Embed Size (px)
Citation preview
arX
iv:1
207.
5844
v1 [
cs.S
I] 2
4 Ju
l 201
2
SODEXO: A System Framework for Deployment and Exploitation ofDeceptive Honeybots in Social Networks
Quanyan Zhu, Andrew Clark, Radha Poovendran and Tamer Basar
Abstract— As social networking sites such as Facebook andTwitter are becoming increasingly popular, a growing numberof malicious attacks, such as phishing and malware, areexploiting them. Among these attacks, social botnets havesophisticated infrastructure that leverages compromisedusersaccounts, known asbots, to automate the creation of new socialnetworking accounts for spamming and malware propagation.Traditional defense mechanisms are often passive and reactiveto non-zero-day attacks. In this paper, we adopt a proactiveapproach for enhancing security in social networks by in-filtrating botnets with honeybots. We propose an integratedsystem named SODEXO which can be interfaced with socialnetworking sites for creating deceptive honeybots and leverag-ing them for gaining information from botnets. We establish aStackelberg game framework to capture strategic interactionsbetween honeybots and botnets, and use quantitative methods tounderstand the tradeoffs of honeybots for their deploymentandexploitation in social networks. We design a protection andalertsystem that integrates both microscopic and macroscopic mod-els of honeybots and optimally determines the security strategiesfor honeybots. We corroborate the proposed mechanism withextensive simulations and comparisons with passive defenses.
Keywords: social networks; cyber security; game theory; bot-net; malware propagation; Stackelberg games
I. I NTRODUCTION
Online social networks such as Facebook and Twitter areemployed daily by hundreds of millions of users to commu-nicate with acquaintances, follow news events, and exchangeinformation. The growing popularity of OSNs has led to acorresponding increase in spam, phishing, and malware onsocial networking sites. The fact that a user is likely to clickon a web link that appears in a friend’s Facebook message orTwitter feed can be leveraged by attackers who compromiseor impersonate that individual.
An important class of malware attacks on social networksis social botnets [1], [2]. In a social botnet, an infected user’sdevice and social networking account are both compromisedby installed malware. The compromised account is then usedto send spam messages to the user’s contacts, containinglinks to websites with the malware executable. As a result,compromising a single well-connected user could lead to
The research was partially supported by the AFOSR MURI GrantFA9550-10-1-0573, and also by an NSA Grant through the InformationTrust Institute at the University of Illinois.
Q. Zhu and T. Basar are with the Coordinated Science Laboratoryand Department of Electrical and Computer Engineering, University ofIllinois at Urbana-Champaign, Urbana, IL 61801 USA. Email:{zhu31,basar1}@illinois.edu
Andrew Clark and Radha Poovendran are with the Department ofElectrical Engineering, University of Washington, Seattle, WA 98195 USA.Email: {awclark, rp3}@u.washington.edu
hundreds or thousands of additional users being targetedfor spam, many of whom will also become members ofthe botnet and further propagate the malware. The mostprominent example of a social botnet to date is Koobface,which at its peak had infected 600,000 hosts [1].
Current methods for mitigating malware, including socialbotnets, in social networks are primarily based on URLblacklisting. In this defense mechanism, links that are sus-pected to contain spam or malware are added to a centralizedblacklist controlled by the owner of the social network. Aftera link has been blacklisted, the social networking site willno longer communicate with the IP address indicated by thelink, even if a user clicks the link [3].
While blacklisting can slow the propagation of malware,there remain several drawbacks to this approach. First, auto-mated methods for blacklisting links often fail to detect spamand malware; one survey suggests that 73% of maliciouslinks go undetected and are not added to the blacklist [4].Second, automated blacklisting creates the risk of validaccounts and messages being classified as spam, degradingthe user experience. Third, even for links that are correctlyidentified as pointing to malware, there is typically a largedelay between when links are detected and blacklisted. Onestudy estimates this delay as 25 days on average, while atthe same time most clicks on malware links occur within thefirst 48 hours of posting [5].
A promising approach to defending against social botnetsis through deception mechanisms. In a deceptive defense, thedefender generates fake social network profiles that appearsimilar to real profiles and waits to receive a link to malware.The defender then follows the link to the malware site,downloads the malware executable, and runs it in a quaran-tined, sandbox environment. By posing as an infected nodeand interacting with the owner of the botnet, the defendergathers links that are reported to the blacklist either beforeor shortly after they are posted, reducing the detection timeand increasing the success rate. Currently, however, thereisno systematic approach to modeling social botnets and theeffectiveness of deception, as well as designing an effectivestrategy for infiltrating the botnet and gathering information.
In this paper, we introduce an analytical framework forSOcial network DEception and eXploitation through hOn-eybots (SODEXO). Our framework has two components,deployment and exploitation. The deployment componentmodels how decoy accounts are introduced into the onlinesocial network and gain access to the botnet. The exploitationcomponent characterizes the behavior of the decoys and thebotnet owner after infiltration has occurred, enabling us to
model the effect of the decoy on the botnet operation.For the deployment component, we first develop a dynam-
ical model describing the population of a social botnet overtime. We derive the steady-state equilibria of our model andprove the stability of the equilibria. We then formulate theproblem of selecting the optimal number of honeybots inorder to maximize the information gathered from the botnetas a convex optimization problem. Our results are extendedto include networks with heterogeneous node degree.
We model the exploitation of the botnet by the honey-bots as a Stackelberg game between the botmaster and thehoneybots. In the game, the botmaster allocates tasks, suchas spam message delivery, among multiple bots based ontheir trustworthiness and capabilities. The honeybots face atrade-off between obtaining more information by followingthe commands of the botmaster, and the impact of thosecommands on other network users. We derive closed formsfor the optimal strategies of both the botmaster and hon-eybots usingStackelberg equilibrium as a solution concept.We then incorporate the utility of the honeybot owner underthe Stackelberg equilibrium in order to select an optimaldeployment strategy.
The paper is organized as follows. The related workis reviewed in Section II. In Section III, we describe thearchitecture of our proposed framework for deceptive de-fense. In Section IV, we model the exploitation phase of thebotnet, in which the honeybot gathers the maximum possibleinformation while avoiding detection by the botmaster. InSection V, we model the deployment and population dy-namics of the infected nodes and honeybots. Section VIdescribes the Protection and Alert System (PAS), whichprovides a unifying framework for controlling deploymentand exploitation. Section VII presents our simulation results.Section VIII concludes the paper.
II. RELATED WORK
Social botnets are becoming a serious threat for networkusers and managers, as they possess sophisticated infras-tructure that leverages compromised users accounts, knownas bots, to automate the creation of new social networkingaccounts for spamming and malware propagation [2].In [6], ahoneypot-based approach is used to uncover social spammersin online social systems. It has been shown that socialhoneypots can be used to identify social spammers with lowfalse positive rates, and that the harvested spam data containsignals that are strongly correlated with observable profilefeatures, such as friend information and posting patterns.Thegoal of [6], however, is not to infiltrate the botnet, but touse honeypots to differentiate between real and spam onlineprofiles.
