Machine Learning White-Hat Worm Launcher for Tactical Response by Zoning in Botnet Defense System

Malicious botnets such as Mirai are a major threat to IoT networks regarding cyber security. The Botnet Defense System (BDS) is a network security system based on the concept of “fight fire with fire”, and it uses white-hat botnets to fight against malicious botnets. However, the existing white-hat Worm Launcher of the BDS decides the number of white-hat worms, but it does not consider the white-hat worms’ placement. This paper proposes a novel machine learning (ML)-based white-hat Worm Launcher for tactical response by zoning in the BDS. The concept of zoning is introduced to grasp the malicious botnet spread with bias over the IoT network. This enables the Launcher to divide the network into zones and make tactical responses for each zone. Three tactics for tactical responses for each zone are also proposed. Then, the BDS with the Launcher is modeled by using agent-oriented Petri nets, and the effect of the proposed Launcher is evaluated. The result shows that the proposed Launcher can reduce the number of infected IoT devices by about 30%.


Introduction
The Internet of Things (IoT) has become an exciting technology in the world, and it has grown into the largest platform of millions of IoT devices interacting with each other to improve our daily lives. However, such a popular IoT can also be used as a potential tool for uploading malicious entities. These entities use IoT vulnerabilities caused by various constraints such as limited resources and weak security to access legitimate devices and can further take various forms of attack [1]. For example, distributed denial of service (DDoS) in IoT networks is a very popular malicious attack, which disrupts the normal traffic of the target server by launching multiple consecutive requests from distributed IoT devices, eventually causing the server to crash [2][3][4].
Mirai, a malware capable of launching DDoS attacks, is also accountable for the largest record of attack traffic to date, targeting a French-managed service provider and up to 15 million IoT devices at a maximum speed of 1 Tbps [5]. The most remarkable thing is that the source code of Mirai was published by its author [6]. This may give chances for unethical behavior on the Internet. So far, the devices infected by Mirai have already reached 164 countries; the speed of spread is amazing. It is estimated that the number of deployed IoT devices will be about 20-30 billion by 2030 [7].
Faced with such a huge number of IoT devices, one method is to use a kind of whitehat worm, such as Hajime, to fight Mirai [8]. The white-hat worm has two attributes, the lifespan and the secondary infection possibility [9]. These two attributes ensure that the white-hat worms can destroy themselves after the Mirai bots are eliminated by them. Yamaguchi [10] proposed a promising network security system called the Botnet Defense (1) The concept of zoning is introduced to grasp malicious botnets' spread with bias over IoT networks. (2) Tactical response by zone is proposed to build and operate white-hat botnets efficiently and effectively against the malicious botnets. (3) The effect of our white-hat Worm Launcher for BDS is confirmed through simulation evaluation with agent-oriented Petri nets. The result show that the proposed Launcher can reduce the number of infected IoT devices by about 30%.
The rest of this paper is organized as follows. Section 2 introduces the previous work and the BDS. Section 3 describes the zoning and the tactics to respond by zoning. Section 4 describes the simulation evaluation. Section 5 summarizes the results obtained in this paper and gives future work.

