Botnet Defense System: Observability, Controllability, and Basic Command and Control Strategy

This paper deals with the observability, controllability, and command and control strategy in the Botnet Defense System (BDS) that disinfects malicious botnets with white-hat botnets. The BDS defends an IoT system built over the Internet. The Internet is characterized by openness, but not all nodes are observable and controllable. We incorporated the concept of observability and controllability into the BDS design and theoretically clarified that the BDS can enhance its observability and controllability by utilizing its white-hat botnets. In addition, we proposed a Withdrawal strategy as a basic strategy to command and control white-hat botnets. Then, we modeled the BDS, adopted the Withdrawal strategy with agent-oriented Petri net PN2 and confirmed the effect through the simulation of the model. The result shows that even if considering observability and controllability, the BDS wiped out the malicious bots and reduced the white-hat bots to less than 1% as long as the white-hat worms were sufficiently infectious.


Introduction
The Internet of Things (IoT) has made remarkable progress and has brought benefits to our lives. On the other hand, IoT has created new threats to cyber security. In September 2016, the threat became a reality. A lot of IoT devices were misused to cause a massive and destructive Distributed Denial of Service (DDoS) attack. A new kind of malware called Mirai [1] was used to hijack them. Hijacked devices are called bots because they can be controlled remotely. The network of bots is called a botnet and is available to perform various cyber attacks such as DDoS attacks, digital scams and malicious cryptocurrency mining. IoT devices are known to be vulnerable. This is because many of them do not have sufficient resources to perform security functions and vendors may sacrifice security in order to compete on price or rush to market. To make matters worse, Mirai's authors released the source code [2]. This brought about the birth of many variants such as Okiru and Satori. As cyber space and real space are integrated, IoT botnets have become one of the major threats in today's society.
To deal with the threat of IoT botnets, there are several techniques such as detection, mitigation and spread prevention. These techniques can help mitigate the threat of botnets, but they cannot disinfect botnets that have spread already. It is known that the Mirai botnet can be removed by rebooting the infected devices because it penetrates only in the dynamic memory of the devices [3]. However, with the explosive growth of IoT devices, it is not practical to go around rebooting the infected devices. With the Botnet Defense System (BDS) [4], it has been proposed to use a botnet instead of humans to disinfect malicious botnets. The BDS builds a botnet itself and uses the botnet to disinfect the malicious botnet.
An IoT system is built on the Internet rather than a closed network. This enables the IoT system to utilize not only physical devices but also various services on the Internet. On the other hand, it is known that the Internet is difficult to monitor and manage due to its heterogeneity, geographic size and distributed management [5]. Therefore, this system configuration may take a risk on cyber security. To resolve this, botnet technology may 1.
The concept of observability and controllability was firstly introduced and discussed in the research area of botnet disinfection. 2.
The mechanism of command and control was clarified in terms of Petri nets [6] theoretically.

3.
A command and control strategy, named Withdrawal strategy, was proposed and the effect was quantitatively confirmed through simulation evaluation.
The rest of this paper is organized as follows: Section 2 introduces related work. Section 3 presents the concept and design of BDS. Section 4 presents the concept of observability and controllability introduced into the BDS and describes the mechanism to command and control the botnet under the observability and controllability. In addition, it provides the strategy of commanding and controling the botnet. Section 5 presents modeling of the proposed mechanism and the strategy with agent-oriented Petri net PN 2 [7] and shows the effectiveness through the simulation evaluation with the PN 2 model. Section 6 summarizes our key points and shows open problems to be dealt with in the future.

Related Work
Several countermeasure techniques have been proposed against botnet threats [8]. These can be broadly classified into three categories: detection, mitigation and spread prevention (see Figure 1 and Table 1).

