A worm infects some vulnerable hosts, they organize into a P2P botnet with some botmaster and start exchanging C&C traffic. Experimenter wants to observe the evolution of the botnet and the amount of traffic that master receives. There are two classes of experiments here that need to be combined together:

  1. an experiment where worm spreads and infects vulnerable hosts
  2. an experiment where some hosts organize into P2P network and somehow elect a leader who then sends commands to them and they may send reports back

Example 1: Botnet

This example used two metadescriptions. Let's go through each of them. This example is written in [CurrentlyProposedLanguage].

Worm spread metadescription

define Worm:

Logical topology:

Objects:

VNode extends Node

VNode := {state = Vulnerable, Vulnerability vulnerability = x}

INode := VNode {state = Infected}

Cardinality:

|INode|>=1

|VNode|>=1

Relationships:

Timeline of events:

Definitions:

each Inode i, some VNode v:

e1 := {type = SCAN, origin = i, destination = v, vulnerability = x }

s1 := {v.state = Infected}

Timeline:

e1 -> if (e1.vulnerability == v.vulnerability) then s1

Invariants: No additional ones are needed here.

P2P w leader and C&C traffic metadescription

define P2P:

Logical topology:

Objects:

Peer extends Node

Peer := {Peer[] peers = {}, Leader leader = none }

Leader extends Peer

Leader := {Peer[] slaves = {} }

Cardinality:

|Peer|>=2

|Leader|>=1

Relationships:

Timeline of events:

Definitions:

PEERREQUEST extends REQUEST

PEERREPLY extends REPLY

each Peer peer1, some Peer peer2:

e1 := {type = PEERREQUEST, origin = peer1, destination = peer2}

e2 := {type = PEERREPLY, origin = peer2, destination = peer1}

s1 := {peer2.peers += peer1}

s2 := {peer2.peers += peer1}

each Peer x:

e3 := {type = LEADERIS, origin = p in x.peers, destination = x, Leader yourleader = leader}

s3 := {x.leader = leader}

e4 := {type = HELLO, origin = x, destination = x.leader}

e5 := {type = CMD, origin = x.leader, destination = x, String cmd = c}

e6 := {type = REPORT, origin = x, destination = x, String report = r}

Timeline:

e1 -> [s1 and (e2 | matches(e2,e1)) -> s2] | | e3 -> s3 -> e4 -> e5 -> [e6]

Invariants: No additional ones are needed here.

Experiment design

Now I'm a user who wants to design my experiment. I need to combine two metadescriptions and somehow tie them down to generator choices. To combine I need to specify how outputs of worm metadescription match inputs of P2P metadescription. I'll do something like this:

define Botnet: import Worm w, P2P p2p

Logical topology:

Objects:

each p2p.Peer p and each w.Infected i

p := i

Cardinality:

Relationships:

Timeline of events:

Definitions:

Timeline:

timeline(w) | | timeline(p2p)

Invariants: No additional ones are needed here.

i.e. each infected host becomes a peer.

Last modified 11 years ago Last modified on Nov 5, 2010 4:00:22 PM