Hierarchical Models for Indirect Observation in Botnet Population Estimation: A Case Study Using Conficker-C

This proposal describes a model for the hourly number of peer-to-peer connection requests generated by a single machine in the Conficker-C botnet, as viewed by an observer who can monitor a fixed proportion of Internet address space. The goal of developing this peer-to-peer behavioral model is to estimate the number of infected machines in the botnet when machines cannot be directly observed. Network behavior is often observed through the filter of IP addresses, where the mapping between machines and addresses is not oneto-one. Because all machines in the botnet are infected with the same malicious code base, their malicious behavior can act as a more stable representative for a single machine than an IP address. Parameter estimation for a single infected machine can be achieved using informed priors and MCMC methods with Metropolis-within-Gibbs sampling to account for time-dependent heterogeneity in connection rates. For population estimation in the presence of indirect observation, a confusion matrix is introduced, that can be used to represent different mappings of machines to IP addresses commonly used in network infrastructure. We propose MCMC methods for addressing estimation of single-host parameters and population hyperparameters, as well as population estimation across a large set of independent networks. Section 1.1 and Section 1.2 motivate the population study and give an overview of the main challenges for applying traditional population estimation methodology to network phenomena. Section 2 introduces the Conficker-C population and the methods for observing it in more detail. Section 3 describes the model for observing a single infected machine, and introduces the framework for extending the single-host model to a network model. Section 4 describes data collection and proposes the steps to be taken for the completion of the dissertation.