Changes between Version 8 and Version 9 of BotnetExample

Timestamp:

Nov 4, 2010 4:55:58 PM (13 years ago)

Author:

sunshine

Comment:

--

BotnetExample

@@ -31 +31 @@
  * '''Timeline of events: '''
 
-   Definitions:
+   '''Definitions:'''
      
      each Inode i, some VNode v:
@@ -39 +39 @@
        s1 := {v.state = Infected}
 
-   Timeline:
+   '''Timeline:'''
   
-       e1 → if (e1.vulnerability == v.vulnerability) then s1
+       e1 -> if (e1.vulnerability == v.vulnerability) then s1
 
 
- * '''Invariants:''' There are some in definition of topology and timeline above. No additional ones are needed here.
+ * '''Invariants:''' No additional ones are needed here.
 
 === P2P w leader and C&C traffic metadescription ===
@@ -50 +50 @@
 * '''Logical topology:''' 
 
-   [[Image(peerobj.jpg)]]
+  Objects:
 
-   (in English: There must be two sets of hosts, at least two  peers and at least one leader. Nothing is said about relationship between sets so it's possible that there's an intersection between those that is non-empty. All objects here are of type Nodes.)
+    Peer extends Node
+
+    Peer := {Peer[] peers = {}, Leader leader = none }
+
+    Leader extends Peer
+
+    Leader := {Peer[] slaves = {}  }
+
+  Cardinality:
+
+    |Peer|,,>=2,,
+
+    |Leader|,,>=1,,
+
+  Relationships:
+
+
  * '''Timeline of events: '''
 
-   [[Image(peerwf.jpg, 60%)]]
+  Definitions:
 
-   (in English: Each  peer contacts some other peer asking them to peer with it - the contacted peer may reply with a "yes". In parallel with this a peer somehow learns about a leader. If a leader object is known to a given peer, the peer will send it a "hello" message. The leader will then send commands to the peers it knows and may get reports from them back.).
+    each Peer peer1, some Peer peer2: 
+ 
+      e1 := {type = WANNAPEER, origin = peer1, destination = peer2}
 
-   Note that I haven't defined what wannapeer, yespeer, leader, hello, cmd and report events are and I should define it in the common domain knowledge base. 
+      e2 := {type = YESPEER, origin = peer2, destination = peer1}
 
- * '''Invariants:''' There are some in definition of topology and timeline above. No additional ones are needed here.
+      s1 := {peer2.peers += peer1}
+
+      s2 := {peer2.peers += peer1}
+ 
+   each Peer x: 
+      
+      e3 := {type = LEADERIS, origin = p in x.peers, destination = x, Leader yourleader = leader}
+
+      s3 := {x.leader = leader}
+
+      e4 := {type = HELLO, origin = x, destination = x.leader} 
+
+      e5 := {type = CMD, origin = x.leader, destination = x, String cmd = c} 
+
+      e6 := {type = REPORT, origin = x, destination = x, String report = r} 
+
+  Timeline:
+
+      e1 -> [s1 and e2 -> s2] || e3 -> s3 -> e4 -> e5 -> [e6]
+
+
+ * '''Invariants:''' No additional ones are needed here.
 
 === Experiment design ===
@@ -67 +106 @@
 Now I'm a user who wants to design my experiment. I need to combine two metadescriptions and somehow tie them down to generator choices. To combine I need to specify how outputs of worm metadescription match inputs of P2P metadescription. I'll do something like this:
 
-   [[Image(wp2pcomb.jpg)]]
+  Worm w, P2P p2p
+ 
+    p2p.Peer := w.Infected
+
+    w || p2p
+
 
 i.e. each infected host becomes a peer.
 
-The system now needs to offer me several generators:
-
- * It should offer a topology generator and map the initial infected set, vulnerable set and leader set to the topology that gets generated.
- * It should offer event generator for each of the events: scan, yespeer, wannapeer, leaderis, hello, cmd and report. Specifically for scan, yespeer, wannapeer, hello, cmd and report it should offer traffic generators.  For leaderis it could either offer a traffic generator or an option to hardcode the leader ID into the peer software.
- * It should offer a malware generator for vulnerability x
-
-User either chooses each generator or agrees to use a default one for each choice. User can then manipulate the generators (their parameters) and the workflow. For example the user may add "patched" state after the "infected" one with the "patch" event to make the transition.
-