Previous Work
Recent related studies on botnets can be roughly divided into two categories according to their purposes: detection and mitigation.
With the popularity of artificial intelligence (AI), the detection mechanisms of malicious network attacks are keen to use AI technology [13]. Nagisetty and Gupta [14] used four different deep learning models to construct a framework in the IoT backbone network to identify malicious network traffic. Soe et al. [15] proposed a high-performance attack detection system with three different machine learning (ML) algorithm sequential classifiers. Gupta et al. [16] proposed a deep-reinforcement-learning (DRL)-based detection framework with a dataset that contains IoT traces. Qu et al. [17] proposed an evaluation method based on percolation theory to quantify the security risk in a power CPS network. Qu et al. [18] also proposed a hybrid detection method with improved AKF and GRU-CNN to detect false data injection attacks. Wang et al. [19] proposed a new method to automatically mine attack patterns from measurement data and information alarm logs. Vishwakarma et al. [20] proposed a honeypot-based framework with machine learning techniques, which shows a high performance on zero-day DDoS attacks. In addition, the detection model usually needs to rely on reliable datasets, and some researchers also pay attention to the generation of network datasets or simulators. Guerra-Manzanares et al. [21] proposed an IoT dataset for ML-based detection frameworks, which includes actual malicious network traffic in a medium-sized IoT. Adan et al. [22] designed an Internet of Things attack simulator, which shows how Mirai works in DDoS attacks. Other botnet detection frameworks also include a blockchain-based mechanism [23][24][25] and an SDN-based mechanism [26].
Botnet mitigation measures are also very important. This aims to mitigate the threats from the DDoS. Gopal et al. [27] thought of a white-list-based solution to prevent the spread of Mirai and confirmed the blocking function against botnets through experiments. Manso et al. [28] proposed an intrusion detection system through a software layer, and it can launch a software-defined network controller to control the traffic when the system detects an attack. This can reduce the traffic and makes it possible to maintain normal traffic when an attack happens. Ceron et al. [29] proposed a method to handle the network traffic caused by IoT malware. The method can characterize the malware behaviors and modify the traffic through the network layer to limit malicious activities.
We briefly summarize the attributes and limitations of the above detection and mitigation methods in Tables 1 and 2. The previous studies only focused on the detection methods or mitigation measures; they are not able to exterminate existing botnets.

Botnet Defense System
The BDS is a network security system based on the concept of "fight fire with fire". It uses white-hat botnets to fight against malicious botnets like Mirai. Figure 1 illustrates the configuration of the BDS and an IoT system defended by the BDS. The upper part represents the structure of the BDS. It consists of four parts: Monitor, Strategy Planner, Worm Launcher, and C&C Server. The lower part represents the IoT system. The inner graph represents the network of the system. Each vertex represents a network node, and each node has a single device. Each edge represents a connection between network nodes. A black circle ( ) and a white circle ( ) respectively represent a malicious bot and a white-hat bot. When the Monitor detects a malicious botnet, the Worm Launcher will send the white-hat worm according to the strategy specified by the Strategy Planner. Yamaguchi also put forward three basic strategies. These strategies can adjust the number of white-hat worms according to not only the ability of the worms, but also the structure of the network. However, there is no discussion on the placement of white-hat worms; it should be reasonably considered and configured.  Pan et al. [12] proposed a machine learning white-hat Worm Launcher for the BDS. It basically has two phases: decision and placement. The first phase uses a feedforward neural network (FNN) to decide an appropriate placement tactic. The second phase uses a multitask learning model to predict white-hat worms' appropriate position based on the predicted tactic. Furthermore, this Launcher takes a divide-and-conquer approach so that it can be adapted to large-scale IoT networks. The procedure of the Launcher is given as Procedure 1. The Launcher divides a given network into subnetworks. For each subnetwork, it predicts a tactic and, then, the white-hat worms' placement based on the tactic.
Input: Mirai bots' distribution D Mirai in network N, machine learning model M 1 to decide tactics, machine learning model M 2 to place white-hat worms Output: White-hat worms' placement D W for D Mirai Step 1: Divide Stage 1: Divide N into n subnetworks N 1 , N 2 , · · · , N n by network scale Step 2: Conquer Stage 2: for each subnetwork N i in N 1 , N 2 , · · · , N n do 3: Use M 1 to decide a tactic T i for N i

4:
Use M 2 to make white-hat worms' placement D W i on N i based on T i 5: end for Step 3: Combining Stage 6: Combine D W 1 , D W 2 , · · · , D W n with the whole placement D W 7: Output D W and stop.
We illustrate the procedure with an example shown in Figure 2. Twenty devices are infected by Mirai in a 10 × 10 grid network. As a preparation, we trained two machine learning models, i.e., the FNN model M 1 and the multitask learning model M 2 , for a small network. The small network actually corresponds to the subnetwork divided in the procedure: • Step 1 divides the network into subnetworks by the network scale. Assume n = 4 in this example. That is, the 10 × 10 network is divided into four 25 × 25 subnetworks. • Step 2 predicts a tactic with M 1 and, then, the white-hat worms' placement based on the tactic with M 2 for each subnetwork. • Step 3 combines the predictions of all subnetworks into the final white-hat worm's placement.

