My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging

Note that when node 7 produces a tuple that joins with the static table, three transmissions result; this is the same as if the original data was sent up the routing tree in the naïve or single-node case. In the worst case, there would have been two extra tuples: if node 5 produced a tuple which joined with a tuple on node 7, a total of 4 transmissions would have been performed. In general, no more than 2 + depth transmissions will be required, as any pair of nodes in the same group differ by no more.

My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging

Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis
Computer Science Department, Johns Hopkins University

Abstract

As if fueled by its own fire, curiosity and speculation regarding botnet sizes abounds. Among researchers, in the press, and in the classroom, the questions regarding the widespread effect of botnets seem never-ending: what are they? How many are there? What are they used for? Yet time and time again, one lingering question remains: how big are today's botnets? We hear widely diverging answers. In fact, some may argue, contradictory. The root cause for this confusion is that the term botnet size is currently poorly defined. We elucidate this issue by presenting different metrics for counting botnet membership and show that they lead to widely different size estimates for a large number of botnets we tracked. In particular, we show how several issues, including cloning, temporary migration, and hidden structures, significantly increase the difficulty of determining botnet size with any accuracy. Taken as a whole, this paper calls into question speculations about botnet size, and more so, questions whether size really matters.

1 Introduction

It is widely accepted that botnets pose one of the most significant threats to the Internet. For the most part, this belief has been supported by the conjecture that at any moment in time there is a large collection of well-connected compromised machines that can be coordinated to partake in malicious activities at the whim of their botmaster(s). Indeed, the potential threat of botnets comprising several hundred thousand bots has recently captured the headlines of the press [11, 18], but the question of size itself continues to be a point of debate among the research community. In particular, the question of how we arrive at size estimates, or more importantly, just what they mean, remains unanswered. As a case in point, while earlier studies [4, 5]