Botnet Defense System: Concept, Design, and Basic Strategy

Abstract: This paper proposes a new kind of cyber-security system, named Botnet Defense System (BDS), which defends an Internet of Things (IoT) system against malicious botnets. The concept of BDS is “Fight fire with fire”: its distinguishing feature is that it uses white-hat botnets to fight malicious botnets. A BDS consists of four components: Monitor, Strategy Planner, Launcher, and Command and Control (C&C) server. The Monitor component watches over a target IoT system. If it detects a malicious botnet, the Strategy Planner component makes a strategy against the botnet. Based on the planned strategy, the Launcher component sends white-hat worms into the IoT system and constructs a white-hat botnet. The C&C server component commands and controls the white-hat botnet to exterminate the malicious botnet. Strategy studies are essential to produce the intended results. We propose three basic strategies for launching white-hat worms: All-Out, Few-Elite, and Environment-Adaptive. We evaluated BDS and the proposed strategies through simulation of an agent-oriented Petri net model representing the battle between Mirai botnets and white-hat botnets. The result shows that the Environment-Adaptive strategy is the best: it reduced the number of white-hat worms needed to 38.5% almost without changing the extermination rate for Mirai bots.


Introduction
The Internet of Things (IoT) is a fundamental technology that brings radical change to modern society, while also being targeted as a springboard for cyber-attacks. A new kind of malware called Mirai [1] infects IoT devices and turns them into bots. The network of bots (botnet) becomes a springboard for Distributed Denial-of-Service (DDoS) attacks. In fact, DDoS attacks by a Mirai botnet occurred in September 2016 and knocked out Amazon, Twitter, and other major sites. IoT devices are increasing explosively and most of them are vulnerable. Since Mirai makes such IoT devices a hotbed, Mirai botnet DDoS attacks tend to become massive and disruptive [2]. Four years have passed since Mirai appeared, but Mirai and its variants are still raging all over the world [3].
Mirai resides only in the dynamic (volatile) memory of a device, so it can be deleted by rebooting the infected device [4]. However, Moffitt [5] reported that Mirai can reinfect the device within minutes unless the vulnerability is patched. IoT devices are increasing explosively. According to Cisco's white paper [6], more devices than people were connected to the Internet by the late 2000s, and the number is predicted to reach 30 billion by 2023. IoT devices are also vulnerable, because they lack the resources to run security functions and their vendors may sacrifice security in price competition and/or the rush to market. We must fix such vulnerabilities, but workforce tactics

Botnet and Mitigation Methods
Bots and botnets are not new technologies. A bot is a program that performs predefined tasks according to commands sent over the Internet. Some bots are good, such as chat bots and trading bots, while others are bad, such as spam bots and DDoS bots. A typical example of a DDoS bot is Mirai. Mirai is a kind of worm that spreads copies of itself to IoT devices, infects them, and turns them into bots. The network of bots (botnet) is used by attackers as a springboard for DDoS attacks [9].
Ogu et al. [10] surveyed the current status of the botnet threat. The survey covers the typology of botnets and their owners, the structure and life cycle of botnets, botnet attack modes and control architectures, existing countermeasure solutions and limitations, as well as the prospects of a botnet threat.
Bezerra et al. [11] proposed a host-based approach to detecting IoT botnets, named IoTDS (Internet of Things Detection System). IoTDS monitors a device and collects its CPU usage and temperature, memory consumption, and number of processes. If the device detects an anomaly in these data, an alert of botnet detection is sent to the central server.
Manso et al. [12] designed and implemented a Software-Defined Intrusion Detection System. The system includes an IDS that automatically detects several kinds of DDoS attack. Once the IDS detects an attack, it notifies a Software-Defined Networking controller, which in turn controls the networking devices. The system can detect a botnet exploitation in a timely manner, mitigate malicious traffic, and protect normal traffic. However, none of the above-mentioned systems does anything about the detected botnets themselves.

White-Hat Worm
A white-hat worm is generally defined as a worm created for well-intentioned purposes. One well-known white-hat worm is Hajime [13]. Like Mirai, Hajime infects IoT devices and turns them into bots. However, Hajime has neither code nor capability for DDoS attacks. Moreover, Hajime actually protects devices against Mirai by blocking the ports that Mirai uses to infect. However, Hajime continues to stay on the infected device even after completing its defense against Mirai. Therefore, Hajime may be said to be gray-hat.
Molesky et al. [14] proposed a new perspective on the use of white-hat worm technology: not only manufacturers but also governments can use the technology to fix critical vulnerabilities in IoT devices. A white-hat worm infects the vulnerable device and applies the appropriate patch. Molesky states in Ref. [14] that, legally, this could be enacted by including explicit terms within the Terms and Conditions agreement at the time of purchase, which creates a contract with the consumer allowing these actions to occur legally and without liability to the company. This suggests that white-hat worm technology is applicable in practice. However, the role of this white-hat worm is restricted to fixing vulnerabilities; it does not exterminate a malicious botnet.
Yamaguchi [7] defined a white-hat worm as a worm that drives out the Mirai botnet and then deletes itself. It is characterized by two attributes: secondary infection possibility and lifespan. Secondary infection possibility is the probability that the worm can reinfect a device already infected by Mirai; this enables the worm to regain the device from Mirai. Lifespan is a temporal constraint on how long the worm can exist on a device; it forces the worm to destroy itself so that it does not stay on the recovered device. These characteristics make the white-hat worm radically different from Hajime.

PN² Model
Yamaguchi regarded the battle between Mirai and the white-hat worm as a multi-agent system and expressed it with agent-oriented Petri nets, called PN². For details of Petri nets and PN², refer to Refs. [8,9]. A PN² is, intuitively, a Petri net (known as the environment net) whose tokens are again Petri nets (known as agent nets). Figure 1 shows a PN² model representing the battle. Figure 1a-e respectively show the agent nets representing device device1, device device3, Mirai, device device2 and the white-hat worm. Figure 1f shows the environment net representing an IoT system composed of three network nodes. Each place represents a network node. Each token represents an agent, such as Mirai, the white-hat worm, or an IoT device, and corresponds to one of the agent nets. Each node has one device. Device device1 at place P1 is infected by Mirai. Device device2 at place P2 is normal. Device device3 at place P3 is infected by the white-hat worm. Each transition represents an action of one agent or an interaction among two or more agents. Whether an action can occur is decided based on the state of the related agents. The red transitions of the environment net in Figure 1f are those that can occur. Let us fire transition T214. This action means that the white-hat worm at P3 produces a copy of itself at P2, and the copy infects device2. Figure 2 shows the state after this action occurs. Note that transition T113 has become disabled and can no longer occur. This means that the worm at P2 protects device2 from the Mirai at P1.
Yamaguchi performed a simulation evaluation with a tool known as PN2Simulator [15]. In Ref. [7], he revealed the following properties relating a white-hat worm's capability (lifespan ℓ, secondary infection possibility ρ) to its effect: (i) if ℓ is short, the worm becomes extinct in the course of time; (ii) if ρ is high, the worm is effective regardless of ℓ; and (iii) if ℓ is long, the worm is effective even if ρ is low. However, there was no discussion of how to systematically launch the white-hat worm in response to Mirai's infection situation.

Concept and Design
We propose a cyber-security system, named Botnet Defense System (BDS), that defends IoT systems against malicious botnets. Attackers use botnets to attack IoT systems. Imitating this, defenders might also be able to use botnets to defend those systems. This so-called "Fight fire with fire" is the concept of BDS. BDS realizes this concept and enables defenders to fight malicious botnets with a white-hat botnet.
The distinctive feature of BDS is its use of the white-hat worm and its botnet. This can greatly increase the defense ability because the white-hat worm and its botnet can protect devices from a malicious botnet and drive it out, instead of humans having to do so. However, since they are autonomous agents, we need to manage them to produce the appropriate effect. BDS plans a strategy in response to the malicious botnet's type and infection situation and carries out the management according to that strategy.
We adopt a component-based architecture to design BDS. This enables us to research and develop the functionalities using components as the unit, and further to realize a required BDS quickly and flexibly by combining components. A BDS consists of four components: monitor, strategy planner, worm launcher, and command and control (C&C) server. The BDS operates according to the following procedure (see Figure 3):

• The monitor component watches over a specified IoT system. This activity itself may be done through a white-hat worm. If it detects a malicious botnet, it investigates and reports information such as the botnet type and its infection situation.

• The strategy planner component makes a strategy against the malicious botnet based on the information reported by the monitor component.

• The worm launcher component sends white-hat worms into the IoT system based on the strategy and constructs a white-hat botnet.

• The C&C server component commands and controls the white-hat botnet to drive out the malicious botnet.

Note that this procedure is executed repeatedly.

Strategies
The BDS uses a white-hat worm to build its botnet and then uses that botnet to drive out the malicious botnet. The result varies depending on the strategy adopted by the BDS; therefore, strategy studies are essential to produce the intended results. Strategies can be roughly divided into two categories: launch strategies and C&C strategies. Launch strategies specify how to launch a white-hat worm to build its botnet. C&C strategies specify how to command and control the botnet to drive out malicious botnets. In this paper, we focus on launch strategies because their result influences the planning of C&C strategies.
We first formalize the launch strategies. Once the monitor component detects a malicious botnet, it reports information such as its type and infection situation. We assume that the malicious botnet is Mirai and that its infection situation is captured by its infection rate R Mirai . R Mirai is defined in terms of # nodes and # Mirai , where # nodes is the number of network nodes and # Mirai is the number of nodes infected by Mirai, i.e., the number of Mirai bots. The strategy planner component makes a launch strategy based on the value of R Mirai , the specification of the targeted IoT system, and the capability of the available white-hat worm. An IoT system's specification is given as # nodes , the network topology N topology ∈ {Grid, Tree, · · · }, and the network density N density . N density is defined in terms of # AC and # PC , where # AC is the number of actual connections and # PC is the number of potential connections. A white-hat worm's capability is given as the worm's lifespan ℓ and secondary infection possibility ρ.
We give a formal definition of a launch strategy as follows.
Definition 1 (Launch Strategy). Let R Mirai be a Mirai's infection rate, (# nodes , N topology , N density ) be an IoT system's specification, and (ℓ, ρ) be a white-hat worm's capability. Let # White be the number of white-hat worms to launch. A launch strategy L is a mapping that takes (R Mirai , (# nodes , N topology , N density ), (ℓ, ρ)) to # White .

All-Out Launch Strategy
To begin, we give a launch strategy called All-Out as a baseline for strategy studies. This strategy launches as many white-hat worms as possible. The formal definition is as follows.
Strategy 1 (All-Out Launch Strategy L All-Out ). For a Mirai's infection rate R Mirai , an IoT system's specification (# nodes , N topology , N density ) and a white-hat worm's capability (ℓ, ρ), the All-Out launch strategy L All-Out is a mapping that dispatches the white-hat worm to all nodes other than Mirai bots, i.e., # White = # nodes − # Mirai . Figure 4 shows an application example of L All-Out . This IoT system has a grid-topology network composed of 5 × 5 = 25 nodes, whose network density is 13.3% (= (2 × 40)/(25 × 24)), i.e., its specification is (# nodes , N topology , N density ) = (25, Grid, 13.3%). Figure 4a shows the state when the BDS detected a Mirai botnet. There are six Mirai bots, i.e., # Mirai = 6. According to L All-Out , the number of white-hat worms to launch is # White = # nodes − # Mirai = 19. The BDS dispatches the worm to the 19 non-bot nodes as shown in Figure 4b.
Obviously, the number (# nodes − # Mirai ) of Equation (4) is the upper limit on the number to launch. Therefore, when the BDS adopts this strategy, we can expect the white-hat worm and its botnet to exert the maximum effect against the Mirai botnet. However, L All-Out forces the BDS to launch this upper number of white-hat worms regardless of Mirai's infection situation, the IoT system's specification, and the worm's capability. Extra white-hat worms would place an unnecessary load on the IoT system.
Moreover, a too-large white-hat botnet may be difficult to control, because not all network nodes are necessarily observable and controllable.

Few-Elite Launch Strategy
Let us take the white-hat worm's capability (lifespan ℓ, secondary infection possibility ρ) into consideration. As mentioned in Section 2.3, there are two conditions under which the worm becomes effective: one is that ρ is high, the other is that ℓ is long. We propose a launch strategy called Few-Elite by introducing these conditions.

Strategy 2 (Few-Elite Launch Strategy L Few-Elite ). For a Mirai's infection rate R Mirai , an IoT system's specification (# nodes , N topology , N density ) and a white-hat worm's capability (ℓ, ρ), the Few-Elite strategy L Few-Elite is a mapping defined in terms of # elite , α and θ, where # elite is the number of worms to launch when the worm's capability is sufficient, α is a weight coefficient and θ is a threshold.
This launch strategy L Few-Elite launches only a limited number # elite if the worm has a high secondary infection possibility or a long lifespan. Otherwise, it launches as many worms as possible, in the same way as L All-Out . Figure 5 shows an application example of L Few-Elite . The IoT system used in this example and its infection situation are the same as those of Figure 4a. Assume that # elite = 5, α = 20 and θ = 120. Let the available worm's capability be (ρ = 75%, ℓ = 3 steps). According to L Few-Elite , the number of white-hat worms to launch is # White = # elite = 5 because ρ + αℓ = 75 + 20 × 3 = 135 > θ = 120 holds. The BDS launches only five worms as shown in Figure 5a. As another case, assume that the worm's capability is (ρ = 25%, ℓ = 3 steps). According to L Few-Elite , # White is calculated as # nodes − R Mirai · # nodes = # nodes − # Mirai = 19 because ρ + αℓ = 25 + 20 × 3 = 85 > θ = 120 does not hold. The BDS launches the upper number, in the same way as L All-Out , as shown in Figure 5b.

Environment-Adaptive Strategy
Mirai and the white-hat worm use the network of an IoT system to spread themselves; therefore, their spread is influenced by the network, and we should introduce this influence into a strategy. The IoT system's specification is given as (number of network nodes # nodes , network topology N topology , network density N density ). We focus on N density , because some networks have different topologies but the same density, and Ref. [7] indicated that # nodes is less important than the worm's capability. We propose a launch strategy called Environment-Adaptive to compensate for the influence of the network.

Strategy 3 (Environment-Adaptive Launch Strategy L Env-Adaptive ). For a Mirai's infection rate R Mirai , an IoT system's specification (# nodes , N topology , N density ) and a white-hat worm's capability (ℓ, ρ), the Environment-Adaptive strategy L Env-Adaptive is a mapping L Env-Adaptive : (R Mirai , (# nodes , N topology , N density ), (ℓ, ρ)) ↦ # White , where 2/# nodes is the minimum density of a connected network composed of # nodes nodes and β is a weight coefficient.
This launch strategy L Env-Adaptive launches # elite worms if and only if the worm's capability is sufficient and the network density is not low; otherwise, the upper number is launched. Figure 6 shows an application example of L Env-Adaptive . Let us consider two IoT systems. They have the same number of nodes (# nodes = 25) but different network topologies. One has the grid topology shown in Figure 6a; the other has the tree topology shown in Figure 6b. Let α = 20 and θ = 120 as in the previous example. Assume that the available worm's capability is (ρ = 75%, ℓ = 3 steps). This worm has sufficient capability because ρ + αℓ = 75 + 20 × 3 = 135 > θ = 120 holds. Assume that # elite = 5 and β = 1.2. The threshold of network density is then β · 2/# nodes = 1.2 × 2/25 = 9.6%. First, consider the grid topology. Since # AC = 2√# nodes (√# nodes − 1) = 40, N density is calculated as (2 × 40)/(25 × 24) = 13.3% by Equation (2). According to L Env-Adaptive , # White = # elite = 5 because the worm's capability is sufficient and N density = 13.3% > β · 2/# nodes = 9.6%. The BDS launches only five worms as shown in Figure 6a. Next, consider the tree topology. Since # AC = # nodes − 1 = 24, N density is calculated as (2 × 24)/(25 × 24) = 8.0% by Equation (2). According to L Env-Adaptive , # White is the upper number because N density = 8.0% < β · 2/# nodes = 9.6%. Even though the worm has sufficient capability, the BDS launches the upper number to compensate for the influence of the network, as shown in Figure 6b.
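The three launch strategies above (All-Out, Few-Elite and Environment-Adaptive) are what the strategy planner component computes from the monitor's report. The following Python is an added example, not code from the paper or from any BDS implementation: it implements the three strategies as pure functions and reproduces the worked figures above (25-node grid at 13.3% density, 25-node tree at 8.0%, six Mirai bots, α = 20, θ = 120, # elite = 5, β = 1.2). All function and field names are this example's own. Two assumptions are made explicit in the code: N density is computed as 2 · # AC /(# nodes (# nodes − 1)), which is how the paper's 13.3% figure is obtained, and ρ is expressed in percent so that the condition ρ + αℓ > θ matches the numbers in the text.

```python
"""Launch-strategy planner for a Botnet Defense System (BDS).

Added example, not code from the paper. It implements the three launch
strategies (All-Out, Few-Elite, Environment-Adaptive) as pure functions and
reproduces the paper's worked figures. Names are this example's own.
"""
from dataclasses import dataclass
from typing import Callable, Literal

Topology = Literal["Grid", "Tree"]


@dataclass(frozen=True)
class IoTSpec:
    """IoT system specification (#nodes, N_topology, N_density)."""
    nodes: int
    topology: Topology
    density: float          # fraction, e.g. 0.1333 for 13.3%


@dataclass(frozen=True)
class WormCapability:
    """White-hat worm capability (ell, rho)."""
    lifespan: int           # ell, in simulation steps
    rho: float              # secondary infection possibility, in percent


def actual_connections(nodes: int, topology: Topology) -> int:
    """#AC for the two topologies used in the paper.

    Grid: a sqrt(n) x sqrt(n) lattice has 2*sqrt(n)*(sqrt(n)-1) edges.
    Tree: a spanning tree on n nodes has n-1 edges (sparsest connected network).
    """
    if topology == "Grid":
        side = round(nodes ** 0.5)
        if side * side != nodes:
            raise ValueError("grid topology needs a square number of nodes")
        return 2 * side * (side - 1)
    if topology == "Tree":
        return nodes - 1
    raise ValueError(f"unsupported topology {topology!r}")


def network_density(nodes: int, topology: Topology) -> float:
    """N_density as a fraction.

    Assumption: 2 * #AC / (#nodes * (#nodes - 1)), which is how the paper's
    13.3% figure for the 25-node grid is obtained ((2 x 40) / (25 x 24)).
    """
    return 2 * actual_connections(nodes, topology) / (nodes * (nodes - 1))


def infection_rate(mirai_bots: int, nodes: int) -> float:
    """R_Mirai = #Mirai / #nodes, as a fraction."""
    return mirai_bots / nodes


def upper_limit(r_mirai: float, nodes: int) -> int:
    """#nodes - R_Mirai * #nodes = #nodes - #Mirai: every node that is not a Mirai bot."""
    return round(nodes - r_mirai * nodes)


def capability_sufficient(cap: WormCapability, alpha: float, theta: float) -> bool:
    """Capability test shared by Few-Elite and Environment-Adaptive: rho + alpha*ell > theta."""
    return cap.rho + alpha * cap.lifespan > theta


def all_out(r_mirai: float, spec: IoTSpec, cap: WormCapability, **_) -> int:
    """Strategy 1: always launch the upper limit, whatever the capability or network."""
    return upper_limit(r_mirai, spec.nodes)


def few_elite(r_mirai, spec, cap, elite=5, alpha=20, theta=120, **_) -> int:
    """Strategy 2: launch only #elite worms when the worm's capability is sufficient."""
    if capability_sufficient(cap, alpha, theta):
        return elite
    return upper_limit(r_mirai, spec.nodes)


def env_adaptive(r_mirai, spec, cap, elite=5, alpha=20, theta=120, beta=1.2) -> int:
    """Strategy 3: as Few-Elite, but also require the network not to be sparse.

    2/#nodes is the density of a spanning tree, i.e. the minimum density of a
    connected network on #nodes nodes; beta scales that threshold.
    """
    min_density = 2 / spec.nodes
    if capability_sufficient(cap, alpha, theta) and spec.density > beta * min_density:
        return elite
    return upper_limit(r_mirai, spec.nodes)


Strategy = Callable[..., int]


def plan(strategy: Strategy, mirai_bots: int, nodes: int,
         topology: Topology, cap: WormCapability, **params) -> int:
    """Strategy planner step: derive R_Mirai and the system specification from
    the monitor's report (#Mirai, #nodes, topology), then apply the strategy."""
    spec = IoTSpec(nodes, topology, network_density(nodes, topology))
    return strategy(infection_rate(mirai_bots, nodes), spec, cap, **params)


if __name__ == "__main__":
    elite_worm = WormCapability(lifespan=3, rho=75)   # the (rho = 75%, ell = 3) worm of the examples
    for name, strategy in (("All-Out", all_out), ("Few-Elite", few_elite),
                           ("Env-Adaptive", env_adaptive)):
        for topology in ("Grid", "Tree"):
            worms = plan(strategy, 6, 25, topology, elite_worm)
            print(f"{name:12s} {topology:4s}: launch {worms} worms")
```

Running the script prints 19 worms for All-Out on both topologies, 5 for Few-Elite on both, and 5 (grid) versus 19 (tree) for Environment-Adaptive, which is exactly the divergence between Figures 6a and 6b: Few-Elite looks only at the worm, while Environment-Adaptive also refuses to rely on five worms when the network is as sparse as a tree.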

Simulation Evaluation
We evaluated BDS and the proposed launch strategies through simulation of the PN² model representing the battle between the Mirai botnet and the white-hat botnet.

Simulation
We performed a simulation experiment to evaluate BDS and the strategies with PN2Simulator [15]. The PN² model described in Section 2.3 can represent the dynamic behavior under various conditions. Figure 7 shows how to translate an IoT network into a PN² model. This network's specification is (# nodes , N topology , N density ) = (25, Tree, 8.0%). Let us examine the 9th node. This node connects to four nodes: the 4th, 8th, 10th and 14th. Each colored connection corresponds to the part of the PN² with the same color. Next, let us examine the 19th node. This node does not connect to the 14th node; therefore, it would be translated into the model without the part colored in red.
We used R Mirai as the index to evaluate BDS and its strategies. The value of R Mirai varies as the simulation progresses. Therefore, we write it as a function R Mirai (t) of the step number t, and set t = 0 when a BDS detects a Mirai botnet and launches the white-hat worms. For example, R Mirai (0) denotes Mirai's infection rate when the BDS detects the Mirai botnet, and R Mirai (1000) denotes Mirai's infection rate after 1000 steps. In the same way, we define # Mirai (t) and # White (t), where # White is the number of nodes infected by the white-hat worm, i.e., the number of white-hat bots. We measured R Mirai (1000) by changing the following parameters.

Discussion
First, let us discuss the case of the grid topology. Table 1 shows the result when # Mirai (0) = 6, i.e., R Mirai (0) = 24.0%, and (# nodes , N topology , N density ) = (25, Grid, 13.3%). R Mirai (1000) decreased with increasing # White (0). It also decreased with increasing secondary infection possibility ρ. Comparing Table 1a-c to see the influence of lifespan ℓ, we found that R Mirai (1000) decreased with increasing ℓ. Next, let us see Table 2, which shows the result when the initial number of Mirai bots is twice that of Table 1. Each value became slightly larger because the initial number of Mirai bots increased, but the trend was the same.
Let us discuss the effect of the proposed strategies. R Mirai (1000) decreased almost monotonically with increasing # White (0). This result backs up the validity of L All-Out . However, white-hat bots are a double-edged sword: they defend the IoT system against Mirai bots, but they waste the system's resources if they stay there even after exterminating all the Mirai bots. L Few-Elite and L Env-Adaptive can reduce # White (0) compared with L All-Out . In Table 1, the yellow highlighted cells show the results when only 5 worms were launched instead of 19. When the worm's lifespan was short (see Table 1a), i.e., ℓ = 1, all the strategies launched 19 worms because the worm's capability was judged insufficient according to Equation (7). When ℓ = 3 and ρ ≥ 75% (see Table 1b), L Few-Elite and L Env-Adaptive launched only five worms. These strategies reduced # White (0) from 19 to 5 while increasing R Mirai (1000) by at most 2.2%. When ℓ = 5 and ρ ≥ 25% (see Table 1c), L Few-Elite and L Env-Adaptive reduced # White (0) from 19 to 5 almost without changing R Mirai (1000). Moreover, as shown in Table 2, even though the initial number of Mirai bots was doubled, if the given worm has enough capability, L Few-Elite and L Env-Adaptive reduced # White (0) to five while increasing R Mirai (1000) by at most 1.0%. From the above, we can say that L Few-Elite and L Env-Adaptive are effective for IoT systems with the grid topology.
Next, let us discuss the case of the tree topology. Table 3 shows the result when # Mirai (0) = 6, i.e., R Mirai (0) = 24.0%, and (# nodes , N topology , N density ) = (25, Tree, 8.0%). R Mirai (1000) decreased with increasing # White (0), ρ or ℓ. However, compared with the result of Table 1, the reduction of R Mirai (1000) was significantly smaller. This means that a network with low density restrains the white-hat bots' activities. Next, let us see Table 4, which shows the result when the initial number of Mirai bots is twice that of Table 3. As in the case of the grid topology, each value became slightly larger, but the trend was the same.
Next, let us discuss the effect of the proposed strategies. In Tables 3 and 4, the yellow highlighted cells show the results when only 5 worms were launched. As in the case of the grid topology, L Few-Elite reduced # White (0) to five based on the worm's capability alone. Meanwhile, L Env-Adaptive did not reduce # White (0) under that condition because the network density is low, i.e., N density = 8.0% < 1.2 × 2/# nodes = 1.2 × 2/25 = 9.6%. We should discuss the advantage and disadvantage of each. For instance, consider the result when ℓ = 3 and ρ = 75% in Table 3b. L Few-Elite reduced # White (0) to five; however, R Mirai (1000) increased by 30.7%. The same holds for the other highlighted cells. We think that five worms were too few to produce enough effect under the restriction caused by the low-density network. From the above discussion, we can say that L Env-Adaptive is reasonable for IoT systems with the tree topology.

Conclusions
In this paper, we proposed the concept, design and basic strategies of the Botnet Defense System (BDS). Imitating "Fight fire with fire", we advocated the concept of BDS: "Fight botnet with botnet". When a BDS detects a malicious botnet, it plans a strategy against the botnet. Based on the planned strategy, the BDS sends a white-hat worm and builds its botnet on the IoT system. The BDS then uses the white-hat botnet to exterminate the malicious botnet. We adopted a component-based architecture and composed BDS from four components. Next, we studied strategies for launching white-hat worms. We formalized a launch strategy and proposed three concrete strategies. The All-Out strategy is a baseline for strategy studies and sends white-hat worms to all the non-bot nodes. The Few-Elite strategy can reduce the number of white-hat worms according to the worm's capability. The Environment-Adaptive strategy can adjust the number of white-hat worms based not only on the worm's capability but also on the IoT system's specification. We modeled the battle between Mirai botnets and white-hat botnets with the agent-oriented Petri net PN² and evaluated BDS and the proposed strategies through simulation of the PN² model. The simulation result shows that the Environment-Adaptive strategy is the best: it reduced the number of white-hat worms needed to 38.5% almost without changing the extermination rate for Mirai bots.
In future work, we will propose C&C strategies and combine them with the proposed launch strategies.