#### Abstract

Peer-to-Peer (P2P) botnets have emerged as one of the most serious threats to Internet security. To effectively eliminate P2P botnets, in this paper, the authors present two novel dynamical models to portray the process of formation of P2P botnets, one of which is called microlevel model, the other is called macrolevel model. Also, the stability of equilibria is investigated along with the analysis of how to prevent the P2P botnet. Furthermore, by analyzing the relationship between infection rate and the proportion of the hosts with countermeasures, we obtain the mathematical expressions of effective immune regions and depict their numerical simulations. Finally, numerical simulations verify the correctness of mathematical analysis. Our results can provide the guidance for security practitioners to defend and eliminate P2P botnet at a cost-effective way.

#### 1. Introduction

A botnet is a network of thousands (or more) of compromised hosts under the control of a botnetmaster, which usually recruits new vulnerable computers by running all kinds of malicious software (malware), such as Trojan horses, worms, computer viruses, and so forth [1]. For a variety of nefarious purposes, a botnetmaster who operates a botnet controls remotely those zombie computers to pursuit various malicious activities, such as distributed denial-of-service attacks (DDoS), email spam, password cracking, and so forth [2]. Botnets have been turned out one of the most serious threat to Internet [3].

To effectively fight against botnets, researchers have endeavored to explore working mechanisms of botnets from different perspectives in the past few years (see [4–11]). These existing researches provide perfect insight into detection and elimination of botnets. Aiming at describing the dynamical characteristics of botnets, Dagon et al. [12] constructed a Susceptible-Infective-Recovered (SIR) model, which took into account the effect of time and location on malware spread dynamics. The model accurately characterizes the population growth of a botnet. Considering the interactions among botnets, Song et al. [1] presented the interaction game model among botnets to investigate the effect of the cooperation and the competition on the number of botnet individuals.

Most previous botnets as shown in Figure 1 use Internet relay chat (IRC) as a form of communication for centralized command and control (C&C) structure. Botnets based on C&C structure are easily checked and cracked by defenders; as well as the threats of botnets can be mitigated and eliminated if the central of C&C is unavailable [13]. In comparison, Peer-to-Peer (P2P) betnets as shown in Figure 2 employing a distributed command-and-control structure are more robust and more difficult for the security community to defend. Thus, P2P botnets, such as Trojan.Peacomm, Storm botnet [14], have emerged and gradually escalated in recent years. The threats of P2P botnets to Internet security have drawn widespread attention. Reference [15] presented a stochastic model of Storm Worm P2P botnet to examine how different factors, such as the removal rate and the initial infection rate, impact the total propagation bots. Kolesnichenko et al. developed a mean-field model to analyze P2P botnet behaviors [16]. In their seminal work, Yan et al. [17] mathematically elaborated the performance of a new type of P2P botnet—AntBot from perspectives of reachability, resilience to pollution and scalability. They also developed a P2P botnet simulator to evaluate the effectiveness of analysis. Furthermore, the authors suggested some potential defense schemes for defenders to effectively disrupt AntBot operations.

For security workers to be better prepared for potentially destructive P2P botnets, it is necessary for them to understand deeply factors that influence the formation of P2P botnets. Against this backdrop, in this paper, we utilize mathematical modeling method to investigate how immunizations affect the dynamical actions of P2P botnets. Our key contributions are summarized as follows: (i) we propose novel dynamical models which reflect the formation of P2P botnets; (ii) we derive mathematically the feasible region of immunization and depict their numerical simulations; (iii) we suggest a probable immune method for researchers and security professionals.

The remainder of the paper is organized as follows. Section 2 elaborates modeling mechanism. In Section 3, we derive the equilibria of models and prove their stabilities. In Section 4, we get the mathematical expressions of immune feasible regions and obtain the results of numerical simulations. In Section 5, we depict the numerical simulations to verify conclusions of Section 4. Section 6 concludes this paper with some conclusions.

