based on in-depth research into how to evaluate a botnet and what a botnet assessment should cover, we propose a comprehensive evaluation index system for P2P botnets: concealment, efficiency, effectiveness and robustness. The two main types of P2P botnet models, the Send communication model and the Request communication model, have been evaluated and analyzed. The simulation mainly analyzes the two aspects of efficiency and robustness; combined with the important characteristics of botnets (botnet size, diameter and average degree), some important indexes of botnets based on peer to peer were studied, with a view to mitigating the destructive effect of botnets [13, 14].

Acknowledgements
This work was supported by the 12th five technology support Program of China (Grant No. 2013BAK02B05), the People's Public Security University of China research project (Grant No. 2013JXDY22), and Construction of network security online learning platform (Grant No. 2014JKF01143).

References
[1] Ping Wang, Lei Wu, Ryan Cunningham, and Cliff C. Zou. Honeypot Detection in Advanced Botnet Attacks. In International Journal of Information and Computer Security (IJICS). 2010; 4(1): 30-51.
[2] Ryan Vogt, John Aycock, Michael Jacobson. Army of Botnets. In Proc. of the 2007 Network and Distributed System Security Symposium (NDSS). 2007.
[3] Lasse Trolle Borup. Peer-to-Peer botnet: a case study on Waledac. Mathematical Modelling. 2009.
[4] Wei Yu, Philip Coyer Boyer, Sriram Chellappan, and Dong Xuan. Peer-to-Peer System-based Active Worm Attacks: Modeling and Analysis. Proc. of the IEEE International Conference on Communications (ICC). 2005.
[5] http://www.gnu.org/software/bison/
[6] Bittorrent. http://www.bittorrent.com/
[7] Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. A multifaceted approach to understanding the botnet phenomenon. Proc. of the 6th ACM SIGCOMM Conference on Internet Measurement, Rio de Janeiro, Brazil. 2006.
[8] Eric Rescorla. Introduction to Distributed Hash Tables. IAB Plenary, IETF 65.
[9] G Gu, J Zhang, W Lee. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. Proc. of NDSS, 2008.
[10] Julian B Grizzard, Vikram Sharma, Chris Nunnery, Brent ByungHoon Kang, David Dagon. Peer-to-Peer Botnets: Overview and Case Study. Proc. of the 1st USENIX Workshop on Hot Topics in Understanding Botnets (HotBots'07), Cambridge, MA. 2007.
[11] Ping Wang, Lei Wu, Baber Aslam, Cliff C. Zou. A Systematic Study on Peer-to-Peer Botnets. In Proc. of the International Conference on Computer Communications and Networks (ICCCN'09), San Francisco, CA. 2009.
[12] ZHUGE Jian-Wei, HAN Xin-Hui, ZHOU Yong-Lin, YE Zhi-Yuan, ZOU Wei. Research and Development of Botnets. Journal of Software. 2005; 37(1): 31-37.
[13] Somayeh Soltani, Seyed Amin Hosseini Seno, Maryam Nezhadkamali, Rahmat Budiarto. A survey on real world botnets and detection mechanisms. International Journal of Information and Network Security (IJINS). 2014; 3(2): 116-127.
[14] Nishikant C Dhande. Botnet Prevention Strategies for Social Network users: Cases and Remedies. International Journal of Informatics and Communication Technology (IJ-ICT). 2013; 2(1): 46-50.