Botnet Defense System [Shingo Yamaguchi] Last updated: 2024/10/01
Botnet Defense System: A Cybersecurity System Utilizing White-Hat Botnets

Botnet Defense System (BDS) is a cybersecurity system that takes the unique approach of countering malicious botnets with botnets of its own construction, embodying the principle of "fight fire with fire". Unlike traditional botnets created with malicious intent, BDS utilizes white-hat botnets that are developed for ethical purposes. These white-hat botnets propagate autonomously throughout Internet of Things (IoT) networks, actively disrupting and neutralizing malicious botnets. This innovative approach is expected to significantly enhance network defense capabilities.
        
Figures (top of page): Prototype; Botnet threat and BDS operation; PN2Simulator

Background

Starting in September 2016, cybercriminals launched a series of devastating distributed denial-of-service (DDoS) attacks by exploiting vulnerabilities in IoT devices. One of these attacks, in October 2016, crippled major websites such as Amazon and Twitter (now known as X). The attacks were launched by botnets built with the Mirai malware [Antonakakis2017], which hijacked vulnerable IoT devices and turned them into malicious bots. DDoS attacks from Mirai botnets tend to be massive and disruptive: the French hosting company OVH was attacked by more than 100,000 IoT devices at over 1 Tbps. The escalating severity of these attacks stems from three characteristics of IoT devices: large volume, pervasiveness, and high vulnerability [Kolias2017]. By early October 2016, the Mirai malware had become a global pandemic, infecting over 300,000 devices across 164 countries, including emerging and developing economies [Nakao2018]. To make matters worse, the creator of Mirai released its source code, which allowed other cybercriminals to create even more dangerous variants. Variants such as Satori, Okiru, and OMG boast enhanced attack capabilities and threaten to infect a far greater number of IoT devices. More than seven years on, Mirai and its variants remain a significant threat worldwide. In June 2021, for example, a new botnet called Meris appeared and made headlines as the "resurgence of Mirai" [Meris2021].

System Architecture

The BDS system has a component-based architecture comprising four modules: a monitor, which observes the network and detects malicious botnets; a strategy planner, which decides how the white-hat botnet is to be built and operated; a launcher, which releases white-hat worms into the network; and a white-hat command and control (C&C) server, which controls the resulting white-hat botnet. This modular architecture allows for efficient and scalable operation of the BDS system, enabling it to combat a wide range of botnet threats within IoT networks.

Process

BDS takes the following steps:
  1. Network Monitoring and Malicious Botnet Detection: BDS continuously monitors the network to identify malicious botnets.
  2. Extermination Strategy Development: Based on the detected botnet's characteristics, BDS formulates a customized strategy to effectively eliminate it.
  3. White-Hat Botnet Creation: To execute the strategy, BDS deploys white-hat worms onto the network. These white-hat worms then establish a controlled white-hat botnet.
  4. Autonomous White-Hat Botnet Control: BDS strategically directs and manages the white-hat botnet's autonomous operations to neutralize the malicious botnet.
By using white-hat botnets in this way, BDS offers a promising means of bolstering network defenses against ever-evolving cyber threats.

Strategy

While BDS leverages white-hat botnets to combat malicious botnets, there is an inherent trade-off: the white-hat botnets, effective as they are at neutralizing their malicious counterparts, also consume network and device resources of their own. The success of BDS therefore hinges on strategic planning that keeps this resource consumption in check. The strategy planner plays this pivotal role. It analyzes the threat data reported by the monitor and formulates two strategies: a building strategy, which governs how the white-hat botnet is created (step 3 above), and an operating strategy, which governs how it is controlled (step 4 above).

Mathematical Modeling and Analysis

BDS, due to its inherent complexity, benefits greatly from mathematical modeling and analysis. The dynamic interaction between malicious and white-hat botnets within the system can be regarded as a multi-agent system. To analyze its behavior, researchers have employed a mathematical framework called "Petri Nets in a Petri Net" (PN2). PN2 has two layers of Petri nets: an environment net and agent nets. The environment net captures the external factors influencing the agents, while each agent net describes one agent's internal decision-making. Notably, each token in the environment net corresponds one-to-one to an agent net, and this is what allows PN2 to model the key behaviors of agents. To demonstrate the application of PN2, consider a network with three linearly connected nodes, n1, n2, and n3, each hosting one device (d1, d2, and d3, respectively), and assume the following initial state: d1 is infected by a malicious worm, d2 is in a normal state, and d3 is infected by a white-hat worm.
Figure 1 presents a PN2 model of the example network. It comprises a central environment net and five surrounding agent nets. The environment net uses places (drawn as circles, labeled P1, P2, and P3) to represent the three nodes n1, n2, and n3. Place P1 holds two tokens (drawn as ellipses), one representing device d1 and one representing the malicious worm infecting it. Place P2 holds a single token, representing device d2 in a normal state. Place P3 holds two tokens, representing device d3 and the white-hat worm infecting it. Each token corresponds to an agent, and its state transitions are described by the corresponding agent net. Agent nets use places (circles) for states (e.g., p1 for normal) and transitions (squares) for actions (e.g., t1 for being infected).

Consider the agent net for device d1. The initial state p1 is a normal device. Transition t1 models the "infected" action and moves the device to the infected state p2. Rebooting an infected device returns it to normal, but there is usually a delay between infection and reboot, represented by a path through further places and transitions. Which path a device takes through its agent net depends on the type of worm infecting it: a device infected by a malicious worm cycles through p1, t1, p2, t2, p3, and so on, whereas a device infected by a white-hat worm follows a different cycle (p1, t1, p2, t2, p3, t6, and so on). White-hat worms have one additional capability: triggering secondary infections on devices already compromised by malicious worms (transitions t9, t10, t11, and t12). By adjusting the firing probabilities of these transitions, the aggressiveness of the white-hat worm's secondary infection can be controlled.

The PN2 model of BDS allows its behavior to be simulated through a token game. Transitions drawn in red are currently enabled (fireable). Consider transition T113. Firing it means that the malicious worm residing on node n1 attempts to infect device d2 on node n2: T113 synchronizes the worm's action "m_infect" with the device's action "infect." T113 is fireable because all of the following hold: a token representing the malicious worm is present at one input place (P1) of T113, and the agent net of the malicious worm has a fireable transition (t1) labeled "m_infect"; a token representing device d2 is present at the other input place (P2) of T113, and the agent net of device d2 has a fireable transition (t1) labeled "infect."
Figure 1: PN2 model representing BDS defending a network composed of three devices.
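The token game described above, implemented as an added example (this is not the PN2Simulator's code or the authors' model): a small Python PN2 with an environment net for the three-node network of Figure 1 and agent nets for devices and worms. The agent nets, the labels (m_infect, w_infect, w_sec_infect, reboot_m, reboot_w, die), the transition names such as "m_infect:n1->n2" (standing in for the page's T113) and the weighting of secondary infections are this example's own simplifications; the page's nets t1 to t12 are drawn in Figure 1 and are not reproduced here.

```python
"""PN2-style token game for the three-node network of Figure 1 (added example)."""
import random
from dataclasses import dataclass

# Agent nets as label -> (from_state, to_state); a transition is enabled when the
# agent sits in from_state. These nets are simplified and hypothetical: the page's
# own nets (t1 ... t12) are drawn in Figure 1, not reproduced in the text.
DEVICE_NET = {
    "m_infect":     ("normal",     "m_infected"),  # primary infection by a malicious worm
    "w_infect":     ("normal",     "w_infected"),  # primary infection by a white-hat worm
    "w_sec_infect": ("m_infected", "w_infected"),  # secondary infection of a malicious bot
    "reboot_m":     ("m_infected", "normal"),
    "reboot_w":     ("w_infected", "normal"),
}
MAL_WORM_NET = {"m_infect": ("active", "active"), "die": ("active", "dead")}
WH_WORM_NET = {"w_infect": ("active", "active"), "w_sec_infect": ("active", "active"),
               "die": ("active", "dead")}
INFECTIONS = ("m_infect", "w_infect", "w_sec_infect")


@dataclass
class Agent:
    kind: str    # "device", "mal_worm" or "wh_worm"
    net: dict
    state: str

    def can(self, label):
        return label in self.net and self.net[label][0] == self.state

    def fire(self, label):
        self.state = self.net[label][1]


def new_worm(kind):
    return Agent(kind, MAL_WORM_NET if kind == "mal_worm" else WH_WORM_NET, "active")


class PN2:
    """Environment net: one place per node holding agent tokens; edges are bidirectional."""

    def __init__(self, nodes, edges, sec_weight=1.0):
        self.places = {n: [] for n in nodes}
        self.edges = list(edges) + [(b, a) for a, b in edges]
        self.sec_weight = sec_weight   # firing weight of secondary infections (aggressiveness)

    def enabled(self):
        """Enabled environment transitions as (name, weight, action). An infection
        transition synchronises a worm token on src with a device token on dst."""
        out = []
        for src, dst in self.edges:
            for w in [a for a in self.places[src] if a.kind != "device"]:
                for d in [a for a in self.places[dst] if a.kind == "device"]:
                    for label in INFECTIONS:
                        if w.can(label) and d.can(label):
                            weight = self.sec_weight if label == "w_sec_infect" else 1.0
                            out.append((f"{label}:{src}->{dst}", weight,
                                        lambda w=w, d=d, dst=dst, label=label: self._infect(w, d, dst, label)))
        for p, agents in self.places.items():          # reboot: device and its worm fire together
            for d in [a for a in agents if a.kind == "device"]:
                for label in ("reboot_m", "reboot_w"):
                    if d.can(label) and any(a.can("die") for a in agents if a.kind != "device"):
                        out.append((f"{label}:{p}", 1.0,
                                    lambda d=d, p=p, label=label: self._reboot(d, p, label)))
        return out

    def _infect(self, worm, dev, dst, label):
        worm.fire(label)
        dev.fire(label)
        if label == "w_sec_infect":   # the white-hat worm evicts the malicious worm on dst
            self.places[dst] = [a for a in self.places[dst] if a.kind != "mal_worm"]
        self.places[dst].append(new_worm(worm.kind))   # a copy of the worm now lives on dst

    def _reboot(self, dev, p, label):
        dev.fire(label)
        self.places[p] = [a for a in self.places[p] if a.kind == "device"]   # worm tokens die

    def fire(self, name):
        """Fire one named transition, as clicking a red transition in the simulator would."""
        for n, _, act in self.enabled():
            if n == name:
                act()
                return True
        return False

    def step(self, rng):
        """The 'Random' button: fire one enabled transition chosen by weight."""
        trans = [t for t in self.enabled() if t[1] > 0]
        if not trans:
            return None
        name, _, act = rng.choices(trans, weights=[t[1] for t in trans])[0]
        act()
        return name

    def device_states(self):
        return {p: next(a.state for a in ags if a.kind == "device") for p, ags in self.places.items()}


def figure1(sec_weight=1.0):
    """Initial marking of Figure 1: d1 carries a malicious worm, d2 is clean, d3 a white-hat worm."""
    net = PN2(["n1", "n2", "n3"], [("n1", "n2"), ("n2", "n3")], sec_weight)
    net.places["n1"] += [Agent("device", DEVICE_NET, "m_infected"), new_worm("mal_worm")]
    net.places["n2"] += [Agent("device", DEVICE_NET, "normal")]
    net.places["n3"] += [Agent("device", DEVICE_NET, "w_infected"), new_worm("wh_worm")]
    return net


def token_game(steps, seed, sec_weight=1.0):
    """The 'Auto' button: up to n random firings; returns final device states and the trace."""
    rng = random.Random(seed)
    net = figure1(sec_weight)
    trace = []
    for _ in range(steps):
        name = net.step(rng)
        if name is None:          # nothing enabled: all devices rebooted clean
            break
        trace.append(name)
    return net.device_states(), trace


if __name__ == "__main__":
    net = figure1()
    print("enabled:", [n for n, _, _ in net.enabled()])
    net.fire("m_infect:n1->n2")            # the page's T113
    print("enabled after T113:", [n for n, _, _ in net.enabled()])
    print(token_game(steps=20, seed=7, sec_weight=3.0))
```

An environment transition is enabled only when a worm token and a device token in adjacent places each have an enabled agent transition with the same label, which is exactly the condition the text gives for T113. After "m_infect:n1->n2" fires, the only infection left enabled is the white-hat worm's secondary infection of d2, mirroring the state the simulation screen shows. The sec_weight parameter plays the role of the firing probability the text uses to tune the white-hat worm's aggressiveness; setting it to 0 disables secondary infection entirely.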

Simulation

PN2Simulator is a software tool that empowers users to edit PN2 models and play interactive token games directly. Figure 2 showcases the PN2Simulator's operation screen. The screen is divided into two main sections:
  • Left Side: Environment net - This section visually depicts the environment net, providing an overview of the network structure.
  • Right Side: Agent nets - Here, individual agent nets corresponding to devices and worms are displayed.
The tabs at the top of the screen ("Edit" and "Simulate") switch between the editing and simulation modes. Figure 2 shows the editing mode. Here, users add PN2 elements to the model by clicking the desired button ("Place," "Transition," or "Arc") and then clicking the element's location on the canvas. This interface lets researchers and analysts construct and explore PN2 models of the interactions within the BDS system.

Figure 2: PN2Simulator editing screen showing the PN2 model of Figure 1.
Figure 3 depicts the PN2Simulator's simulation screen, an interactive environment for simulating the behavior of the PN2 model. Transitions highlighted in red are currently enabled. Clicking a red transition fires it, simulating the corresponding action in the model. Pressing the "Random" button fires one transition chosen at random from the currently enabled set. Entering a number n in the "Count" text field and clicking the "Auto" button performs n consecutive random firings, which is equivalent to pressing "Random" n times. The simulation screen shows the state after transition T113 has fired in the state of Figure 1. Device d2 is now infected by the malicious worm, so the white-hat worm can attempt a secondary infection of it; clicking the fireable transition T112 simulates this attempt. This interactive environment lets researchers experiment with different scenarios and study the dynamic behavior of the BDS system.
Figure 3: PN2Simulator simulation screen after transition T113 has fired.

Prototyping

BDS is under development in a local IoT network. The prototype uses ten OpenWrt devices as targets; OpenWrt is a popular operating system for routers and other IoT devices. Both the malicious and the white-hat worms are built from Mirai's source code, which kept their behavior realistic while significantly streamlining development. Before building them, we removed from the source code the parts related to DDoS attacks and other malicious activities.
Figure 4 depicts a specific infection scenario involving both a malicious and a white-hat botnet. Here, we assume the following initial state.
  • Device 0 is infected by a malicious worm.
  • Device 4 is infected by a white-hat worm.
  • All other devices are in a normal state.
The sequence diagram outlines the subsequent interactions.
  1. Device 0 joins the malicious botnet: Device 0 registers as a malicious bot with the malicious C&C server.
  2. Device 4 joins the white-hat botnet: Device 4 registers as a white-hat bot with the white-hat C&C server.
  3. Malicious worm infection: The malicious worm on Device 0 successfully infects Device 2.
  4. Device 2 joins the malicious botnet: Once infected, Device 2 becomes a malicious bot and registers with the malicious C&C server, expanding the malicious botnet.
  5. White-hat worm infection: The white-hat worm on Device 4 infects Device 3.
  6. Device 3 joins the white-hat botnet: Once infected, Device 3 becomes a white-hat bot and registers with the white-hat C&C server, reinforcing the white-hat botnet.
  7. Secondary infection: This step demonstrates a key strength of white-hat bots, their ability to perform secondary infections. The white-hat worm on Device 4 successfully infects Device 2, which was previously compromised by the malicious worm.
  8. Device 2 switches to the white-hat botnet: As a result of the secondary infection, Device 2 comes under the control of the white-hat bot. It disconnects from the malicious C&C server and registers with the white-hat C&C server, leaving the malicious botnet.
  9. The malicious worm continues to spread: Meanwhile, the malicious worm on Device 0 remains active and infects Device 1.
  10. Device 1 joins the malicious botnet: Device 1 becomes a malicious bot and registers with the malicious C&C server, further expanding the malicious botnet.
  11. White-hat bot lifespan expires: The white-hat bot on Device 4 reaches the end of its lifespan and self-destructs.

Figure 4: Sequence diagram of the infection scenario on the prototype IoT network.
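The Figure 4 scenario replayed in an added example (a hypothetical model, not the prototype's Mirai-derived code): each C&C server is a registry of bot IDs, infection attempts are applied in the order of the sequence diagram, and white-hat bots age by one unit per step and self-destruct when they reach a lifespan parameter. The lifespan unit, the assumption that an expired white-hat bot leaves its device in a normal state, and the rule that a malicious worm cannot take over a white-hat bot (the page credits secondary infection to white-hat bots only) are this example's assumptions.

```python
"""Figure 4 scenario as a hypothetical testbed model (added example, not the prototype's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

MAL, WH = "malicious", "white-hat"


@dataclass
class CnC:
    """Command-and-control server: the set of bots currently registered with it."""
    name: str
    bots: Set[int] = field(default_factory=set)


@dataclass
class Device:
    dev_id: int
    worm: Optional[str] = None   # None (normal state), MAL or WH
    age: int = 0                 # steps since a white-hat worm arrived


class Testbed:
    def __init__(self, n_devices: int, lifespan: int):
        self.devices = {i: Device(i) for i in range(n_devices)}
        self.cnc = {MAL: CnC(MAL), WH: CnC(WH)}
        self.lifespan = lifespan      # white-hat worm lifespan, in steps (assumed unit)
        self.log: List[str] = []

    def _take_over(self, dev_id: int, worm: str) -> None:
        d = self.devices[dev_id]
        if d.worm is not None:                       # disconnect from the old C&C server first
            self.cnc[d.worm].bots.discard(dev_id)
        d.worm, d.age = worm, 0
        self.cnc[worm].bots.add(dev_id)              # register with the new C&C server
        self.log.append(f"device {dev_id} joins the {worm} botnet")

    def seed(self, dev_id: int, worm: str) -> None:
        """Initial state: a device already carrying a worm registers with its C&C server."""
        self._take_over(dev_id, worm)

    def infect(self, src: int, dst: int) -> bool:
        """The worm on src tries to infect dst; True if dst changed botnet."""
        s, d = self.devices[src], self.devices[dst]
        if s.worm is None or d.worm == s.worm:
            return False                             # source expired, or dst already a peer
        if s.worm == MAL and d.worm == WH:
            return False                             # only white-hat worms do secondary infection
        self._take_over(dst, s.worm)                 # primary or secondary infection
        return True

    def tick(self) -> None:
        """One time step: white-hat bots age and self-destruct at the end of their lifespan."""
        for d in self.devices.values():
            if d.worm == WH:
                d.age += 1
                if d.age >= self.lifespan:
                    self.cnc[WH].bots.discard(d.dev_id)
                    d.worm = None                    # assumption: device returns to a normal state
                    self.log.append(f"white-hat bot on device {d.dev_id} expires")


# Infection attempts in the order of the sequence diagram (steps 3, 5, 7 and 9).
FIGURE4_ATTEMPTS: List[Tuple[int, int]] = [(0, 2), (4, 3), (4, 2), (0, 1)]


def run_figure4(lifespan: int) -> Tuple[List[int], List[int], List[int]]:
    """Replay the Figure 4 scenario; return (malicious bots, white-hat bots, normal devices)."""
    tb = Testbed(5, lifespan)
    tb.seed(0, MAL)                                  # steps 1 and 2: the seeded bots register
    tb.seed(4, WH)
    for src, dst in FIGURE4_ATTEMPTS:
        tb.infect(src, dst)
        tb.tick()
    normal = [i for i, d in tb.devices.items() if d.worm is None]
    return sorted(tb.cnc[MAL].bots), sorted(tb.cnc[WH].bots), normal


if __name__ == "__main__":
    for life in (1, 2, 3, 4):
        print(f"lifespan={life}: malicious, white-hat, normal =", run_figure4(life))
```

With lifespan=4 the run ends as the text does: devices 0 and 1 in the malicious botnet, devices 2 and 3 in the white-hat botnet, and the white-hat bot on device 4 expired. With lifespan=1 or 2 the white-hat bot on device 4 dies before it can reach device 2, and the malicious botnet ends with three members; a longer lifespan keeps more white-hat bots alive but costs more device resources, which is the trade-off the Strategy section describes.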

Publications

Books
  1. Shingo Yamaguchi, "Botnet Defense System: A System to Fight Botnets with Botnets," in Gritzalis D., Choo K.-K. R., Patsakis C. (eds.) Malware - Handbook of Prevention and Detection, Springer (Advances in Information Security), 2024 (to appear).
  2. Shingo Yamaguchi, Brij Gupta, "Botnet Defense System and White-Hat Worm Launch Strategy in IoT Network," in Brij B. Gupta (ed.) Advances in Malware and Data-Driven Network Security, chapter 8, pp.176-198, 2021.11. (ISBN: 9781799877905) DOI: 10.4018/978-1-7998-7789-9.ch008
  3. Shingo Yamaguchi, Brij Gupta, "Malware Threat in Internet of Things and Its Mitigation Analysis," in Ramesh C. Joshi, Brij B. Gupta (eds.) Security, Privacy, and Forensics Issues in Big Data, chapter 16, pp.363-379, 2019.8. (ISBN: 9781522597421) DOI: 10.4018/978-1-7998-5348-0.ch020
Journals
  1. Mohd Anuaruddin Bin Ahmadon, Shingo Yamaguchi, "Diffusion of White-Hat Botnet Using Lifespan with Controllable Ripple Effect for Malware Removal in IoT Networks," Sensors, vol.23, 1018, 2023.1. DOI: 10.3390/s23021018
  2. Shingo Yamaguchi, "Botnet Defense System: Observability, Controllability, and Basic Command and Control Strategy," Sensors, vol.22, no.23, 9423, 2022.12. DOI: 10.3390/s22239423
  3. Xiangnan Pan, Shingo Yamaguchi, "Machine Learning White-Hat Worm Launcher for Tactical Response by Zoning in Botnet Defense System," Sensors, vol.22, no.13, 4666, 2022.6. DOI: 10.3390/s22134666
  4. Xiangnan Pan, Shingo Yamaguchi, Taku Kageyama, and Mohd Hafizuddin Bin Kamilin, "Machine-Learning-Based White-Hat Worm Launcher in Botnet Defense System," International Journal of Software Science and Computational Intelligence (IJSSCI), vol.14, no.1, pp.1-14, 2022.2. DOI: 10.4018/IJSSCI.291713
  5. Shingo Yamaguchi, "Botnet Defense System: Concept, Design, and Basic Strategy," Information, vol.11, 516, 15 pages, 2020.11. DOI: 10.3390/info11110516
  6. Shingo Yamaguchi, Hiroaki Tanaka, Mohd Anuaruddin Bin Ahmadon, "Modeling and Evaluation of Mitigation Methods against IoT Malware Mirai with Agent-Oriented Petri Net PN2", International Journal of Internet of Things and Cyber-Assurance, vol.1, nos.3/4, pp.195-213, 2020.1. DOI: 10.1504/IJITCA.2019.10021463
  7. Shingo Yamaguchi, "White-Hat Worm to Fight Malware and Its Evaluation by Agent-Oriented Petri Nets," Sensors, vol.20, issue 2, 556, 2020.1. DOI: 10.3390/s20020556
Proceedings

Videos

References