DocumentCode :
1866690
Title :
SComF and SComI botnet models: The cases of initial unhindered botnet expansion
Author :
Khosroshahy, M. ; Ali, M.K.M. ; Dongyu Qiu
Author_Institution :
Electr. & Comput. Eng. Dept., Concordia Univ., Montreal, QC, Canada
fYear :
2012
fDate :
April 29 2012-May 2 2012
Firstpage :
1
Lastpage :
5
Abstract :
Botnets have become platforms to launch distributed denial-of-service attacks and coordinate massive e-mail spam campaigns, to name just a few of the botnet-related nefarious activities. Apart from the wired networks, the increasingly Internet-enabled cellular wireless networks are also vulnerable to botnet attacks, a situation which motivates a thorough study of botnet expansion and the mathematical models thereof. In this paper, we propose the following two Continuous-Time Markov Chain-based models for prediction of the botnet size in the initial phase of the botnet lifecycle: SComF for the case of a finite number of susceptible nodes (suitable for a botnet expanding in a closed environment such as an administrative domain or a LAN) and SComI for the case of an infinite number of susceptible nodes (suitable for a botnet expanding in the larger Internet). Having access to such models would enable security experts to have reliable size estimates and therefore be able to defend against an emerging botnet with adequate resources. We derive the probability distributions for both models and provide some numerical results as well as a simulation study accompanying the numerical analysis of the SComF model using the GTNetS network simulator.
Keywords :
Internet; Markov processes; cellular radio; computer network security; radio networks; statistical distributions; GTNetS network simulator; Georgia Tech network simulator; Internet-enabled cellular wireless networks; SComF botnet models; SComI botnet models; botnet attacks; botnet expansion; botnet-related nefarious activities; continuous-time Markov chain-based models; distributed denial-of-service attacks; e-mail spam campaigns; probability distributions; Analytical models; Grippers; Mathematical model; Numerical models; Probability distribution; Sociology; Statistics; Analytical models; Botnets; Computer security; Epidemic models; Malware propagation;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Electrical & Computer Engineering (CCECE), 2012 25th IEEE Canadian Conference on
Conference_Location :
Montreal, QC
ISSN :
0840-7789
Print_ISBN :
978-1-4673-1431-2
Electronic_ISBN :
0840-7789
Type :
conf
DOI :
10.1109/CCECE.2012.6334871
Filename :
6334871