Category Techniques
System (IDS) is widely used as a detection technique. There are two kinds of approaches to detection: signature-based and anomaly-based. Signature-based detection registers malicious patterns in a database and detects botnets by matching the registered patterns. Said et al. [9] investigated a syntactic method with string-based signatures and a semantic method with system-call-based signatures in the detection of Mirai. The evaluation results show that the semantic method shows better detection rate than the syntactic method and is resistant to simple obfuscation to disguise malicious properties. The signature-based approach has been adopted by open-source IDSs such as Snort [20] and Suricata [21]. On the other hand, anomalybased detection registers normal patterns in a database and detects botnets by classifying any deviation from the registered patterns. Bezerra et al. [10] proposed a host-based detection method utilizing one-class classifiers. This method focuses on a single device and extracts features from the device's behavior such as CPU utilization and memory consumption. The evaluation results show that one-class classifiers are enough to detect a different botnet and have a small impact on the device's utilization and energy consumption. Soe et al. [11] proposed a detection framework with a sequential architecture based on machine learning algorithms. The framework is characterized by adopting a correlated feature selection method to reduce the number of irrelevant features. This enables implementation in resource-constrained IoT devices. Meidan et al. [12] proposed a network-based detection method. This method extracts behavior snapshots of a targeted network and applies deep autoencoders to detect anomalous traffic.
The evaluation results show that the proposed method can accurately and instantly detect the attacks launched from a botnet. Hoang et al. [13] proposed a botnet detection model based on machine learning using Domain Name Service query data and confirmed that machine learning algorithms can be used effectively in botnet detection. Mihoub et al. [14] proposed an architecture composed of two components for detecting and mitigating DoS/DDoS attacks. The detection component is a multi-class classifier that adopts the Looking-Back concept and identifies the type of attack and the packet type used in the attack. Based on the result, the mitigation component applies the corresponding countermeasure. Shinan et al. [22] conducted a survey on various techniques for detecting botnets, including botnet attacks, machine learning and Software Defined Networking (SDN). They described graph-based features based on machine learning for bot detection in SDN as the most promising avenue. The mitigation technique aims to prevent and/or reduce the effect of botnet on the IoT system itself and/or victim systems (see Figure 1ii). It is often used in conjunction with detection techniques to respond to detected botnets. Manso et al. [15] proposed a software-defined IDS. When the system detects an attack, it uses an SDN controller to control the traffic. Ceron et al. [16] proposed an adaptive network layer to block or rewrite the traffic generated by botnets to invalid ones. Specifically, it makes it possible to block or rewrite the instructions sent from the botnet controller to the bots to make them invalid. Khattak et al. [17] proposed an open source tool, BotFlex, with an extensible module system. It aims to continually improve mitigation for botnets across the entire IT community. Researchers and companies can contribute to improving the mitigation by developing BotFlex modules.
The spread prevention technique aims to protect vulnerable devices against botnets (see Figure 1iii). It includes changing default passwords, and the removal of unnecessary software or unnecessary usernames. In Reference [3], the United States Computer Emergency Readiness Team (US-CERT) recommends users and administrators of IoT devices take preventive steps such as changing all default passwords to stronger ones, applying the latest security patches and monitoring the ports that Mirai exploits. Frank et al. [18] developed Python scripts that run on actual devices to prevent IoT devices from becoming Mirai bots. The first hardening script prevents the first infection, while the second script recognizes existing infections and prevents reinfection. Gopal et al. [19] proposed a whitelist-based solution to prevent the spread of Mirai and showed that they successfully blocked the Mirai malware through experiments.
These techniques can help mitigate the threat of botnets but cannot disinfect a botnet which has already spread. The botnet can be removed by rebooting the infected devices.
However, as the number of IoT devices increases explosively, it is not practical to deal with them by human tactics. This solution requires an innovative approach.