#### 2. Modeling P2P Botnets

Considering bot candidates and the network a botnet attaches itself to, we roughly divide P2P botnets into three categories [18]: (i) Parasite P2P botnet, in which all bot members are chosen from an existing P2P network; (ii) Leaching P2P botnet, which is a botnet that bot candidates are from vulnerable hosts throughout the Internet, but they will join in and depend on an existing P2P network; (iii) Bot-only P2P botnet, which refers to a botnet that occurs in an unattached network, and there are no nonmalignant peers except bots.

For parasite P2P botnet, once a vulnerable host is compromised by botnet malware, it will directly become a bot member and serve for the botmaster without further joining the botnet. Up to this trait, in Section 2.1, we present a deterministic mathematical model named “microlevel model” to reflect its dynamical features. However, many botmasters extend their scales to the whole Internet to recruit new zombies because the scale of *parasite botnet* is limited by the number of peers in an existing P2P network. For constructing this type P2P botnet, there are two steps: the first step is trying to infect new vulnerable hosts throughout the whole Internet, and the second step is new compromised hosts joining into network and connecting with other bots. In Section 2.2, we use a novel mathematical model, which we call “macrolevel model” to characterize their dynamical actions.

##### 2.1. The Microlevel Model

In this subsection, we employ the classical model, which has been widely used by many researchers to study Internet malware propagation [19–24], to characterize the dynamical behavior of *parasite P2P botnets*. Let , and be the numbers of hosts at time in stats , and , respectively. Let be the total number of hosts in a P2P network and be relatively stable, then we have
That is, given a P2P network with a total of hosts, any host in the network will be at a state of either , or , and the sum of all hosts in these states equals . In addition, unlike the traditional *SIR* model, our model includes the impact of real-time immunization to virus propagation.

As a result, the model we employ is as follows: where is the replacement rate of the hosts per hours; is infection rate per hour; is the state transition rate from to due to real-time immune measures; is the recovery rate from infected state to due to antivirus measures. It is easy to verify that the positive cone is a positive invariant set with respect to system (2.2), where .

In what follows, we consider the effect of immunization on computer virus propagation in the P2P network. In reality, it is reasonable for us to assume that some hosts have immune measures, others have not. Hence, in our model the total hosts can be partitioned into two subclasses: immune and no immune hosts. Let be the proportion of the hosts with immune measures . We make a simple assumption that immunization has no effect on the infected time. So, we need only to change infection rate . Let be the proportion of hosts with immune measures infected by infective hosts, and let be the proportion of hosts without immune measures infected by infective hosts. Therefore rewrite infection rate as Hence, the new differential equation model can be expressed as follows:

##### 2.2. The Macrolevel Model

In this subsection, we use a two-stage model to depict the dynamical action of *leeching P2P botnets*, in which botmasters recruit new bots from the whole Internet. The model monitors the four populations of susceptible (), stage-1-infected () hosts that are compromised but not connect with other bots, and stage-2-infected () hosts that are indeed bots and recovered (). We assume that the number of hosts on Internet is relatively stable, which is often adopted in other existing efforts [25, 26]. Let be the total number of hosts on Internet. Then our model can be formulated as follows:
where is the replacement rate of the hosts per hours, and is infection rate per hour, respectively, and is the state transition rate from to due to real-time immune measures, is the recovery rate from infected state and due to antivirus measures, respectively.

It is easy to verify the positive cone that is a positive invariant set with respect to system (2.5), where .

In what follows, we analyze the effect of immunization on dynamical characteristics of P2P botnets. Let be the proportion of the hosts that have immune measures . We make a simple assumption that immunization has no effect on the infected time. So, we need only to change infection rate and . Let be the proportion of hosts with immune measures in state infected by infective hosts ; let be the proportion of hosts with immune measures in state infected by infective hosts ; let be the proportion of hosts without immune measures in state infected by infective hosts , and let be the proportion of hosts without immune measures in state infected by infective hosts . Therefore rewrite infection rate and as Hence, the new macrolevel differential equation model is

#### 3. Model Analysis

To achieve the effective region of and , we first obtain the stable equilibria for systems (2.4) and (2.7).