In [4], a zombie emulator is used to infiltrate the Koobfacebotnet to discover the identities of fraudulent and compro-mised social network accounts. The authors arrived at theconclusion that “to stem the threat of Koobface and therise of social malware, social networks must advance theirdefenses beyond blacklists and actively search for Koobfacecontent, potentially using infiltration as a means of early
Fig. 1. System architecture of honeybot deceptive mechanism in socialnetworks
detection.” This insight coincides with our proactive ap-proach for defending social networks using deceptive socialhoneybots.
Deception provides an effective approach for buildingproactively secure systems [7], [8]. Considerable amountof work can be found using deception for enhancing cybersecurity. In recent literature on intrusion detection systems,honeypots have been used to monitor suspicious intrusions[9], [10], and provide signatures of zero-day attacks [11].In[12], to enhance the security of control systems in criticalinfrastructure, deception has been proposed to make thesystem more difficult for attackers to plan and executesuccessful attacks. At present, however, there has been noanalysis on the impact of deception on malware propagationin social networks.
In order to establish a formal method to evaluate theperformance of deceptive social honeybots against botnets,we employ a game- and system- theoretic approach to modelthe strategic behaviors of botnets and the deployment andexploitations of honeybots. Such approaches have becomepivotal for designing security mechanisms in a quantitativeway [13]. In [14], an optimal control approach to modelingthe maximum impact of a malware attack on a communica-tion network is presented. In [15], the authors have proposedan architecture for a collaborative intrusion detection networkand have adopted a game-theoretic approach for designing areciprocal incentive compatible resource allocation compo-nent of the system against free-rider and insider attacks.
III. SYSTEM ARCHITECTURE
In this section, we introduce our honeybot-based defensesystem named SODEXO for protecting social networksagainst malicious attacks. Fig. 1 illustrates the architectureof SODEXO. Our framework consists of two components,namely, honeybot deployment (HD) and honeybot exploita-tion (HE). HD deals with the distribution of honeybots withinsocial networks and the deception mechanisms to infiltratethe botnet to learn and monitor the activities in botnets.HE aims to use the successfully infiltrated honeybots tocollect as much information as possible from the botnet. Thebehaviors of the two blocks are coordinated by a Protectionand Alert System (PAS), which uses the gathered informationto generate real-time signatures and alerts for the socialnetwork (Fig. 2).
Fig. 2. Architecture of the protection and alert system
The introduction of honeybots into a social network allowsa proactive defense and monitoring of the social networkagainst botnets. The SODEXO architecture bears its resem-blance to feedback control systems. The HE componentbehaves as a security sensor of the social network; PAS canbe seen as a controller which takes the “measurements” fromHE and yields a honeypot deployment strategy; and HD actsas an actuator that updates the honeypot policy designed byPAS. In the following subsections, we discuss in detail eachcomponent of SODEXO.
A. Honeybot Deployment (HD)
A honeypot is deployed by first creating an account ona social networking site. The account profile is designed toimitate a real user, as in [6]. Once deployed, the honeypotsends a set of friend requests to a set of randomly chosenother users. The honeypot continues sending friend requeststo random users until the desired number of neighbors,denotedd, has been reached. The honeypot monitors themessage traffic of its neighbors, which may include personalmessages, wall posts, or Twitter feeds, and follows anyposted link. If the link points to malware and has not beenblacklisted, then the honeypot becomes a member of thesocial botnet and proceeds to the exploitation stage.
B. Honeybot Exploitation (HE)
The HE component of SODEXO takes advantage of thesuccessfully infiltrated honeybots to gain as much infor-mation as possible from the botnet. The information isobtained in the form of command and control messages. Thehoneybots need to gain an appropriate level of trust from thebots and respond to the C&C messages while minimizingharm to the legitimate social network users and avoidinglegal liability. Honeybots work collaboratively to achieve thisgoal. In the case where honeybots are commanded to sendspam or malware to network users, they can send them toeach other to remain active in the botnet. Depending onthe sophistication of the botnet, honeybots can sometimesbe detected using mechanisms described in [16], [17]. Inthis case, a higher growth rate of honeybot population willbe needed to replace the detected honeybots. Hence, theperformance of HE heavily depends on the effectiveness ofHD, and in turn, HD should change its policy based onthe sophistication of botnets and the amount of informationlearned in HE.
C. Protection and Alert System (PAS)
The major role of PAS is to provide security policiesfor HD based on the information learned from HE. Fig. 2
Fig. 3. Illustration of the interactions between social networks and botnets
illustrates two major functions of PAS. The first step of PASis to process the messages and logs gained from honeybots.Using data mining and machine learning techniques, it ispossible that the structure of botnets can be inferred fromnetwork traffic information [18] and botnet C&C channels ina local area network can be identified [19]. These informationcan be used by the network administrator to detect thelocation of botmasters and remove them from the network.
The second important task of HD is to generate signaturesfor detecting malware and spam, which are then used toupdate the libraries of intrusion detection systems, blacklistsof spam filters, and user alerts or recommendations. Theprocess of reconfiguration of IDSs and spam filters can bedone either offline or real-time as in [20] and [21].
D. Botnet Propagation Model
Fig. 3 illustrates a mechanism used by botnets to infectsocial network users, which has been found in the Koobfacebotnet [2], [4]. The botnet maintains a fixed domain thatbots or zombies regularly contact to report uptime statisticsand request links for spamming activity. The bots aim toobtain fresh user accounts and send malicious messages.The bot messages contain a malicious URL obfuscatedby shortening services such as bit.ly or wrapped by aninnocuous website including Google Reader and Blogger.Clicking on the URL of these messages eventually redirectsto a spoofed Youtube or Facebook page that attempts to trickthe victim into installing malware masquerading as a Flashupdate. Unsuspecting users become infected by clicking onthese messages. Infected users are recruited to spam theirown social network friends, leading to a wide propagationof malware within social network users.
Once a user has been compromised, it makes frequentattempts to connect with one or more command control(C&C) bots to retrieve commands from the botnet for furtheractions. These commands are usually issued from anothercompromised computer for the purpose of concealing thebotmaster’s real identity [16], leading to a hierarchical botnetarchitecture. Fig. 4 illustrates the structure of a typicalbotnet,where a single botmaster sends messages to two C&C botsand then they send to bots.
IV. SYSTEM MODEL FOR HONEYBOT EXPLOITATION
In this section, we introduce a system model for hierar-chical botnets and employ a Stackelberg game frameworkto model the interactions between the botnet and infiltratinghoneybots.
A. Theoretical Framework
Consider a botmasterB that sends requests to a set of C&CbotsM = {1,2, · · · ,m} with m= |M |. Each C&C boti∈M
sends commands to a set of compromised bot nodesNi withni = |Ni|. We assume that the botnet is a three-level treearchitecture and, without loss of generality, we can assume∩i∈M Ni = /0 since a single bot controlled by multiple C&Cbots can be modeled using multiple duplicate bots. LetH bea honeybot that communicates with nodei∈M , i.e.,H ∈Ni.We assume that all honeybots work together as a team, andhence one honeybot nodeH under one C& C subtree canconceptually represent a group of collaborative honeypotswho have succeeded in infiltrating the same botnet.