Botnet Defense System (BDS)
Botnet Defense System (BDS) [4] is a cyber security system designed to disinfect a botnet that has already spread. The concept of BDS is "Fight Fire with Fire," i.e., the BDS responds to the malicious botnet with botnet technology. The BDS builds a white-hat botnet itself and uses the botnet to disinfect the malicious botnet. The white-hat botnet can spread autonomously and has the ability to get back devices from the malicious botnet [23]. Therefore, the BDS is expected to drastically increase defense capability against the malicious botnet. We illustrate the system configuration of the BDS in Figure 2. The left and right rounded rectangles, respectively, represent the BDS and the IoT system defended by the BDS. The BDS repeats the four-step process consisting of monitoring, strategic planning, botnet construction and botnet command and control (C&C) to defend IoT systems from malicious botnets.
Step 1 Monitoring: Monitor the IoT system and check if the system is infected by any malicious botnet. Once detecting the malicious botnet, the BDS investigates it and collects the information such as its type and spread status.
Step 2 Strategy Planning: Plan strategies for disinfecting the malicious botnet based on the information obtained in Step 1.
Step 3 Botnet Building: Build the white-hat botnet by sending white-hat worms [23] to the IoT systems according to the strategy.
Step 4 Botnet C&C: Command and control the white-hat botnet spreading autonomously for disinfecting the malicious botnet according to the strategy. Step 1: Monitoring Step 2: Strategy Planning Step 3: Botnet Building Step 4: Botnet C&C The inner graph (N, E) of the right rounded rectangle of Figure 2 represents the network configuration of the IoT system. Each node n (∈N), depicted as , represents a network node, each of which possesses a single device d. Each edge e (∈E) represents a connection among the network nodes. Different networks have different configurations. In this example, the network consists of 24 nodes n 1 , n 2 , · · · , n 24 and has a square lattice topology. The arc connecting the BDS to a network node represents a connection between the BDS and the node.
The BDS uses the white-hat worm proposed in Reference [23]. The white-hat worm infects and turns a device into a white-hat bot.
• Lifespan: The worm is only available for a limited time. It will destroy itself at the end of a given time. That is, the time period means the lifespan of the white-hat worm. Even after the worm self-destructs, the device remains a white-hat bot and is immune until being rebooted. • Secondary infectivity: The worm can infect the device that has already been a malicious bot and then clear the malicious bot from the device.
The BDS must build the white-hat botnet so that it has the upper hand over the malicious botnet. However, the white-hat botnet should be built as small as possible because it protects the IoT system but consumes its resources. Therefore, the BDS is required to build the white-hat botnet of an appropriate size depending on the type and spread status of the malicious botnet and the capabilities of available white-hat worms. The BDS can choose a strategy for building the white-hat botnet among the strategies: all-out, few-elite and environment-adaptive proposed in Reference [23].
Let us explain how the BDS works using the state transition shown in Figure 3 as an example. Figure 3a shows the state in which a malicious botnet is invading the IoT system. In Step 1, the BDS detected the malicious botnet and identified ten devices that have already become malicious bots in the system. The malicious bots are depicted as in Figure 3a. In Step 2, the BDS decided to adopt the few-elite strategy for disinfecting the malicious botnet because the BDS had a white-hat worm with a strong secondary infectivity. Figure 3b shows the state when the BDS built a white-hat botnet in Step 3. In accordance with the few-elite strategy, the BDS sent the white-hat worm only to two nodes n 10 , n 15 and built the initial white-hat botnet. The white-hat bots are depicted as in Figure 3b. After that, the malicious botnet and the white-hat botnet autonomously spread over the network. Figure 3c shows the state when the white-hat worm at n 15 secondarily infected the device d 19 at node n 19 that had already been a malicious bot. The malicious bot was cleared from d 19 . However, d 19 was turned into a white-hat bot instead. The white-hat botnet spread throughout the system while disinfecting the malicious botnet by secondary infection. Figure 3d shows a state in which the white-hat botnet has wiped out the malicious botnet. Step 1 Monitoring Step 2 Strategy Planning Step 3 Botnet Building Step 4 Botnet C&C Step 1 Monitoring

IoT System BDS
Step 2 Strategy Planning Step 3 Botnet Building Step 4 Botnet C&C IoT System BDS Step 1 Monitoring Step 2 Strategy Planning Step 3 Botnet Building Step 4 Botnet C&C Step 1 Monitoring

IoT System
Step 2 Strategy Planning Step 3 Botnet Building Step 4 Botnet C&C IoT System BDS 1 (d) Figure 3. A state transition of the BDS, which illustrates how the BDS works. (a) State when the BDS detected a malicious botnet, which consists of 10 bots ( ). The BDS decided to adopt the few-elite strategy [23] for disinfecting the malicious botnet; (b) State in botnet building of Step 3. The BDS sent white-hat worms to the 10th and 15th nodes and built a white-hat botnet composed of two bots ( ); (c) State when the white-hat botnet spread by infecting the 19th device that had already been a malicious bot; (d) State in which the white-hat botnet wiped out the malicious botnet. However, many white-hat bots still stay on.

Observability, Controllability, and Command and Control Strategy
The IoT system defended by the BDS is built on the Internet. The Internet is characterized by openness but not all parts of the Internet are communicable. Restricting communication between networks enhances cyber security. However, it may become an obstacle to the operation of cyber security systems including the BDS.
Botnet technology has accelerated its evolution since the release of the Mirai source code and has spawned a variety of variants. The purpose of the variants is no longer limited to DDoS attacks, but also extends to electronic scams, and illicit cryptocurrency mining. Noteworthy is the proxy function provided by a variant called OMG. It enables the infected IoT device to act as a pivot point between networks [24]. Here, it is important to note that the BDS uses botnets. Incorporating such a message transfer function into the white-hat botnet enables the BDS to further enhance the ability of the BDS.

Observability and Controllability by BDS
We introduce the concepts of observability and controllability. In a network defended by the BDS, we define the observability and controllability between the BDS and nodes as follows.
Definition 1 (Observability and controllability by BDS). In a network defended by the BDS, let n be a node in the network.