Decide Place
Decide Place

Decide Place
Decide Place

Place
Step 1 Step 2 Step 3 Figure 2. The operation of Procedure WORM-LAUNCHER. After dividing a given 10 × 10 network into four 25 × 25 subnetworks, for each subnetwork, the Launcher predicts the placement of white-hat worms by machine learning models.

Zoning
The Mirai botnet is not always spread uniformly over the network. There may be some bias in the distribution of the Mirai bots. The BDS should deal with the Mirai botnet based on its bots' distribution. We define a density of bots in some area of the network as follows. Definition 1. (Bots density) Given a distribution of bots on a network, for a specific area of the network, the density δ of the bots is given as follows: We introduce the concept of zoning to the BDS. The BDS divides a given IoT network into some zones and plans a tactic for each zone. Note that the zoning depends not on the network scale, but on the Mirai bots' density. We can expect the BDS to predict a tactic appropriate for the bots' density in each zone and to build a white-hat botnet effectively and efficiently.
For zoning, we used a density-based clustering algorithm called density-based spatial clustering of applications with noise (DBSCAN) [30]. Density-based clustering extracts areas that have a higher density than the rest as clusters. DBSCAN takes two parameters: ε and minPts. ε is the radius from a point. minPts is the minimum number of points needed to form a dense region. Given a set of points, DBSCAN classifies each point into three categories: Core, Border, and Noise. Core points are points with at least minPts neighbors within ε. Border points are points with no more than minPts neighbors within ε, but with Core points within ε. Noise points are points with no neighbors within ε. Finally, DBSCAN creates clusters from a collection of Core points and Border points. We formalize DBSCAN as follows.

Definition 2.
(DBSCAN) For a set P of points, a radius ε from a point, and the minimum number minPts of points needed to form a dense region, DBSCAN is given as a mapping: where C 1 , C 2 , · · · , C m are clusters of the points.
The reason for using DBSCAN is that it can find non-linearly separable clusters unlike k-means or Gaussian mixture EM clustering. It can find even a cluster that is surrounded by others. This is very important for zoning. Another reason is it is easy to control since there are only two parameters.
Combining clusters with a similar density, we define an obtained area as a zone.
Definition 3. (Zone) Let C be any cluster obtained by DBSCAN and δ(C) be the bot density of C. For some range of bots density, a zone is the union of cluster C such that δ(C) is in the range.
We used the following three zones in this paper: • Danger Zone Z Danger : contains a cluster C such that δ is δ Danger ≤δ(C)≤δ Danger (=100%). Almost all devices in this zone are infected by Mirai. • Safe Zone Z Sa f e : contains a cluster C such that δ Sa f e (=0%) ≤δ(C)≤δ Sa f e . Almost no devices in this zone are infected. • Unknown Zone Z Unknown : contains a cluster C such that δ is δ Sa f e <δ(C)<δ Danger . The devices in this zone are at risk of being infected.
We propose a procedure for zoning, which divides the given network into the three zones. The procedure is given as Procedure 2. Simply put, we ran DBSCAN twice for zoning. The first is for finding the Danger Zone, where a point represents the position of an infected device. The second is for finding the Safe Zone, where we regard a point to represent the position of a normal (uninfected) device. The remaining areas are incorporated into the Unknown Zone. if δ(C) ≥ δ Danger then 6: Z Danger ← Z Danger ∪ C. Step 2: Finding Safe Zone 9: P normal ← {the point of each normal device in D normal in the space of N}. 10: C normal 1 , C normal 2 , · · · , C normal n ← DBSCAN(P normal , ε normal , minPts normal ). 11: Z Sa f e ← ∅. 12: for each cluster C in C normal 1 , C normal 2 , · · · , C normal n do 13: if δ(C) ≤ δ Sa f e then 14: 15:

