Botnet Defense System

Botnet Defense System [Japanese] [English] [Chinese] [Shingo Yamaguchi] Last updated: 2024/05/01

Botnet Defense System: A Cybersecurity System Utilizing White-Hat Botnets

Botnet Defense System (BDS) is a cybersecurity system that takes the unique approach of countering malicious botnets with botnets of its own construction, embodying the principle of "fight fire with fire". Unlike traditional botnets created with malicious intent, BDS utilizes white-hat botnets that are developed for ethical purposes. These white-hat botnets propagate autonomously throughout Internet of Things (IoT) networks, actively disrupting and neutralizing malicious botnets. This innovative approach is expected to significantly enhance network defense capabilities.


Prototype	Botnet threat and BDS operation	PN2Simulator

Background

In September 2016, cybercriminals launched a devastating distributed denial-of-service (DDoS) attack by exploiting vulnerabilities in IoT devices. This attack crippled major websites like Amazon, Twitter (now known as X), and many others. The attacks were triggered by the Mirai malware [Antonakakis2017], which hijacked vulnerable IoT devices and turned them into malicious botnets. DDoS attacks from Mirai botnets tend to be massive and disruptive. In fact, French hosting company OVH was attacked by more than 100,000 IoT devices at over 1 Tbps. The escalating severity of these attacks stems from three characteritics of IoT devices: large volume, pervasiveness, and high vulnerability [Kolias2017]. By early October 2016, the Mirai malware had become a global pandemic, infecting over 300,000 devices across 164 countries, including emerging and developing economies [Nakao2018]. No matter worse, the creator of Mirai released its source code. This allowed other cybercriminals for the creation of even more dangerous variants. These variants, such as Satori, Okiru, and OMG, boast enhanced attack capabilities and pose a significant threat of infecting a far greater number of IoT devices. Despite being seven years old, Mirai and its variants remain a significant threat worldwide. In fact, in June 2021, a new type of botnet called Meris appeared and made headlines as the "return of Mirai." [Meris2021]

System Architecture

The BDS system utilizes a component-based architecture comprised of four distinct modules:

Monitor: This module continuously monitors the IoT network for signs of malicious botnet activity. Upon detection, the Monitor gathers information about the botnet, including its type and infection status.
Strategy Planner: Leveraging the data provided by the Monitor, the Strategy Planner meticulously analyzes the characteristics of the detected botnet. This analysis forms the basis for a customized strategy to effectively neutralize the threat. The strategy outlines the creation and operation of a white-hat botnet specifically designed to counter the identified malicious botnet.
Worm Launcher: The Worm Launcher plays a crucial role in deploying the strategy. It strategically releases white-hat worms onto the IoT network. These white-hat worms then propagate and establish a controlled white-hat botnet.
Command and Control (C&C) Server: This component acts as the brain of the white-hat botnet. The C&C server provides strategic direction and control over the autonomous operations of the white-hat botnet. By meticulously managing the botnet's actions, the C&C server ensures the effective neutralization of the malicious botnet.

This modular architecture allows for efficient and scalable operation of the BDS system, enabling it to effectively combat a wide range of botnet threats within IoT networks.

Process

BDS takes the following steps:

Network Monitoring and Malicious Botnet Detection: BDS continuously monitors the network to identify malicious botnets.
Extermination Strategy Development: Based on the detected botnet's characteristics, BDS formulates a customized strategy to effectively eliminate it.
White-Hat Botnet Creation: To execute the strategy, BDS deploys white-hat worms onto the network. These white-hat worms then establish a controlled white-hat botnet.
Autonomous White-Hat Botnet Control: BDS strategically directs and manages the white-hat botnet's autonomous operations to neutralize the malicious botnet.

By employing this strategic use of white-hat botnets, BDS offers a promising solution for bolstering network defenses against ever-evolving cyber threats.

Strategy

While BDS leverages white-hat botnets to combat malicious botnets, it is crucial to acknowledge the inherent trade-off. These white-hat botnets, though effective in neutralizing malicious counterparts, also consume additional system resources. Therefore, the success of BDS hinges on strategic planning to optimize resource utilization. The strategy planner plays a pivotal role in BDS. It analyzes threat data from the monitor and formulates two critical strategies: building and operating strategies.