•
n is said to be observable by the BDS if the BDS can check whether there is any bot at n. If there is a connection from n to the BDS, the BDS can check whether there is any bot at n. • n is said to be controllable by the BDS if the BDS can send a white-hat worm to n. If there is a connection from the BDS to n, the BDS can send a white-hat worm to n.
Let us illustrate the concept of the observability and controllability by the BDS with an example shown in Figure 4. In this example, the network has the same structure as Figure 3, i.e., it consists of 24 nodes n 1 , n 2 , · · · , n 24 and has a square lattice topology. The difference between them is observability and controllability. In this example, the BDS has connections from and to nodes n 1 , n 2 , · · · , n 12 . This means that those nodes are observable and controllable, while the others n 13 , n 14 , · · · , n 24 are unobservable and uncontrollable. We apply a black diagonal lines pattern meshing to the unobservable and uncontrollable nodes in Figure 4. Figure 4a shows the state when the BDS detected the malicious botnet. The BDS can check whether there is a bot only at the observable nodes n 1 , n 2 , · · · , n 12 . As a result, the BDS found only 5 of 10 bots at nodes n 1 , n 2 , n 4 , n 6 and n 11 .
The BDS adopted the few-elite strategy in Step 2 and used two white-hat worms to build the malicious botnet in Step 3. One worm was sent to the same node n 10 as the former example. The other was sent to another node n 7 different from the previous example because the BDS can only send it to a controllable node. Figure 4b shows the state when the BDS built a white-hat botnet in Step 3.

Observability and Controllability by White-Hat Bot
The BDS is characterized by using a white-hat botnet to defend the network. Each bot is given the same ability to observe and control network nodes as the BDS. However, the nodes that it can observe and control are limited to its neighbors. Definition 2 (Observability and controllability by white-hat bot). In a network (N, E) defended by the BDS, let n and n be nodes in (N, E) where n has a white-hat bot w.
• n is said to be observable by w if w can check whether there is any bot at n . If there is a connection from n to n, i.e., (n , n)∈E, w can check whether there is any bot at n . • n is said to be controllable by w if w can send a white-hat worm to n . If there is a connection from n to n , i.e., (n, n )∈E, w can send a white-hat worm to n . Step 1 Monitoring Step 2 Strategy Planning Step 3 Botnet Building Step 4  Step 1 Monitoring Step 2 Strategy Planning Step 3 Botnet Building Step 4 Botnet C&C Step 1 Monitoring Step 2 Strategy Planning Step 3 Botnet Building Step 4 Botnet C&C Step 1 Monitoring Step 2 Strategy Planning Step 3 Botnet Building Step 4 Botnet C&C  Let us consider Figure 4b again. The BDS launched white-hat bots at two controllable nodes: n 7 and n 10 . For node n 7 , its adjacent nodes n 3 , n 6 , n 8 , n 11 are observable and controllable nodes by the white-hat bot at node n 7 . On the other hand, for node n 10 , its adjacent nodes n 6 , n 9 , n 11 , n 14 are observable and controllable nodes by the white-hat bot at node n 10 . Note that n 14 is unobservable and uncontrollable by the BDS.