end if 16: end for
Step 3: Finding Unknown Zone Step 4 18: Output Z Danger , Z Sa f e , Z Unknown and stop.
The DBSCAN algorithm is known to have difficulty determining the parameter values for a dataset with large density differences. To solve this problem, we decided to run the DBSCAN algorithm many times, depending on the density. In fact, Procedure DBSCAN-BASED-ZONING runs the DBSCAN algorithm twice.
We illustrate the proposed zoning procedure with an example shown in Figure 3. Figure 3a represents the Mirai bots' distribution in a 10 × 10 grid network. In this example, we set ε Mirai = 1 and minPts Mirai = 3. This means that if Mirai has infected a device and it is surrounded by more than two neighbors, we regard them to be in danger because they form a cluster. Meanwhile, we set ε normal = 1 and minPts normal = 5. This means that if an uninfected device is surrounded by four uninfected devices, we regard them to be safe because there is no risk of infection. We can determine these values according to the security policy and network configuration. For example, if ε Mirai = 1 and minPts Mirai = 2, we identify Danger Zones with greater sensitivity. This may launch more white-hat bots than necessary. On the other hand, if ε Mirai = 1 and minPts Mirai = 5, we identify Danger Zones with lower sensitivity. This may build weak a white-hat botnet. There is a trade-off between the detection and the disinfection ability. These parameters provide adaptability to balance between them: • Step 1 finds the Danger Zone. As a result of DBSCAN with ε Mirai = 1 and minPts Mirai = 3, we obtain two clusters C Mirai • Step 2 finds the Safe Zone. As a result of DBSCAN with ε normal = 1 and minPts normal = 5, we obtain one cluster C normal 1 (blue area in the left of Figure 3b). For δ Sa f e = 0, since δ(C normal 1 ) = 0% ≤ δ Sa f e , the cluster becomes the Safe Zone, i.e., Z Sa f e = C Mirai 1 .

•
Step 3 finds the Unknown Zone. The remaining areas comprise Z Unknown (yellow areas of Figure 3b).

•
Step 4 outputs Z Danger , Z Sa f e , Z Unknown as the Danger, Safe, and Unknown Zones.

Tactics by Zone
We propose tactics for sending white-hat worms by zone to build the white-hat botnet efficiently and effectively. The tactic for each zone is as follows.

Surrounding Tactic T Surrounding for Danger Zone
In the Danger Zone, Mirai bots are clumped. The BDS should confine those Mirai bots within the zone. The surrounding tactic [31] places white-hat worms around the zone and prevents the Mirai bots from spreading. See Figure 4.

Protecting Tactic T Protecting for Safe Zone
In the Safe Zone, there are few Mirai bots. Therefore, the BDS should prevent the Mirai botnet from entering this area. The protecting tactic [32] places white-hat worms on the border of the area to protect them like a firewall and prevent the bots from entering. See Figure 5.

Machine Learning Tactic T ML for Unknown Zone
This tactic places white-hat worms according to the result of the machine learning models. See Figure 6. We used a multitask learning model to implement this tactic in the same way as the second phase of [12].