We let pi j ∈R+ be the number of messages or commands(in bytes) per second sent from C&C boti to bot nodej ∈Ni.Likewise, p ji denotes the number of response messages persecond to C&C nodei ∈ M from node j ∈ Ni.
Each C&C nodei maintains a trust valueTi j ∈ [0,1]associated with a bot or honeybot nodej ∈ Ni. The trustvalues indicate the quality of response and performanceof bot nodes. The trust values also inherently model thedetection mechanisms in botnets, which have been discussedin [16], [22]. For botnets with such mechanisms, low trustvalues indicate the inefficiency of a bot or a high likelihoodof being a honeybot. For those without such mechanisms,we can takeTi j = 1, for all j ∈ Ni, i.e., equivalently seeingall bots are all equally trusted.
One C&C bot needs to send commands to a large pop-ulation of bot nodes. Hence, the goal of C&C boti ∈ M
is to allocate its communication resourcespi := [pi j, j ∈ Ni]to maximize the utility of its subtree networkUi : Rni
+ → R,which is the sum of utilities obtained from each botj, i.e.,
Ui(pi) = ∑j∈Ni
Ui j, (1)
whereUi j : R+ → R is the individual utility of C&C botifrom bot j ∈ Ni, which is chosen to be
Ui j(pi j) := Ti j p ji ln(αi pi j +1). (2)
The choice of logarithmic function in (2) indicates that themarginal utility of the C&C bot diminishes as the number ofmessages increases. It captures the fact that the bots havelimited resources to respond to commands, and a largervolume of commands can overwhelm the bots, which leads todiminishing marginal utility of nodei. αi ∈R++ is a positivesystem parameter that determines marginal utility.
The utility of C&C boti is also proportional to the numberof messages or responses per second from botj, indicatedby p ji ∈ R+. The number of response messages from botjindicates the level of activity of a bot. We can see that whenp ji = 0 or Ti j = 0 in (2), then boti is believed to be eitherinactive or fake, and it is equivalently removed from thesubtree of C&C nodej in terms of the total utility (1). NotethatTi j in (2) evaluates the quality of the responses whilep ji
evaluates the quantity. The product ofTi j and p ji capturesthe fact that the botnet values highly active and trusted bots.
We consider the following C&C bot optimization problem
(BOP) of every nodei ∈ M :
(BOP) maxpi∈R
ni+
Ui := ∑ j∈NiTi j p ji ln(αi pi j +1)
s.t. ∑ j∈Nici j pi j ≤Ci. (3)
The constraint (3) in (BOP) is a capacity constraint on thecommunications using C&C channel, whereCi is the totalcapacity of the channel. The costci j ∈ R++ is the cost onsending commands to bots. The cost is also dependent onthe size of messages from C&C boti to its controlled bots.It has been found in [4] that Twitter has larger volume ofspam messages than Facebook. This is due to the fact thatTwitter messages are often shorter than facebook messages,and hence the cost for commanding bots spamming withTwitter messages is relatively less than the one for Facebook.
Let Fi := {pi ∈ Rni+ : ∑ j∈Ni
ci j pi j ≤ Ci} be the feasibleset of (BOP). We letLi : Rni
+ ×R → R be the associatedLagrangian defined as follows:
Li(pi,λi) = ∑j∈Ni
Ti j p ji ln(αi pi j +1)+λi
(
∑j∈Ni
ci j pi j −Ci
)
(4)Since the feasible set is nonempty and convex, and theobjective function is convex inpi, it is clear that (BOP)is a convex program, and hence we can use the first-orderoptimality condition to characterize the optimal solutionto(BOP):
∂Li
∂ pi j= ∑
j∈Ni
αiTi j p ji
αi pi j +1+λici j = 0, (5)
which leads topi j =−
Ti j
λici j−
1αi
. (6)
Due to the monotonicity of logarithmic functions in (2), theoptimal solution is found on the Pareto boundary of feasibleset. Hence by letting∑ j∈Ni
ci j pi j =Ci, we obtain Lagrangianmultiplier λi from (6) as follows.
λi =−∑ j∈Ni
Ti j p ji
Ci +1αi
∑ j∈Nici j
. (7)
We make following assumptions before stating Theorem 1.
(A1) The productTi j p ji 6= 0 for all j ∈ Ni, i ∈ M .
Assumption (A1) states that all bots controlled by C&Cbot i are both active and trusted. This assumption is validbecause for a controlled botj that is either inactive (pi j = 0)or untrusted (Ti j = 0) can be viewed as the one excludedfrom the setNi. Hence Assumption (A0) is equivalent tothe statement thatNi contains all active and trusted bots.
Theorem 1: Under Assumption (A1), (BOP) admits aunique solution whenαi is sufficiently large.
pi j =
(
Ti j p ji
∑ j∈NiTi j p ji
)
(
Ci +1αi
∑ j∈Nici j
ci j
)
−1αi
. (8)
Proof: Assumption (A1) ensures that (BOP) is strictlyconvex inpi j for all j ∈Ni. Hence the result follows directlyfrom (6) and (7). Sinceαi is a system parameter, we canchooseαi sufficiently large so that the solution obtained in
(8) is nonnegative.
B. Stackelberg Game
In this section, we formulate a two-stage Stackelbergbetween honeybots and C&C nodes. Honeybots behave asleaders who can learn the behaviors of the C&C bots oncethey succeed in infiltrating the botnet and choose the optimalstrategies to respond to the commands from C&C bots.
The goal of honeypots is to collect as much informationas possible from the botmaster. We consider the followinggame between honeypots and a C&C bot. The honeypot nodeH firsts chooses a response ratepHi to the commands fromC&C bot i, and then C&C boti observes the response andchooses an optimal rate to send information to honeybotHaccording to (BOP). We make the following assumption onthe real bots in the network.
(A2) The real bots are not strategically interacting with theC&C bot i, i.e., they send messages to boti at a constantrate pi j, j 6= H, j ∈ Ni.
The above assumption holds because bots are non-humandriven, pre-programmed to perform the same routine logicand communications as coordinated by the same botmaster[19]. Under Assumption (A2), the strategic interactions existonly between honeybots and C&C nodes.
The honeypot nodeH has a certain cost when it respondsto the botnet. This can be either because of the potentialharm that it can cause on the system or due to the cost ofimplementing commands from the botmaster. We considerthe following honeypot optimization problem (HOP), wherenodeH aims to maximize its utility functionUH : R+×R→R+ as follows:
(HOP) maxpHi∈FH
UH(piH , pHi) := ln(piH + ξH)−β Hi pHi,
whereξH ∈ R++ is a positive system parameter;β Hi is the
cost of honeybotH responding to the bot nodei; pHi is themessage sending rate from honeybot nodeH to C&C bot iand pHi is the rate of C&C boti sending commands toH.
FH denotes the feasible set of the honeypot nodeH. Welet FH = {pHi,0≤ pHi ≤ pHi,max}, wherepHi,max∈ R++ isa positive parameter that can be chosen to be sufficientlylarge. The logarithmic part of the utility function (9) isused to model the property of diminishing returns of aninformation source. The value of receiving an additionalpiece of information from the C&C bot decreases as the totalnumber of messages received by the honeypot increases.
