1. Introduction
In September 2016, unprecedented Distributed Denial-of-Service (DDoS) attacks knocked out Twitter, Amazon, and other major sites. They were launched by large numbers of Internet of Things (IoT) devices infected by a new kind of malware called Mirai. Mirai infects IoT devices one after another and turns them into a botnet to perform DDoS attacks [1]. Mirai is spreading like wildfire and has actually infected over 300,000 IoT devices in 164 countries [2]. This so-called Mirai pandemic results from characteristics of IoT devices such as (i) increasing explosively, (ii) existing anywhere, and (iii) using easy-to-guess passwords. Thus, DDoS attacks brought by IoT devices tend to become massive and disruptive [3].
There are some mitigation methods against Mirai. One method proposed by US Computer Emergency Readiness Team (US-CERT) [4] is to reboot the device infected by Mirai. This is simple, but the device would be reinfected soon if it is not updated. A promising method is to use a kind of IoT worm called Hajime as a vaccine against Mirai. Hajime infects IoT devices one after another and blocks ports that Mirai uses to infect [5]. However, there are few quantitative evaluations of Hajime’s effect.
Since November 2017, the authors of Ref. [6] have evaluated Hajime’s effect quantitatively. They regarded the battle between Mirai and Hajime as a multi-agent system and expressed it with an agent-oriented Petri net called Petri Nets in a Petri Net (PN for short) [7]. The evaluation result showed that Hajime protected IoT devices from Mirai’s infection. However, the devices became infected by Hajime instead. For now, unlike Mirai, Hajime does not have any DDoS capability. However, Hajime has a remote control mechanism, which is an unfavorable attribute.
IoT devices are increasing explosively. Thus, it is not realistic to manage their vulnerability against Mirai by human-wave tactics. In this paper, we propose a new approach that uses a white-hat worm to fight Mirai. We first extend Hajime to become the white-hat worm by introducing lifespan and secondary infectivity (the ability to infect a device infected by Mirai). Next, we construct a PN model representing the white-hat worm. Then, we evaluate the effect of the white-hat worm against Mirai through the simulation of the model.
The rest of this paper is organized as follows:
Section 2 surveys the related work.
Section 3 gives the design of the white-hat worm and its PN model.
Section 4 presents the simulation for evaluating the effect of the white-hat worm against Mirai.
Section 5 summarizes our key points and gives future work.
3. White-Hat Worm
3.1. Analysis and Design
The number of IoT devices is exponentially increasing. This fact makes Mirai’s threat more serious. We need to manage their vulnerability against Mirai, but human-wave tactics are unrealistic because of the huge amount. In this paper, we propose a new approach that uses a white-hat worm to fight Mirai.
Hajime actually protects IoT devices from Mirai’s infection. However, a new problem appears here. Those devices became infected by Hajime instead. Is Hajime a white-hat worm? Once Hajime infects an IoT device, it displays a message warning the user. At present, there is not any DDoS capability in Hajime. However, Hajime can add new capabilities on the fly, which is an unfavorable attribute. In addition, Hajime continues to stay on the infected device even after completing the defense against Mirai. For these reasons, Hajime is said to be gray-hat.
We extend Hajime to become a white-hat worm. The white-hat worm should not stay on the device once the protection is complete. To achieve this, we introduce a concept of lifespan. The white-hat worm self-destructs when its lifespan is exhausted. We also introduce a concept of secondary infectivity, which is the ability to infect a device infected by Mirai. This enables the white-hat worm to drive out Mirai.
3.2. Modeling
To express a battle between Mirai and the white-hat worm, we extend the PN model described in Section 2.2. The extended PN model is denoted by and is shown in Figure 4. The agent net of Figure 4b represents the state-transition of the white-hat worm. It is an extension of of Figure 1b. Transition t3 labeled as m_die represents a self-destruction action. Transition t4 labeled as h_2infect represents a secondary infection action.
The agent net of Figure 4a represents the state-transition of Mirai. It is the same structure as . However, transition t3 is labeled as m_non_die and represents an action of doing nothing unlike the white worm’s self-destruction action. Transition t4 is labeled as m_2infect and represents a secondary infection action by the white-hat worm.
The agent net of Figure 4c represents the state-transition of an IoT device. It is an extension of of Figure 1c. For symbol , its superscript “ ” indicates the possibility of the white-hat worm’s secondary infection. That is, this white-hat worm does not have any secondary infectivity against Mirai. has a branch structure at place p3. Which transition t3 or t6 to fire is decided by dynamic binding. If this device is infected by Mirai, t3 would fire. The upper cycle p1t1p2t2p3t3p4t4p5t5p1 represents the behavior as a Mirai bot. If this device is infected by the white-hat worm, t6 would fire. The lower cycle p1t1p2t2p3t6p6t7p7t8p1 represents the behavior as a white-hat bot. Note that each cycle corresponds to of Figure 1c. In this example, the white-hat worm’s lifespan is assumed to be one step, of which the delay is represented by transition t2. t6 labeled as delayL represents the white-hat worm’s self-destruction action. Note that the remaining time until reboot means the period of immunity provided by the white-hat worm.
Figure 4d shows the agent net , where the possibility of this white-hat worm’s secondary infection is 100%. That is, the white-hat worm can always infect the device infected by Mirai. In , the four states and mean that the device is a Mirai bot. Transitions t9, t10, t11, and t12 respectively represent the white-hat worm’s secondary infection actions. The firing of one transition results in the state in which the white-hat worm infected the device instead of Mirai. Since those four transitions one-to-one correspond to all of the four states, the white-hat worm’s secondary infection becomes 100%. We can specify any possibility of the white-hat worm’s secondary infection by the presence of those transitions.
The environment net of Figure 4e represents the same IoT network as Figure 1d. However, place P3 possesses a token representing the white-hat worm instead of Hajime. This means that the white-hat worm infects device3. The state of Figure 4e is written as follows:
3.3. Simulation
We can simulate the battle between Mirai and the white-hat worm by using the PN model proposed in Section 3.2.
Figure 5 shows an execution of . Note that is shown in Figure 4e. In , there are four firable transitions T103, T113, T214, and T303. Let us fire T113. It means that Mirai infects device2. This results in a new state shown in Figure 5a.
In , there are four firable transitions T103, T203, T212, and T303 because
For T103, T203, or T303, x:delay can be bounded with t2 in .
For T212, x:m_2infect, y:h_2infect and z:2infect can be respectively bounded with t4 in at P2, t4 in at P3 and t9 in at P2.
Let us fire T212. It means the white-hat worm’s secondary infection for device2 infected by Mirai, i.e., the white-hat worm at P3 removes Mirai from P2 and produces a copy of itself into P2, and the copy infects device2. This results in a new state shown in Figure 5b.
In , there are four firable transitions T103, T112, T203, and T303 because
For T103, T203, or T303, x:delay can be bounded with t2 in .
For T112, x:m_2infect, y:h_2infect and z:2infect can be respectively bounded with t4 in at P1, t4 in at P2 and t9 in at P1.
Let us fire T203. It means that the white-hat worm exhausts the lifespan of one step. This results in a new state shown in Figure 5c.
In , there are four firable transitions T103, T112, T205, and T303. For T205, x:m_die and y:delayL can be respectively bounded with t3 in at P2 and t6 in at P2. Let us fire T205. It means that the white-hat worm destructs itself. This results in a new state shown in Figure 5d. Note that device2 is still a bot and provides immunity against Mirai until it is rebooted.
4. Simulation Evaluation
We performed an experiment to evaluate the effect of the white-hat worm. In this experiment, we used the PN model representing a lattice-structured network composed of 25 (= ) nodes, i.e., = 25. Each node has one device. Figure 6 illustrates the model.
Let us first focus on the white-hat worm’s lifespan. We measured Mirai’s infection rate given by Equation (1) and the white-hat worm’s infection rate after 1000 steps. is given by where is the number of devices infected by the white-hat worm. The parameters are as follows:
The delay time until rebooting = 7 or 11 steps,
The initial number of devices infected by Mirai = 12,
The initial number of devices infected by the white-hat worm = 5,
The white-hat worm’s lifespan ℓ = 1, 3, or 5 steps,
The white-hat worm’s secondary infection possibility = 100%.
The simulation results are shown in Table 2. Table 2a shows Mirai’s infection rate and the white-hat worm’s infection rate when the delay time until rebooting . Table 2b shows and when . Each value is the mean of or for 10,000 trials. The grayed cell means that the value is getting worse than the initial one.
Figure 7a,b respectively illustrate the tables. The horizontal axis shows the white-hat worm’s lifespan ℓ. The vertical axis shows and . In both cases, was rapidly decreasing with increasing ℓ. In contrast, started at zero when and increased with increasing ℓ. This means that a short lifespan successfully reduces the number of white-hat worms remaining.
Next, let us focus on the white-hat worm’s secondary infectivity. We measured and after 1000 steps by varying the following parameters.
The white-hat worm’s secondary infection possibility = 0, 25, 50, 75, or 100%
The other parameters are the same as the previous simulation.
The simulation results are shown in Table 3 and Table 4. Table 3a,b respectively show when and 11. Table 4a,b respectively show when and 11. Each value is the mean of or for 10,000 trials. The grayed cell means that the value is getting worse than the initial one.
Figure 8a,b respectively illustrate when and 11. The horizontal axis shows the white-hat worm’s secondary infection possibility . The vertical axis shows . was decreasing with increasing . Note that the decreasing rate depends on the lifespan ℓ.
Figure 9a,b respectively illustrate when and 11. The horizontal axis shows . The vertical axis shows . was increasing with increasing and reached a ceiling. Note that the increasing rate depends on ℓ. The result means that, if is low, the white-hat worm’s effect depends on ℓ. If is high, the worm is effective without depending on ℓ.
The effect of the white-hat worm would be influenced by the other factors, e.g., the number of nodes, the connectivity of the nodes, and so on. To investigate how much the number of nodes affects the effect, we performed another experiment. In this experiment, we used the PN model representing a larger lattice-structured network. The network consists of 36 () nodes, i.e., = 36. We measured and after 1000 steps. The parameters are as follows:
The initial number of devices infected by Mirai = 18,
The initial number of devices infected by the white-hat worm = 7.
The other parameters are the same as the previous simulation.
The simulation results are shown in Table 5 and Table 6. Table 5a,b respectively show when and 11. Table 6a,b respectively show when and 11. Each value is the mean of or for 1000 trials. The grayed cell means that the value is getting worse than the initial one.
Figure 10 and Figure 11 respectively illustrate Table 5 and Table 6. The horizontal axis shows the white-hat worm’s secondary infection possibility . The vertical axis shows or . was decreasing with increasing , while was increasing with increasing and reached a ceiling. However, the changing rates depend on ℓ. Comparing the results for and 36, we see that the trend is similar. We can say that secondary infectivity and lifespan are more important factors than the number of nodes.
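The experiment in Section 4 (lattice network, reboot delay, lifespan ℓ, secondary infection possibility) can be explored with a Monte Carlo model. The Python code below is an added example, not the authors' PN model or tool: it swaps the Petri-net firing rule for a per-step agent update. The function names, the random activation order, the reboot timer being reset on infection, and the infection rate defined as the fraction of devices currently running a worm are all assumptions.

```python
import random

def simulate(side=5, mirai0=12, white0=5, lifespan=3, reboot=7,
             p2=1.0, steps=1000, seed=0):
    """One trial; returns (Mirai rate, white-hat rate) after `steps` steps.
    Assumption: rate = fraction of devices currently running that worm."""
    rng = random.Random(seed)
    n = side * side
    # Device record: [state, steps until reboot, worm lifespan left]
    dev = [["clean", 0, 0] for _ in range(n)]
    for k, i in enumerate(rng.sample(range(n), mirai0 + white0)):
        dev[i] = ["mirai", reboot, 0] if k < mirai0 else ["white", reboot, lifespan]

    def neighbours(i):                      # 4-connected lattice, no wrap-around
        r, c = divmod(i, side)
        cells = ((r - 1, c), (r + 1, c), (r, c - 1), (r, c + 1))
        return [a * side + b for a, b in cells if 0 <= a < side and 0 <= b < side]

    for _ in range(steps):
        for i in rng.sample(range(n), n):   # assumed: random activation order
            state = dev[i][0]
            if state not in ("mirai", "white"):
                continue                    # clean and immune devices do not spread
            j = rng.choice(neighbours(i))
            target = dev[j][0]
            if state == "mirai" and target == "clean":
                dev[j] = ["mirai", reboot, 0]
            elif state == "white" and (target == "clean" or
                                       (target == "mirai" and rng.random() < p2)):
                dev[j] = ["white", reboot, lifespan]  # secondary infection evicts Mirai
        for d in dev:
            if d[0] == "white":
                d[2] -= 1
                if d[2] <= 0:
                    d[0] = "immune"         # self-destruct; immunity lasts until reboot
            if d[0] != "clean":
                d[1] -= 1
                if d[1] <= 0:
                    d[:] = ["clean", 0, 0]  # reboot removes the bot and the immunity
    return (sum(d[0] == "mirai" for d in dev) / n,
            sum(d[0] == "white" for d in dev) / n)

def mean_rates(trials=100, **params):
    """Average both rates over independent seeded trials."""
    runs = [simulate(seed=s, **params) for s in range(trials)]
    return tuple(sum(r[k] for r in runs) / trials for k in (0, 1))

if __name__ == "__main__":
    for p2 in (0.0, 0.5, 1.0):              # secondary infection possibility
        print(p2, mean_rates(lifespan=3, reboot=7, p2=p2))
```

Because the update rule differs from the PN firing semantics, the numbers it prints are not expected to match Tables 2 to 6; it is meant for comparing parameter settings against each other.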