
botnet_comm_processor

Jens Keim edited this page Apr 15, 2019 · 1 revision

Introduction

As part of the Membership Management Communication Attack, the user can input a file containing abstract botnet communication, as described here. The first step is parsing the input CSV/XML file into the program's data structures; this module does that efficiently. If needed, the parsed abstract messages can be written back to an XML file that follows the structure described here. Secondly, this module provides the backbone needed to efficiently select an interval of messages from the parsed input; several algorithms exist for this, as described here. The CommunicationProcessor Python module then uses the functions of this module to select the final interval out of all suitable intervals according to the chosen selection strategy. The selected interval is then further processed and finally injected into the PCAP.
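As an added illustration of the parsing step (this is example code written for this page, not the project's parser), the block below reads abstract messages from a CSV-style text into a vector of structs. The record layout it assumes, one message per line with comma-separated `Key: value` pairs for `Src`, `Dst`, `Type` and `Time`, is an assumption made here and may differ from the project's actual format. Because the file is user-supplied, every field is validated strictly: IDs must be plain digits that fit in 32 bits (no sign, so no wraparound into a "negative" ID), timestamps must be finite and non-negative, and a line with an unknown key, a missing field or trailing junk is recorded as rejected rather than guessed at or allowed to abort the whole run. The sample input is constructed for this example.

```cpp
#include <cmath>
#include <cstddef>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// One abstract botnet message. The field set (src, dst, type, time) is an
// assumption made for this example; line_no is kept for error reporting.
struct AbstractMsg {
    unsigned int src;     // sending bot ID
    unsigned int dst;     // receiving bot ID
    unsigned int type;    // message type code
    double time;          // timestamp in seconds
    std::size_t line_no;  // 1-based line in the input file
};

struct ParseResult {
    std::vector<AbstractMsg> msgs;      // well-formed records, in file order
    std::vector<std::size_t> rejected;  // line numbers of malformed records
};

static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    std::size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(ws) - b + 1);
}

// Digits only, at most 9 of them (always fits in 32 bits): no sign, no
// whitespace, no trailing junk, so a crafted file cannot smuggle in a
// "negative" ID via unsigned wraparound.
static bool parse_uint(const std::string& s, unsigned int& out) {
    if (s.empty() || s.size() > 9) return false;
    unsigned int v = 0;
    for (char c : s) {
        if (c < '0' || c > '9') return false;
        v = v * 10 + static_cast<unsigned int>(c - '0');
    }
    out = v;
    return true;
}

// Finite, non-negative timestamp with no trailing junk ("nan", "inf", "1x" fail).
static bool parse_double(const std::string& s, double& out) {
    if (s.empty()) return false;
    std::size_t used = 0;
    try { out = std::stod(s, &used); } catch (const std::exception&) { return false; }
    return used == s.size() && std::isfinite(out) && out >= 0.0;
}

// Parses the whole text. A malformed line is recorded and skipped instead of
// aborting the run, so one bad record cannot block the rest of the pipeline.
ParseResult parse_abstract_csv(const std::string& text) {
    ParseResult r;
    std::istringstream in(text);
    std::string line;
    std::size_t line_no = 0;
    while (std::getline(in, line)) {
        ++line_no;
        if (trim(line).empty()) continue;
        AbstractMsg m{0, 0, 0, 0.0, line_no};
        bool has_src = false, has_dst = false, has_type = false, has_time = false;
        bool ok = true;
        std::istringstream fields(line);
        std::string field;
        while (ok && std::getline(fields, field, ',')) {
            std::size_t colon = field.find(':');
            if (colon == std::string::npos) { ok = false; break; }
            std::string key = trim(field.substr(0, colon));
            std::string val = trim(field.substr(colon + 1));
            if (key == "Src")       { ok = parse_uint(val, m.src);    has_src = true; }
            else if (key == "Dst")  { ok = parse_uint(val, m.dst);    has_dst = true; }
            else if (key == "Type") { ok = parse_uint(val, m.type);   has_type = true; }
            else if (key == "Time") { ok = parse_double(val, m.time); has_time = true; }
            else ok = false;  // unknown key: reject rather than silently ignore it
        }
        if (ok && has_src && has_dst && has_type && has_time) r.msgs.push_back(m);
        else r.rejected.push_back(line_no);
    }
    return r;
}

// Constructed sample input for this example (not taken from the project).
const char* const SAMPLE_CSV =
    "Src: 1, Dst: 2, Type: 101, Time: 0.0\n"
    "Src: 2, Dst: 1, Type: 102, Time: 0.5\n"
    "Src: 3, Dst: 1, Type: 111, Time: -1.0\n"        // negative time: rejected
    "Src: 1, Dst: 4, Type: 101\n"                     // missing Time: rejected
    "Src: 4294967296, Dst: 1, Type: 101, Time: 2\n"   // does not fit 32 bits: rejected
    "Src: 4, Dst: 2, Type: 103, Time: 2.5\n";
```

On the sample above, `parse_abstract_csv(SAMPLE_CSV)` yields three messages and reports lines 3, 4 and 5 as rejected. Returning the rejected line numbers alongside the parsed messages lets the Python side decide whether a partially malformed file should still be used, instead of the parser making that call on its own.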

Description

The specific functions provided by this module are declared in code_boost/src/cxx/botnet_comm_processor.h. How the different algorithms work is described here. Note that the optimal algorithm uses multiple threads to further increase efficiency; the number of threads equals the number of logical cores available on the executing system.
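To show how a per-core thread pool can be applied to an interval search, here is an added example (written for this page, not the project's implementation). The selection criterion it uses, the longest run of consecutive messages that touches at most `max_ids` distinct bot IDs, is an assumption chosen for illustration and stands in for whatever criterion the project's optimal algorithm applies. The start indices are split into one contiguous chunk per thread, the thread count defaults to `std::thread::hardware_concurrency()` as the page describes, each thread writes only its own slot of the result vector, and the merge after joining breaks ties by earliest start so the answer does not depend on how many threads ran. The sample trace is constructed for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <thread>
#include <unordered_set>
#include <vector>

// Minimal message record for this example (assumed fields, as in the parser above).
struct AbstractMsg { unsigned int src, dst, type; double time; };

// Half-open range [begin, end) of indices into the message vector.
struct Interval { std::size_t begin; std::size_t end; };
std::size_t interval_len(const Interval& iv) { return iv.end - iv.begin; }

// For every start index in [from, to), extend the interval while the messages
// touch at most max_ids distinct bot IDs (src and dst), keeping the longest.
// Ties keep the earliest start so the result is deterministic.
static Interval best_in_range(const std::vector<AbstractMsg>& msgs,
                              std::size_t from, std::size_t to, std::size_t max_ids) {
    Interval best{0, 0};
    for (std::size_t i = from; i < to; ++i) {
        std::unordered_set<unsigned int> ids;
        std::size_t j = i;
        for (; j < msgs.size(); ++j) {
            ids.insert(msgs[j].src);
            ids.insert(msgs[j].dst);
            if (ids.size() > max_ids) break;   // msgs[j] would exceed the ID budget
        }
        if (j - i > interval_len(best)) best = Interval{i, j};
    }
    return best;
}

// Splits the start indices into one contiguous chunk per thread, lets every
// thread write only its own slot of `results` (no shared mutable state, no
// locks), and merges after joining. threads == 0 means one per logical core.
Interval find_optimal_interval(const std::vector<AbstractMsg>& msgs,
                               std::size_t max_ids, unsigned int threads = 0) {
    Interval best{0, 0};
    if (max_ids == 0 || msgs.empty()) return best;
    if (threads == 0) threads = std::thread::hardware_concurrency();
    if (threads == 0) threads = 1;   // hardware_concurrency() may report 0
    if (threads > msgs.size()) threads = static_cast<unsigned int>(msgs.size());
    const std::size_t chunk = (msgs.size() + threads - 1) / threads;
    std::vector<Interval> results(threads);
    std::vector<std::thread> pool;
    for (unsigned int t = 0; t < threads; ++t) {
        const std::size_t from = std::min(msgs.size(), t * chunk);
        const std::size_t to = std::min(msgs.size(), from + chunk);
        pool.emplace_back([&msgs, &results, t, from, to, max_ids] {
            results[t] = best_in_range(msgs, from, to, max_ids);
        });
    }
    for (std::thread& th : pool) th.join();
    for (const Interval& r : results) {
        const bool longer = interval_len(r) > interval_len(best);
        const bool tie_earlier = interval_len(r) == interval_len(best) && r.begin < best.begin;
        if (longer || tie_earlier) best = r;
    }
    return best;
}

// Constructed sample trace for this example: bots 1-3 talk first, then 4-5 join.
const std::vector<AbstractMsg> SAMPLE_TRACE = {
    {1, 2, 101, 0.0}, {2, 1, 102, 0.2}, {3, 1, 101, 0.5}, {1, 3, 102, 0.7},
    {4, 5, 101, 1.0}, {5, 4, 102, 1.1}, {4, 1, 101, 1.3}, {2, 3, 101, 1.5},
};
```

With `max_ids = 3`, the search returns the interval `[0, 4)` on the sample trace whether it runs on one thread or eight, which is the property worth checking in any parallelised selection: the chunking only changes which thread finds a candidate, never which candidate wins. The per-start scan is quadratic in the worst case, which is exactly why distributing the start indices across cores pays off for large traces.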

Why C++

The simple answer to this question is efficiency. Parsing large Membership Management Communication CSV files takes too long in Python, so this module provides that functionality more efficiently. On top of that, finding an interval with the optimal algorithm takes even longer in Python, which turned out to be unbearable for comfortable usage; this is the main reason the module exists. With this module, in one scenario the time for parsing a CSV file and finding an interval went down from more than 15 minutes to 2.5-3 minutes. Even though this still seems long, it is manageable considering that this scenario is rather rare. Putting this extreme case aside, an improvement from 1 minute to 5-10 seconds in a more common scenario is clearly worth the extra C++ code. Finally, the XML parser for Membership Management Communication was also moved to C++ for consistency and to keep all related functionality within one file.