##### 3.1. The Microlevel Model Analysis

In this subsection, we will solve the equilibria of system (2.4) and investigate their stability.

The first two equations in system (2.4) do not depend on the third equation, and therefore this equation may be omitted without loss of generality. Hence, system (2.4) can be rewritten as Now, we analyze system (3.1) by finding its equalibria. Steady states of system (3.1) satisfy the following equation: Solving the system (3.2), we can conclude that system (3.1) always has a virus-free equilibrium (DFE) . Furthermore, define is called the basic reproduction number. If , then system (3.1) has a virus-epidemic equilibrium .

Lemma 3.1. *DFE is locally asymptotically stable when and unstable when .*

*Proof. *The characteristic equation of system (3.1) near is
Solving (3.4), we can get . Obviously, DFE is locally asymptotically stable when and unstable when .

Further, we have the following theorem.

Theorem 3.2. *DFE is global asymptotically stable if .*

*Proof. *Learn from the first equation of system (3.1)
Thus,
When , one can get
We choose Lyapunov function to be the form
The time derivative of along system (3.1) is given by
The theorem is proven.

Next, we will analyze the stability of virus-epidemic equilibrium of system (3.1).

Theorem 3.3. *If , then the virus-epidemic equilibrium of system (3.1) is locally asymptotically stable.*

*Proof. *The characteristic equation of system (3.1) at is given by
which equals
where . Obviously, in accordance with the relationship between roots and coefficients of quadratic equation, all eigenvalues of (3.11) have negative real parts. Thus, is locally asymptotically stable when .

Theorem 3.4. *If , then the virus-epidemic equilibrium is globally asymptotically stable.*

*Proof. *Consider the following Lypunov function [26]
which is always positive in . Moreover, the function satisfies
Thus, we prove that the endemic equilibrium is globally asymptotically stable.

##### 3.2. The Macrolevel Model Analysis

In this subsection, we will solve the equilibria of system (2.7) and investigate their stability.

The first two equations in system (2.7) do not depend on the third equation, and therefore this equation may be omitted without loss of generality. Hence, system (2.7) can be rewritten as The equalibria of system (3.14) are determined by setting . There is always a virus-free equilibrium (DFE) . Furthermore, define If , system (3.14) has a virus-epidemic equilibrium , where

Lemma 3.5. *DFE of system (3.14) is locally asymptotically stable when and unstable when .*

*Proof. *The characteristic equation of system (3.14) near DFE can be written as follows:
The above equation has a negative real part characteristic root and roots of
where .

It is easy to verify that is always positive. Obviously, when is positive. In accordance with the relationship between roots and coefficients of quadratic equation, there are no positive real roots of (3.18). Hence, DFE of system (3.14) is locally asymptotically stable when and unstable when .

Further, the following theorem holds.

Theorem 3.6. *DFE of system (3.14) is global asymptotically stable if .*

*Proof. *From the first equation of system (3.14), we obtain
Thus,
When , we have
Consider the Lyapunov function
which is always positive in where . Moreover, in the case of system (3.14), the function satisfies
So, the DFE is globally attractive. Combining Lemma 3.5, we have DFE is globally asymptotically stable.

Next, we will analyze the stability of virus-epidemic equilibrium of system (3.14).

The characteristic equation of system (3.14) near endemic equilibrium is given by which corresponds to where + .

According to Hurwitz criteria Hence, we can get the following theorem.

Theorem 3.7. *Let . if and hold, then the virus-epidemic equilibrium of system (3.14) is locally asymptotically stable.*

#### 4. Control Strategies of P2P Botnets

Theorems 3.2 and 3.6 indicate that P2P botnets will be eliminated if reasonable antivirus strategies are taken (represented by the formulations of and ). Here, we will investigate effective methods eliminating P2P botnets by deriving the feasible region of and .