Observability and Controllability by BDS via White-Hat Botnet
Some nodes in the network are observable and controllable by the BDS, while others are not. The white-hat botnet can autonomously spread and expand even to nodes unobservable and uncontrollable by the BDS. The BDS can use the spread white-hat botnet to expand the scope that the BDS can observe and control.
The BDS has the ability to exchange messages with a white-hat bot that is at a node observable and controllable by itself. A white-hat bot is also given the same ability as the BDS. Definition 3 (Message exchange ability). In a network (N, E) defended by the BDS, let n and n be nodes in (N, E) that have a white-hat bot w and w , respectively.
• w can exchange messages with the BDS if n is observable and controllable by the BDS. • w can exchange messages with w if n is observable and controllable by w.
A message received from a certain white-hat bot can be transferred to another whitehat bot. This message transfer allows a white-hat bot to exchange messages with another white-hat bot that is at a node unobservable and uncontrollable by itself. We define a relation between white-hat bots to express that they can exchange messages through the message transfer.
Definition 4 (Link relation between white-hat bots). In a network defended by the BDS, let w and w be white-hat bots on the network. w is said to be linked with w if w can exchange messages with w through the message transfer via the white-hat botnet.
We will depict a link relation between linked white-hat bots as a red dashed line ( ). We give a necessary and sufficient condition to determine if two white-hat worms are linked. Property 1. In a network (N, E) defended by the BDS, let n and n be nodes in (N, E) that have a white-hat bot w and w , respectively. w is linked with w if and only if there is a path ρ between n and n such that every node on ρ has a white-hat bot (see Figure 5). This message transfer mechanism enables the BDS to expand the scope that the BDS can observe and control. The observability and controllability by the BDS via the white-hat botnet is defined as follows.
Definition 5 (Observability and controllability by BDS via white-hat botnet). In a network defended by the BDS: • Let u be a node unobservable by the BDS. u is said to be observable by the BDS via the white-hat botnet if the BDS can check whether there is any bot at u via the white-hat botnet. • Let u be a node uncontrollable by the BDS. u is said to be controllable by the BDS via the white-hat botnet if the BDS can send a white-hat worm to u via the white-hat botnet.
We give a necessary and sufficient condition to determine if a given node unobservable (or uncontrollable) by the BDS is observable (or controllable) by the BDS via the white-hat botnet. Property 2. Let (N, E) be a network defended by the BDS (see Figure 6).
(i) Let u be a node of (N, E) unobservable by the BDS. u is observable by the BDS via the white-hat botnet if and only if there is a white-hat bot w by which u is observable and a white-hat bot w at a node n observable by the BDS such that w is linked with w . (ii) Let u be a node of (N, E) uncontrollable by the BDS. u is controllable by the BDS via the white-hat botnet if and only if there is a white-hat bot w by which u is controllable and a white-hat bot w at a node n controllable by the BDS such that w is linked with w . This property can be reformulated with the structural characterization of Property 1 as follows. Corollary 1. Let (N, E) be a network defended by the BDS (see Figure 6). (i) Let u be a node of (N, E) unobservable by the BDS. u is observable by the BDS via the white-hat botnet if and only if there is a path ρ between u and a node n observable by the BDS such that every node on ρ has a white-hat bot except u. (ii) Let u be a node of (N, E) uncontrollable by the BDS. u is controllable by the BDS via the white-hat botnet if and only if there is a path ρ between u and a node n uncontrollable by the BDS such that every node on ρ has a white-hat bot except u.

Proof. See Appendix A.3.
Let us consider Figure 4c. In this state, the white-hat botnet spread even to n 14 , n 15 , n 18 and n 20 unobservable and uncontrollable by the BDS and drove out all the malicious bots except at n 24 . The white-hat bots can be divided into three groups by message link depicted by red dashed lines.
The first group is the bots at n 1 , n 2 , n 3 , n 4 and n 7 (see the right upper part of Figure 4c). We can confirm that those bots are linked to each other by using Property 1 because for any pair of those nodes, there is a path between them such that every node on the path has a white-hat bot. The BDS can directly command and control all the bots of this group because those bots are at nodes observable and controllable by the BDS.
The second group is the bots at n 10 , n 14 , n 15 and n 18 (see the right middle part of Figure 4c). Only n 10 is observable and controllable by the BDS, the others are not. The BDS can only directly command and control the bot at n 10 but not others. However, the bots at n 10 are linked with the other bots. From Property 2, n 14 , n 15 , n 18 and their adjacent nodes, which are represented by a yellow dot pattern in the figure, are observable and controllable by the BDS via the white-hat botnet. This can be confirmed by using Corollary 1 because for any u of those nodes, there is a path between u and n 10 such that every intermediate node on the path has a white-hat bot. This means that the BDS can indirectly command and control the bots of n 14 , n 15 and n 18 .
The last group is the bot at n 20 (see the right lower part of Figure 4c). n 20 is unobservable and uncontrollable by the BDS. Furthermore, since this bot is not linked with the other white-hat bots, n 20 is not observable and controllable by the BDS via the white-hat botnet from Property 2. Therefore, the BDS cannot command and control the bot. As the result, although this bot discovered a malicious bot at n 24 , the BDS could not know of its existence.

Basic Command and Control Strategy
A white-hat botnet autonomously spreads and therefore requires strategical command and control by the BDS to achieve a given goal.
Different goals require different strategies. The white-hat botnet is known as a doubleedged sword. It defends the IoT system against malicious botnets but itself consumes the system's resources. Therefore, it should not stay at the system after disinfecting the malicious botnet.
We set this as a goal and propose a strategy to achieve the goal as follows.

