Home Explore Help
Sign In
leon.boeck
/
ID2T-toolkit-BotnetTraffic
forked from SPIN/ID2T-toolkit
2
0
Fork 0
Files Issues 0 Wiki
Page: Choosing an Interval from the Abstract Communication Input File
Adding padding to the packets
Additional Plots
Calling the attack
Choosing an Interval from the Abstract Communication Input File
DB Table for Degree Statistics of each IP Address
DB Table for Extended Conversation Statistics
Ephemeral Ports assigment
Generate Random Ports
Home
Input of a CSV or XML File Containing Abstract Botnet Communication
Mapping IP Address to ASN
Mapping IPs to IDs
Mapping of PCAP Packets to Input CSV XML Messages
Supported Attack Parameters
Test for deterministic output
Timings of Messages and their Responses
botnet_comm_processor
Choosing an Interval from the Abstract Communication Input File
Dustin Born edited this page 6 years ago

Introduction

A user can input a CSV/XML file that contains abstract Membership Management Communication of a botnet. The file has to satisfy specific requirements, as can be seen here. Per default the file resources/MembersMgmtComm_example.xml is used. Now, a communication interval of the specified attack.duration seconds (default: length of the input PCAP) has to be selected from all abstract messages contained in the CSV/XML. There are multiple strategies to select this interval, as can be seen below. Using the attack parameters listed here a user can choose his or her preffered selection strategy. Finally, the messages are processed further and then injected into the PCAP.
In the following, fitting interval describes an interval that is not longer than the desired duration and contains at least the desired amount of communication initiating bots (bots that send requests).

Random Interval Selection

Using random interval selection, a fitting interval is searched for at random. If a fitting interval could not be found within 5 attempts, no packets are injected.

Optimal Interval Selection

Introduction

The algorithm of this strategy iterates over all abtract messages to find the optimal, i.e. most communicative, interval. The iteration is handled similar to a Sliding Window approach.

Iterating over all Messages

The iteration uses two indices: a bottom index and a top index. The top index is constantly increased which triggers the processing of a new message every time. The increase of the top index is stopped, once the time period of the interval is bigger than the desired attack time, which is either directly input by the user or is set to the duration of the PCAP by default. Now the bottom index has to "catch up". For this it is increased until the time period of the interval between bottom and top index is smaller than or equal to the desired duration. Every time the bottom index is increased, the information the message at that index contains is (mostly) discarded from the knowledge of the algorithm. After the bottom index has caught up, the top index starts increasing again. This is done until all messages have been processed.

Processing a Message

When NAT is not present, the goal of the algorithm is to find a fitting interval that contains the most communication. As explained above, the algorithm iterates over all messages. During the iteration, a state of the amount of messages contained in the current interval is kept. Once this interval is too big whereby all messages of it have been processed, three cases can happen:

  • This interval has less communication than the current most communicative interval. Therefore nothing happens.
  • This interval has an equal amount of communication compared to the current most communicative interval. Here, The current interval is appended to the list of most communicative intervals.
  • This interval has more communication than the current most communicative interval. Here, the list of most communicative intervals is cleared, the most recently processed interval becomes the most communicative interval and now is the sole member of the list of most communicative intervals.

After all messages have been processed, the chosen interval is randomly chosen from the list of most communicative intervals. Thereafter, the IDs that will be mapped to bots are randomly chosen as well. The number of bots is 1 per default, but a user can specify a custom number using the parameter bots.count.

Custom Interval Selection

Using custom interval selection, a user can specifiy the selected interval. If it contains more communication initiating bots than specified, the specified number of bots is selected at random. There are three ways, a user can use this feature with these parameters:

Specifying a start index only

If a user only specifies a start index, the algorithm selects the interval that starts at this index and ends whenever the specified interval duration is exceeded with the next message. If this interval does not contain enough initiator bots, the interval is discarded and no packets are injected. If it contains too many, the bots are chosen at random again, just as above.

Specifying an end index only

If a user only specifies an end index, the algorithm selects the interval that ends at this index and starts whenever the specified interval duration is exceeded with the prior message. If this interval does not contain enough initiator bots, the interval is discarded and no packets are injected. If it contains too many, the bots are chosen at random again, just as above.

Specifying both, a start and end index

If a user specifies a start and end index, the selected interval starts and ends with the respective indices. Here though, if the selected interval does not contain enough initiator bots, the messages are injected regardless.

Delete Page

This will delete the page "Choosing an Interval from the Abstract Communication Input File". Please be certain.

No
Yes