The interactions between honeypotH and C&C nodei can be captured by the Stackelberg game modelΞS :=〈(i,H),(Ui,UH),(Fi,FH)〉, and Stackelberg equilibrium canbe used as a solution concept to characterize the outcome ofthe game.
Definition 1 (Stackelberg Equilibrium): Letπ∗
iH(·) : Rni+ → R+ be the unique best response of the
C&C bots to the response ratepHi of the honeypots.An action profile (p∗
i , p∗Hi) ∈ Fi × FH is a Stackelbergequilibrium if p∗
i = πiH(p∗Hi), and the following inequalityholdsUH(πiH(p∗Hi), p∗Hi)≥UH(πiH(pHi), pHi), ∀pHi ∈ FH .
Theorem 2: Under Assumption (A1), the nonzero-sumcontinuous-kernel Stackelberg gameΞS admits a Stackelbergequilibrium.
Proof: The utility function of C&C bot i is strictlyconvex for all pHi 6= 0 under Assumption (A1). SinceFH
andFB are compact sets, by Corollary 4.4 of [23], the gameadmits a Stackelberg equilibrium solution.
Under Assumption (A1), the unique best responseπiH(·)can be obtained from (8) for sufficiently largeαi as follows:
piH = πiH(pHi) =CH
(
TiH pHi
TiH pHi + I−H
)
−1αi
, (9)
where I−H = ∑ j 6=H, j∈NiTi j p ji is the number of responses
from real bots weighted by their trust values andCH :=Ci+
1αi
∑ j∈Nici j
ciH.
Letting ξH = 1/αi+ξH and substituting (9) in (HOP), wearrive at the following optimization problem faced by thehoneybot nodeH:
maxpHi∈FH
UH(πiH(pHi), pHi) :=
ln
(
CH
(
TiH pHi
TiH pHi + I−H
)
+ξH)
−β Hi pHi. (10)
Theorem 3: Under Assumptions (A1) and (A2), theStackelberg equilibrium solution(p∗
i , p∗Hi) of the gameΞS
is unique and can be found as follows:
p∗Hi =CH I−H
2TiH(CH + ξH)
√
1+4TiH(CH + ξH)
I−HCHβ Hi
−1
+I−HξH
TiH(CH + ξH), (11)
and p∗iH = πiH(p∗Hi) and p∗i j = πi j(pi j) for j 6= H, j ∈ Ni.Proof: The problem described in (13) is a convex
program with the utility functionUH convex in pHi andconvex setF . Hence the first-order optimality conditionyields
CH I−HTiH =
β Hi (I−H + pHiTiH)(CH pHiTiH +(I−H + pHiTiH)ξH), (12)
which is a quadratic equation to be solved forpHi and itsnonnegative solution of (12) is given in (11). SincepHi,max
is chosen sufficiently large and (11) is non-negative,p∗iH isa feasible solution. The equilibrium solution for boti hencefollows from (9).
In order to provide insights into the solution obtained in(11), we make the following assumptions based on commonstructures of the botnets.
(A3) The real bots controlled by C&C boti have identicalfeatures, i.e.,ci j = ci, pi j = pi and Ti j = Ti for all j 6=H, j ∈ Ni.
(A4) The size of the real bots controlled by C&C boti ismuch larger than the size of honeybots.
(A5) We let ξH = 0.
Assumption (A5) is valid due to the freedom of choosing
parameterξH in (HOP). Without loss of generality, we canlet ξH = 1
α i and henceξH = 0. Assumption (A3) holds ifreal bots controlled by C&C boti are of the same type, forexample, Windows non-expert Facebook users. These typeof users are commonly the target of botnets. Under (A3), wecan simplify the expressions in (11) and obtainCH = Ci
ci+ ni
αi,
I−H = nBi Ti pi.
Assumption (A4) is built upon the fact that one C&Cnode in botnets often controls thousands of bots and thesize of honeybots are often comparably small due to theirimplementation costs [24]. Under (A2), we haveI−H ≫pHiTiH , then (13) can be rewritten as
UH(πiH(pHi), pHi) = ln
(
CH
(
TiH pHi
I−H
)
+ ξH
)
−β Hi pHi.
(13)Corollary 1: Under Assumptions (A1), (A2) and (A4),
the Stackelberg equilibrium solution(p∗i , p∗Hi) of the game
ΞS is given by
p∗Hi =
(
1
β Hi
−I−HξH
CHTiH +TiHξH
)+
, (14)
where (·)+ = max{0, ·}; p∗iH = πiH(p∗Hi) and p∗i j = πi j(pi j)for j 6= H, j ∈ Ni.
Proof: From (A4), we can rewrite (12) by replacingI−H + pHiTiH with I−H . Since all the terms in (14) is bounded,we can letpHi,max be sufficiently large and arrive at (14). Theresult then follows from Theorem 3.
Corollary 2: Let the size of real bots under C&C benBi
and the size of the honeybots represented by super nodeHnH
i . Note thatni = nBi +nH
i . Under Assumptions (A1) - (A5),the Stackelberg equilibrium of the gameΞS is given by
p∗Hi =1
β Hi, p∗i j = πi j(pi j), (15)
for j 6=H, j ∈Ni, and the equilibrium solution of C&C nodei is composed of two terms given byp∗iH = p∗iH,S+ p∗iH,N , withthe first term independent ofnH
i ,
p∗iH,S =TiH
TiH +β Hi nB
i Ti pi
(
Ci
ci+
nBi
αi
)
−1αi
, (16)
and the second term dependent onnHi ,
p∗iH,S =nH
i TiH
TiH +β Hi nB
i Ti pi. (17)
Proof: The result immediately follows from Corollary1 using (A3) and (A5).
Remark 1: From Corollary 2, we can see that under As-sumption (A1), the equilibrium response strategy is inverselyproportional to the unit costβ H
i . We can see that the numberof command and control messages harvested from the botnetis affine in the number of successfully infiltrated honeybots.The growth rate of the number of messages is given by
r∗iH :=∂ p∗iH∂nH
i=
TiH
β Hi nB
i Ti pi +TiH. (18)
The growth rate is dependent of the trust valueTiH . Honey-bots can harvest more information from the botnet if they
Fig. 4. Illustration of a hierarchical social botnet
are more trusted. The growth rate is also dependent on thenumber of the real bots controlled by C&C boti. As nB
i →∞,the growth rater∗iH → 0, i.e., size of honeybots will not affectthe number of messages received by the network.
Trust values can change over time and can either modeledby a random process or by some assessment rules adopted bythe attacker. We can separate this into different subsectionsof discussion. We can also consider a dynamic optimizationproblem as well by having belief/trust as the state. This canbe done through using beta or Dirichlet distributions.
V. M ODEL OF HONEYBOT DEPLOYMENT AND BOTNET
GROWTH
In what follows, a macroscopic model of the dynamics ofthe number of bots at timet, denotedx1(t), and the numberof honeybots, denotedx2(t), is presented. We then formulatean optimization problem for determining the number ofhoneypot nodes to introduce into the network.