Strategy 1 (Withdrawal Strategy). Remove the white-hat botnet immediately by the BDS itself.
This strategy will be applied when the white-hat botnet has disinfected the malicious botnet. In addition, it may be applied when

•
The white-hat botnet is bloated and has too much waste compared to the benefits; or • The white-hat botnet is too weak to disinfect the malicious botnet and should be rebuilt.
Let us consider Figure 4c again. In this state, no malicious bot remains any longer in the area observable by the BDS directly and indirectly. That is, as far as the BDS knows, the whitehat botnet disinfected all the malicious bots. The BDS will command self-destruction to the white-hat bots according to the Withdrawal strategy. This command reached the white-hat bots not only at controllable nodes n 1 , n 2 , n 3 , n 4 , n 7 , n 10 , but also at uncontrollable nodes n 14 , n 15 and n 18 linked with the bot at n 10 . Figure 4d shows the state after those bots self-destructed. Note that the white-hat bot at n 20 remains because it has not received the self-destruction command. As shown in this example, the BDS can be expected to extend its command and control capability into areas were it cannot observe or control by using the white-hat botnet.

Simulation Evaluation
In this section, we present the quantitative evaluation of the observability, controllability and basic C&C strategy proposed in the previous section. Molesky states in Reference [25] that the use of white-hat worm technology can be legally enacted by including explicit terms within the Terms and Conditions agreement at the time of purchase. This suggests that white hat worm technology is applicable in real situations. We have also implemented a prototype of BDS that defends 24 Raspberry Pi Zero units and have confirmed that our approach works in a real-world environment. However, because of the complex behavior of BDS, we take a simulation-based approach to its evaluation in this paper.
We first model the behavior of the BDS with an agent-oriented Petri net, called Petri-Nets in a Petri Net (PN 2 ). The PN 2 model enables us to observe the evolution of the BDS over time. We perform two experiments to evaluate the proposal from different perspectives. One is a special case that has hierarchical observability and controllability based on the network structure. The other is a general case in which observability and controllability are decided at random.

Modeling and Simulation
In the evaluation, a key behavior of the BDS is the battle between malicious and whitehat botnets. The battle can be regarded as a multi-agent system, i.e., the devices (these may be bots) and the network, respectively, correspond to agents and an environment that the agents act on. PN 2 is a mathematical and graphical modeling tool to study multi-agent systems. A PN 2 consists of two levels of Petri nets: agent-nets and an environment net. An agent net represents the behavior of an agent. The environment net contains those agent nets as tokens and represents the interaction among the agents. For the details of modeling, refer to Reference [23]. The feature of PN 2 is that its model is a mathematical description as well as a graphical representation and is also executable. The last two features help to make the behavior of the model easier to understand. Playing the key role are tokens. With tokens, the PN 2 model serves as a "game board" and the system behavior becomes "token games".
We have developed a tool called PN2Simulator that can edit, simulate and analyze PN 2 and we use it to study the behavior of BDS interactively. Figure 7 shows a screenshot of the PN2Simulator, which displays the PN 2 model representing the state shown in Figure 4b. The left side of the screen represents the environmental net, while the right side represents the agent nets. The environment net is an extension of Petri nets. It consists of two types of nodes called places and transitions. Places are drawn as circles ( ) and transitions are drawn as boxes ( ). Each place represents a network node. The 4 × 6 places in total are arranged as 4 × 6 in the same way as the nodes in Figure 4b. Places can hold tokens. Tokens are drawn as ellipses ( ). Each token represents an agent such as an IoT device, a malicious worm or a white-hat worm and is labeled with the corresponding agent's name. Let us consider place P1 (top left). P1 holds two tokens representing a device and a malicious worm. This indicates that the device was infected by the worm and has been a malicious bot. Next, let us consider place P5 (below P1). P5 holds only one token representing the device. This means that the device is not infected by any worm and is normal. Then, let us consider place P10 (to the lower right of P5). P10 stores two tokens representing a device and a white-hat worm launched by the BDS. This means that the device was infected by the white-hat worm and has been a white-hat bot.
Each transition represents an interaction between agents. Recall that each token corresponds to an agent net. A transition in an environment net fires synchronously with transitions in one or more agent nets. This synchronization represents an interaction between the corresponding agents. The conditions for firing are described by labels, not transition identifiers. Therefore, the agent nets involved in firing are determined by dynamic coupling by labels. The PN2Simulator highlights transitions that can fire in red. Transition T123 is fireable. This indicates that the malicious worm at P1 is trying to infect the device at P5. A firing of this transition results in a copy of the malicious worm at P5. Then the copy turns the device at P5 into a malicious bot. For more information on the firing rule, refer to Ref. [23].

Evaluation Indicators
We use the following two indicators in the evaluation.