First, we derive the feasible region of . Substituting (2.3) into (3.3), we have According to the meaning of , we can quantify the lower limit for an effective immunity . When , it is easy to get We define the “immune effective region” as follows

Corollary 4.1. *If and satisfies , then it is possible to eliminate botnets within P2P networks. Otherwise, if or , then immunization can only reduce the scale of P2P botnets. *

Similarly, one will get the feasible region of . Substituting (2.6) into (3.15), one can obtain

According to the meaning of , one can quantify the lower limit for an effective immunization . When , one has Define “immune effective region” as follows.

Corollary 4.2. *If and satisfies , then it is possible to eliminate P2P botnets on Internet. Otherwise, if or , then immunization can only reduce the scale of P2P botnets.*

The numerical solution of obtained from (4.2) is plotted with different value of and fixed values of , and in Figure 3. Similarly, Figure 4 depicts the numerical solution of obtained from (4.5) with different value of and fixed values of and .

#### 5. Numerical Simulations

To validate the accuracy of obtained from (4.2), we simulate system (2.4) with the following parameters: , and (i) , where ; (ii) , where . Initial values are set to , and , respectively. Figures 5 and 6 show the simulation results with the above two sets of parameters, respectively, which are consistent with theoretical prediction.

Similarly, we verify the accuracy of obtained from (4.5) by simulating system (2.7). The following parameter values are adopted: , , and (i) , where ; (ii) , where . Initial values are set to , and , respectively. Simulation results in Figures 7 and 8 are consistent with theoretical prediction.

For investigating the effect of different replacement rate on , we depict simulation results of in Figure 9, in which we set , and , that is, replacement time is one year, nine months, a half year, and three months. Other parameters are the same to Figure 3.

Similarly, for investigating the effect of on , we set , , and ; other parameters are the same to Figure 4. The simulation result is depicted in Figure 10.

Figures 9 and 10 reflect the fact that decreasing the replacement rate of computers can enhance the effectiveness of immunizations. This finding contributes to management and maintenance of networks at a cost-effective way.

#### 6. Conclusions

As a kind of new form of botnets, P2P botnets have attracted considerable attention. In this paper, the authors explore two novel dynamical models. The first is a micro-level model which describes the dynamical behavior of *Parasite P2P botnets*. The Second is the macro-level model which characterizes the dynamical action of *Leaching P2P botnet*. Throughout the paper, we focus on the effect of immunization on dynamics of P2P botnets. Through detailed mathematical analysis, the feasible region of immunization has been derived. In addition, we simulate the feasible region of immunization by using different parameter values. Furthermore, the correctness of feasible region has been verified.

The thresholds of immunizations have demonstrated that antivirus strategies have great influence on the dynamics of P2P botnets. More specifically, in feasible regions of immunizations, the spread of computer viruses will be stopped, and the botnet will be cracked. In contrary, immune measures merely decrease the scale of hosts infected by computer viruses, and the botnet will survive. In addition, our results also show that the replacement rate of computers will affect the threshold of immunizations.

Our investigations can provide insight on the effectiveness of various antivirus measures (e.g., antivirus products and user education). According to the thresholds of (4.2) and (4.5), secure organizations can make cost-effective countermeasures to work well in practice. Our study is only limited to unstructured P2P networks, such as Gnutella. Taken a step further, our models are adapted to topology-independent malware, such as file-sharing worms, viruses, Trojans, and so on. In the future, we will concentrate our attentions on the propagation model of topology-aware malware.

#### Acknowledgments

This work was supported in part by the National Natural Science Foundation of China under Grant 60973114, Grant 61170249, and Grant 61003247, in part by the Natural Science Foundation project of CQCSTC under Grant 2009BA2024, and in part by the State Key Laboratory of Power Transmission Equipment and System Security and New Technology, Chongqing University, under Grant 2007DA10512711206.