White-Hat Worm Launcher by Zoning
Combining the zoning procedure and the tactics for sending white-hat worms by zone, we propose a new white-hat Worm Launcher that can make tactical responses for the divided zones. The procedure of the Launcher is given as Procedure 3. The first step uses Procedure DBSCAN-BASED-ZONING to divide a given network into three zones, i.e., the Danger, Safe, and Unknown Zones. The second step makes the placement of white-hat worms according to the tactic for each zone, i.e., the surrounding tactic for the Danger Zone, the protecting tactic for the Safe Zone, and the machine learning tactic for the Unknown Zone. The third step combines those results for the whole placement.
We illustrate the proposed procedure with an example shown in Figure 7. The network and Mirai bots' distribution are the same as the example of Figure 3:

•
Step 1 divides the network into three zones by using Procedure DBSCAN-BASED-ZONING. As stated before, we obtain the result of zoning shown in Figure 3b.

•
Step 2 places white-hat worms in each zone. Each zone takes a different tactic, i.e., the surrounding tactic for the Danger Zone, the protecting tactic for the Safe Zone, and the machine learning tactic for the Unknown Zone. • Step 3 combines those results for the whole placement. Step 1: Zoning Stage 1: Z Danger , Z Sa f e , Z Unknown ← DBSCAN-BASED-ZONING(N, D Mirai , D normal ).
Step 2: Placing Stage 2: for each zone Z in Z Danger , Z Sa f e , Z Unknown do 3: Place white-hat worms as follows: 4: if Z is Z Danger then 5: Use the surrounding tactic and store the placement result in D W Danger . if Z is Z Sa f e then 8: Use the protecting tactic and store the placement result in D W Sa f e . 9: end if 10: if Z is Z Unknown then 11: Use the machine Learning tactic and store the placement result predicted by M 2 in D W Unknown . Step 1 Step 2 Step Procedure ZONING-BASED-WORM-LAUNCHER can run in a few seconds on a PC with an Intel Core i7 2.6 GHz and 16 GB RAM. Zoning in Step 1 takes about one second. Step 2 decides the placement of white-hat bots for each zone. Zoning omits predictions by the learning model in some zones and allows for a significant reduction in computation time. As a result, it can run in one second. Combining in Step 3 hardly takes any time.

Experiment
We modeled the BDS with the proposed zoning-based Worm Launcher by using an agent-oriented Petri net PN 2 and, then, carried out experiments to evaluate the effect of the Launcher through the simulation of the PN 2 model. For the detail of the modeling by PN 2 , refer to [9].
We configured a 10 × 10 grid network N and considered four kinds of initial distributions of Mirai. The first three distributions and the result of zoning are illustrated in Figure 8: • Distribution 1: Has a low density of Mirai bots in the whole network, i.e., δ(N) = 31%. This is illustrated in Figure 8a. The infected network is divided into 25% Danger Zone, 50% Safe Zone, and 25% Unknown Zone. • Distribution 2: Has a medium density of Mirai bots in the whole network, i.e., δ(N) = 37%. This is illustrated in Figure 8b. The infected network is divided into 25% Danger Zone, 25% Safe Zone, and 50% Unknown Zone. • Distribution 3: Has a high density of Mirai bots in the whole network, i.e., δ(N) = 56%. This is illustrated in Figure 8c. The infected network is divided into 50% Danger Zone, 25% Safe Zone, and 25% Unknown Zone. • Distribution 4: Set to be random. It has almost the same density as Distribution 1, i.e., δ(N) = 30%; unlike Distribution 1, all the Mirai bots are placed randomly. We used the tool PN2Simulator [33] for the simulation. We took Mirai's infection rate R Mirai as a quantitative index. R Mirai is given by R Mirai = # Mirai /# device , where # Mirai is the number of devices infected by Mirai and # device is the number of all devices in N. The other simulation parameters are given as follows: • Lifespan = 2; • Delay time δ = 7 until rebooting; • Secondary infection probability ρ = 50%.