A. Botnet and honeypot growth models
The bots are assumed to send spam messages, containinglinks to malware, with rater. Each message is sent to eachof the d neighbors of the bot, whered is the average nodedegree. Hence in each time intervaldt, rd dt spam messagesare sent. Since the number of valid nodes isN − x1(t),the number of messages reaching valid nodes is equal tord N−x1(t)
N dt.The number of nodes that become bots depends on the
behavior of the valid users and the number of links thathave been blacklisted. Each user clicks on a spam link withprobability q. If the link has been blacklisted, then the userwill be blocked from visiting the infected site; otherwise,theuser’s account is compromised and the device becomes partof the botnet.
To determine the probability that a link has been black-listed, we assume that each bot is independently given a setof k malicious links, out ofM links total. The probabilitythat a given link has been given to a specific honeybot istherefore k
M . Hence the probability that a link has not beenblacklisted is the probability that that link has not been givento any honeybot, which is equal to
(
1− kM
)x2. We assumethat:
(A6) The number of links given to each honeybot,k, satisfiesk ≪ M.
Under (A6),(
1− kM
)x2 can be approximated by(
1− kx2M
)
.Finally, we assume that the infected devices are discovered
and cleaned with rateµ1. This leads to dynamics
x1(t) = rdqx1
(
1−kx2
M
)
N − x1
N− µ1x1. (19)
Honeybot nodes are inducted into the botnet in a similarfashion. We make the following assumptions regarding thehoneybot population:
(A7) The number of honeybots that are not part of the botnet,denotedz, is constant.
(A8) The number of honeybots is small compared to the totalnumber of users, so thatzz+N ≈ z
N .
Assumption (A7) can be guaranteed by creating new, un-infected honeybots when existing honeybots infiltrate thebotnet. As with real users, honeybot nodes cannot followlinks that have been blacklisted; however, unlike real users,honeybot nodes will attempt to follow any link with proba-bility 1. The botmaster detects and removes honeybots withrate µ2. The honeybot population is therefore defined by
x2(t) = rdx1
(
1−kx2
M
)
zN− µ2x2. (20)
Proposition 1: The dynamics defined by (19) and (20)have two equilibria, given by(x1,x2) = (0,0) and
x∗1 =Nµ2M(rdq− µ1)
rdqµ2M+ rdkzµ1, x∗2 =
(
rd − µ1q
)
z
rdkzM + µ2
. (21)
Proof: Equation (19) reaches equilibrium ifx1 = 0 orif rdq
(
1− kx2M
)
N−x1N − µ1 = 0. If x1 = 0, then (20) reaches
equilibrium whenx2 = 0.If rdq
(
1− kx2M
)
N−x1N − µ1 = 0, solving for x1 yields
x1 = N
(
1− µ1
rdq(
1−kx2M
)
)
. Substituting into (20) gives the
equilibrium of (21).The quantityrdq corresponds to the rate at which new
nodes are inducted into the botnet, whileµ1 is the rate atwhich nodes are cleaned and exit the botnet. Thus ifrdq <µ1, then the number of bots converges to zero, whilerdq >µ1 implies that the number of bots converges to a nonzerosteady-state value.
Since network security policies are typically updated in-termittently, while the dynamics of (19) and (20) convergerapidly, we base our subsequent analysis on the steady-state values ofx1 and x2, and derive the optimal numberof honeybots to introduce into the system in steady-state.In order to prove that this problem is well-defined, we firstexamine the stability properties of each equilibrium in thefollowing theorem.
Theorem 4: If µ1 > rdq, then(x1,x2) = (0,0) is asymp-totically stable. Ifµ1 < rdq, then (x∗1,x
∗2) is asymptotically
stable in the limit asM → ∞, N → ∞.Proof: An equilibrium point of a nonlinear dynam-
ical system is asymptotically stable if its linearization isasymptotically stable at that point [25, Theorem 3.7]. The
linearization of (19) and (20) around(0,0) is given by
A00 =
(
rdq− µ1 0rdzN −µ2
)
.
If µ1 > rdq, then−A00 is diagonally dominant, and hencehas eigenvalues with positive real part [ref]. The eigenval-ues of A00 therefore have negative real part, implying thatthe linearization around(0,0) is asymptotically stable. ThelinearizationAx∗1x∗2
around(x∗1,x∗2) is given by
Ax∗1x∗2=
(
a11 a12
a21 a22
)
, where
a11 = µ1−rdqN
(
µ2M+ µ1kzq
µ2M+ rdkz
)
·
(
−N +2µ1rdkz+ µ2M
rdqµ2M+ rdkzµ1
)
,
a12 =−rdqkN
M
(
1−µ1rdkz+ µ2M
rdqµ2M+ rdkzµ1
)
·
(
µ1rdkz+ µ2Mrdqµ2M+ rdkzµ1
)
,
a21=rdzN
(
µ2M+ µ1kz/qµ2M+ rdkz
)
,
a22 =−rdkzM
(
1−µ1rdkz+ µ2M
rdqµ2M+ rdkzµ1
)
− µ2.
To prove thatAx∗1x∗2has eigenvalues with negative real part,
we examine−Ax∗1x∗2. The second row is clearly diagonally
dominant, since the diagonal element is positive and theoff-diagonal element is negative. The first row is diagonallydominant if
−rdqkN
M
(
1−µ1rdkz+ µ2M
rdqµ2M+ rdkzµ1
)(
µ1rdkz+ µ2Mrdqµ2M+ rdkzµ1
)
< µ1+ rdq
(
µ2M+ µ1kzq
µ2M+ rdkz−
2µ1rdkz+ µ2Mrdqµ2M+ rdkzµ1
)
. (22)
In the limit as M → ∞, the left-hand side of (22) con-verges to zero while the right-hand side reduces toµ1 +
rdq(
1− 1rdqN
)
, which is positive forN sufficiently large.Hence −Ax∗1x∗2
is diagonally dominant, and therefore haseigenvalues with positive real part, implying that(x∗1,x
∗2) is
a stable equilibrium point.
B. Computation of system parameters
The parameterµ2 determines the rate at which honeypotnodes are discovered and removed by the botmaster, andhence can be calculated by observing the lifetime of deployedhoneypots (see Section VI). Similarly, the number of receivedmessagesp and the costτ can be estimated by averagingover the set of deployed honeypots over time. The fraction ofmalicious links k
M that are given to a single bot or honeypotis estimated by using the assumption that links are distributed
independently and uniformly at random by the botmaster, sothat the probability that a given link has been received bya honeypot is
(
1− kM
)x2. This probability can be estimatedby analyzing the set of malicious links received by newhoneypots, which combined with knowledge ofx2 enablescomputation ofk
M . The rate at which spam messages are sentby bots, denotedr, is estimated by the number of instructionmessages received by the honeypots.
The parametersµ1 andq, equal to the rate at which botsare removed from the botnet, and the fraction of maliciouslinks that are followed by users, depend on user behavior.These parameters can be estimated using existing data setsof user behavior [26]. Furthermore, to obtain an upper boundon the effectiveness of the botnet, the parameterq can beset equal to 1, implying that a valid user always clicks anylink to the malware executable (the worst case). The averagenode degree,d, is estimated based on existing analyses ofthe degree distribution of social networks [27].