Botnet building strategies

All-Out Strategy: This approach deploys white-hat worms to all accessible devices within the network. While comprehensive, it may consume excessive resources.
Few-Elite Strategy: This strategy targets a select number of devices with white-hat worms. However, the choice of devices depends on the capabilities of the white-hat worms (lifespan and infection potential) in relation to the malicious botnet's infection status and capabilities.
Environment-Adaptive Strategy: This approach takes network characteristics, such as topology and density, into account when deploying white-hat worms. By targeting strategically, it aims to achieve efficient white-hat botnet creation.

Botnet operating strategy

Pull-Out Strategy: Once the malicious botnet is neutralized, this strategy ensures the self-destruction of the white-hat botnet, minimizing resource consumption.

Mathematical Modeling and Analysis

BDS, due to its inherent complexity, can benefit greatly from mathematical modeling and analysis. The dynamic interaction between malicious and white-hat botnets within the system can be regarded as a multi-agent system. To delve deeper into its behavior, researchers have employed a mathematical framework called "Petri Nets in a Petri Net" (PN2). PN2 leverages two layers of Petri nets: an environment net and agent nets. The environment net captures external factors influencing agents, while agent nets depict their internal decision-making processes. Notably, PN2 represents each token in the environment net as a one-to-one correspondence to the agent net. This unique feature enables modeling of several key agent behaviors:

Agent Movement: The physical locations of agents within the network are mapped to nodes in the environment net. Movement of tokens within this net corresponds to the physical movement of agents.
Agent Duplication and Termination: Token creation in the environment net represents agent replication, while token removal signifies agent termination.
Dynamic Agent Interaction: Transitions within the environment net depict interactions between agents. Unlike standard Petri nets, these transitions do not fire solely based on tokens at their input places. Firing occurs only when the tokens represent agents capable of performing the interaction's required actions. PN2 does not predetermine the specific combination of agents involved, but rather dynamically binds them based on their capabilities. This allows agents with the same action set to substitute for each other.

To demonstrate the application of PN2, let us consider a network with three linearly connected nodes: n1, n2, and n3. Assume the following initial state of the device at each node.

Node n1: Device d1 is infected by a malicious worm and has become a malicious bot.
Node n2: Device d2 is in a normal state.
Node n3: Device d3 is infected by a white-hat worm and has become a white-hat bot.

Figure 1 presents a PN2 model depicting the example network. This model comprises a central environment net and five surrounding agent nets. The environment net (located in the center) utilizes places (drawn as circles, labeled as P1, P2, and P3) to represent the three nodes (n1, n2, and n3) in the network. Place P1 has two tokens (drawn as ellipses), each of which represents device d1 and a malicious worm infecting it. Place P2 has only one token, which represents device d2 in a normal state. Place P3 has two tokens, each representing device d3 and a white-hat worm infecting it. Each token corresponds to an agent, and its state transitions are detailed by the corresponding agent net. These nets utilize places (drawn as circles) to represent states (e.g., p1 for normal) and transitions (drawn as squares) to depict actions (e.g., t1 for infected). Consider the agent net for device d1. The initial state (p1) signifies a normal device. Transition t1 models the "infected" action, causing the device to transition to the infected state (p2). While rebooting an infected device can return it to normal, there is often a delay between infection and reboot (represented by a path). The path a device takes through the agent net depends on the type of worm infecting it. If infected by a malicious worm, the device progresses through a cycle of states (p1, t1, p2, t2, p3, etc.). However, if infected by a white-hat worm, it follows a different cycle (p1, t1, p2, t2, p3, t6, etc.). White-hat worms possess an additional capability. Triggering secondary infections on devices already compromised by malicious worms (represented by transitions t9, t10, t11, and t12). By adjusting the firing probabilities of these transitions, researchers can control the aggressiveness of the white-hat worm's secondary infection ability. The PN2 model of BDS facilitates the simulation of its behavior through a process called a token game. In this game, red transitions signify that they are currently eligible to fire (executable). Let us focus on transition T113. Firing of this transition indicates that the malicious worm residing on node n1 is attempting to infect device d2 on node n2. T113 represents the interaction between the worm's action "m_infect" and the device's action "infect." Here is why T113 is fireable. A token representing the malicious worm is present at an input place (P1) of T113. The agent net for the malicious worm has a fireable transition (t1) labeled "m_infect." Additionally, a token representing device d2 exists at another input place (P2) of T113. The agent net for device d2 also has a fireable transition (t1) labeled "infect." These conditions collectively enable T113 to fire.