•
Infection rate of malicious bots at simulation step t: where -# node is the number of nodes, i.e., devices, in the given network; -# mal (t) is the number of malicious bots in the whole network at t. This breaks down into: · # obs mal (t) is the number of malicious bots on the nodes observable by the BDS at t; · # in-obs mal (t) is the number of malicious bots on the nodes indirectly observable by the BDS via the white-hat botnet at t; · # unobs mal (t) is the number of malicious bots on the nodes unobservable by the BDS even via the white-hat botnet at t .
• Infection rate of white-hat bots at simulation step t: where -# wh (t) is the number of white-hat bots in the whole network at t. This breaks down into: · # obs wh (t) is the number of white-hat bots on the nodes observable by the BDS at t; · # in-obs wh (t) is the number of white-hat bots on the nodes indirectly observable by the BDS via the white-hat botnet at t; · # unobs wh (t) is the number of white-hat bots on the nodes unobservable by the BDS even via the white-hat botnet at t.
The smaller the values of both R mal and R wh the better. In particular, R mal should be zero, which means the malicious botnet is wiped out.

Hierarchical Case
We first target a case in which observability and controllability are given based on the network structure. Figure 8 illustrates the network. This network has a two-level hierarchy and consists of one upper-level network and four lower-level networks. The upper-level network consists of 36 nodes that are both observable and controllable by the BDS, while each lower-level network consists of 16 nodes that are neither unobservable nor uncontrollable by the BDS. Therefore, the number # obs node of nodes observable and controllable by the BDS in the whole network is 36. Each lower-level network is connected to only the upper-level network by a single connection. This single connection is intended to reduce the potential for the spread of infection between networks.  The given network can be systematically translated into a PN 2 model. Intuitively, each node of the network corresponds to a single place in the environment net of the PN 2 model. A single node may have multiple connections. A single connection is represented by the same colored parts of the net. If there is no certain connection, we would simply omit the corresponding part. For example, let us consider the 37th node. It has four connections leading to the 27th, 36th, 38th and 47th nodes. Therefore, those connections are represented by using all the colored parts of Figure 8. On the other hand, let us consider the 27th node. It has only three connections. Therefore, the corresponding red part is omitted.
A single trial of simulation follows the steps below.

1.
Let t = 0 when the BDS detects a malicious botnet and launches white-hat worms to build a white-hat botnet. Let 0 − and 0 + , respectively, denote before and after launching the white-hat worms. Assume the malicious botnet consists of 20 bots, i.e., # mal (0 − ) = 20 and they are placed at random in the whole network.

2.
The BDS adopts the few-elite strategy and randomly sends 10 white-hat worms to observable nodes, i.e., # wh (0 + ) = # obs wh (0 + ) = 10. Figure 9a shows an example of the state at 0 + . Assume the white-hat worms have the capabilities below.

•
Lifespan is 3, 4 or 5 steps • Possibility of secondary infection ρ is 50% Assume each device reboots at 11 steps after infection.

3.
When t = 10, 000, the BDS adopts the Withdrawal strategy and commands the white-hat botnet to self-destruct. Let 10, 000 − and 10, 000 + , respectively, denote before and after sending the self-destruction order. Figure 9b shows an example of the state at 10, 000 − .

(c) Lifespan = 5 Steps
Step t  Figure 10 illustrates the result. Figure 10a is for t = 10, 000 − . The horizontal axis shows and the vertical axis shows the mean of bots. It is a stacked bar graph. The red bar represents the number of malicious bots and can be divided into # obs mal (10, 000 − ), # in-obs mal (10, 000 − ) and # unobs mal (10, 000 − ). The blue bar represents the number of white-hat bots and can be divided in the same way as the red bar. When = 3, the malicious bots increased from 20.00 (= # mal (0 − )) to 67.39 (= # mal (10, 000 − )). This is because the white-hat worm with a short lifespan died soon and therefore is difficult to spread in the hierarchical network. Figure 10b shows the state when t = 10, 000 + . Even if the BDS commanded the white-hat botnet to self-destruct, 67.39 malicious bots and 3.08 white-hat bots (total 70.47 bots) remained. On the other hand, when = 4, the malicious bots decreased from 20.00 to 2.81. This means the white-hat botnet with such a long lifespan is useful to disinfect the malicious botnet. However, the white-hat bots increased from 10.00 (= # wh (0 + )) to 73.28 (= # wh (10, 000 − )). After that, the BDS commanded the white-hat botnet to self-destruct and removed 62.87 (= # obs wh (10, 000 − ) + # in-obs wh (10, 000 − )) white-hat bots. This means the BDS removed 85.8% of the white-hat bots, including those in the unobservable networks. Furthermore, when = 5, the BDS wiped out all the malicious bots and then removed 76.34 white-hat bots. This means 90.32% of white-hat bots were removed. Let us evaluate the two indicators, the infection rate of malicious bots R mal and the infection rate of white-hat bots R wh . The BDS reduced R mal from 20% (= R mal (0 − )) to 0% (= R mal (10, 000 + )) and also reduced R wh from 10% (= R wh (0 + )) to 8.18% (= R wh (10, 000 + )) if = 5. Almost the same trend occurred for = 4. These results show that even in the case in which observability and controllability are given hierarchically, the Withdrawal strategy works effectively if the white-hat worm has enough infectivity ( ≥ 4 in this example).