C. Extension to heterogeneous networks
Typical social networks follow a non-uniform degreedistribution. We present a model for the bot and honeypotpopulation dynamics as follows. LetNd denote the totalnumber of users with degreed, and letxd
1(t) andxd2(t) denote
the number of bots and honeypots with degreed at time t.The average degree of the network is equal tod. We makethe assumption that:
(A9) The average degree of the infected users is equal to theaverage degree of the social network as a whole.
The total number of spam messages sent by bots in timeinterval dt is equal tordx1 dt, each of which has not beenblacklisted with probability
(
1− kx2M
)
. The probability thatthe recipient of a message has degreed and has not beeninfected is equal to
Pr(degreed, not infected) =Nd − xd
1
Nd
dNd
dN=
(Nd − xd1)d
dN.
This implies that the dynamics ofxd1(t) are given by
xd1(t) =
rdqN
x1
(
1−kx2
M
)
(Nd − xd1)− µ1xd
1, (23)
whereNd is the number of user accounts of degreed.
Similarly, the probability that the recipient of a spammessage is a honeypot node of degreed that has not beeninfected yet is
z∗dN , wherezd is the number of honeybots of
degreed that have not joined the botnet, leading to dynamicsof xd
2(t) described by
xd2(t) =
rdN
x1
(
1−kx2
M
)
z∗d − µ2xd2. (24)
Proposition 2: The dynamics (23) and (24) have equilib-
rium points atxd1 = xd
2 = 0 for all d and
xd∗1 =
rdq
1−krdz
(
1− µ1rdq
)
z
rkzdz + µ2M−
µ1
rdq
+ µ1
−1
(25)
·
rdq
1−krdz
(
1− µ1rdq
)
z
rkzdz + µ2M−
µ1
rdq
,
xd∗2 =
rdµ2
1−krdZ
(
1− µ1rdq
)
z
rkzdZ + µ2M−
µ1
rdq
zd . (26)
Proof: Summing (23) overd yields
x1(t) =x1drq
N
(
1−kx2
M
)
(N − x1)− µ1x1,
which implies that in steady-state we have
x∗1 = N
1−µ1
rdq(
1− kx2M
)
. (27)
Similarly, summing ˙xd2(t) over d results in
x2(t) =rx1
N
(
1−kx2
M
)
zdZ − µ2x2,
which combined with (27) givesx∗2 =rdz(
1−µ1rdq
)
rkzdzM +µ2
. The steady-
state value (26) can be obtained from (24). Similarly,xd∗1 can
be obtained from (23).
VI. M ODELING OF PROTECTION AND ALERT SYSTEM
(PAS)
PAS is a coordination system that strategically deployshoneybots and designs security policies for social networks.In this section, we focus on optimal reconfiguration of hon-eybots as illustrated in Fig. 2. We introduce a mathematicalframework for finding honeybot deployment strategies basedon system models described in Sections IV and V.
A. Relations between HD and HE
We have adopted a divide-and-conquer approach in Sec-tions IV and V, and have modeled the behavior of eachsystem independently. However, the interdependencies be-tween HD and HE are essential for PAS to make optimalsecurity policies for the social network. The HE model inSection IV describes strategic operations of honeybots at amicroscopic level while the HD model in Section V providesa macroscopic description of the population dynamics of botsand honeybots. These two models are interrelated throughtheir parameters together with the feedback control fromPAS.
The interactions between bots and honeybots in the HEmodel occur on a time scale of seconds. The analysis ofStackelberg equilibrium in Section IV captures the steady-state equilibrium after a repeated or learning process of thegame. Hence the equilibrium can be reached on a time scaleof minutes. On the other hand, the population dynamics
in HD model evolve on a larger time scale (for example,days). Hence, we can assume that the Stackelberg game hasreached its equilibrium when the populations evolve at amacroscopic level. Decisions made at PAS are on a longertime scale (for example, weeks) because the processing ofcollected information, learning of bots and honeybots insocial networks, and high-level decision on security policyin reality demand considerable amount of human resourcesfor coordination and supervision.
1) Trust Values and Detection Rate: The trust valuesTi j
used in HE model are related to the macroscopic detectionand removal rateµ2 in HD model. As we have pointed outearlier, zero trust values are equivalent to the removal ofhoneybots from the botnet. Hence we can adopt a simpledynamic model to describe the change ofTi j over a longertime period (say, days). We letT 0
i j be the initial conditionof the trust value. The evolution ofTi j over the macroscopictime scale can be modeled using the following ODE:
Ti j(t) =−µ2Ti j(t), Ti j(t0i j) = T 0
i j . (28)
Note that honeybots have different initial timet0i j. Hence
from (28), we obtain
Ti j(t) = e−µ2(t−t0i j), t ≥ t0i j, (29)
i.e., the trust values exponentially decay with respect to theremoval rate. a threshold can be set on. From (29), we canobtain the mean life time of a honeybot is 1/µ2. Macroscopicparameterµ2 can be estimated by the rate of change ofworking honeybots in the botnet, which can is known tothe system, whileTi j is a microscopic parameter and is oftenunknown directly to honeybots. With the ODE model in (28),we can useµ2 to estimateTi j.
2) Honeybot and Bot Populations: In Section V, thepopulations of bots and infiltrating honeybots are denotedby x1 and x2, respectively, whereas in Section IV, the botsize under C&C bot isnB
i . Under a hierarchical structureof botnet, illustrated in Fig. 4, the total bot and honeybotpopulationsx1,x2 are given by
x1 =m
∑i=1
nBi , x2 =
m
∑i=1
nHi . (30)
If all C&C bots are assumed to be identical, i.e.,nBi = nB, i ∈
M ,nHi = nH , i ∈ M , thenxi = mnB, andxi = mnH
3) Activity Level of Bots: The rate ¯pi in (18) indicatesthe activity level of bots when they respond to or pollinformation from C&C nodei. This level of activity isoften correlated with parameterr, the rate of sending outspamming messages to the social network. Assume that allC&C bots are assumed to be identical, i.e., ¯pi = p, i ∈ M ,then we can let ¯p = αr, where ¯p is in messages/sec,r is inmessages/sec andα ∈ R++ is a unitless positive parameter.
B. Cross-Layer Optimal Honeybot Deployment
In what follows, we first derive the optimal honeybotdeployment when the benefit from each honeypot is mea-surable. We then combine the analysis of Sections IV and
V to determine the optimal honeybot deployment, takinginto account the behavior of the deployed nodes during theexploitation phase.
The goal of the honeypot operator is to maximize thenumber of blacklisted links that are reported to the socialnetwork. Based on the analysis of Corollary 2, we assumethat the number of blacklisted links is proportional to thenumber of honeypot nodes in the botnet in steady-state,x∗2.The variable is the number of honeypot nodes that have notyet been inducted into the botnet,z. This leads to a utilityfunction given byVH(z) = px∗2(z)− τ(x∗2 + z), where p andτ represent the benefit (information gathered) and cost ofmaintaining a single honeypot node. Substituting (21) yields
VH(z) = p
(
rd − µ1q
)
z
rdkzM + µ2
− τ
(
rd − µ1q
)
z
rdkzM + µ2
+ z
=(p− τ)
(
rd− µ1q
)
z
rdkzM + µ2
− τz. (31)
The value ofz that maximizes (31) is given by the followingproposition.
