Detecting a botnet in a network

We formalize the problem of detecting the presence of a botnet in a network as a hypothesis testing problem where we observe a single instance of a graph. The null hypothesis, corresponding to the absence of a botnet, is modeled as a random geometric graph where every vertex is assigned a location on a $d$-dimensional torus and two vertices are connected when their distance is smaller than a certain threshold. The alternative hypothesis is similar, except that there is a small number of vertices, called the botnet, that ignore this geometric structure and simply connect randomly to every other vertex with a prescribed probability. We present two tests that are able to detect the presence of such a botnet. The first test is based on the idea that botnet vertices tend to form large isolated stars that are not present under the null hypothesis. The second test uses the average graph distance, which becomes significantly shorter under the alternative hypothesis. We show that both these tests are asymptotically optimal. However, numerical simulations show that the isolated star test performs significantly better than the average distance test on networks of moderate size. Finally, we construct a robust scheme based on the isolated star test that is also able to identify the vertices in the botnet.


Introduction
Complex networks are often described in terms of a large number of vertices that are connected using the same underlying probabilistic mechanism. In practice, however, these networks might contain a small number of vertices that follow different connection criteria. Examples are fake user profiles in a social network or servers infected by a computer virus on the internet. We refer to such a set of anomalous vertices as a botnet. Typically a botnet represents a potentially malicious anomaly in the network, and thus it is of great practical interest to detect its presence and, when detected, to identify the corresponding vertices. Accordingly, numerous empirical studies have analyzed botnet detection problems and techniques, see [17,20,21,39] and the references therein. In this work we look at the problem from a statistical point of view, and characterize the difficulty of detecting a botnet based only on structural information from the observed network.
More precisely, we formalize this problem as a hypothesis testing problem where we observe a single instance of a random graph. Under the null hypothesis, this graph is a sample from a random geometric graph [22,36] on $n$ vertices where every vertex is assigned a location on a $d$-dimensional torus and two vertices are connected when their Euclidean distance on the torus is less than a given radius. Under the alternative hypothesis there is a small number $k$ of vertices, called the botnet, that ignore the geometric structure and instead connect to every other vertex with a prescribed probability. In other words, $n - k$ vertices still connect based on the underlying geometry, while each of the $k$ botnet vertices forms connections uniformly at random with every other vertex (botnet or not). In practice, botnets are built to imitate regular nodes in the network, and so we assume that the expected degree of every vertex is the same under the null and alternative hypothesis. This assumption rules out trivial scenarios where the botnet can be detected simply by looking at the edge density or degree structure.
Our contribution. We propose two different tests to detect whether an observed graph contains a botnet. The first test is a local test, based on the number of isolated stars that can be observed in the given graph. For convenience we refer to this test as the isolated star test. For a given vertex, its isolated star is the largest subset of its neighbors such that none of them are connected to each other by an edge. Hence, an isolated star is the largest independent set on the subgraph induced by the neighbors of a vertex. Under the null hypothesis, none of the vertices can become a large isolated star because the underlying geometry ensures that most neighbors are directly connected. However, because the botnet vertices are connected uniformly at random throughout the graph they are likely to become large isolated stars.
Our second test is based on graph distances in the observed graph and thus it has a more global nature. We refer to this test as the average distance test. Under the null hypothesis, vertices that are separated by a large Euclidean distance will also be separated by a large graph distance. However, under the alternative hypothesis, the botnet vertices typically create shortcuts, making many paths much shorter. Under appropriate assumptions, the effect of the shortcuts is large enough to significantly decrease the average graph distance. This phenomenon was first investigated by Watts and Strogatz [38].
Both of our methods can be used to test for the presence of a botnet. Our results show that a botnet can be detected, with high probability, when the expected number of edges connected to all botnet vertices is diverging (i.e., when the expected vertex degree diverges or when the botnet size is unbounded). Remarkably, this means that a single botnet vertex can be detected provided that the graph is not of bounded average degree. We also show that this result is optimal, meaning that it is impossible for any test to detect the presence of a botnet when the expected number of botnet edges is bounded. We complement our theoretical results for the $n \to \infty$ asymptotic regime with numerical simulations that illustrate the performance of our tests on graphs of finite size. These results empirically show that the isolated star test performs much better than the average distance test, with the difference being more pronounced when the dimension of the underlying geometry is large.

Related work.
Recently there has been an increasing interest in the development of statistical techniques and algorithms that exploit the structure of large complex-network data to analyze networks more efficiently. In particular, several recent papers have studied hypothesis testing for random graph models. In [1,2], the authors consider the problem of detecting a denser subset of vertices in an Erdős-Rényi random graph, or in an inhomogeneous random graph [4].
The setting of [10] is perhaps the closest to our setting. The authors consider the problem of deciding whether a given graph is generated by some underlying spatial mechanism. More specifically, in their model, the null hypothesis is an Erdős-Rényi random graph, and this is compared to a high-dimensional random geometric graph under the alternative. As the dimension tends to infinity, the two random graphs become indistinguishable, and they identify how large the dimension can be so that these models can still be distinguished.
The authors of [19] propose a test based on observed frequencies of small subgraphs to distinguish between an Erdős-Rényi random graph, seen as the null hypothesis, and a general class of alternative models that include stochastic block models and the configuration model. Similarly, [8] proposes a test to distinguish between mean-field models and structured Gibbs models. Finally, [25,32,35] investigate detection problems in a dynamical setting, where the goal is to detect changes in the graph structure over time.

Model formulation and results
In this section we formalize the problem of detecting a botnet in a network as a hypothesis testing problem for graphs. We are given a single observation of a random graph $G = (V, E)$, where $V = \{1, \ldots, n\}$ is the vertex set of size $|V| = n$ and $E \subseteq \{(i, j) \in V \times V : i < j\}$ is the random set of edges. We use $i \leftrightarrow j$ to indicate that $i, j \in V$ are connected. That is, we write $i \leftrightarrow j$ when $(i, j) \in E$ and $i \nleftrightarrow j$ otherwise. In particular, $G$ is a simple graph, so it does not contain any self-loops or multiple edges.
Under the null hypothesis, denoted by $H_0$, the observed graph $G$ is a realization of a $d$-dimensional random geometric graph $G(n, d, p)$ on $n$ vertices and with average edge probability $p$. Formally, let $T^d := [0, 1]^d$ be the $d$-dimensional unit torus, with distance function This is simply the Euclidean distance on the unit (hyper-)cube with the ability to "wrap around" the boundaries. We refer to $T^d$ as the embedding space. For each vertex $i \in V$, let $X_i$ be a $d$-dimensional vector-valued random variable uniformly distributed on $T^d$. We denote the components of this random vector by $X_i = (X_{i,1}, \ldots, X_{i,d})$ and note that these components are independent uniform random variables on the unit interval $[0, 1]$. For a given edge probability $p$, two vertices $i, j \in V$ are connected when $D_T(X_i, X_j) \le r$, where $r$ is chosen such that the average edge probability equals $p$, that is $P(D_T(X_i, X_j) \le r) = p$. In other words, $r$ is such that the probability of a random point $X_i$ landing in a ball of radius $r$ is equal to $p$, which gives the explicit relation $p = (\sqrt{\pi}\, r)^d / \Gamma(d/2 + 1)$, where $\Gamma(\cdot)$ denotes the gamma function. Throughout the rest of this paper we assume that $p \to 0$ as $n \to \infty$, so the average degree is sub-linear in the graph size $n$. For further details on this model and many of its properties we refer the reader to [36].
The alternative hypothesis, denoted by $H_1$, is similar except for a small subset of vertices called the botnet. These vertices ignore the geometric structure and simply connect to every other vertex independently with probability $p$. Formally, the observed graph under the alternative hypothesis is a realization from $G(n, d, p; k)$, which is a random geometric graph on $n - k$ vertices together with a subset of vertices $B \subseteq V$ of size $|B| = k$, called the botnet. That is, each pair of vertices $i, j \in V \setminus B$ is connected precisely when $D_T(X_i, X_j) \le r$. The remaining vertices in the botnet $B$ are connected independently and with probability $p$ to every other vertex in $V$. Note that, by construction, the expected number of edges under the alternative hypothesis is exactly the same as under the null hypothesis.
General assumptions and notation. Throughout the rest of this paper all unspecified limits are assumed to be taken as the graph size $n$ tends to $\infty$. We also use standard asymptotic notation: Finally, we say that a sequence of events holds with high probability if it holds with probability tending to 1 as $n \to \infty$.
Given two vertices $i, j \in V$, we write $i \leftrightarrow j$ when these vertices are directly connected by an edge, and i j when there exists a path between these vertices. Furthermore, we assume that the dimension $d \ge 2$ remains fixed, but the edge probability $p$ and the botnet size $k$ are allowed to depend on $n$, although this dependence is left implicit in the notation. We also require that $p \to 0$ in such a way that $np = \Omega(1)$ because otherwise the resulting graphs will be such that most vertices are isolated. Finally, we assume that the botnet size $k$ satisfies $1 \le k \le o(n)$.

Detecting a botnet
In this section we obtain a necessary condition for detecting the presence of a planted botnet in the asymptotic regime $n \to \infty$. Given an observed graph, we want to decide whether it was sampled from $H_0$ or from $H_1$. To this end, define a test $\psi$ as a function mapping $G$ to $\{0, 1\}$, where $\psi(G) = 1$ indicates the null hypothesis is rejected (i.e., the test indicates that the graph contains a botnet), and $\psi(G) = 0$ otherwise. The worst-case risk of such a test is defined as where $P_0(\cdot)$ denotes the distribution of the random geometric graph under the null hypothesis, and $P_B(\cdot)$ denotes the distribution of a graph with the botnet $B \subseteq V$ under the alternative hypothesis.
Our goal is to determine when we can distinguish $H_0$ and $H_1$ as the graph size $n$ diverges. To this end we consider a sequence of tests $(\psi_n)_{n=1}^{\infty}$ and we call such a sequence asymptotically powerful when it has vanishing risk, that is $R(\psi_n) \to 0$ as $n \to \infty$. Hence, a sequence of tests is asymptotically powerful when it identifies the underlying model correctly in the limit $n \to \infty$.
Before we introduce our tests, we define the threshold (in terms of the model parameters) below which it becomes impossible for any test to be asymptotically powerful. We later show that above this threshold the isolated star test is asymptotically powerful. The average distance test is also asymptotically powerful in this regime, assuming some additional technical assumptions are satisfied. This threshold is given in terms of the parameters of the alternative model. Intuitively, it corresponds to the setting where the expected number of edges connected to all botnet vertices is bounded, which happens precisely when both the average degree $np$ and the botnet size $k$ are bounded. In this case, there is a positive probability that all botnet vertices are isolated. When this happens it becomes impossible to reliably distinguish the null and alternative hypothesis. This is formalized in the following theorem, the proof of which is postponed to Section 5.4:

Theorem 1. When npk = O(1) no test can be asymptotically powerful (i.e., all tests have risk that is strictly larger than zero).
In the rest of this section we present the two different tests that can detect the presence of a planted botnet in the regime npk → ∞.

Isolated star test
In this section we define a test that can detect whether an observed graph contains a planted botnet based on the presence of isolated stars. For a given vertex $i \in V$, let $N(i) = \{j \in V : (i, j) \in E\}$ denote the subset of its neighbors. The isolated star $S(i) \subseteq N(i)$, at vertex $i \in V$, is the largest independent set on the subgraph of $G$ induced by $N(i)$. In other words, every $j \in S(i)$ is directly connected by an edge to $i$, and no pair of vertices in $S(i)$ are directly connected (i.e., for every $j, k \in S(i)$ we have $(j, k) \notin E$). Intuitively, under $H_0$, the observed graph does not contain large isolated stars because of the underlying geometric structure. In fact, any isolated star under $H_0$ cannot be larger than the kissing number $\kappa_d$, which is the maximum number of non-overlapping spheres of the same radius that can be placed tangent to some central sphere in dimension $d$. To see this, note that our model is equivalent to the model where every vertex is the center of a sphere of radius $r/2$, and two vertices are connected when their spheres touch or overlap. This means that, under $H_0$, it is impossible to observe an isolated star that is larger than the kissing number $\kappa_d$. For example, the kissing number for dimension $d = 2$ is $\kappa_2 = 6$, so it is impossible to have more than six vertices in a given neighborhood without some of them being connected, see Figure 1 for an example.
However, under the alternative hypothesis the observed graph can, and likely will, contain large isolated stars. In particular, a botnet vertex is quite likely to have an isolated star that is almost as large as its degree. Therefore, it will be likely to observe a few isolated stars that are larger than the kissing number $\kappa_d$. Hence, we can scan the graph and compute the size of the isolated star at every vertex. Then we reject $H_0$ when we see an isolated star that is larger than the kissing number. Checking whether there exists a vertex that has an isolated star that is larger than the kissing number can be done in time, with $d_i$ the degree of vertex $i \in V$. This scales polynomially in the number of vertices. However, in practice this is not feasible on large graphs, unless all vertices have quite small degree. Instead we can use a greedy algorithm to obtain lower bounds on the size of an isolated star, for example as described in [6]. Moreover, note that the kissing number $\kappa_d$ depends on the underlying dimension $d$, and the exact kissing number $\kappa_d$ is unknown for many dimensions. However, there exist good upper bounds which can be used instead. For dimensions $d \le 24$, the best known upper bounds can be found in [30], and for larger dimensions one could use the upper bound $\kappa_d \ll 1.3233^d$ [28].
Next we present the main result of this section, where we give conditions for the isolated star test to be asymptotically powerful. The proof of this result is postponed until Section 5.1.
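The scan described above, as an added example (not code from the paper): it samples the null and alternative models for d = 2, bounds every isolated star from below with a min-degree greedy independent set (an assumed heuristic, not necessarily the algorithm of [6]), and rejects the null hypothesis when a star exceeds the kissing number. The function names, the labelling of the botnet as vertices 0..k-1 and the parameters n = 500, p = 0.04, k = 5 are choices made for this example.

```python
import math
import random
from itertools import combinations

# Exact kissing numbers for small d; d = 2 and d = 4 are the values quoted in the text.
KISSING_NUMBER = {2: 6, 3: 12, 4: 24}


def connection_radius(p, d):
    """Invert p = (sqrt(pi) r)^d / Gamma(d/2 + 1) for the radius r."""
    return (p * math.gamma(d / 2 + 1)) ** (1 / d) / math.sqrt(math.pi)


def torus_distance(x, y):
    """Euclidean distance on the unit torus (coordinates wrap around)."""
    return math.sqrt(sum(min(abs(a - b), 1 - abs(a - b)) ** 2 for a, b in zip(x, y)))


def sample_graph(n, d, p, k, rng):
    """Sample G(n, d, p; k); k = 0 gives the null model G(n, d, p).

    Vertices 0..k-1 form the botnet (a labelling chosen for this example).
    Returns (list of adjacency sets, set of botnet vertices).
    """
    r = connection_radius(p, d)
    pos = [[rng.random() for _ in range(d)] for _ in range(n)]
    adj = [set() for _ in range(n)]
    for i, j in combinations(range(n), 2):
        if i < k:
            # i < j, so this branch covers every pair that touches the botnet.
            linked = rng.random() < p
        else:
            linked = torus_distance(pos[i], pos[j]) <= r
        if linked:
            adj[i].add(j)
            adj[j].add(i)
    return adj, set(range(k))


def greedy_star(adj, i):
    """Greedy independent set inside N(i); its size is a lower bound on |S(i)|."""
    remaining = set(adj[i])
    star = []
    while remaining:
        # Take the neighbor with the fewest links to the other candidates.
        v = min(remaining, key=lambda u: (len(adj[u] & remaining), u))
        star.append(v)
        remaining -= adj[v] | {v}
    return star


def isolated_star_test(adj, d):
    """Return (reject H0?, vertices whose star exceeds kappa_d, largest star found)."""
    threshold = KISSING_NUMBER[d]
    sizes = [len(greedy_star(adj, i)) for i in range(len(adj))]
    witnesses = {i for i, size in enumerate(sizes) if size > threshold}
    return bool(witnesses), witnesses, max(sizes)


def demo(seed=7, n=500, d=2, p=0.04, k=5):
    """Run the test on one constructed sample of each hypothesis."""
    rng = random.Random(seed)
    null_adj, _ = sample_graph(n, d, p, 0, rng)
    alt_adj, botnet = sample_graph(n, d, p, k, rng)
    return {
        "null": isolated_star_test(null_adj, d),
        "alt": isolated_star_test(alt_adj, d),
        "botnet": botnet,
    }


if __name__ == "__main__":
    result = demo()
    print("H0 sample: reject=%s, largest star=%d" % (result["null"][0], result["null"][2]))
    print("H1 sample: reject=%s, largest star=%d" % (result["alt"][0], result["alt"][2]))
    print("witnesses:", sorted(result["alt"][1]), "botnet:", sorted(result["botnet"]))
```

Because the greedy set is only a lower bound on the isolated star, a rejection is still backed by a genuine independent set larger than the kissing number, so the type-1 error stays at zero; the cost is that some large stars may be missed.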

Theorem 2. If $npk \to \infty$ then the isolated star test from Definition 1 is asymptotically powerful, meaning that it has a risk converging to zero.

Average distance test
In this section we define a test that can detect whether an observed graph contains a planted botnet based on the difference in graph distances under the null and alternative hypothesis. Here we require that $p$ is large enough to ensure that the graph is connected with high probability.
Given two connected vertices $i, j \in V$, let $D_G(i, j)$ be the graph distance between $i$ and $j$. That is, $D_G(i, j)$ is the length of the shortest path in the graph $G$ that connects $i$ to $j$. Also, we define the average graph distance as Under the null hypothesis, the observed graph is a random geometric graph and therefore the average graph distance will be large. To see this, consider first the average Euclidean distance between two uniformly chosen points on the torus. This can be lower bounded by where the final step follows by symmetry and is simply the expectation of the maximum of $d$ uniform random variables on $[0, 1/2]$. Hence, two uniformly chosen vertices have an expected Euclidean distance of at least $d/(2d + 2)$ on the torus. Then, consider the following lower bound on the average graph distance, which holds with high probability because we assumed that the graph is connected with high probability and because every edge can only connect two vertices when they are within distance $r$, so $D_G(i, j) \ge D_T(X_i, X_j)/r$. Note that the right-hand side of (3) can be seen as a U-statistic. Therefore, using [26, Theorem 5.2], we obtain Hence, Chebyshev's inequality ensures that n with probability tending to one. Therefore, using (2) and (3), we obtain for any $\varepsilon > 0$ the following with high probability lower bound As we show below, the average graph distance is significantly smaller under the alternative hypothesis. Therefore, we consider the following test based on the average graph distance in the observed graph:

Definition 2. Fix $\varepsilon > 0$. The average distance test rejects the null hypothesis for a given graph $G$ when

This brings us to the main result of this section, which identifies when the average distance test is asymptotically powerful. We postpone the proof of this theorem to Section 5.2.

Theorem 3. If $npk \to \infty$ and $p$ is large enough to ensure that the subgraph induced by all non-botnet vertices is connected with high probability, then the average distance test from Definition 2 is asymptotically powerful.
Note that the assumption of connectedness implies that $np \ge \Omega(\log(n))$ [36], and together with the fact that $k \ge 1$ this implies $npk \to \infty$. We include the latter condition to be able to compare the theorem above to Theorem 2. The requirement of connectivity is only a technical assumption that we make to considerably simplify the proof. This leads us to conjecture that Theorem 3 also holds under the milder condition that $p$ is large enough to ensure the existence of a giant component. This is also supported by our numerical simulations.

Unknown dimension and connection radius
Computing the isolated star test requires knowledge of the dimension $d$ of the embedding space, and the average distance test requires the knowledge of the dimension $d$ as well as the connection radius $r$. In this section we show how to estimate these parameters from the observed graph.
To estimate the dimension $d$ we use the clustering coefficient [13]. This is defined as the probability that two random neighbors of a given vertex are themselves connected. Under the null hypothesis, the clustering coefficient can be computed analytically and the resulting quantity only depends on the dimension $d$. Using [24, see (15)], for distinct $i, j, k \in V$, we obtain where $\mathrm{Beta}(\cdot, \cdot)$ denotes a random variable with a beta distribution. Moreover, for a given graph, the clustering coefficient can be estimated by
$$\frac{\sum_{1 \le i,j,k \le n} \mathbb{1}\{i \leftrightarrow j,\, i \leftrightarrow k,\, j \leftrightarrow k\}}{\sum_{1 \le i,j,k \le n} \mathbb{1}\{i \leftrightarrow j,\, i \leftrightarrow k\}}$$
To estimate the dimension $d$ we can estimate the clustering coefficient $C_d$ using (6) and then invert the relation in (5) to obtain an estimate for the dimension $d$. This method of estimating the dimension gives a consistent estimator, under the null as well as the alternative hypothesis. This is shown in the following lemma, which we prove in Section 5.5.

Lemma 1. Using the clustering coefficient to estimate the dimension d is consistent under both the null and alternative hypothesis, in the sense that both
The average distance test also requires knowledge of the connection radius r.
To estimate this, we use that the edge probability $p$ is given by where $\Gamma(\cdot)$ denotes the Gamma function. For a given graph, the edge probability can be estimated by To obtain an estimate of the connection radius $r$, we can estimate the edge probability using (8) and then invert the relation in (7), using our estimate of $d$, to obtain an estimate for the connection radius $r$. This method gives a consistent estimator of $p = p_n$, as the next lemma shows. We postpone the proof of Lemma 2 to Section 5.6. Since the radius $r$ is given in terms of a continuous function of $p$ in (7), this also shows that $\hat{r}/r \xrightarrow{P_0} 1$ and $\hat{r}/r \xrightarrow{P_B} 1$ by the continuous mapping theorem. Therefore, our estimate for the connection radius $r$ is also consistent under the null and alternative hypotheses.

Identifying the botnet
When a test rejects the null hypothesis, we would also like to identify the vertices that are part of the botnet. To this end, let $\hat{B} \subseteq V$ be an estimator of the vertices in the botnet. We assume that the size of the botnet $|B| = k$ is known and that $|\hat{B}| = k$. To measure the performance of our estimator we use the risk function where is the symmetric difference between an estimator $\hat{B}$ of the botnet and the true botnet $B$. The reason for the normalization in (9) is that $|\hat{B} \triangle B|$ could be unbounded, while 0 We say that a method achieves exact recovery when $R_{\text{est}}(\hat{B}) \to 0$, and partial recovery when $R_{\text{est}}(\hat{B}) \to \alpha$ for $\alpha \in (0, 1)$. In other words, partial recovery corresponds to identifying a positive proportion of the botnet vertices while exact recovery corresponds to identifying the majority of the botnet vertices. Note that partial recovery is most interesting when the botnet size diverges. To see this, consider partial recovery of a single botnet vertex $k = 1$; in this case $R_{\text{est}}(\hat{B}) = P_B(\hat{B} = B)$. That is, the botnet vertex is identified correctly only a fraction of the time, and remains unidentified otherwise.
Intuitively, our procedure identifies a botnet vertex when that vertex has a large enough isolated star $|S(i)|$. However, in this case, non-botnet vertices could have an isolated star that is larger than the kissing number $\kappa_d$, because it is connected to one or more botnet vertices. Therefore, in order to control the number of false positives, we introduce a parameter $\xi_n > 0$ to artificially increase the threshold $\kappa_d$ that was used when detecting the presence of a botnet. This leads to the following definition of the isolated star estimator:

Definition 3. Let $\kappa_d$ be the kissing number in dimension $d$. The isolated star estimator is with $\xi_n$ given by where $\varepsilon > 0$ is arbitrary, and $W_0(\cdot)$ denotes the Lambert-W function [12].

Comparing this estimator with the isolated star test from Section 2.1.1, we see that the detection threshold is increased by $\xi_n$. In fact, we have chosen $\xi_n$ to be slightly larger than the maximum number of botnet vertices that are likely to connect to any non-botnet vertex. In other words, the addition of $\xi_n$ ensures that the number of false positives remains vanishingly small.
The performance of our test depends crucially on the asymptotic behavior of the expected number of edges $npk$ that are connected to any botnet vertex. We will concisely refer to these as botnet edges. Intuitively, when $npk$ grows slowly, the botnet edges do not influence the largest isolated star of a typical vertex and thus $\xi_n$ is a constant. On the other hand, when $npk$ is large, the largest isolated star of a typical vertex grows with $n$ and consequently $\xi_n$ also increases with $n$.
More precisely, we show that when $npk \le n^{\beta}$ with $\beta \in (0, 1)$ our method always achieves at least partial recovery. This corresponds to the most common situation where there is a small botnet in a sparse graph. In this case, $\xi_n$ can be shown to converge to a constant, and thus every vertex with an isolated star that is only slightly larger than the kissing number $\kappa_d$ is considered a botnet vertex. On the other hand, if $npk$ grows linearly in $n$ or faster, then the typical size of the largest isolated star is significantly larger than the kissing number $\kappa_d$ and additional technical assumptions are required for our method to achieve at least partial recovery. We make the above considerations precise in the main result of this section, which is presented below.
Then the isolated star estimator from Definition 3 has exact recovery if np → ∞, and partial recovery otherwise.
Note that, when taken together, conditions (i)-(iii) describe all possible asymptotic behaviors of $npk$, but additional technical assumptions are required when $npk \ge n^{1-o(1)}$. The proof of Theorem 4 is given in Section 5.3.

Simulations
We have shown that the tests introduced in the previous sections are asymptotically powerful when $npk \to \infty$. In this section, we study the finite sample performance of these tests using simulations in order to compare their efficiency in practice. Both our tests have a vanishing type-1 error, so they will almost always correctly identify a graph without a botnet. Therefore, the focus of these simulations is on the type-2 error, which indicates how often a planted botnet is detected when it is actually present.
For the simulations, we assume no knowledge about the underlying dimension $d$ or the connection radius $r$. We present two approaches to determine the threshold for rejecting the null hypothesis. For our first approach, we estimate the graph parameters with the consistent estimators described in Section 2.1.3 and use these to compute the thresholds as explained in Sections 2.1.1 and 2.1.2. For our second approach, we find the rejection threshold using Monte Carlo calibration. Results using the first approach can be seen in Figure 2, and results using the second approach are in Figure 3. This shows that the isolated star test outperforms the average distance test in most cases, especially when the dimension $d$ or the average degree $np$ is large.
The isolated star test has good performance when the average degree $np$ is larger than the threshold at which we reject the null hypothesis (i.e., the kissing number $\kappa_d$ in Figure 2, or the threshold found by Monte Carlo calibration in Figure 3). The reason for this is that the isolated star test rejects the null hypothesis when the graph contains a large enough isolated star, which is much more likely to exist when the average degree $np$ is also large.
The performance of the average distance test is also related to the average degree $np$ of the graph. To understand this, note that the botnet vertices can create shortcuts between vertices that are far away in the embedding space. When the average degree $np$ is large, there is a higher probability that more shortcuts are created, which in turn decreases the average graph distance.
Finally, we note that both tests have better performance when the dimension $d$ is small. This is expected because the effect of the underlying geometry disappears as $d \to \infty$, as was shown in [10].

[Figure panels: isolated star test; average distance test.]

Discussion
In this section we remark on our results and discuss some possible directions for future work.

Different null hypothesis.
Our results show that it is possible to detect an arbitrarily small planted botnet, provided that $npk \to \infty$. However, these results hinge on the underlying geometric structure of the model. Many other network models have been developed that are based on a different geometry than the one assumed by our model [3,5,9,14,29]. Therefore, it would be interesting to see what the effect of the underlying geometry is, and to what extent our results can be extended to models that have a different underlying geometric structure.
Our tests and analytical approach are fairly robust against minor changes in the underlying geometry. For instance, our results remain true when the embedding space is a slightly deformed torus or sphere, or the points are distributed in the embedding space in a slightly non-uniform way. However, when the changes in geometry are more drastic we expect the nature of the results to change. In particular, when the geometry causes the resulting graph to become a small world we expect the average distance test to fail, and when the geometry causes considerable inhomogeneity in vertex degrees we expect the isolated star test to fail.
Smaller isolated stars for higher power. The isolated star test rejects the null hypothesis when the largest observed isolated star is bigger than the kissing number $\kappa_d$, which automatically ensures that the type-1 error is zero. However, for dimensions $d > 2$, the typical largest isolated star in a random geometric graph is much smaller than the kissing number $\kappa_d$. For example, numerical simulations suggest that in dimension $d = 4$, the size of the typical isolated star is smaller than 10, whereas the kissing number is $\kappa_4 = 24$ [30,33]. This suggests that, depending on the significance level, one might use a much smaller threshold value, which would greatly increase the power of the test.
One possible way to achieve this is to calibrate the test using a Monte Carlo approach, as we did in Section 3. However, this is a computationally expensive approach which could be avoided with better knowledge of the behavior of isolated star sizes in higher dimensions.

Diverging dimension.
From a theoretical perspective it would be interesting to know whether our results can be extended to the setting where the dimension $d$ is diverging together with the graph size $n$, similar to the problem considered in [10]. For the isolated star test, we can use the following bound on the kissing number $\kappa_d \ll 1.3233^d$ [28]. In this case, the same arguments as in the proof of Theorem 2 suggest that the isolated star test is asymptotically powerful when $1 \ll np \ll n^{1/3}$ and However, a better understanding of the distribution of isolated stars in graphs with large underlying dimension could significantly improve this result and possibly show that the isolated star test can still be applied even when the dimension grows much faster than (11).

Proofs
This section is devoted to the proofs of the results stated in Sections 2.1 and 2.2.

Proof of Theorem 2: Isolated star test is powerful
As explained in Section 2.1.1, the isolated star test has zero type-1 error (i.e., it always correctly identifies a random geometric graph without a botnet). Therefore, to show that the isolated star test is asymptotically powerful, we must show that under the alternative hypothesis, the probability of having an isolated star larger than the kissing number $\kappa_d$ tends to one. This is done in two steps. First, let $\deg_{V \setminus B}(i)$ be the non-botnet degree of a vertex $i \in V$. That is, $\deg_{V \setminus B}(i)$ denotes the number of non-botnet neighbors of $i$. Then, we show that any botnet vertex $i \in B$, with $\deg_{V \setminus B}(i) \ge \kappa_d + 1$, will form an isolated star of size $|S(i)| \ge \kappa_d + 1$ with high probability. Second, we show that, with high probability, there exists a botnet vertex that has arbitrarily large non-botnet degree. Given a botnet vertex $i \in B$, define the event $D(i) := \{\deg_{V \setminus B}(i) \ge \kappa_d + 1\}$. Then, conditionally on the event $D(i)$, let $\{v_1, \ldots, v_{\kappa_d + 1}\}$ be a subset of $\kappa_d + 1$ non-botnet neighbors of $i$. We reveal these vertices one at a time. For every vertex $v_j$ revealed this way, let $q_j$ be the probability that $v_j$ is not connected to any of the previously revealed vertices given that all these previously revealed vertices are themselves not connected. For $j \in [\kappa_d + 1] = \{1, \ldots, \kappa_d + 1\}$ we obtain where we note that, because $i \in B$ is a botnet vertex, conditioning on the event $D(i)$ does not affect the distribution of the vertex locations (i.e., these remain uniform random variables on the torus). Furthermore, observe that (12) becomes an equality precisely when the torus distance between every pair of previously revealed vertices is larger than $2r$. Then, a lower bound on the probability that $i \in B$ forms an isolated star of size at least $\kappa_d + 1$ is given by where the convergence to 1 follows because $p \to 0$ and $\kappa_d$ is constant. Hence, any botnet vertex $i \in B$ with $\deg_{V \setminus B}(i) \ge \kappa_d + 1$ will form an isolated star of size $|S(i)| \ge \kappa_d + 1$ with probability tending to one.
For the second part of the proof, we will show that there indeed exists a botnet vertex $i \in B$ with $\deg_{V \setminus B}(i) \ge \kappa_d + 1$. First observe that for all $i \in B$ the non-botnet degrees $\deg_{V \setminus B}(i)$ are independent random variables distributed as $\mathrm{Bin}(n - k, p)$. Moreover, by the Stein-Chen method [11,27], it follows that and $k \to \infty$. When $(n - k)p \to \infty$ every botnet vertex will eventually have non-botnet degree larger than $\kappa_d + 1$ with high probability. On the other hand, if $(n - k)p = \Theta(1)$ then by (14) there is a positive probability that $\deg_{V \setminus B}(i) \ge \kappa_d + 1$, independently for each botnet vertex $i \in B$, and since $k \to \infty$ there exists a botnet vertex with non-botnet degree larger than $\kappa_d + 1$ with high probability. Finally, combining this with (13) shows that the graph will contain an isolated star larger than $\kappa_d + 1$ with high probability.

Proof of Theorem 3: Average distance test is powerful
As given in (4), we have the high probability lower bound Therefore, the average distance test has vanishing type-1 error (i.e., it will correctly identify a geometric random graph with no botnet with high probability). To show that this test is asymptotically powerful, we are left to show that the type-2 error also vanishes. This is done by showing that, under the alternative, there is a botnet vertex that creates a shortcut between most pairs of non-botnet vertices, as shown in Figure 4. Using this, we show that, with high probability, the average graph distance is at most $o(1)/r$, which is much smaller than the threshold in (4). For a non-botnet vertex $i \in V \setminus B$, let $B(X_i; \delta_n)$ denote the ball of radius $\delta_n := (V_d \log(np))^{-1/d}$ around the location $X_i$, where $V_d := \pi^{d/2}/\Gamma(d/2 + 1)$ denotes the volume of a $d$-dimensional unit ball. Also, let $A_i \subseteq V \setminus B$ denote the non-botnet vertices with location in $B(X_i; \delta_n)$, that is .
Therefore, using the relative Chernoff bound [23, see (7)] or [31, Theorem 4.5], for any $\xi > 0$, we obtain Now, let $l \in B$ be an arbitrary botnet vertex, and consider the probability that there exists a vertex $i' \in A_i$ that connects to the botnet vertex $l$. This gives where the convergence to 1 follows because $np/\log(np) \to \infty$. To continue, we use an existing result relating the torus distance and the graph distance [7,15,16,18,34]. Translated to our notation, this result is as follows: Theorem (see [18, Theorem 3] or [16, Theorem 8]). There exists a constant $K$ independent of $n$ such that for any connected pair of vertices $i, j \in V$ with $D_T(X_i, X_j) \gg \log(n)/(n r^{d-1})$ we obtain $D_G(i, j) \le K\, D_T(X_i, X_j)/r$ with high probability.
Define the event $C := \{G_{V \setminus B} \text{ is connected}\}$, where $G_{V \setminus B}$ denotes the subgraph induced by all non-botnet vertices. Note that $P_B(C) \to 1$ by assumption. Then, given the event $C$, the result above guarantees that there exists a path of length at most $O(\delta_n)/r$ between $i$ and every $i' \in A_i$. Hence, for a given $i \in V \setminus B$, Then, by definition of $\delta_n$ and applying (15) twice, we obtain for an arbitrary pair of non-botnet vertices $i, j \in V \setminus B$ and botnet vertex $l \in B$, By observing that every botnet vertex connects to several non-botnet vertices with high probability (as explained at the end of the proof of Theorem 2), the above can be strengthened to also include the botnet vertices, and show that the distance between any given pair of vertices is at most $o(1)/r$ with high probability. This brings us to the central result of this proof, namely that for an arbitrary pair $i, j \in V$ it follows that We continue by showing that the diameter of the graph $G$ is at most $O(1)/r$ with high probability. To this end, we first consider the diameter of $G_{V \setminus B}$, this gives (17) where the convergence to 1 follows from the theorem stated above (see also [18, Corollary 6]). Similarly to what we did above, this can be extended to the diameter of $G$ by showing that every botnet vertex connects to at least one non-botnet vertex. Let $l \in B$ denote an arbitrary botnet vertex, then Hence, using (17) and (18), we obtain Finally, it follows from the dominated convergence theorem and (16) that $E_B[\mathbb{1}\{\mathrm{diam}(G) \le O(1)/r\}\, D^{\mathrm{avg}}_G(G)] = o(1)/r$. Combining this with (19) and Markov's inequality we obtain, for any $a > 0$, This shows that the average distance test is asymptotically powerful.

Proof of Theorem 4: Isolated star estimator performance
We need to show that $R_{\mathrm{est}}(\hat{B}) \to 0$, for the estimator $\hat{B}$ from Definition 3. First, we decompose the risk $R_{\mathrm{est}}(\hat{B})$ as We start by showing that the second term in (20) vanishes. Note that, for any non-botnet vertex $i \in V \setminus B$, the size of its isolated star $|S(i)|$ is bounded by the kissing number $\kappa_d$ plus the number of botnet vertices connected to it. Therefore,

2|B|
j∈V \B where the convergence to 0 follows from the definition of $\xi_n$ in (10). In fact, the definition of $\xi_n$ was chosen precisely to ensure this convergence.
To complete the proof, we analyze the first term on the right-hand side of (20). Let $i \in B$ be an arbitrary botnet vertex, then Now, using the same argument as in (13), we obtain which converges to 1 provided that $\xi_n^2 p \to 0$. Combining the above, we obtain where $i \in B$ is an arbitrary botnet vertex. Therefore, the isolated star estimator has exact recovery when $\xi_n^2 p \to 0$ and $P_B(\deg(i) > \kappa_d + \xi_n) \to 1$, and partial recovery when $\xi_n^2 p \to 0$ and $P_B(\deg(i) > \kappa_d + \xi_n) = \Omega(1)$. To show this, we consider the three different cases from the theorem statement.

Case (ii):
From our assumption it follows that $n^{-o(1)} \le kp \le o(\log(n/k))$. Using $W_0(x) \to \infty$ when $x \to \infty$, we obtain Hence, it follows that $\xi_n^2 p \le o(\log(n/k)^2)\, \log(n/k)^{-2} \to 0$. Moreover, from the assumptions for this case it follows that $np \gg \log(n/k) \to \infty$, and therefore Hence, the isolated star estimator has exact recovery.

Proof of Lemma 1: Dimension estimator is consistent
Here we will show that the numerator converges in probability to $C_d$, and the denominator converges in probability to 1. Since the computations regarding the denominator are largely similar to those of the numerator, these will be omitted for brevity, and we will focus on the numerator.
Let $X_{ijk} = \mathbb{1}\{i \leftrightarrow j,\, i \leftrightarrow k,\, j \leftrightarrow k\}/p^2$ and $X = n^{-3} \sum_{1 \le i,j,k \le n} X_{ijk}$, then $X$ is precisely the numerator in (22). Consider the first moment of $X$, this is given by Moreover, the second moment of $X$ can be computed by splitting between the number of common vertices in the two triangles involved. This gives Under the alternative hypothesis, the proof is largely similar. Because the botnet size $k = o(n)$ is small, it can be seen that the first and second moment of $X$ converge to the same values, and therefore $X \xrightarrow{P_B} C_d$. Finally, we can again apply the continuous mapping theorem to show that our estimator for the dimension is consistent under the alternative hypothesis.

Proof of Lemma 2: Connection probability estimator is consistent
We start by showing that $\hat{p}/p \xrightarrow{P_0} 1$. Using the estimator $\hat{p}$ from (8) it follows directly that $E_0[\hat{p}/p] = 1$. Therefore, we are left to compute where we obtained the second equality by splitting between the case where i = i ′ and j = j ′ , and the case where i = i ′ and j = j ′ . Moreover, the final step followed from the assumption $p \ge \Omega(1/n)$. Therefore, it follows that $\mathrm{Var}_0(\hat{p}/p) = E_0[(\hat{p}/p)^2] - E_0[\hat{p}/p]^2 = o(1)$, and hence $\hat{p}/p \xrightarrow{P_0} 1$ by Chebyshev's inequality. Moreover, for any distinct triplet $i, j, k \in V$, $p = P_0(i \leftrightarrow j) = P_B(i \leftrightarrow j)$, $p^2 = P_0(i \leftrightarrow j,\, i \leftrightarrow k) = P_B(i \leftrightarrow j,\, i \leftrightarrow k)$.
Hence, performing the above computations under the measure $P_B$ shows that $\hat{p}/p \xrightarrow{P_B} 1$ as well.

Definition 1.
Let $\kappa_d$ be the kissing number in dimension $d$. The isolated star test rejects the null hypothesis for a given graph $G$ when $\max_{i \in V} |S(i)| > \kappa_d$.
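The following is an added example, not code from the paper: it samples the null and alternative models on a 2-dimensional unit torus and applies the rejection rule of Definition 1. It assumes that $S(i)$ is the set of neighbours of $i$ with no edge to any other neighbour of $i$ (this section does not restate the definition); the function names and the parameters $n = 600$, $r = 0.03$, $k = 10$, $p = 0.03$ are constructed for illustration.

```python
import math
import random
from itertools import combinations

KISSING_NUMBER = {1: 2, 2: 6, 3: 12}  # kappa_d for d = 1, 2, 3

def torus_dist(x, y):
    """Distance between two points on the unit torus [0, 1)^d."""
    return math.sqrt(sum(min(abs(a - b), 1 - abs(a - b)) ** 2
                         for a, b in zip(x, y)))

def sample_graph(n, r, d=2, k=0, p=0.0, seed=0):
    """Adjacency sets on n vertices; the last k vertices form the botnet.

    k = 0 gives the null model (random geometric graph with radius r).
    """
    rng = random.Random(seed)
    pos = [[rng.random() for _ in range(d)] for _ in range(n)]
    adj = [set() for _ in range(n)]
    for i, j in combinations(range(n), 2):   # i is always smaller than j
        if j >= n - k:                       # pair touches a botnet vertex
            edge = p > rng.random()          # geometry is ignored
        else:
            edge = r > torus_dist(pos[i], pos[j])
        if edge:
            adj[i].add(j)
            adj[j].add(i)
    return adj

def isolated_star(adj, i):
    """Assumed S(i): neighbours of i with no edge to another neighbour of i."""
    return {j for j in adj[i] if adj[j].isdisjoint(adj[i])}

def isolated_star_test(adj, d=2):
    """Return (reject_null, vertex with the largest star, size of that star)."""
    sizes = [len(isolated_star(adj, i)) for i in range(len(adj))]
    worst = max(range(len(adj)), key=sizes.__getitem__)
    return sizes[worst] > KISSING_NUMBER[d], worst, sizes[worst]

if __name__ == "__main__":
    # Constructed parameters: n = 600, r = 0.03, botnet of k = 10 with p = 0.03.
    print("null:       ", isolated_star_test(sample_graph(600, 0.03, seed=1)))
    print("alternative:", isolated_star_test(
        sample_graph(600, 0.03, k=10, p=0.03, seed=1)))
```

Under the null model the largest star can never exceed $\kappa_2 = 6$, whatever the seed, which is the zero type-1 error property used in the proof of Theorem 2.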

Lemma 2.
Using $\hat{p}$ to estimate $p = p_n$ is consistent both under the null and alternative hypothesis, in the sense that both $\hat{p}/p \xrightarrow{P_0} 1$ and $\hat{p}/p \xrightarrow{P_B} 1$.

Figure 2: Power of the isolated star test and the average distance test. The threshold for rejecting the null hypothesis is as described in Sections 2.1.1 or 2.1.2, using estimated model parameters as described in Section 2.1.3. The parameters are: graph size $n = 10000$, botnet size $k = 10$, and each simulation was repeated 5000 times.

Figure 3: Power of the isolated star test and the average distance test. The threshold for rejecting the null hypothesis is obtained by Monte Carlo calibration that ensures respectively $\alpha = 0.05$ and $\alpha = 0.001$ type-1 error. The parameters are: graph size $n = 10000$, botnet size $k = 10$, and each simulation was repeated 5000 times.

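Figure 4: Example of botnet vertex $l \in B$ creating a shortcut between vertices $i, j \in V \setminus B$.
We start by showing that $\hat{C}_d \xrightarrow{P_0} C_d$, and from this it follows that $\hat{d} \xrightarrow{P_0} d$ by the continuous mapping theorem and because (5) is continuous. Using (6) we obtain $\hat{C}_d(G) = \dfrac{n^{-3} \sum_{1 \le i,j,k \le n} \mathbb{1}\{i \leftrightarrow j,\, i \leftrightarrow k,\, j \leftrightarrow k\}/p^2}{n^{-3} \sum_{1 \le i,j,k \le n} \mathbb{1}\{i \leftrightarrow j,\, i \leftrightarrow k\}/p^2}$.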

n 3 p 2 =
$(1 + o(1))\, C_d^2$, where the final step follows from the assumption that $p \ge \Omega(1/n)$. Hence, $\mathrm{Var}_0(X) = E_0[X^2] - E_0[X]^2 = o(1)$, and therefore it follows by Chebyshev's inequality that $X \xrightarrow{P_0} C_d$. This shows that the numerator of (22) converges in probability to $C_d$ and the denominator of (22) converges in probability to 1, so we have $\hat{C}_d \xrightarrow{P_0} C_d$. Finally, it follows from the continuous mapping theorem that $\hat{d} \xrightarrow{P_0} d$, and we conclude that our estimator for the dimension is consistent under the null hypothesis.