General Case
We consider another case in which observability and controllability are given regardless of the network structure. This can be regarded as a general case. The network has a square lattice topology and consists of 10 × 10 nodes. Given the total number of observable and controllable nodes, we decide the observability and controllability for each node at random. The given network can be systematically translated into a PN 2 model in the same way as the previous case. Figure 11 shows an example of state-transition in this case. Figure 11a shows an example of the state at 0 + . In this example, 30 nodes are both observable and controllable. The malicious botnet infected 20 nodes at random regardless of observability and controllability. The white-hat worms were launched at 10 of 30 observable and controllable nodes such as the 21st and 24th nodes. Figure 11b shows an example of the state at 10, 000 − . The BDS disinfected the malicious botnet but has left 26 white-hat bots on the network. The BDS will command self-destruction to the white-hat botnet according to the Withdrawal strategy. This results in 24 of 26 bots being removed.

Malicious Bots White-Hat Bots
Step 10, 000 − Step 10, 000 + Step 10, 000 − Step 10, 000 + Let us evaluate the two indicators R mal and R wh in the general case. If ≥ 4, the BDS reduced R mal from 20% (= R mal (0 − )) to 0% (= R mal (10, 000 + )) and also reduced R wh from 10% (= R wh (0 + )) to less than 1% (= R wh (10, 000 + )). Even if = 3, the values of both indicators were reduced from the initial. These results show that even in the case in which observability and controllability are given regardless of the network structure, the Withdrawal strategy works well in the general case, as long as the white-hat worms are sufficiently infectious.

Discussion
We show the positioning of this study within the relevant studies in Table 4. Most of the related studies deal with the detection, mitigation and spread prevention techniques of malicious botnets. As mentioned in Section 2, these existing techniques are useful in mitigating botnet threats. However, they did not intend to disinfect botnets that have already spread. In contrast, the last three references aim to disinfect malicious botnets. Reference [23] proposed the concept and the system design of BDS to use white-hat botnets to disinfect malicious botnets. It also proposed a basic launcher and strategies to build the white-hat botnet. Reference [26] proposed an improved launcher adopting machine learning. The launcher learns how to build white-hat botnets appropriate to the infection status of the malicious botnet and can disinfect given botnets effectively. Thus, building white-hat botnets has been studied well. On the other hand, command and control of built botnets have not been much discussed. In this paper, we introduced the concept of observability and controllability to enable the consideration of communications between BDS and botnets over the Internet. Observability and controllability over botnets have not been discussed at all so far. We proved that BDS can extend the observability and controllability by means of the white-hat bots' message transmission. In addition, we proposed the Withdrawal strategy as a basic C&C strategy. No C&C strategy has been proposed so far. The Withdrawal strategy is a simple one, but it demonstrates the potential of actively controlling white-hat botnets to further enhance the defense capabilities.
IoT systems are open systems. As nodes can be dynamically added or removed, BDS may not be able to observe or control all nodes. This means that observability and controllability are limited and may create cyber security risks in botnet detection and command and control. Combining BDS with white-hat botnets can reduce this limitation. BDS can use self-propagating botnets to indirectly observe and control nodes that BDS cannot directly observe or control through the message link over the botnet. As a result, BDS can detect and remove botnets even if the network configuration of an IoT system changes.
learning works well with multi-agent systems and is expected to dynamically optimize strategies without human intervention. (iv) Not only technical but also ethical, legal and social issues (ELSI), empirical testing and system implementation.
These challenges will provide new impetus and make this research area even more exciting.
Funding: This research was funded by JSPS KAKENHI Grant Numbers JP19K11965 and JP22K12028.

Conflicts of Interest:
The author declares no conflict of interest.