Proposition 3: The optimum value ofz is given by
z∗ = M
−µ2+√
(p− τ)(rd− µ1q )µ2/τ
rdk
. (32)
Proof: DifferentiatingVH(z) with respect toz yields
∂VH
∂ z=
(p− τ)(
rd− µ1q
)
µ2
(
rdkM z+ µ2
)2 − τ.
By inspection,∂VH∂ z is a strictly decreasing function ofz, so
that VH(z) is strictly concave. Setting this expression equalto zero implies (32).
Remark 2: Eq. (32) has several implications for the de-sign of honeybot systems. First, for malware that propagatesrapidly (corresponding to a largerd value), fewer honeybotsare needed, since the malware will quickly spread to thedeployed honeybot. Second, ifµ2 is large, then honeybots arerapidly detected and removed by the botmaster, and hencethe cost of deploying honeybots outweighs the benefits.
The utility function (31) can be augmented by incorporat-ing the impact on the exploitation phase. In particular, (18)implies thatp = 1
1+βH
i x∗1T irTiH
, which we write asp = 11+ζx∗1
≈
1ζx∗1
when the number of bots is sufficiently large. The utilityfunctionVH can then be written as
VH =
(
1ζx∗1
− τ)
x∗2− τz (33)
An efficient algorithm for maximizing (33) can be derivedusing the following theorem.
Theorem 5: The problem of selectingz to maximizeVH
0 20 40 60 80 1000
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5x 10
5
Time elapsed (days)
Num
ber
of in
fect
ed n
odes
Botnet population for different honeypot configurations
z= 0
z= 5
z= 10
z= 15
1 2 3 4 5 6 7 8 9 100
5
10
15
20
25
Messages per honeypot, p
Opt
imal
num
ber
of h
oney
pots
Honeypot deployment based on cost and benefit
τ=1
τ=2
τ=3
τ=4
0 20 40 60 80 1000
0.5
1
1.5
2
2.5x 10
5
Time (days)
Num
ber
of in
fect
ed n
odes
Effect of degree distribution on infection rate
γ= 2.1
γ= 2.3
γ= 2.7
(a) (b) (c)
Fig. 5. Simulation of our framework for a network ofN = 106 users, where each user has probabilityq = 0.01 of following a malicious link, message aresent at a rate of 0.4 messages per bot per day, and infected nodes are cleaned after 5 days on average. (a) Effect of increasing the number of honeypot nodeson the botnet population. Deployment of a small number of honeypots can greatly reduce the number of bots present. Note that the population convergesquickly to its equilibrium value. (b) The optimum number of bots based on (32) for different costsτ and benefitsp. The total number of honeypots remainssmall for each case. (c) Effect of degree distribution on thebotnet population for number of honeypotsz = 5. Each network is scale-free, with exponentγvarying between networks. A higher connectivity results ina larger number of bots.
in (33) is equivalent to
maxθ ,φ ,x∗2,z
1ζ
−rdqθ 2
Nrdqφ − µ1+
M/4k
N(rdq(
1−kx∗2M
)
− µ1)
−τx∗2− τz, (34)
s.t. θ = x∗2−M2k
,
φ = 1−kx∗2M
, (35)
x∗2 ≤
(
rd− µ1q
)
z
rdkzM + µ2
, (36)
1ζ
rdqµ2M+ rdkzµ1
(rdq− µ1)µ2M≥ τ,
z ≥ 0, 0≤ x∗2 ≤ N,
which is a convex program.
Proof: The optimization problem of selectingz tomaximizeVH can be written as
maximize(
1ζx∗1(z)
− τ)
x∗2(z)− τz
z ∈ R+
(37)
If 1ζx∗1(z)
− τ < 0, then the objective function is monotonedecreasing inz, leading to an optimal valuez = 0. To avoidthis, we require 1
ζx∗1(z)≥ τ, leading to constraint (37). Using
(21), we have
x∗2ζx∗1
=
(
x∗2−kx∗2
2M
)
rdq
N(
rdq(
1−kx∗2M
)
− µ1
) =rdq(
− kM
(
x∗2−M2k
)2+ M
4k
)
N(
rdq(
1−kx∗2M
)
− µ1
) .
(38)Substitutingθ =
(
x∗2−M2k
)
and φ =(
1−kx∗2M
)
leads to theobjective function
VH(x∗2,z,θ ,φ) =
1ζ
−rdqθ 2
Nrdqφ − µ1+
M/4k
N(rdq(
1−kx∗2M
)
− µ1)
−τx∗2− τz (39)
Since quadratic over linear and inverse functions are convex,the first two terms of (39) are concave, and henceVH is
concave.Finally, the fact that the objective function is increasing
as a function ofx∗2 and decreasing as a function ofz impliesthat the constraint (36) holds with equality at the optimum,so that the relationship betweenx∗2 andz in (21) is satisfied.This constraint is convex due to Proposition 3.
The convex optimization approach presented in Theorem5 is used to select a honeybot deployment strategy in orderto maximize the level of infiltration into the botnet andthe amount of data gathered during the exploitation phase.Once inducted into the botnet, the honeybots follow theStackelberg equilibrium strategy of Section IV and use thecollected data to generate malware signatures and createURL blacklists. The parameters of (33) are updated inresponse to changes in botnet behavior observed during theexploitation phase.
VII. S IMULATION STUDY
We evaluated our proposed method using Matlab sim-ulation study, described as follows. A network consistingof N = 106 nodes was generated, with degreed = 100(consistent with observations of the average degree of socialnetworks [27]). The rate at which malware messages aresent is given byr = 0.4 messages per bot day, and therate at which nodes are disinfected and removed from thebotnet is µ1 = 0.2, an average lifetime for each bot of 5days. These statistics are based on the empirical observationsof [4]. Based on [5], we estimate that the probability of a userclicking on a spam link is given byq = 0.01. It is assumedthat the fraction of malware links given to each bot is equalto k/M = 0.01. The rate at which honeybots are detected andremoved is equal toµ2 = 0.5. In each case, we assume thatthere are 50 infected nodes and 0 honeybots present in thenetwork initially.
The population dynamics of the bots, described by (19)and (20), are shown in Fig. 5(a). Each curve represents thenumber of infected users over time for a different level ofhoneybot activity, as described by the parameterz. In eachcase, the number of bots converges to its equilibrium value.The top curve (solid line) assumesz = 0, i.e. no decep-tion takes place and malicious links are detected throughblacklists only. Employing deception through honeybots
significantly reduces the botnet population, even when thenumber of honeybots is small relative to the population size.As additional honeybots are added, the botnet populationcontinues to decline. However, the marginal benefit of addinga honeybot decreases as the number of honeybots growslarge.
The optimum number of honeybots depends on the cost ofintroducing and maintaining honeybots, denotedτ, as wellas the benefitp from each honeybot, as described in (32).The optimum number of honeybots is given in Fig. 5(b).As the cost of introducing new honeybots is reduced, theoptimal number of honeybots increases. In each case, theoptimum number of honeybots remains small, at around 25nodes, relative to the total network population of 106 nodes.
