Botnet Takedown Initiatives: A Taxonomy and Performance Model

Reza Shirazi

Abstract
Botnets have become one of the fastest-growing threats to the computer systems, assets, data, and capabilities relied upon by individuals and organizations worldwide. Botnet takedown initiatives are complex and as varied as the botnets themselves. However, there is no comprehensive database of botnet takedowns available to researchers and practitioners, nor is there a theoretical model to help predict the success or failure of future takedown initiatives. This article reports on the author's ongoing research that is contributing to both of these challenges and introduces a set of hypotheses relating to the performance of botnet takedown initiatives. In addition to researchers, the article will be of particular interest to personnel in technical, legal, and management functions of organizations interested in improving the quality of their communications and accelerating decision making for the purpose of launching and operating botnet takedown initiatives. It will also be of interest to entrepreneurs who wish to launch and grow cybersecurity ventures that provide solutions to botnet and malware threats.

"Men rise from one ambition to another: first, they seek to secure themselves against attack, and then they attack others."
Niccolò Machiavelli

Introduction
Botnets are a persistent threat to all Internet users. They are networks of computers infected with malicious software that are connected over the Internet and can be instructed to carry out specific tasks, typically without the owners of those computers knowing it (Nadji et al., 2013; Plohmann et al., 2011; Whitehouse, 2014). Those who control botnets use them to steal identities, personal and financial information, and illicitly gain access to bank accounts; distribute spam e-mails; shut down websites by overwhelming them with traffic (i.e., distributed denial-of-service or DDoS attacks); launch new custom-made botnets; or spread malware and ransomware (Cremonini & Riccardi, 2009; Plohmann et al., 2011; Zeidanloo et al., 2010).
Over the last 20 years, botnets have developed "from a subject of curiosity to highly sophisticated instruments" for illegal activities (Czosseck et al., 2011). Botnets increase the computing resources available to cybercriminals exponentially without revealing their identities (Feily et al., 2009; Whitehouse, 2014). Stealthy, resilient, and cost-effective botnets have been designed to operate using general overlay networks such as those offered by Skype (Nappa et al., 2010).
Botnets are difficult to track, disrupt, and dismantle because they operate across many time zones, languages, and legal jurisdictions (Abu Rajab et al., 2006; Schaffer, 2006). Botnet takedown initiatives refer to the actions that lead to the identification and disruption of the botnet's command-and-control infrastructure. The literature on botnet takedowns includes studies on accelerating the botnet takedown process (Nadji et al., 2013), employing botnet takedown methods (Dagon et al., 2007; Freiling et al., 2005), minimizing botnet profitability (Tiirmaa-Klaar et al., 2013a), and detecting botnets (Dittrich, 2012; Nappa et al., 2010; Zeidanloo et al., 2010; Zhao et al., 2009). Studies have also looked at the managerial implications of botnet takedowns (Borrett et al., 2013; Scully, 2013), botnet lifecycles (Kok & Kurz, 2011), botnet types (Czosseck et al., 2011; Dagon et al., 2007), and practices to prevent and respond to botnet threats (Plohmann et al., 2011). However, there is no comprehensive database of botnet takedowns available to researchers and practitioners, nor is there a theoretical model to help predict the success or failure of future takedown initiatives. This article reports on the author's ongoing research that is contributing to both of these challenges and introduces a set of hypotheses relating to the performance of botnet takedowns.

Developing a Database of Botnet Takedown Initiatives
As of late 2014, a readily accessible, comprehensive database of botnet takedown initiatives was not available. Responding to the need for such a resource, a Google search (using keywords such as "botnet takedown", "botnet disruption", and "botnet dismantled") was conducted, which returned data from various sources, including: recent hearings on crime and terrorism (e.g., Whitehouse, 2014); lists of botnets that appear on large public websites (e.g., Wikipedia, 2014); websites of major IT firms (e.g., Microsoft), cybersecurity institutes (e.g., Symantec), and news agencies; and academic journals and conference proceedings. Based on the data from these sources, a preliminary database of 19 botnet takedown initiatives was created.
The database is being developed and maintained by the Technology Innovation Management program (TIM; timprogram.ca) at Carleton University in Ottawa, Canada, and it will be made publicly available once it is sufficiently mature. Table 1 summarizes the botnets and malware listed in the database, including each botnet's name (alias), its date of discovery, the date its takedown initiative began, its estimated size, and its purpose or the tasks it performed. The full database captures the following additional dimensions about the botnets and their associated takedown initiatives: unique features, means of dissemination, vulnerabilities exploited, responsible entity, impact, takedown leader, takedown process, involvement of authorities, legal issues, and timeline of key dates. As research progresses and understanding of the consequential dimensions grows, these dimensions will be refined.

Botnet Takedown Performance Model
Informed by the evolving database on botnet takedown initiatives described in the previous section, this study proposes a botnet takedown model to enable diverse, proficient individuals working in IT organizations to understand botnet takedown initiatives. Because there are no existing models to explain the performance of botnet takedowns, Ferrier's (2001) model of the drivers and consequences of competitive aggressiveness on business was used as a starting point to construct an effective barrier against the economic growth of botnets.
Ferrier's process model of competitive interaction aims to describe the characteristics of the forces that influence competitive aggressiveness and the consequential organizational performance. Building on Ferrier's (2001) study, the new two-part model is summarized in Figure 1.

The first part of the model examines how the volume, diversity, duration, and unpredictability of the botnet takedown are influenced by the characteristics of the botnet controller (i.e., the individuals and systems that run the botnet), the characteristics of the takedown initiative, and the efficacy of the legal environment. The second part of the model examines how the characteristics of the takedown attack influence the performance of the botnet takedown initiative (assessed as improvement and collateral damage). The dimensions used to measure botnet takedown performance are consistent with the approach to accelerating the takedown process proposed by Nadji and colleagues (2013).
Takedown attack dimensions
1. Volume: the number of uninterrupted action events that comprise each takedown initiative. The action events can be legal (i.e., a court or enforcement authorities are involved), technology (i.e., hardware or software is used), capacity (i.e., the domain of effectiveness of legal or technology actions), promotion (i.e., actions to gather more support and user participation for attack initiatives), and service (i.e., required by end users of compromised devices before and after the attack).
2. Diversity: the extent to which the sequence of actions of a takedown initiative is comprised of actions of many different types. For example, a low-diversity attack initiative would be one where all 10 actions are technology related, whereas a high-diversity attack initiative would include actions of many types.
3. Duration: the time elapsed from the beginning to the end of the botnet takedown initiative.
4. Unpredictability: the extent to which the sequential order of the novel actions in the botnet takedown initiative is dissimilar, from the botnet controller's perspective, from previous takedown initiatives on the same botnet or other botnets.

Botnet controller characteristics
1. Motivation: a statement that explains why the botnet controllers do what they do. Czosseck and colleagues (2011) conclude, "botnets have developed from a subject of curiosity to highly sophisticated instruments for illegally earning money".
2. Botnet structure: refers to whether the botnet has a command-and-control infrastructure, a peer-to-peer infrastructure, or a mixture of the two. Most botnets use a command-and-control infrastructure (Nadji et al., 2013), but regardless of what type of network is used to communicate between nodes, when a network of bots is available, they all follow the instructions from a command-and-control server (Freiling et al., 2005).
3. Past performance: measured by the size of the botnet. Past studies have employed various definitions of botnet size due to cloning, temporary migration, and hidden structure issues (Abu Rajab et al., 2007).
4. Time to takedown start: the time elapsed from when the botnet was first discovered to the time when the botnet takedown initiative is launched.

Takedown initiative characteristics
1. Organizational heterogeneity: the diversity of a takedown organization's demographics, knowledge, and experience. Ferrier (2001) suggests that homogeneity results in a persistent and dominant logic and cognitive strategy, but the heterogeneity that comes with different types of demographics, knowledge, and experience enables organizations to generate more complex and unpredictable strategic actions, facilitate better problem sensing, and match complex competitive challenges.
2. Past performance: the number of botnets that the members of the initiative have taken down in the past.
3. Investment: refers to the investment a takedown organization makes in security measures.
4. User participation: the number of users and organizations that need to act to bring the botnet down.

Legal environment efficacy
1. Botnet takedown order: the order in which a legal authority gives permission to law enforcement units to shut down or seize botnet elements. Watters and colleagues (2013) investigated legal activities by the Internet Corporation for Assigned Names and Numbers (ICANN) as one of the tools to prevent botnet attacks and found that ICANN lacks the ability and interest to ensure that data integrity is maintained as a priority. They advocate that ICANN should reform its policies, procedures, and standards to exert influence and authority on registrars.
2. Mechanisms to prevent benefits from botnets: examples include approaches focused on scaling and metric values and the "walled garden" technique (i.e., restricting convenient access to non-approved information and applications). In examining scaling and metric values of activities between hosts and resources, Tiirmaa-Klaar and colleagues (2013b) identified various benefits, including effective mitigation of various attacks and activities. However, the techniques also caused extensive damage, such as blocking legitimate activities and impacting user acceptance. In examining the walled garden technique, they identified critical side effects because it was not accepted by all customers of Internet service providers and led to difficult legal situations. Although some negative impacts were identified, this model highlights how up-to-date and dynamic prevention rules and policies (beyond public awareness) make botnets less attractive and profitable.
3. Botnet controller prosecution: empowers the takedown attack, protects cyberspace from similar attacks, and should decrease the duration of the takedown attack.

Takedown performance
1. Improvement: results from the takedown initiative, such as reducing the volume of spam traffic, reducing the number of data breaches, or reducing the number of infected machines.
2. Collateral damage: the number of organizations that were negatively affected by the execution of the botnet takedown initiative.
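As an added worked example (not code from the article or the TIM database), the Python below encodes one constructed takedown initiative as a dated sequence of action events drawn from the five action types defined above and computes the four takedown attack dimensions. The article defines the concepts but gives no formulas, so the entropy-based diversity score and the edit-distance-based unpredictability score are assumptions chosen to match the definitions, and all event data is constructed.

```python
from collections import Counter
from datetime import date
from math import log

# Five action types from the article's "Volume" dimension.
ACTION_TYPES = ("legal", "technology", "capacity", "promotion", "service")
# Constructed sample (not a real takedown): one initiative as dated action events.
SAMPLE_INITIATIVE = [
    (date(2014, 1, 6), "legal"),
    (date(2014, 1, 9), "technology"),
    (date(2014, 1, 9), "technology"),
    (date(2014, 1, 12), "capacity"),
    (date(2014, 1, 20), "promotion"),
    (date(2014, 2, 3), "service"),
]
# Constructed: ordered action-type sequences of two earlier initiatives.
PREVIOUS_SEQUENCES = [
    ["technology", "technology", "technology"],
    ["legal", "technology", "capacity", "service"],
]

def volume(events):
    """Volume: the number of action events in the initiative."""
    return len(events)

def diversity(events):
    """Diversity (assumed metric): Shannon entropy of the action-type mix, normalised
    so that 0.0 = every action has the same type, 1.0 = all five types used equally."""
    n = len(events)
    counts = Counter(t for _, t in events)
    entropy = -sum(c / n * log(c / n) for c in counts.values())
    return entropy / log(len(ACTION_TYPES))

def duration_days(events):
    """Duration: days elapsed from the first to the last action event."""
    days = sorted(d for d, _ in events)
    return (days[-1] - days[0]).days

def edit_distance(a, b):
    """Levenshtein distance between two ordered action-type sequences."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]

def unpredictability(events, previous):
    """Unpredictability (assumed metric): smallest normalised edit distance from this
    initiative's ordered type sequence to any previous sequence (0.0 = exact replay)."""
    seq = [t for _, t in events]
    return min(edit_distance(seq, p) / max(len(seq), len(p)) for p in previous)
```

For the constructed initiative this gives a volume of 6, a duration of 28 days, a diversity near 0.97 (five types, one used twice), and an unpredictability of 1/3, because the second earlier initiative differs from it by only two inserted actions.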

Hypotheses
The

Conclusions
In support of enhancing botnet takedown performance, this article has provided two contributions: i) an overview of a preliminary database of botnet takedown initiatives and ii) a theoretical model to help predict the success or failure of future takedown initiatives.
This work is relevant to researchers, policy makers, and industry professionals. In particular, personnel in the technical, legal, and management functions of interested organizations can use the suggested model to improve the quality of their communications by sharing a common taxonomy and to accelerate decision making for the purpose of launching and operating botnet takedown initiatives. These findings will also be relevant to entrepreneurs who wish to launch and grow cybersecurity ventures that provide solutions to botnet and malware problems.
The preliminary database and proposed model mark the beginning of a potentially fruitful avenue of research. The database needs to be augmented and refined; the model and its associated hypotheses need to be tested. As our knowledge improves, the intention is that the empirical data and the model constructs will evolve and cybersecurity experts will become more efficient in taking down botnets through various means.

Table 1. Summary of botnets and malware listed in the preliminary database of takedown initiatives.