Article

Immune-Based Botnet Defense System: Multi-Layered Defense and Immune Memory †

by
Shingo Yamaguchi
Graduate School of Sciences and Technology for Innovation, Yamaguchi University, Ube 755-8611, Japan
This paper is an extended version of our paper published in Yamaguchi, S. An Antibody-Mediated Immune Mechanism in Botnet Defense System. In Proceeding of the 2024 International Conference on Future Technologies for Smart Society (ICFTSS), Kuala Lumpur, Malaysia, 7–8 August 2024.
Information 2025, 16(8), 680; https://doi.org/10.3390/info16080680
Submission received: 30 June 2025 / Revised: 24 July 2025 / Accepted: 6 August 2025 / Published: 8 August 2025
(This article belongs to the Special Issue Cyber Security in IoT)

Abstract

This paper proposes a novel defense mechanism inspired by the bioimmune response to effectively eliminate botnets that repeatedly infect IoT networks and describes the development of an Immune-Based Botnet Defense System (iBDS), incorporating this mechanism. Focusing on the roles of antibodies and phagocytes in the immune response, the iBDS implements a multi-layered defense using two types of worms: antibody worms and phagocyte worms. When a malicious botnet infects a network, the resident phagocyte worms immediately infect and eliminate the bots and prevent the infection from spreading in its early stages. This provides an immediate response in a similar way to innate immunity. On the other hand, if a malicious botnet infects the network and the phagocyte worms are unable to infect the bots, the antibody worms, instead, infect the bots and change their vulnerabilities to help the phagocyte worms infect and eliminate them. This provides an adaptive response in a similar way to acquired immunity. In addition, when the same botnet repeatedly infects the network, more antibody worms are used to produce a stronger response, similar to immune memory. The introduction of multi-layered defense and immune memory is an important novelty of this paper that is not found in traditional botnet defense system research. The experimental results from simulations and prototype implementations show that iBDS can effectively eliminate botnets that repeatedly infect IoT networks.

1. Introduction

In recent years, botnets have become a serious threat to cybersecurity [1]. A botnet is a network consisting of a large number of devices (bots) that are remotely controlled by a malicious attacker. The attacker uses the botnet to conduct a variety of cyber-attacks, including Distributed Denial of Service (DDoS) attacks, spamming, and cryptocurrency mining [2].
IoT networks are at particularly high risk of infection by botnets [3]. This is due to a complex combination of several factors. First, many IoT devices are released to the market without adequate security measures at the manufacturing stage and are therefore vulnerable. In particular, default passwords are often used without modification, which makes it easy for attackers to gain unauthorized access. Another major problem is that firmware and software updates for IoT devices tend to be delayed. Delayed updates leave known vulnerabilities unpatched, which makes the devices easy targets for attackers. Another issue that cannot be overlooked is the fact that botnets are cheaper and easier to obtain than ever before. According to Kaspersky’s report [4], ready-made botnets sell for as little as USD 99 on the Dark Web and can be rented for USD 30 per month. The combined effect of these factors is that IoT networks are under constant and serious threat of botnet infection.
In the past, technologies such as intrusion detection systems [5,6] and firewalls [7,8] have been used to combat botnets. Although these techniques are effective in mitigating threats, they do not eliminate botnets that have already spread. Rebooting infected devices and applying vulnerability patches are essential for elimination [9], but with the rapid growth of IoT devices, manual response is reaching its limits. A Botnet Defense System (BDS) [10] has been proposed as a promising approach to solve this problem. A BDS combats malicious botnets using white-hat botnets, embodying the principle of “fighting fire with fire.” This automatically eliminates malicious botnets without human intervention. However, traditional BDSs only address single infections and do not consider multiple infections. Simply addressing each infection individually would require rebuilding a white-hat botnet for each reinfection. A more efficient and effective response is needed.
In this paper, we propose a novel immune mechanism inspired by the immune response of the bioimmune system to effectively eliminate botnets that repeatedly infect IoT networks and describe the development of iBDS (Immune-Based Botnet Defense System) incorporating this mechanism. Focusing on the roles of antibodies and phagocytes in the immune response, iBDS implements a multi-layered defense using two types of worms: antibody worms and phagocyte worms. When a malicious botnet infects a network, phagocyte worms, which reside in the network, immediately respond, just as in innate immunity processes. If the phagocyte worms can infect the malicious bots, they directly infect and eliminate them. Otherwise, antibody worms, instead, infect the bots to help the phagocyte worms eliminate them, just as in the acquired immunity process. Concretely, the antibody worms change the vulnerabilities of the infected bots to enable the phagocyte worms to infect the bots. In addition, when the same botnet repeatedly infects the network, more antibody worms are used to produce a stronger response, just as in the immune memory process. The introduction of multi-layered defense and immune memory is an important novelty of this paper that is not found in traditional botnet defense system research. This allows iBDS to overcome the limitations of traditional BDS and provide an advanced defense to effectively eliminate botnets that repeatedly infect IoT networks.
We proposed an antibody-mediated immune mechanism in a BDS in a conference paper [11]. The mechanism is limited to only acquired immunity and, in addition, does not include immune memory. This study, which expands on the conference paper, makes the following new contributions: A multi-layered defense architecture and design called the iBDS system, which includes not only acquired immunity but also innate immunity; a mechanism of immune memory that provides a rapid and powerful response to reinfection; an analysis of its prototype implementation and the experimental results after using it.
The three main contributions of this paper are as follows:
  • Proposal of an IoT Botnet Defense Mechanism mimicking the bioimmune system: Focusing on the roles of antibodies and phagocyte cells in the bioimmune system, we developed two types of worms, antibody worms and phagocyte worms, and proposed utilizing them to apply a multi-layered defense mechanism, consisting of innate immunity and adaptive immunity, in IoT botnet defense.
  • Development of an immune memory function for repeated infections: For botnets that repeatedly infect systems, we developed an immune memory function. This function enables the system to respond more quickly and effectively, and it improves defense efficiency and robustness.
  • Implementation and evaluation of an iBDS prototype: To demonstrate the concept of our proposed iBDS, we implemented a prototype. Its effectiveness has been confirmed through simulations and experiments in actual IoT environments.
The paper is organized as follows: After the introduction in Section 1, Section 2 provides an overview of the current state of bioimmune systems and cybersecurity research inspired by it, and it clarifies the issues and positioning that this research should address. Section 3 presents the basic concept of iBDS and the roles and coordination of two types of worms, antibody worms and phagocyte worms, that implement the concept. Section 4 presents a multi-layered defense mechanism composed of innate and acquired immunity and the function of immune memory to effectively eliminate botnets that repeatedly infect IoT networks. Section 5 presents the prototype implementation of iBDS and the experimental results in a real IoT environment. Based on simulation and prototype results, we evaluate the effectiveness of iBDS and discuss its current limitations and future improvements. Finally, Section 6 summarizes this research and discusses future work.

2. Bioimmune-Inspired Cybersecurity: Overview and Research Positioning

This section outlines the state of the art in bioimmune systems and bioimmune-inspired cybersecurity research and clarifies the issues and position of this paper.

2.1. Bioimmune System

The bioimmune system protects organisms from pathogens and other foreign substances. It consists of various organs and cells that recognize and eliminate invading pathogens. When a pathogen enters the body, the immune response is triggered. This is a series of defensive reactions initiated by the system. Immune responses are broadly divided into two categories: innate immunity and acquired immunity [12]. In innate immunity, phagocytes such as neutrophils are primarily responsible for eliminating pathogens. Innate immunity is characterized by a rapid onset of action. In contrast, antibodies play an important role in acquired immunity. Antibodies target pathogens by specifically binding to them and facilitating their elimination via phagocytes. This effect is called the opsonin action. Although acquired immunity takes more time to respond than innate immunity, it is characterized by adaptive defense. In addition, acquired immunity has a function of immune memory, which responds more strongly when a pathogen that has once infected the body re-invades. The immune response to the initial invasion of the pathogen is called the primary immune response, and the response to reinvasion is called the secondary immune response. These functions enable the organism to achieve a sophisticated defense mechanism to effectively eliminate pathogens that repeatedly infect the body.

2.2. Bioimmune-Inspired Cybersecurity Research Overview

In the field of cybersecurity, research is underway on technologies that use the mechanisms of the bioimmune system to protect computer systems from cyberattacks [13]. This approach differs from conventional security measures and is expected to be flexible enough to respond to a wide variety of threats. Representative techniques include the negative selection algorithm [14], the clonal selection algorithm [15], and the immune network algorithm [16]. Table 1 summarizes the respective objectives and main contributions of the related studies and the techniques used.
The negative selection algorithm [14] is an algorithm inspired by the discrimination mechanism between “self” and “non-self” in the bioimmune system. First, it learns the behavior of a normal system as a “self” pattern. Then, when new data is input from the monitored system, it is checked to see whether it matches the learned “self” pattern. If it does not match, the data is detected as “non-self”, i.e., abnormal data. Pamukov et al. [17] proposed a lightweight intrusion-detection algorithm for IoT devices that combines a negative selection algorithm and a neural network. The algorithm has two layers. The upper negative selection algorithm layer learns only normal network behavior and generates a training dataset. The lower neural network layer performs the actual classification using the generated training dataset. This multi-layered structure frees IoT devices from computationally intensive training. Bereta [18] proposed a negative selection algorithm for unsupervised anomaly detection. It works on datasets with a small number of anomalies and improves performance with nearest neighbor sampling and ensembles. The algorithm performs well, especially in terms of reproducibility. This suggests that it is effective when it is important to detect all anomalies, even if false positives increase.
The clonal selection algorithm [15] is an algorithm inspired by the theory of clonal selection. According to this theory, when an antigen enters the body, B cells with antibodies compatible with that antigen are selected, proliferate (clone), and produce large numbers of antibodies. More specialized detectors are produced for the detected abnormality, increasing the ability to respond. Chao et al. [19] proposed a malware-detection system that combines negative selection and clone selection. In particular, the clone selection algorithm is used to increase the diversity of the detector set and improve the ability to detect unknown malware. They show that clone selection plays an important role in improving the detection and generalization performance of malware-detection systems. Zhang et al. [20] proposed a fuzzy clustering method based on the clonal selection algorithm to improve the accuracy and stability of anomaly detection in network security management. Taking advantage of the characteristics of the clonal selection algorithm, the method prevents the clustering process from falling into a local optimal solution and promotes the search for the global optimal solution. This enables efficient detection of anomaly patterns from large and complex data. Yang et al. [21] proposed an algorithm to solve the problem of random updates in the clone selection algorithm, leading to concentration on the local optimal solution. The proposed improved algorithm efficiently directs antibodies to the global optimal solution by introducing a crowding factor and removing crowded low-affinity antibodies. This optimization of antibody updating could contribute to finding more efficient and accurate optimal solutions in complex problems such as botnet detection.
The immune network algorithm [15] is an algorithm inspired by the immune network theory of the bioimmune system. According to this theory, the immune system is viewed as a network of interacting cells rather than as a collection of individual immune cells. Multiple detectors work together, and the entire network responds to threats. Based on the immune network theory, de Castro et al. [16] proposed an immune network algorithm, aiNet. aiNet dynamically changes its network structure according to the interaction between antigens and antibodies. It has been applied to solve various problems such as clustering and pattern recognition. Rassam et al. [22] proposed a clustering method using aiNet to reduce false alarms in anomaly-based IDS. The method first extracts important features from the dataset using rough set theory to reduce redundant information. Then, aiNet is applied using the reduced features to cluster the attack patterns. Experimental results show that using only important features improves the detection rate of IDSs, indicating that aiNet is effective in detecting unknown attack patterns. Le et al. [23] proposed a smart virus-detection system that can classify files as benign or malware with a highly accurate detection rate. The approach is based on aspects of artificial immune systems, using artificial immune networks as a pool for creating and developing virus detectors that can detect unknown data. The method is able to achieve an average detection rate of 99.08% with a very low false positive rate. Shi et al. [24] proposed a new model called UADAIN, which is an unsupervised anomaly detection approach based on aiNet. First, they cluster the network data with aiNet and find the cluster centers of each cluster. Next, these cluster centers are roughly divided into normal and abnormal groups. Then, when new data arrives, it detects whether it is abnormal or not by determining which group it is closer to. 
The self-learning ability and dynamic network structure of aiNet are suggested to adapt to unknown abnormal patterns, resulting in a high detection rate and low false positive rate.

2.3. Uniqueness of This Research

In addition to bio-inspired approaches, three primary methods are widely used for botnet countermeasures: detection, mitigation, and prevention of spread. Detection techniques identify the presence of botnets on a network. Key approaches include signature-based, anomaly-based, honeypot-based, and machine learning–based methods. Recently, machine learning has played an increasingly important role in identifying complex botnet patterns. Recently, AlSobeh et al. [25] proposed Time-Aware Machine Learning (TAML) for Android malware detection and emphasized the importance of time in addressing evolving malware threats. Mitigation techniques reduce or block traffic generated by malicious botnets. De Caldas Filho et al. [26] proposed a distributed architecture composed of host-based IDPS (Intrusion Detection and Prevention Systems), network-based IDPS, and an orchestrator. The orchestrator uses federated learning to generate defensive rules in response to detected threats and distributes them to IoT devices to stop attacks at their source. Spread prevention techniques halt the propagation of existing botnets, with firewalls playing a crucial role. While rule-based detection is currently prevalent, research into behavior-learning detection using machine learning is advancing. However, existing models face challenges regarding performance improvement and the explainability of their predictions. Kundu et al. [27] addressed this by developing a new deep learning model with the capability of explaining its decisions for botnet detection and classification.
In reviewing the current state of cybersecurity research, it is clear that previous studies have focused primarily on malware detection. However, the purpose of this research is to eliminate malware. This fundamental difference in goals clearly distinguishes this research from existing research. Furthermore, previous studies have used techniques that mimic various aspects of the bioimmune system, such as negative selection, clonal selection, and immune networks. In contrast, this study aims to improve cybersecurity by developing a new technique that focuses on immune responses. In other words, it differs from previous studies in the technology used. In addition, iBDS addresses the more realistic and complex challenge of effectively disinfecting botnets that repeatedly infect IoT networks. Traditional BDSs only address single infections and do not account for multiple infections. Rebuilding a white-hat botnet for each reinfection may not be efficient. In contrast, iBDS targets multiple infections and aims to efficiently and effectively disinfect malicious botnets that infect the network multiple times. This will reduce the cybersecurity threats caused by multiple infections, which are difficult to deal with using traditional disinfection methods, and contribute to establishing a stronger defense system.

3. Basic Concept of iBDS and Cooperation Between Phagocyte Worms and Antibody Worms

With the explosion of IoT devices, botnet attacks have become a serious threat. IoT devices are not only numerous but also widely distributed and vulnerable, making them prime targets for cyberattacks. Attackers exploit these vulnerabilities to repeatedly infect networks with botnets. Even if rebooting a device temporarily eliminates the bots, unless the underlying vulnerability is fixed, the device will be reinfected within minutes, making manual intervention impractical. The effective elimination of botnets that repeatedly infect IoT networks is a matter of urgency.
We propose a new defense mechanism inspired by the biological immune response and an immune-based botnet defense system (iBDS) that incorporates this mechanism. Focusing on the roles of antibodies and phagocytes in immune responses, iBDS implements a multi-layered defense using two types of worms: antibody worms and phagocyte worms. When a malicious botnet infects a network, the resident phagocyte worms immediately infect and eliminate the bots, preventing the initial spread of infection. This produces an immediate response similar to that of innate immunity. On the other hand, if a malicious botnet infects the network and the phagocyte worms are unable to infect the bots, the antibody worms instead infect the bots and change their vulnerabilities so that the phagocyte worms can infect and eliminate them. This results in an adaptive response similar to acquired immunity. Furthermore, if the same botnet repeatedly infects the network, more antibody worms are used, generating a stronger response, similar to immune memory. Because these worms spread autonomously across the network, malicious bots can be eliminated without human intervention. iBDS provides an efficient and sustainable solution to the challenge of repeated botnet infections in IoT networks.
This section describes the basic concept of iBDS and the roles and cooperation of the two types of worms: phagocyte worms and antibody worms.

3.1. Basic Concept of iBDS

iBDS is a cybersecurity system designed to effectively eliminate malicious botnets that repeatedly infect IoT networks. It is characterized by a multi-layered defense mechanism inspired by the cooperation between antibodies and phagocyte cells in the bioimmune system.
iBDS utilizes the following two types of worms.
  • Phagocyte worms: These worms directly eliminate malicious botnets. They infect malicious bots and remove malicious worms from them.
  • Antibody worms: These worms help phagocyte worms eliminate malicious botnets. When phagocyte worms cannot directly infect malicious bots, antibody worms, instead, infect the bots and change their vulnerabilities to allow phagocyte worms to infect them.
iBDS provides a multi-layered defense through the collaboration of phagocyte and antibody worms. When a malicious botnet infects the network, phagocyte worms provide the first layer of defense against the botnet. Since phagocyte worms reside on the network, they can immediately infect and disinfect its malicious bots to stop the spread of the botnet in its early stages. If the phagocyte worms cannot infect the bots, the antibody worms provide the second layer of defense against the botnet. Antibody worms infect the malicious bots instead of the phagocyte worms and change their vulnerabilities. This enables phagocyte worms to infect and disinfect them. In addition, iBDS introduces the concept of immune memory to strengthen defense against reinfection. If the same botnet infects the network again, a stronger response is triggered by the deployment of more antibody worms.
iBDS works according to the following five steps, and Steps 2 through 5 are repeated until the end of the operation (see Figure 1).
  1. Deploy phagocyte worms: iBDS deploys phagocyte worms on the IoT network and establishes a resident phagocyte botnet.
  2. Detect malicious botnet: iBDS continuously monitors the network to detect a malicious botnet that an attacker creates using malicious worms.
  3. Plan strategy: iBDS plans a strategy to effectively eliminate the detected malicious botnet.
  4. Deploy antibody worms: iBDS deploys the antibody worm and builds an antibody botnet based on the developed strategy.
  5. Command and control botnets: iBDS commands and controls the antibody and phagocyte botnets to effectively eliminate the malicious botnet.

3.2. Design of Phagocyte Worms and Antibody Worms

We design phagocyte and antibody worms and their interactions as a multi-agent system. This design provides the basis for explaining how those worms contribute to a multi-layered defense.
Each worm has a role and a lifecycle as follows: Malicious worms that repeatedly infect IoT networks and cause cyberattacks multiply indefinitely and can only be removed by phagocyte worms. Phagocyte worms do not multiply but reside in the network like innate immunity, directly eliminating malicious botnets and immediately preventing the spread of infection in its early stages. In contrast, antibody worms are deployed as needed with a time limit to assist in eliminating botnets that phagocyte worms cannot infect. Antibody worms also do not multiply and are removed by phagocyte worms when their lifespan expires or when bound malicious worms are removed, but they generate a stronger response (as in the immune memory process) against repeated infections.
Specificity is important in the immune system. In iBDS, specificity is expressed in terms of security holes and exploits. For a security hole $h_i$, let $x_i$ denote an exploit that takes advantage of $h_i$. A single vulnerability consists of one or more security holes, and all corresponding exploits are required to exploit it. Formally, let $H$ and $X$, respectively, denote the sets of security holes and exploits. Exploiting a vulnerability $V = \{h_1, h_2, \ldots, h_n\}$ $(\subseteq H)$ requires the exploits $\{x_1, x_2, \ldots, x_n\}$ $(\subseteq X)$.
A device $d$ has zero or more vulnerabilities. The set of vulnerabilities of $d$ is denoted by $V(d)$ $(\subseteq 2^H)$. For example, a device may have the set of vulnerabilities $\{\{h_1\}, \{h_2\}, \{h_3, h_4\}\}$, where the vulnerability $\{h_3, h_4\}$ consists of two security holes. Exploiting this vulnerability requires two exploits: $x_3$ and $x_4$.
A worm $w$ has one or more exploits and can alter the set of vulnerabilities of an infected target. $X(w)$ $(\subseteq X)$ denotes the set of exploits that $w$ has. $V^-(w)$ $(\subseteq 2^H)$ denotes the set of vulnerabilities that $w$ removes from the target. $V^+(w)$ $(\subseteq 2^H)$ denotes the set of vulnerabilities that $w$ adds to the target. The worm has a lifespan, with a value in $\mathbb{N} \cup \{\infty\}$, that defines how long it can survive, and it self-destructs when its useful life expires.
There are three types of interactions between a worm and a device or bot: infection, separation, and disinfection.
The action by which a worm enters a device and becomes a bot is called infection. A worm $w$ is said to be able to infect a device $d$ if $w$ has all the exploits necessary to exploit one of the vulnerabilities of $d$, i.e., if $\exists V \in V(d), \forall h_i \in V, x_i \in X(w)$. When $w$ infects $d$, they form a bot, denoted by $d w$. To prevent the other worms from infecting the bot, $w$ changes $V(d)$ to $V(d w) = V(d) \setminus V^-(w) \cup V^+(w)$. In addition, a worm can infect an existing bot and become a part of it. When $n$ worms $w_1, w_2, \cdots$, and $w_n$ sequentially infect a device $d$, the resulting bot is represented as $d w_1 w_2 \cdots w_n$, and its vulnerability set $V(d w_1 w_2 \cdots w_n)$ is given recursively as follows:
$$V(d w_1 w_2 \cdots w_n) = \begin{cases} V(d) \setminus V^-(w_1) \cup V^+(w_1) & \text{if } n = 1 \\ V(d w_1 w_2 \cdots w_{n-1}) \setminus V^-(w_n) \cup V^+(w_n) & \text{otherwise} \end{cases}$$
A worm $\omega$ is said to be able to infect a bot $d w_1 w_2 \cdots w_n$ if $\omega$ has all the exploits necessary to exploit one of the vulnerabilities of $d w_1 w_2 \cdots w_n$, i.e., if $\exists V \in V(d w_1 w_2 \cdots w_n), \forall h_i \in V, x_i \in X(\omega)$. When $\omega$ infects $d w_1 w_2 \cdots w_n$, they form a bot, denoted by $d w_1 w_2 \cdots w_n \omega$.
A worm that last infected a device may not stay on that device but may move to another device and cause a new infection. The action by which a worm moves from one infected device to another is called separation. However, if a worm has infected a malicious bot, it cannot separate from the bot because the priority is to remove its malicious worms. A worm $\omega$ in a bot $d w_1 w_2 \cdots w_n \omega$ is said to be able to separate from $d w_1 w_2 \cdots w_n \omega$ if none of $w_1, w_2, \ldots, w_n$ are malicious worms. When $\omega$ separates from $d w_1 w_2 \cdots w_n \omega$, the resulting bot is $d w_1 w_2 \cdots w_n$.
The action by which a phagocyte worm removes malicious worms from the infected bot is called disinfection. This action differs from the others and is unique to phagocyte worms. Since the malicious worms are bound to antibody worms, the phagocyte worm removes all the antibody worms as well as the malicious worms. A phagocyte worm $p$ in a bot $d w_1 w_2 \cdots w_n p$ is said to be able to disinfect $d w_1 w_2 \cdots w_n p$ if one of $w_1, w_2, \ldots, w_n$ is a malicious worm. When $p$ disinfects $d w_1 w_2 \cdots w_n p$, the resulting bot is $d p$.
Malicious worms and antibody worms can take infection and separation actions. In addition to these actions, phagocyte worms can take disinfection action.

4. Innate and Acquired Immunity and Immune Memory of iBDS

This section describes the innate and acquired immunity and immune memory of iBDS, which are achieved through the cooperation of antibody worms and phagocyte worms.

4.1. Innate Immunity

When a malicious botnet infects an IoT network, iBDS responds immediately with resident phagocyte worms. This provides a rapid response similar to the innate immunity of the bioimmune system. Conventional BDS, on the other hand, builds a new white-hat botnet each time a malicious botnet infects an IoT network and eliminates the malicious botnet. This has resulted in a lack of efficiency. In previous research [28], Yamaguchi et al. proposed a strategy in which a white-hat botnet resides in an IoT network and responds immediately to an infection, and they demonstrated its effectiveness through simulations. The innate immunity of iBDS was inspired by the strategy of previous research. However, the white-hat botnets in the previous research were designed to multiply, whereas the phagocyte botnets in iBDS are not. This is because iBDS aims to provide acquired immunity and immune memory by maintaining a constant number of phagocyte worms and by introducing antibody worms on demand.
We illustrate how the innate immunity in iBDS works using the example shown in Figure 2. A device $d_1$ has the vulnerability set $V(d_1) = \{\{h_1\}, \{h_2\}, \{h_3\}, \{h_4\}\}$. The specifications of the worms used in this example are shown in Table 2. At startup, iBDS deployed an $\varepsilon$-type phagocyte worm $p_1^{\varepsilon}$ on the network and has made it resident. An attacker attempts to infect $d_1$ with an $\alpha$-type malicious worm $m_1^{\alpha}$. Since $m_1^{\alpha}$ has the exploit $x_1$, which corresponds to the vulnerability $\{h_1\}$ of $d_1$, $m_1^{\alpha}$ can infect $d_1$. Once $m_1^{\alpha}$ infects $d_1$, they form a malicious bot $d_1 m_1^{\alpha}$, and its vulnerability set results in $V(d_1 m_1^{\alpha}) = \{\{h_2\}, \{h_3\}, \{h_4\}\}$. On the other hand, the phagocyte worm $p_1^{\varepsilon}$ has the exploit $x_2$, which corresponds to the vulnerability $\{h_2\}$ of $d_1 m_1^{\alpha}$, so $p_1^{\varepsilon}$ can infect $d_1 m_1^{\alpha}$. Once $p_1^{\varepsilon}$ infects $d_1 m_1^{\alpha}$, they form a phagocyte-bound malicious bot $d_1 m_1^{\alpha} p_1^{\varepsilon}$. Finally, $p_1^{\varepsilon}$ disinfects this bot by removing $m_1^{\alpha}$.
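The infection, separation and disinfection rules of Section 3.2 and the Figure 2 walk-through above can be checked with a small set-based model. This is an added example, not code from the paper or from BDSsim; because Table 2 is not reproduced here, the worm specifications (what the phagocyte worm removes, and the β-type and antibody worms used for the acquired-immunity case) are constructed assumptions.

```python
from dataclasses import dataclass
from functools import reduce
from typing import FrozenSet, Tuple

VulnSet = FrozenSet[FrozenSet[str]]   # set of vulnerabilities; each is a set of holes


def vset(*groups) -> VulnSet:
    """Build a vulnerability set, e.g. vset(["h1"], ["h3", "h4"])."""
    return frozenset(frozenset(g) for g in groups)


def exploit_for(hole: str) -> str:
    """Name of the exploit x_i that takes advantage of security hole h_i."""
    return "x" + hole[1:]


@dataclass(frozen=True)
class Worm:
    name: str
    kind: str                        # "malicious", "antibody" or "phagocyte"
    exploits: FrozenSet[str]         # X(w)
    removes: VulnSet = frozenset()   # V^-(w): vulnerabilities w removes
    adds: VulnSet = frozenset()      # V^+(w): vulnerabilities w adds


@dataclass(frozen=True)
class Bot:
    device: str
    base: VulnSet                    # V(d) of the bare device
    worms: Tuple[Worm, ...] = ()     # w_1 ... w_n in infection order

    @property
    def vulns(self) -> VulnSet:
        """V(d w_1 ... w_n): remove V^-(w), then add V^+(w), worm by worm."""
        return reduce(lambda v, w: (v - w.removes) | w.adds, self.worms, self.base)

    @property
    def malicious(self) -> bool:
        return any(w.kind == "malicious" for w in self.worms)


def can_infect(w: Worm, bot: Bot) -> bool:
    """True if w holds every exploit needed for at least one vulnerability."""
    return any(v and all(exploit_for(h) in w.exploits for h in v) for v in bot.vulns)


def infect(w: Worm, bot: Bot) -> Bot:
    if not can_infect(w, bot):
        raise ValueError(f"{w.name} cannot infect {bot.device}")
    return Bot(bot.device, bot.base, bot.worms + (w,))


def can_separate(bot: Bot) -> bool:
    """The last worm may leave only if no earlier worm is malicious."""
    return bool(bot.worms) and not Bot(bot.device, bot.base, bot.worms[:-1]).malicious


def separate(bot: Bot) -> Bot:
    if not can_separate(bot):
        raise ValueError("the last worm cannot separate from a malicious bot")
    return Bot(bot.device, bot.base, bot.worms[:-1])


def can_disinfect(bot: Bot) -> bool:
    """A phagocyte worm in last position needs an earlier malicious worm."""
    return (bool(bot.worms) and bot.worms[-1].kind == "phagocyte"
            and any(w.kind == "malicious" for w in bot.worms[:-1]))


def disinfect(bot: Bot) -> Bot:
    """Drop malicious worms and any antibody worms bound to them, leaving d p."""
    if not can_disinfect(bot):
        raise ValueError("no malicious worm to remove")
    return Bot(bot.device, bot.base, (bot.worms[-1],))


# Constructed specifications; only x1/x2 and V(d1 m) = {{h2},{h3},{h4}} are on the page.
D1 = Bot("d1", vset(["h1"], ["h2"], ["h3"], ["h4"]))
M_ALPHA = Worm("m1_alpha", "malicious", frozenset({"x1"}), removes=vset(["h1"]))
P_EPS = Worm("p1_eps", "phagocyte", frozenset({"x2"}), removes=vset(["h2"]))
# Hypothetical: a malicious worm that also closes h2, and an antibody worm that reopens it.
M_BETA = Worm("m1_beta", "malicious", frozenset({"x1"}), removes=vset(["h1"], ["h2"]))
A1 = Worm("a1", "antibody", frozenset({"x3"}), removes=vset(["h3"]), adds=vset(["h2"]))


def innate_response() -> Bot:
    """Figure 2 walk-through: alpha infects d1, the phagocyte follows and disinfects."""
    return disinfect(infect(P_EPS, infect(M_ALPHA, D1)))


def acquired_response() -> Bot:
    """The phagocyte cannot reach the beta bot until the antibody worm adds {h2}."""
    return disinfect(infect(P_EPS, infect(A1, infect(M_BETA, D1))))


if __name__ == "__main__":
    for run in (innate_response, acquired_response):
        bot = run()
        print(run.__name__, [w.name for w in bot.worms], sorted(map(sorted, bot.vulns)))
```

In both scenarios the disinfected bot exposes $\{h_1\}$ again, because under these assumed specifications nothing patches the hole the malicious worm used; that is the reinfection path the resident phagocyte worms are there to cover.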
We conducted a simulation experiment to examine the responses and effects of innate immunity in iBDS. For the simulations, we used an extended version of the BDS simulator, BDSsim [29], which includes the immune mechanism proposed in this paper. BDSsim describes the BDS behavior in Python 3 code. It allows us to model and simulate complex iBDS behavior using the Python ecosystem of Mesa [30], an agent-based framework, and NetworkX [31], a graph analysis library.
The simulation parameters are as follows. The network is a complete graph with 100 nodes. Each node has a single device, and each device $d$ has a set of vulnerabilities $V(d) = \{\{h_1\}, \{h_2\}, \{h_3\}, \{h_4\}\}$. Two types of worms appear: the $\alpha$-type malicious worm and the $\varepsilon$-type phagocyte worm. Their specifications are listed in Table 2. The malicious worm multiplies with a probability of 3% at each step, while the phagocyte worm does not. This value was selected for initial system verification. Each worm repeats a maximum of 10 attempts at each step until infection is successful. These values were selected for initial system verification.
The simulation enacts the following actions in the presented scenario.
  • At startup: iBDS makes 10 ε-type phagocyte worms resident on the IoT network.
  • Step 5: The attacker infects the network with 10 α-type malicious worms. This represents the first attack.
  • Step 30: The attacker infects the network again with 10 α-type malicious worms. This represents the second attack.
The evaluation measure is the number of worms or bots. In particular, the fewer malicious worms or bots, the higher the evaluation. Ideally, the number should be zero.
Figure 3 shows the results of a simulation of 100 cases. Figure 3a is an area-stacked graph showing the average number of worms divided by the category of malicious worms (red) and phagocyte worms (blue). The box-and-whisker plots are overlaid to show the statistical variability of the simulation results, and the symbol ∘ represents an outlier. The outliers represent the change in the number of worms when the malicious bots multiply extremely. Figure 3b is an area-stacked graph showing the average number of bots divided by the category of malicious bots (red) and phagocyte bots (blue).
Figure 3a shows that the resident phagocyte worms immediately eliminated the repeatedly infected malicious worms. After startup, iBDS made 10 phagocyte worms that reside in the network. Since the phagocyte worms do not multiply, their number remains constant. In Step 5, the attacker infected the network with 10 malicious worms for the first attack. The phagocyte worms immediately infected and eliminated the malicious bots. Due to the autonomous behavior of the worms, the elimination process differed slightly in each case. iBDS eliminated the malicious worms by Step 11 (6 steps after infection) in most cases, except for special cases corresponding to outliers. Furthermore, the malicious worms were eliminated by Step 12 (7 steps after infection) in all cases. The elimination process for the second attack followed a similar trend and was completed within the same time frame. Figure 3b shows that the malicious bots were eliminated without delay. No phagocyte-bound malicious bots appear to be produced, but this is because phagocyte worms immediately eliminate the bots. These results demonstrate that as long as the phagocyte worms can infect the malicious bots, iBDS can effectively address repeated botnet infections on the same scale.

4.2. Acquired Immunity

When a malicious botnet infects an IoT network and phagocyte worms cannot infect its bots, iBDS uses antibody worms to help the phagocyte worms eliminate the botnet. This provides an adaptive response similar to acquired immunity in the bioimmune system. Specifically, the antibody worms infect the malicious bots instead of the phagocyte worms and change their vulnerability. This enables the phagocyte worms to infect and disinfect these bots. Acquired immunity is based on adaptations that help organisms survive environments with many pathogens. It is more efficient to develop specialized worms for each botnet than to develop a single all-purpose worm. Furthermore, distributing the roles of targeting and phagocytosis between antibody and phagocyte worms maintains a consistent number of phagocyte worms while introducing antibody worms as needed. This results in a more adaptive defense mechanism.
We illustrate how the acquired immunity in iBDS works using the example shown in Figure 4. The device and worm specifications are the same as in the example of the innate immune process in Figure 2. At startup, iBDS creates an ε-type phagocyte worm $p_1^{\varepsilon}$ that is resident in the network. An attacker infects a device $d_1$ with a β-type malicious worm $m_1^{\beta}$, which is a different type than in the previous example. Since $m_1^{\beta}$ has the exploit $x_2$, which corresponds to the vulnerability $\{h_2\}$ of $d_1$, $m_1^{\beta}$ infects $d_1$. They form a malicious bot $d_1 m_1^{\beta}$, and its vulnerability set results in $V(d_1 m_1^{\beta}) = \{\{h_1\}, \{h_3\}, \{h_4\}\}$. Note that the phagocyte worm $p_1^{\varepsilon}$ cannot infect $d_1 m_1^{\beta}$ because it does not have an exploit for any vulnerability of $d_1 m_1^{\beta}$. Now, iBDS deploys a λ-type antibody worm $a_1^{\lambda}$ on the network. Since $a_1^{\lambda}$ has the exploit $x_3$, which corresponds to the vulnerability $\{h_3\}$ of $d_1 m_1^{\beta}$, $a_1^{\lambda}$ infects $d_1 m_1^{\beta}$. They form an antibody-bound malicious bot $d_1 m_1^{\beta} a_1^{\lambda}$, and its vulnerability set results in $V(d_1 m_1^{\beta} a_1^{\lambda}) = \{\{h_1\}, \{h_4\}, \{h_5\}\}$. Since $p_1^{\varepsilon}$ has the exploit $x_5$, which corresponds to the vulnerability $\{h_5\}$ of $d_1 m_1^{\beta} a_1^{\lambda}$, $p_1^{\varepsilon}$ infects $d_1 m_1^{\beta} a_1^{\lambda}$. They form a phagocyte-bound antibody-bound malicious bot $d_1 m_1^{\beta} a_1^{\lambda} p_1^{\varepsilon}$, and its vulnerability set results in $V(d_1 m_1^{\beta} a_1^{\lambda} p_1^{\varepsilon}) =$ . Finally, $p_1^{\varepsilon}$ disinfects the bot by removing $m_1^{\beta}$.
The acquired immunity of iBDS has the function of immune memory, which results in a stronger response upon reinfection by a malicious botnet. The response to the initial infection is called the primary immune response, while the response to reinfection is called the secondary immune response. This section focuses on the primary immune response, and the next section discusses the secondary immune response.
We determine the number of antibody worms that iBDS deploys in the primary immune response based on the number of malicious bots detected by iBDS. However, since malicious bots multiply, their number increases over time. To account for this increase, we define the number of antibody worms to deploy as the product of the number of malicious bots and a safety factor.
Definition 1 (Number of antibody worms to be deployed in primary immune response). Let $\#m$ be the number of malicious bots detected by iBDS. The number of antibody worms to be deployed in the primary immune response is $\#m \cdot s$, where $s$ ( 1 ) is a safety factor.
We conducted a simulation experiment to examine the responses and effects of acquired immunity in iBDS. The simulation parameters are the same as in the previous simulation except for the following. The β-type malicious worm multiplies with a probability of 3% at each step, while the λ-type antibody worm and the ε-type phagocyte worm do not. We set the safety factor for determining the number of antibody worms to $s = 2$. This value was selected for initial system verification. The simulation enacts the following actions in the presented scenario.
  • At startup: iBDS makes 10 ε-type phagocyte worms that are resident on the IoT network.
  • Step 5: The attacker infects the network with 10 β-type malicious worms.
  • Step 10: iBDS detects 10 ($= \#m$) malicious bots and deploys 20 ($= \#m \cdot s$) λ-type antibody worms as the primary immune response.
Figure 5 shows the results of a simulation of 100 cases. Figure 5a shows that phagocyte worms eliminated malicious worms by introducing antibody worms. After iBDS created 10 resident phagocyte worms at startup, the attacker infected the network with 10 malicious worms in Step 5. The phagocyte worms cannot infect their malicious bots because they have no effective exploit. On the other hand, since the malicious worms multiply, they increase gradually. In Step 10, iBDS detected 10 malicious bots and deployed 20 antibody worms on the network. The antibody worms infected malicious bots and modified their vulnerabilities. As a result, the phagocyte worms infected the antibody-bound bots and disinfected the malicious bots. iBDS eliminated the malicious worms by Step 17 (12 steps after infection) in most cases, except for special cases corresponding to outliers. Furthermore, the malicious worms were eliminated by Step 22 (17 steps after infection) in all cases. The remaining antibody worms self-destructed due to their lifespan in Step 25. As shown in Figure 5b, unlike the innate immune response, the acquired immune response produced antibody-bound malicious bots. However, they existed for only a short time because they were quickly infected and disinfected by phagocyte worms. These results indicate that, although acquired immunity takes slightly longer than innate immunity, it can adapt phagocyte worms to malicious bots by introducing appropriate antibody worms, even when the phagocyte worms alone cannot infect the malicious bots. In this experiment, we were able to eliminate the bad bots in all 100 cases. However, this does not mean that we can eliminate them in every potential case. Increasing the value of the safety factor of the immune response can increase the extermination ability. The value of the safety factor will be determined by considering the number of malicious bots and their infection rate. The method of determining the safety factor is a future issue.

4.3. Immune Memory

iBDS responds more strongly when a malicious botnet infects an IoT network again in a similar way to the immune memory of the bioimmune system. Specifically, iBDS deploys more antibody worms in the secondary immune response than in the primary immune response to rapidly eliminate the malicious bots before they can multiply.
We illustrate how the immune memory of iBDS works using the example shown in Figure 6. This follows the example of acquired immunity shown in Figure 4. That is, the attacker infected a device $d_1$ with a β-type malicious worm $m_1^{\beta}$, but iBDS disinfected the malicious bot $d_1 m_1^{\beta}$ using an ε-type phagocyte worm $p_1^{\varepsilon}$ by introducing a λ-type antibody worm $a_1^{\lambda}$. Now, the attacker infects $d_1$ again with a malicious worm $m_2^{\beta}$ of the same type as in the first attack. This represents the second attack. As a secondary immune response, iBDS deploys the same type but twice as many antibody worms, $a_2^{\lambda}$ and $a_3^{\lambda}$, as the primary immune response. The probability that these antibody worms infect the malicious bot $d_1 m_2^{\beta}$ doubles. Therefore, $p_1^{\varepsilon}$ can disinfect the bot more quickly than in the primary immune response.
We determine the number of antibody worms that iBDS deploys in the secondary immune response. Immune memory increases the number of antibody worms in the secondary immune response compared to the primary immune response. To account for this increase, we define the number of antibody worms in the secondary immune response as the product of the number in the primary immune response and a boost factor.
Definition 2 (Number of antibody worms to be deployed in secondary immune response). Let $\#m$ be the number of malicious bots detected by iBDS. The number of antibody worms to be deployed in the secondary immune response is $\#m \cdot s \cdot k$, where $s$ ( 1 ) is a safety factor for the primary immune response, and $k$ ( 1 ) is a boost factor indicating how much the secondary response is amplified relative to the primary one.
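The vulnerability-set transitions of the Figure 2 and Figure 4 walk-throughs and the deployment sizes of Definitions 1 and 2 can be traced with a small set-based model. This is an added example, not BDSsim or the author's code: the worm specifications are read off the worked examples in the text rather than Table 2, and the class names, the antibody selection rule and rounding up to an integer are assumptions.

```python
from dataclasses import dataclass, field
from math import ceil


@dataclass(frozen=True)
class Worm:
    name: str
    role: str                       # "malicious", "antibody" or "phagocyte"
    exploits: frozenset             # exploit x_i is written as the vulnerability "h_i" it uses
    adds: frozenset = frozenset()   # vulnerabilities exposed after binding


@dataclass
class Bot:
    vulns: set                      # each singleton {h_i} is modelled as the string "h_i"
    worms: list = field(default_factory=list)

    def bind(self, worm):
        """Infect if the worm has an exploit for a current vulnerability.

        The vulnerability used leaves the set and the worm's `adds` enter it,
        matching the transitions in the two worked examples.
        """
        usable = sorted(self.vulns & worm.exploits)
        if not usable:
            return False
        self.vulns.discard(usable[0])
        self.vulns |= worm.adds
        self.worms.append(worm)
        return True

    def disinfect(self):
        """A bound phagocyte worm removes the malicious worm from the device."""
        if not any(w.role == "phagocyte" for w in self.worms):
            return False
        self.worms = [w for w in self.worms if w.role != "malicious"]
        return True


# Worm specifications as read off the worked examples (assumed, not Table 2).
M_ALPHA = Worm("m_alpha", "malicious", frozenset({"h1"}))
M_BETA = Worm("m_beta", "malicious", frozenset({"h2"}))
P_EPS = Worm("p_eps", "phagocyte", frozenset({"h2", "h5"}))
A_LAMBDA = Worm("a_lambda", "antibody", frozenset({"h3"}), adds=frozenset({"h5"}))


def new_device():
    return Bot({"h1", "h2", "h3", "h4"})


class IBDS:
    """Chooses the defense layer and sizes the antibody deployment."""

    def __init__(self, phagocyte, antibodies, s=2.0, k=1.5):
        self.phagocyte, self.antibodies = phagocyte, list(antibodies)
        self.s, self.k = s, k
        self.memory = set()         # malicious worm types already answered once

    def plan(self, bot, worm_type, detected):
        """Return (layer, antibody or None, number of antibody worms)."""
        if bot.vulns & self.phagocyte.exploits:
            return ("innate", None, 0)
        for ab in self.antibodies:
            # Hypothetical selection rule: the antibody must bind the bot and
            # expose a vulnerability the resident phagocyte can exploit.
            if bot.vulns & ab.exploits and ab.adds & self.phagocyte.exploits:
                secondary = worm_type in self.memory
                self.memory.add(worm_type)
                n = detected * self.s * (self.k if secondary else 1)
                # Rounding up is an assumption; the definitions give no rule.
                return ("secondary" if secondary else "primary", ab, ceil(n))
        return ("unhandled", None, 0)


def respond(ibds, malicious, worm_type, detected):
    """Infect a fresh device, then run the planned response to completion."""
    bot = new_device()
    bot.bind(malicious)
    after_infection = set(bot.vulns)
    layer, antibody, n = ibds.plan(bot, worm_type, detected)
    if antibody is not None:
        bot.bind(antibody)
    after_antibody = set(bot.vulns)
    cleaned = bot.bind(ibds.phagocyte) and bot.disinfect()
    return layer, n, after_infection, after_antibody, cleaned


if __name__ == "__main__":
    ibds = IBDS(P_EPS, [A_LAMBDA])
    print(respond(ibds, M_ALPHA, "alpha", 10))   # innate layer
    print(respond(ibds, M_BETA, "beta", 10))     # primary response
    print(respond(ibds, M_BETA, "beta", 10))     # secondary response (memory)
```

With an empty antibody library the β-type bot is reported as `unhandled` and the phagocyte worm cannot bind, which is the gap the antibody layer exists to close.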
We conducted a simulation experiment to examine the responses and effects of immune memory in iBDS. The simulation parameters are the same as in the previous simulation. We set the safety factor to $s = 2$, and the boost factor to $k = 1.5$. These values were selected for initial system verification. The simulation enacts the following actions in the presented scenario.
  • At startup: iBDS makes 10 ε-type phagocyte worms that are resident on the IoT network.
  • Step 5: The attacker infects the network with 10 β-type malicious worms as the first attack.
  • Step 10: iBDS detects 10 ($= \#m$) malicious bots and deploys 20 ($= \#m \cdot s$) λ-type antibody worms as the primary immune response.
  • Step 30: The attacker infects the network again with 10 β-type malicious worms as the second attack.
  • Step 35: iBDS detects 10 ($= \#m$) malicious bots and deploys 30 ($= \#m \cdot s \cdot k$) λ-type antibody worms as the secondary immune response.
Figure 7 shows the results of a simulation of 100 cases. Figure 7a shows that the secondary immune response eliminated malicious bots more quickly than the primary response by introducing more antibody worms. The response up to Step 25 is the same as that shown in the previous simulation results. In Step 30, the attacker infected the network again with 10 β-type worms as the second attack. The resident phagocyte worms cannot infect their malicious bots because they have no effective exploit. In Step 35, iBDS detected 10 malicious bots and deployed 30 λ-type antibody worms on the network as the secondary immune response. This was 1.5 times the number of antibody worms in the primary immune response. Consequently, the antibody worms had a greater chance of binding to the malicious bot, and the phagocyte worms quickly disinfected the antibody-bound malicious bots. iBDS eliminated the malicious worms by Step 40 (10 steps after infection) in most cases, except for special cases corresponding to outliers. Furthermore, the malicious worms were eliminated by Step 44 (14 steps after infection) in all cases. The remaining antibody worms self-destructed due to their lifespan in Step 50. Figure 7b shows that antibody-bound malicious bots form more quickly and are therefore removed earlier than in the primary immune response. These results indicate that iBDS can quickly eliminate malicious botnets by deploying more antibody worms in the secondary immune response than in the primary immune response when the same botnets are infected again.
While the immune memory function of iBDS provides robust protection against reinfection by known botnet types, addressing the behavior of highly sophisticated attackers remains a significant challenge. Future work will explore ways to enhance iBDS to counter advanced tactics such as worm polymorphism, advanced C2 evasion techniques, and fast flux DNS. This will be accomplished by integrating advanced machine learning techniques to enable real-time anomaly detection and predictive analysis of attacker strategies. The development of a variety of “antibody worm” variants that can dynamically adapt their behavior to a wide range of attack vectors is also essential to building a truly resilient system against evolving threats.

5. Prototype Implementation and Experimental Evaluation

5.1. Prototype Implementation

We implemented a prototype of iBDS on a local network and verified its operation. This was developed on the BDS prototype [32] by introducing antibody worms and phagocyte worms. Although these worms were implemented using Mirai source code [33], the code related to malicious activities such as DDoS attacks was removed in advance in accordance with the EC-Council Code of Ethics [34]. This simplified the development process while reproducing realistic bot behavior. The network used in the experiment consists of the following:
  • DNS and DHCP server: 192.168.0.1;
  • C&C, Web, Loader server for malicious botnet: 192.168.0.4;
  • C&C, Web, Loader server for phagocyte botnet: 192.168.0.14;
  • C&C, Web, Loader server for antibody botnet: 192.168.0.24;
  • A total of 22 vulnerable devices: 192.168.0.100 ∼ 192.168.0.250.
Each device runs on the OpenWrt [35] operating system, which is widely used in routers and IoT devices.
The botnet targeted in this study comes from the Mirai family, running as processes in volatile memory after device infection and leaving no permanent traces in non-volatile memory or file systems. Due to this characteristic, a Mirai bot on an infected device can be completely eliminated by simply killing the processes. The proposed phagocyte worms enact disinfection by identifying the process from the port used by the malicious worms and forcibly terminating it. This method is based on the Killer process [33] found in Mirai’s source code. The proposed worms are designed to perform an automatic and efficient disinfection, minimizing manual intervention in the event of large-scale infection.
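The port-to-process lookup that this disinfection step relies on can be reproduced from `/proc` on a Linux device such as one running OpenWrt. The following is an added example, not the prototype's or Mirai's code: the function names, port 9999, the PIDs and the sample `/proc/net/tcp` rows are constructed for illustration.

```python
import os
import re
import signal

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

# Constructed sample: sshd-like listener on 22, a listener on 9999, and an
# established connection whose local port is also 9999 (must be ignored).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 00000000:270F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4477 1 0000000000000000 100 0 0 10 0
   2: 6400A8C0:270F 0400A8C0:D2F0 01 00000000:00000000 00:00000000 00000000     0        0 4480 1 0000000000000000 20 4 30 10 -1
"""

# Constructed sample of readlink() targets under /proc/<pid>/fd.
SAMPLE_FD_LINKS = {
    1: ["/dev/null"],
    640: ["socket:[1201]"],
    812: ["/dev/null", "socket:[4477]", "socket:[4480]"],
}


def listening_inodes(proc_net_tcp, port):
    """Socket inodes of sockets in LISTEN state on `port`."""
    inodes = set()
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)
        if fields[3] == LISTEN and local_port == port:
            inodes.add(fields[9])
    return inodes


def owners(fd_links, inodes):
    """PIDs that hold a file descriptor for any of the given socket inodes."""
    hits = []
    for pid, links in fd_links.items():
        for target in links:
            match = SOCKET_LINK.fullmatch(target)
            if match and match.group(1) in inodes:
                hits.append(pid)
                break
    return sorted(hits)


def read_fd_links(proc="/proc"):
    """Collect fd symlink targets per PID from a live system (root needed
    to see descriptors of processes owned by other users)."""
    links = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            links[int(entry)] = [os.readlink(os.path.join(fd_dir, fd))
                                 for fd in os.listdir(fd_dir)]
        except OSError:
            continue                                # process exited or access denied
    return links


def terminate_by_port(port, proc_net_tcp, fd_links, kill=os.kill):
    """Kill every process listening on `port`; returns the PIDs signalled."""
    pids = owners(fd_links, listening_inodes(proc_net_tcp, port))
    for pid in pids:
        kill(pid, signal.SIGKILL)
    return pids
```

IPv6 listeners appear in `/proc/net/tcp6` with the same column layout, so the same parser applies to that file.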
In this prototype, vulnerable login credentials, i.e., a user ID and password combination, were used as the device vulnerability. Each device $d$ has the initial vulnerability used by Mirai for actual infections, $V(d) = \{(\text{root}, \text{xc3511})\}$. The worm specifications are detailed in Table 3. The worm’s lifespan was omitted from the implementation. Malicious worms scan 80 IP addresses per attempt to find infection targets and, if successful, multiply. The other worms scan 160 IP addresses per attempt, which is the same as Mirai. Measuring system overhead is important and will be addressed in future work.
If they successfully infect a device, they move to it, but do not multiply. The different scan counts per attempt have been designed to create a difference in infection speeds. We set the safety factor in the primary immune response to $s = 2$ and the boost factor in the secondary immune response to $k = 1.5$. These values were selected for initial system verification. We recognize that sensitivity analysis of parameters is important for understanding the robustness and practical deployment of the system. Establishing the optimal values for parameters and their theoretical and empirical basis, as well as conducting sensitivity analysis on them, are important tasks that we plan to address in the future.

5.2. Experimental Evaluation

We conducted three experiments with the prototype. In each experiment, we tried five cases. The first experiment aimed to confirm the innate immune response based on the following scenario.
  • iBDS makes 4 ζ-type phagocyte worms that are resident on the IoT network at startup;
  • The attacker infects the network with 4 γ-type malicious worms at about 01:00 (min:sec).
Figure 8 shows the time variation for the number of worms by type for a certain case. At startup, iBDS made ζ-type phagocyte worms that were resident in the network. The γ-type malicious worms introduced by the attacker at 00:57 infected the devices in a few seconds and created malicious bots. Note that each worm introduced cannot infect the network at once, but rather gradually over time. The phagocyte worms have the exploit $(\text{root}, \text{mal})$. Therefore, they directly infected and disinfected the malicious bots. This process took only 39 s (=01:36−00:57). In five cases, the average duration of the elimination process was 34 s. The above result demonstrates that the innate immune response works quickly.
The second experiment aimed to confirm the acquired immune response based on the following scenario.
  • iBDS makes 4 η-type phagocyte worms that are resident on the IoT network at startup;
  • The attacker infects the network with 3 γ-type malicious worms at about 01:00;
  • When iBDS detects 4 ($= \#m$) malicious bots, it deploys 8 ($= \#m \cdot s$) μ-type antibody worms as the primary immune response.
Figure 9 shows the time variation for the number of worms by type for a certain case. In this experiment, we used η-type phagocyte worms instead of the ζ-type version. Note that η-type phagocyte worms cannot infect γ-type malicious bots because they do not have the exploit $(\text{root}, \text{mal})$. At 00:56, iBDS detected 4 malicious bots and deployed 8 μ-type antibody worms. Each worm does not infect the network all at once, but gradually over time. The antibody worms have the exploit $(\text{root}, \text{mal})$. Therefore, they infected the bots and enabled the phagocyte worms to infect and disinfect them. This process took 03:33 (=04:29−00:56). During this process, at 03:30, the malicious worm multiplied, but thanks to the safety factor, there was no shortage of antibody worms. In five cases, the average duration of the elimination process was 03:12. The above result demonstrates that the acquired immune response works adaptively.
The third experiment aimed to confirm the immune memory process based on the following scenario.
  • iBDS makes 4 η-type phagocyte worms that are resident on the IoT network at startup;
  • The attacker infects the network again with 3 γ-type malicious worms at about 01:00;
  • When iBDS detects 4 ($= \#m$) malicious bots, it deploys 8 ($= \#m \cdot s \cdot k$) μ-type antibody worms as the secondary immune response.
Figure 10 shows the time variation for the number of worms by type for a certain case. In this experiment, we continued to use η-type phagocyte worms. At 01:37, iBDS detected 4 malicious bots. Since they were the same type of bots as the previous ones, iBDS deployed 12 μ-type antibody worms according to immune memory. The antibody worms infected the bots and enabled the phagocyte worms to infect and disinfect them. This process took 02:29 (=04:06−01:37). In five cases, the average duration of the elimination process was 02:24, which was shorter than before. As in the previous case, the malicious worm multiplied at 02:30 during the elimination process. Since antibody worm deployment takes time, some continued to be deployed even after all the malicious worms were eliminated in this example. Even after the malicious worms were eliminated, 7 antibody worms remained, and iBDS maintained sufficient defense capabilities. The above results indicate that immune memory provides resistance to variability caused by the autonomous behavior of botnets.

5.3. Discussion

The prototype implementation and experimental evaluation results suggest that iBDS offers effective defense against repeated malicious botnet infections in IoT networks. While BDSs build a defensive botnet after detecting malicious bots, iBDS keeps a phagocyte botnet resident in the network. This reduces elimination time. Furthermore, iBDS leverages immune memory for more effective eradication against repeatedly infecting botnets. Therefore, iBDS demonstrates superior defensive capabilities compared to BDSs. However, this prototype only demonstrates the basic operation and effectiveness of iBDS and does not fully reflect the real-world network environment in terms of simplifying the network environment and limiting target vulnerabilities and attack scenarios. Future work includes addressing these limitations and advancing research and development for performance evaluation and practical application in more realistic environments.
The countermeasures proposed in this study are based on known vulnerabilities. Due to the difficulty of software updates and the characteristics of application-specific systems, attacks that exploit known vulnerabilities are not uncommon in IoT networks. Therefore, focusing on countermeasures based on this premise can be a realistic and effective security strategy.
However, IoT systems are constantly evolving, so the emergence of unknown vulnerabilities is inevitable. This threat is similar to the threat posed by new coronaviruses, for which vaccines must be updated to address new mutant strains [36]. The proposed iBDS has the potential to incorporate unknown vulnerabilities into its immune system. This update mechanism is an important topic for future research and development.

6. Conclusions

In this paper, we propose an immune mechanism inspired by bioimmune responses to combat repeated botnet infections of IoT networks. We also describe the development of iBDS, which incorporates this mechanism. iBDS provides a multi-layered defense system consisting of rapid responses using phagocyte worms, similar to innate immunity, as well as adaptive responses through the cooperation of antibody worms and phagocyte worms, similar to acquired immunity. In addition, the immune memory function provides a rapid and strong response to reinfection, which is an important innovation that is absent from traditional BDSs. The results of the prototype implementation and the experimental evaluation suggest that iBDS can effectively defend against repeatedly infected malicious botnets in an IoT network.
Future plans include addressing more complex attack scenarios, such as evolutionary attacks using variants and simultaneous attacks using multiple malicious botnets. These scenarios will require the systematic operation of an immune system consisting of various antibody worms and phagocyte worms, as well as the development of operational strategies. In addition, real-world botnet attacks include dynamic elements such as zero-day vulnerabilities, diverse device firmware patching status, and advanced evasion tactics. Future work will focus on extending iBDS to address these complexities. This includes integrating real-time vulnerability discovery mechanisms and dynamically updating the specificity of immune worms. We will also explore ways to autonomously adapt worm functionality to counter evolving evasion techniques.

Funding

This research was funded by JSPS KAKENHI Grant Numbers JP22K12028.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

The author declares no conflict of interest.

References

  1. Douligeris, C.; Raghimi, O.; Lourenço, M.B.; Marinos, L.; Sfakianakis, A.; Doerr, C.; Armin, J.; Riccardi, M.; Wim, M.; Thaker, N.; et al. ENISA Threat Landscape 2020—Botnet. Available online: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-botnet (accessed on 15 April 2025).
  2. Owen, H.; Zarrin, J.; Pour, S.M. A Survey on Botnets, Issues, Threats, Methods, Detection and Prevention. J. Cybersecur. Priv. 2022, 2, 74–88.
  3. Kolias, C.; Kambourakis, G.; Stavrou, A.; Voas, J. DDoS in the IoT: Mirai and other botnets. IEEE Comput. 2017, 50, 80–84.
  4. Kaspersky Digital Footprint Intelligence Experts. Kaspersky Finds Botnet Prices Starting at $100 on Dark Web Market. Available online: https://www.kaspersky.co.uk/about/press-releases/kaspersky-finds-botnet-prices-starting-at-100-on-dark-web-market (accessed on 15 April 2025).
  5. Ashraf, J.; Keshk, M.; Moustafa, N.; Abdel-Basset, M.; Khurshid, H.; Bakhshi, A.D.; Mostafa, R.R. IoTBoT-IDS: A Novel Statistical Learning-Enabled Botnet Detection Framework for Protecting Networks of Smart Cities. In Sustainable Cities and Society; Elsevier: Amsterdam, The Netherlands, 2021; Volume 72, p. 103041.
  6. Liu, X.; Du, Y. Towards Effective Feature Selection for IoT Botnet Attack Detection Using a Genetic Algorithm. Electronics 2023, 12, 1260.
  7. Shao, Y.-A.; Chao, C.-S. Real-Time Dynamic Configuration of Firewall Rules for High-Speed IoT Networks. In Proceedings of the 2022 IEEE 4th Eurasia Conference on IOT, Communication and Engineering (ECICE), Yunlin, Taiwan, 28–30 October 2022; pp. 89–94.
  8. Cho, H.S.; Lee, J.E.; Oh, S.H. Stage-Specific Reinforcement Learning-Based Firewall for IoT Security Against Okiru Botnet. In Proceedings of the 2024 International Conference on Cyberworlds, Yamanashi, Japan, 29–31 October 2024; pp. 384–386.
  9. US Computer Emergency Readiness Team. Heightened DDoS Threat Posed by Mirai and Other Botnets. alert TA16-288A. Available online: https://www.us-cert.gov/ncas/alerts/TA16-288A (accessed on 26 April 2025).
  10. Yamaguchi, S. Botnet Defense System: A System to Fight Botnets with Botnets. In Malware; Gritzalis, D., Ed.; Springer: Cham, Switzerland, 2025; pp. 45–60.
  11. Yamaguchi, S. An Antibody-Mediated Immune Mechanism in Botnet Defense System. In Proceeding of the 2024 International Conference on Future Technologies for Smart Society (ICFTSS), Kuala Lumpur, Malaysia, 7–8 August 2024.
  12. Murphy, K.; Weaver, C. Janeway’s Immunobiology, 9th ed.; Garland Science: New York, NY, USA, 2016.
  13. Alrubayyi, H.; Goteng, G.; Jaber, M.; Kelly, J. Challenges of Malware Detection in the IoT and a Review of Artificial Immune System Approaches. J. Sens. Actuator Netw. 2021, 10, 61.
  14. Forrest, S.; Perelson, A.S.; Allen, L.; Cherukuri, R. Self-Nonself Discrimination in a Computer. In Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, USA, 16–18 May 1994; pp. 202–212.
  15. de Castro, L.N.; Von Zuben, F.J. The Clonal Selection Algorithm with Engineering Applications. In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO ’00), Las Vegas, NV, USA, 8–12 July 2000; pp. 36–37.
  16. de Castro, L.N.; Timmis, J. An Artificial Immune Network for Multimodal Function Optimization. In Proceedings of the 2002 IEEE Congress on Evolutionary Computation, Honolulu, HI, USA, 12–17 May 2002; Volume 1, pp. 699–704.
  17. Pamukov, M.E.; Poulkov, V.K.; Shterev, V.A. Negative Selection and Neural Network Based Algorithm for Intrusion Detection in IoT. In Proceedings of the 2018 41st International Conference on Telecommunications and Signal Processing, Athens, Greece, 4–6 July 2018; pp. 1–5.
  18. Bereta, M. Negative Selection Algorithm for Unsupervised Anomaly Detection. Appl. Sci. 2024, 14, 11040.
  19. Chao, R.; Tan, Y. A Virus Detection System Based on Artificial Immune System. In Proceedings of the 2009 International Conference on Computational Intelligence and Security, Beijing, China, 11–14 December 2009; pp. 6–10.
  20. Zhang, Q.; Wang, X.; Li, Y. Application of Clonal Selection Clustering Algorithm for Anomaly Detection in Network Security Management. Open Autom. Control Syst. J. 2015, 7, 1482–1485.
  21. Yang, C.; Huang, Z.; Jiang, B.; Zhu, M.; Luo, A.; He, J. Improved Clonal Selection Algorithm Based on the Directional Update Strategy. J. Supercomput. 2023, 79, 19312–19331.
  22. Rassam, M.A. Artificial Immune Network Clustering Approach for Anomaly Intrusion Detection. J. Adv. Inf. Technol. 2012, 3, 147–154.
  23. Le, D.H.; Vu, N.T.; Le, T. A Smart System of Malware Detection Based on Artificial Immune Network and Deep Belief Network. Int. J. Inf. Secur. Priv. 2021, 15, 1–25.
  24. Shi, Y.; Shen, H. Unsupervised Anomaly Detection for Network Traffic Using Artificial Immune Network. Neural Comput. Appl. 2022, 34, 13007–13027.
  25. AlSobeh, A.M.R.; Gaber, K.; Hammad, M.M. Android Malware Detection Using Time-Aware Machine Learning Approach. Clust. Comput. 2024, 27, 12627–12648.
  26. de Caldas Filho, F.; Soares, S.; Oroski, E.; de Oliveira Albuquerque, R.; da Mata, R.; de Mendonça, F.; de Sousa Júnior, R. Botnet Detection and Mitigation Model for IoT Networks Using Federated Learning. Sensors 2023, 23, 6305.
  27. Kundu, P.P.; Truong-Huu, T.; Chen, L.; Zhou, L.; Teo, S.G. Detection and Classification of Botnet Traffic Using Deep Learning with Model Explanation. IEEE Trans. Dependable Secur. Comput. 2022; early access.
  28. Yamaguchi, S.; Makihara, D. On Resident Strategy for White-Hat Botnet in Botnet Defense System. In Proceedings of the IEEE 2022 International Conference on Consumer Electronics—Taiwan (ICCE-TW), Taipei, Taiwan, 6–8 July 2022; pp. 189–190.
  29. Yamaguchi, S. BDSsim: A Mesa-Based Simulator for Botnet Defense System. In Proceedings of the 2024 International Technical Conference on Circuits/Systems, Computers, and Communications (ITC-CSCC), Okinawa, Japan, 2–5 July 2024; pp. 1–5.
  30. ter Hoeven, E.; Kwakkel, J.; Hess, V.; Pike, T.; Wang, B.; Kazil, J. Mesa 3: Agent-Based Modeling with Python in 2025. J. Open Source Softw. 2025, 10, 7668.
  31. Hagberg, A.A.; Schult, D.A.; Swart, P.J. Exploring Network Structure, Dynamics, and Function Using NetworkX. In Proceedings of the 7th Python in Science Conference, Pasadena, CA, USA, 19–24 August 2008; pp. 11–15.
  32. Yamamoto, Y.; Fukushima, A.; Yamaguchi, S. Implementation of White-Hat Worms Using Mirai Source Code and Its Optimization through Parameter Tuning. Future Internet 2024, 16, 336.
  33. Gamblin, J. GitHub-Jgamblin/Mirai-Source-Code: Leaked Mirai Source Code for Research/IoC Development Purposes. Available online: https://github.com/jgamblin/Mirai-Source-Code (accessed on 28 July 2024).
  34. EC-Council. Code of Ethics|EC-Council. Available online: https://www.eccouncil.org/code-of-ethics (accessed on 28 July 2024).
  35. OpenWrt Website. Available online: http://openwrt.org/ (accessed on 20 July 2024).
  36. Patel, R.; Kaki, M.; Potluri, V.; Kahar, P.; Khanna, D. A Comprehensive Review of SARS-CoV-2 Vaccines: Pfizer, Moderna & Johnson & Johnson. Hum. Vaccines Immunother. 2022, 18, 2002083. [Google Scholar] [CrossRef]
Figure 1. Illustration of iBDS operation.
Figure 2. Illustration of the innate immune response in iBDS.
Figure 3. Simulation result for the innate immune response. (a) Time variation for the average number of worms. The box-and-whisker plots are overlaid to show the statistical variability of the simulation results, and the symbol ∘ represents an outlier. (b) Time variation for the average number of bots.
Figure 4. Illustration of the acquired immune response in iBDS.
Figure 5. Simulation result for acquired immune response. (a) Time variation for the average number of worms. The box-and-whisker plots are overlaid to show the statistical variability of the simulation results, and the symbol ∘ represents an outlier. (b) Time variation for the average number of bots.
Figure 6. Illustration of the immune memory response in iBDS.
Figure 7. Simulation result for the immune memory response. (a) Time variation for the average number of worms. The box-and-whisker plots are overlaid to show the statistical variability of the simulation results, and the symbol ∘ represents an outlier. (b) Time variation for the average number of bots.
Figure 8. Experimental results of innate response using the prototype. At 00:57, the attacker infected the network with malicious worms. Immediately, the resident phagocyte worm began eliminating them, reducing their numbers.
Figure 9. Experimental results of acquired response using the prototype. At 00:49, the attacker began spreading malicious worms. The phagocyte worms could not infect them. From 00:56, iBDS deployed antibody worms, which gradually infected and altered the malicious bots. By 04:29, phagocyte worms removed the malicious and antibody worms, reducing their numbers.
Figure 10. Experimental results of immune memory response using the prototype. At 01:37, iBDS began deploying 12 antibody worms, more than the initial response, due to immune memory. By 04:06, phagocyte worms infected antibody-bound malicious bots, removing both malicious and antibody worms. This reduced their numbers.
Table 1. Cybersecurity inspired by the bioimmune system: The position of this study in comparison with related studies.
| Research | Purpose | Contribution | Negative Selection | Clonal Selection | Immune Network | Immune Response |
|---|---|---|---|---|---|---|
| M.E. Pamukov et al. (2018) [17] | Detection | Integration of negative selection algorithm and neural networks | | | | |
| M. Bereta et al. (2024) [18] | Detection | Integration of negative selection algorithm and unsupervised learning | | | | |
| R. Chao et al. (2009) [19] | Detection | Proposal of a hybrid algorithm of negative selection and clonal selection | | | | |
| Q. Zhang et al. (2015) [20] | Detection | Integration of clonal selection algorithm and clustering | | | | |
| C. Yang et al. (2023) [21] | Detection | Proposal of algorithm for leading global optimal solution in a clonal selection algorithm | | | | |
| M. Rassam (2012) [22] | Detection | Integration of immune network algorithm and rough set theory | | | | |
| D.H. Le (2021) [23] | Detection | Virus detection system based on immune network algorithm | | | | |
| Y. Shi et al. (2022) [24] | Detection | Proposal of an unsupervised anomaly-detection method based on immune network | | | | |
| BDS (2020) [10] | Elimination | Proposal of disinfection method for single infections of botnets | | | | |
| This paper (iBDS) | Elimination | Proposal of disinfection method for multiple infections of botnets | | | | |
Table 2. Worm specifications.
| Worm $w$ | Exploit $X(w)$ | Vulnerability to Be Removed $V(w)$ | Vulnerability to Be Added $V^{+}(w)$ | Lifespan $(w)$ |
|---|---|---|---|---|
| $\alpha$-type malicious worm | $\{x_1\}$ | $\{\{h_1\}\}$ | | |
| $\beta$-type malicious worm | $\{x_2\}$ | $\{\{h_2\}\}$ | | |
| $\varepsilon$-type phagocyte worm | $\{x_2, x_5\}$ | $\{\{h_1\}, \{h_2\}, \{h_3\}, \{h_4\}, \{h_5\}\}$ | | |
| $\lambda$-type antibody worm | $\{x_3\}$ | $\{\{h_2\}, \{h_3\}\}$ | $\{\{h_5\}\}$ | 15 steps |
Table 3. Worm specifications in the prototype implementation.
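| Worm $w$ | Exploit $X(w)$ | Vulnerability to Be Removed $V(w)$ | Vulnerability to Be Added $V^{+}(w)$ |
|---|---|---|---|
| $\gamma$-type malicious worm | $\{(\mathrm{root}, \mathrm{xc3511})\}$ | $\{\{(\mathrm{root}, \mathrm{xc3511})\}\}$ | $\{\{(\mathrm{root}, \mathrm{mal})\}\}$ |
| $\zeta$-type phagocyte worm | $\{(\mathrm{root}, \mathrm{xc3511}), (\mathrm{root}, \mathrm{mal})\}$ | $\{\{(\mathrm{root}, \mathrm{xc3511})\}, \{(\mathrm{root}, \mathrm{mal})\}\}$ | $\{\{(\mathrm{root}, \mathrm{phago})\}\}$ |
| $\eta$-type phagocyte worm | $\{(\mathrm{root}, \mathrm{xc3511}), (\mathrm{root}, \mathrm{anti})\}$ | $\{\{(\mathrm{root}, \mathrm{xc3511})\}, \{(\mathrm{root}, \mathrm{anti})\}\}$ | $\{\{(\mathrm{root}, \mathrm{phago})\}\}$ |
| $\mu$-type antibody worm | $\{(\mathrm{root}, \mathrm{xc3511}), (\mathrm{root}, \mathrm{mal})\}$ | $\{\{(\mathrm{root}, \mathrm{xc3511})\}, \{(\mathrm{root}, \mathrm{mal})\}\}$ | $\{\{(\mathrm{root}, \mathrm{anti})\}\}$ |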
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Yamaguchi, S. Immune-Based Botnet Defense System: Multi-Layered Defense and Immune Memory. Information 2025, 16, 680. https://doi.org/10.3390/info16080680