The effect of a heterogeneous degree distribution is shownin Fig. 5(c). The degree distribution was chosen to be scale-free, so that the probability that a node has degreed wasproportional tod−γ . Hence a higher value ofγ corresponds toa less-connected network. The parameterγ had a significantimpact on the rate of propagation of the botnet, even throughfor the chosen values ofγ the average degrees of the threenetworks were similar.
VIII. C ONCLUSION
In this paper, we studied the problem of defending againstsocial botnet attacks through deception. We considered adefense mechanism in which fake honeybot accounts aredeployed and infiltrate the botnet, impersonating infectedusers. The infiltrating honeybots gather information fromcommand and control messages, which are used to formmalware signatures or add spam links to URL blacklists.We introduced a framework for SOcial network Deceptionand EXploitation through hOneybots (SODEXO), whichprovides an analytical approach to modeling and designingsocial honeybot defenses. We decomposed SODEXO intodeployment and exploitation components.
In the deployment component, we model the populationdynamics of the infected users and honeybots, and showhow the infected population is affected by the number ofhoneybots introduced. We derive the steady-state populationsof infected users and honeybots and prove the stability ofthe equilibrium point. In the exploitation component, weformulate a Stackelberg game between the botmaster and thehoneybots and determine the amount of information gatheredby the honeybot in equilibrium. The two components arecombined in the Protection and Alert System (PAS), whichchooses an optimal deployment strategy based on the ob-served behavior of the botnet and the information gatheredby the honeybots. Our results are supported by simulationstudies, which show that a small number of honeybotssignificantly decrease the infected population of a large socialnetwork.
REFERENCES
[1] J. Baltazar, J. Costoya, and R. Flores, “The real face of koobface: Thelargest web 2.0 botnet explained,”Trend Micro Research, vol. 5, no. 9,p. 10, 2009.
[2] G. Keizer, “Worm spreads on facebook, hijacks users’ clicks,” Com-puterworld, December 2008.
[3] “Twitter FAQ for developers.”https://dev.twitter.com/docs/faq.[4] K. Thomas and D. Nicol, “The Koobface botnet and the rise of social
malware,” in5th International Conference on Malicious and UnwantedSoftware (MALWARE), 2010.
[5] C. Grier, K. Thomas, V. Paxson, and M. Zhang, “@spam: the under-ground on 140 characters or less,” inProc. of the 17th ACM conferenceon Computer and communications security, pp. 27–37, 2010.
[6] K. Lee, J. Caverlee, and S. Webb, “Uncovering social spammers: socialhoneypots + machine learning,” inProc. of the 33rd internationalACM SIGIR conference on Research and development in informationretrieval, pp. 435–442, 2010.
[7] J. W. Caddell,Deception 101 - Primer on Deception. Strategic StudiesInstitute, 2004.
[8] “The Department of Defense Dictionary of Military and AssociatedTerms,”
[9] J. Yuill, D. Denning, and F. Feer, “Using deception to hide things fromhackers: Processes, principles, and techniques,”Journal of InformationWarfare, vol. 5, no. 3, pp. 26–40, 2006.
[10] J. John, A. Moshchuk, S. Gribble, and A. Krishnamurthy,“Studyingspamming botnets using botlab,” inProc. of the 6th USENIX sympo-sium on Networked systems design and implementation, pp. 291–306,2009.
[11] G. Portokalidis, A. Slowinska, and H. Bos, “Argos: an emulatorfor fingerprinting zero-day attacks for advertised honeypots withautomatic signature generation,”SIGOPS Oper. Syst. Rev., vol. 40,pp. 15–27, Apr. 2006.
[12] M. McQueen and W. Boyer, “Deception used for cyber defense ofcontrol systems,” inHuman System Interactions, 2009. HSI ’09. 2ndConference on, pp. 624 –631, may 2009.
[13] M. Manshaei, Q. Zhu, T. Alpcan, T. Basar, and J.-P. Hubaux, “Gametheory meets network security and privacy,”ACM Computing Survey,vol. 45, September 2013 (to appear).
[14] M. H. R.Khouzani, S. Sarkar, and E. Altman, “Maximum damagemalware attack in mobile wireless networks,” inProc. of the 29th con-ference on Information communications (INFOCOM’10), San Diego,California, USA, 2010.
[15] Q. Zhu, C. Fung, R. Boutaba, and T. Basar, “A game-theoreticapproach to knowledge sharing in distributed collaborative intrusiondetection networks: Fairness, incentives and security,” in Proc. of 50thIEEE Conference on Decision and Control and European ControlConference (CDC-ECC), pp. 243–250, 2011.
[16] P. Wang, L. Wu, R. Cunningham, and C. C. Zou, “Honeypot detectionin advanced botnet attacks,”International Journal of Information andComputer Security, vol. 4, no. 1, pp. 30–51, 2010.
[17] C. C. Zou and R. Cunningham, “Honeypot-aware advanced botnetconstruction and maintenance,” inProc. of the International Confer-ence on Dependable Systems and Networks, DSN ’06, (Washington,DC, USA), pp. 199–208, IEEE Computer Society, 2006.
[18] G. Gu, J. Zhang, and W. Lee, “BotSniffer: Detecting botnet commandand control channels in network traffic,” inProc. of the 15th AnnualNetwork and Distributed System Security Symposium (NDSS’08),February 2008.
[19] G. Gu, R. Perdisci, J. Zhang, and W. Lee, “BotMiner: Clusteringanalysis of network traffic for protocol- and structure-independentbotnet detection,” inProc. of the 17th USENIX Security Symposium(Security’08), 2008.
[20] Q. Zhu and T. Basar, “Dynamic policy-based ids configuration,” inProc. of the 48th IEEE Conference on Decision and Control (CDC),pp. 8600 –8605, 2009.
[21] Q. Zhu and T. Basar, “Indices of power in optimal ids default con-figuration: theory and examples,” inProc. of the Second internationalconference on Decision and Game Theory for Security, GameSec’11,(Berlin, Heidelberg), pp. 7–21, Springer-Verlag, 2011.
[22] W. Ping, B. Aslam, and C. C. Zou, “Peer-to-peer botnets:The nextgeneration of botnet attacks,” inStavroulakis, P. and Stamp, M. (Eds),Handbook of Information and Communication Security, (Washington,DC, USA), pp. 335–350, Springer Press, 2010.
[23] T. Basar and G. J. Olsder,Dynamic Noncooperative Game Theory.SIAM Series in Classics in Applied Mathematics, 1999.
[24] N. Provos and T. Holz,Virtual honeypots: from botnet tracking tointrusion detection. Addison-Wesley Professional, first ed., 2007.
[25] H. Khalil, Nonlinear Systems. Macmillan Publishing Company NewYork, 1992.
[26] C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker,V. Paxson, and S. Savage, “Spamalytics: An empirical analysis ofspam marketing conversion,” inProc. of the 15th ACM conference onComputer and communications security, pp. 3–14, ACM, 2008.
[27] M. Gjoka, M. Kurant, C. Butts, and A. Markopoulou, “Practicalrecommendations on crawling online social networks,”IEEE Journalon Selected Areas in Communications (JSAC), vol. 29, pp. 1872–1892,October 2011.