Simulation Result
We compared the proposed Launcher with the Launcher of [12]. The notable difference between them having or not having zoning, i.e., the proposed Launcher has zoning, while the Launcher of [12] has no zoning. The simulation results can be seen in Table 3. Each value represents the mean of R Mirai at 1, 10, 100, 1000, and 10,000 steps for 1000 trials. In every distribution and step, the infection rate of the Launcher with zoning had to a lower value than the Launcher without zoning. Figure 9 charts these results to make it easier to compare these Launchers. From the graphs, we found that in the early stage, the Launcher with zoning removed significantly more Mirai bots than the Launcher without zoning. Especially in the case of Distribution 1, which contains 50% Safe Zone, the protecting tactic effectively prevented the devices in the zone from infection. However, the white-hat botnet behaves autonomously. Thus, the formation will collapse with the passage of time, and therefore, the effect of the initial launch position will disappear. This implies that the tactic has a time limit for its effect.   In addition, from the graph of Figure 9d, the random distribution resulted in a similar tendency as the other distributions. That is, the infection rate curve with zoning is steeper than without zoning, which means that the infection rate decreases more significantly. We confirmed that the proposed Launcher can also show performance in a general environment and effectively remove Mirai bots. Table 4 shows the positioning of this study among the related research. Most of the related research focuses on detecting botnets and mitigating the threat, while only the last three research works focus on exterminating existing botnets. The three research works deal with the BDS, but propose different Launchers. The Launcher of [10] gives only a basic functionality, which sends white-hat worms to the infected network. That is, it places worms at random and does not specify concrete nodes. On the other hand, the Launcher of [12] specifies nodes to launch. This Launcher learns how to place white-hat worms based on machine learning. The Launcher also divides the given network into small networks and increases the accuracy of the prediction. The Launcher proposed in this paper introduces the concept of zoning and applies tactics for each zone. In general, there is a bias in the distribution of Mirai bots. Therefore, the given network should be divided by the Mirai bots' density rather than by network scale in a uniform manner. The proposed Launcher divides the given network into zones based on density and can use appropriate tactics depending on the density. Step With Zoning Without Zoning (c) (d) stage, which showed that the white-hat botnet can effectively prevent the Mirai botnet from spreading as a "wall". On the other hand, although it is not easy to isolate randomly distributed Mirai bots, our proposed Launcher showed excellent performance in the case of a random distribution. In general, the proposed Launcher can effectively reduce the Mirai infection rate and reduce the number of infected devices in the network. Zoning helps us make it easier to consider tactics because we separated the phenomenon. In addition, zoning saves time and cost during the design and runtime. This is important because machine learning often requires much computational time and cost. The proposed Worm Launcher was designed to be scalable. In this paper, we used a 10 × 10 network to illustrate the proposed method. However, we can apply it to a network with a different size. At this time, we only have to perform padding or use the divide-andconquer step given in our previous paper as the preprocess. This preprocess hardly takes any time. Actually, we performed a preliminary experiment using a larger network with 20 × 20 nodes and confirmed that the proposed Launcher is efficient. From the above, it can be said that the proposed Launcher is adaptable to large-scale networks.

Conclusions
In this paper, we proposed a novel machine learning white-hat Worm Launcher for tactical response by zoning in the Botnet Defense System. We first introduced the previous work and the BDS. Next, we proposed a new concept of zoning to grasp malicious botnets' spread with bias over IoT networks. We also proposed three tactics to respond to each zone. Then, we confirmed the effect of the proposed white-hat Worm Launcher through a simulation evaluation with agent-oriented Petri net models. The result showed that the proposed Launcher is effective and can reduce the number of infected IoT devices by about 30% overall.
In this paper, we focused on the case of the Mirai botnet infecting only once. However, the Mirai botnet may infect many times. Whenever the Mirai botnet appears, we should nip it in the bud as early as possible. However, when a few Mirai bots are scattered, the proposed Launcher may not work well because all of the network is identified as a Safe Zone. To resolve this problem, we can use several approaches. For example, we can predict future infection situations and make a proactive response based on the prediction. We also can make a white-hat botnet resident to continually disinfect Mirai bots [34].