2007-06-15

Botnets and the Convex Hull

Over the past few months I have worked on some computational geometry problems which required computing the convex hull of a set of points. I have been using it for some pattern recognition work, and in doing so I started wondering: how could you map an IP address into a real vector space? And, if you could, is it possible to track an attacker or adversary? More importantly, can you estimate the size of a botnet or infer the location of its master?

I realize that the location of a compromised host has no bearing on the location of the attacker. However, the latency between the compromised host and the attacker (or botnet master) does have a bearing on location. Likewise, there are a number of other useful metrics, such as how recently the machine was compromised, the difference in time for two zombies to receive the same command, and so on.

Take one of these metrics and assign a value to each node you are aware of. Use that metric as the distance to an arbitrary point P, then compute the convex hull. Perform the same series of steps for each of the metrics you have chosen and overlay the resulting hulls. My assumption is that your arbitrary point P could be identified in each one, and that may help identify a master. It may also help estimate the size of the botnet.

The above is very hand-wavy, I realize. However, I'm curious whether any work has been done to determine botnet topology via a similar mechanism. If anyone is aware of such work, please let me know.
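To make the sketch above concrete, here is an added example (not part of the original post) that computes the convex hull of a set of zombies placed by two of the metrics named above. It assumes, as an interpretation of the post's idea, that latency to the suspected master and command-propagation delay serve as the two coordinates of each node; all node names and measurements are constructed for illustration.

```python
"""Convex hull over per-node botnet metrics (Andrew's monotone chain)."""
from typing import Dict, List, Tuple

Point = Tuple[float, float]

# Constructed sample data, not real measurements: for each known zombie,
# the latency to the suspected master (ms) and the delay before it acted on
# a command observed elsewhere (ms). Two of the post's metrics become the
# two coordinates of a point; the master is the hidden point P.
SAMPLE_NODES: Dict[str, Point] = {
    "zombie-a": (10, 5),
    "zombie-b": (40, 20),
    "zombie-c": (25, 60),
    "zombie-d": (70, 30),
    "zombie-e": (30, 25),
    "zombie-f": (50, 45),
}

def cross(o: Point, a: Point, b: Point) -> float:
    """Z-component of (a - o) x (b - o); > 0 means a counter-clockwise turn."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def convex_hull(points: List[Point]) -> List[Point]:
    """Hull vertices in counter-clockwise order; collinear points are dropped."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    lower: List[Point] = []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper: List[Point] = []
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]

def hull_area(hull: List[Point]) -> float:
    """Shoelace formula; a crude proxy for the spread of the observed zombies."""
    n = len(hull)
    return abs(sum(hull[i][0] * hull[(i + 1) % n][1] - hull[(i + 1) % n][0] * hull[i][1]
                   for i in range(n))) / 2.0

def contains(hull: List[Point], p: Point) -> bool:
    """True if p lies inside or on the counter-clockwise hull (where P must sit)."""
    n = len(hull)
    return all(cross(hull[i], hull[(i + 1) % n], p) >= 0 for i in range(n))

def interior_nodes(nodes: Dict[str, Point]) -> List[str]:
    """Nodes that are not hull vertices: the region a hidden point P is searched in."""
    hull = set(convex_hull(list(nodes.values())))
    return sorted(name for name, pt in nodes.items() if pt not in hull)
```

Overlaying hulls for several metric pairs amounts to intersecting the regions for which `contains` returns true; the node set outside every hull contributes nothing to locating P.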