Figure 1: PN2 model representing BDS defending a network composed of three devices.

Simulation

PN2Simulator is a software tool that empowers users to edit PN2 models and play interactive token games directly. Figure 2 showcases the PN2Simulator's operation screen. The screen is divided into two main sections:

Left Side: Environment net - This section visually depicts the environment net, providing an overview of the network structure.
Right Side: Agent nets - Here, individual agent nets corresponding to devices and worms are displayed.

The tabs located at the top of the screen ("Edit" and "Simulate") allow users to seamlessly switch between the editing and simulation modes. Figure 2 specifically highlights the editing mode. Here, users can effortlessly add new PN2 elements to the model. Simply clicking the desired button ("Place," "Transition," or "Arc") and using the mouse to specify the element's location on the screen facilitates the creation of new places, transitions, and arcs within the PN2 model. This user-friendly interface empowers researchers and analysts to construct and explore PN2 models with ease, fostering a deeper understanding of the dynamic interactions within the BDS system.

Figure 2: PN2 model representing BDS defending a network composed of three devices.

Figure 3 depicts the PN2Simulator's simulation screen. This screen provides an interactive environment for simulating the behavior of the PN2 model. Transitions highlighted in red signify that they are currently eligible to fire. Clicking on a red transition triggers its execution, simulating the corresponding action within the model. Pressing the "Random" button initiates the random firing of a single transition from the set of currently fireable transitions. Entering a number (n) in the "Count" text field and clicking the "Auto" button simulates n consecutive random firings of transitions. This is equivalent to pressing the "Random" button n times. The simulation screen shows the state after transition T113 fires in the state shown in Figure 1. In this state, the white-hat worm on the central node is attempting to launch a secondary infection on the device located on the left node. Clicking the fireable transition T112 would simulate this attempted secondary infection. This interactive simulation environment empowers researchers to experiment with different scenarios and gain valuable insights into the dynamic behavior of the BDS system.

Figure 3: PN2 model representing BDS defending a network composed of three devices.

Prototyping

BDS is under development in a local IoT network. The implementation leverages Mirai's source code as a foundation, with modifications to create both malicious and white-hat botnets.

Lifespan: A critical aspect of white-hat bots is their finite lifespan. The implementation incorporates a mechanism to terminate the white-hat worm process once its predetermined lifespan elapses after infecting a device.
Secondary infection ability: Unlike traditional botnets where ports are closed after infection, white-hat bots maintain open ports used for infection even after successfully compromising a device. This enables them to launch secondary infections if they detect the presence of malicious worms on the compromised device. Upon such detection, the white-hat bot can terminate the malicious worm process, neutralizing the threat.

The implementation employed ten OpenWrt devices as targets. OpenWrt is a popular operating system for routers and various IoT devices. By adapting the Mirai source code, the development process was significantly streamlined, while maintaining realistic bot behavior within the simulated environment.

Figure 4 depicts a specific infection scenario involving both a malicious and a white-hat botnet. Here, we assume the following initial state.

Device 0 is infected by a malicious worm.
Device 4 is infected by a white-hat worm.
All other devices are in a normal state.

The sequence diagram outlines the subsequent interactions.

Device 0 joins malicious botnet: Device 0 registers as a malicous bot with a malicious C&C server.
Device 1 joins the white-hat botnet: Device 1 registers as a white-hat bot with a White-hat C&C server.
Malicious worm infection: Malicious worm present on Device 0 successfully infects Device 2.
Device 2 joins malicious botnet: After infection, Device 2 becomes a malicious bot and registers with a malicious C&C server, expanding the botnet.
White-hat worm infection: White-hat worm on Device 4 infects Device 3.
Device 3 joins the white-hat botnet: Device 3 transforms into a White-hat bot when infected and registers with a White-hat C&C server, thereby reinforcing the presence of the White-hat botnet.
Secondary Infection: This step demonstrates a key strength of White-hat bots: their ability to initiate secondary infections. Here, the white-hat worm on Device 4 successfully infects Device 2, which was previously compromised by the malicious worm.
Device 2 is infected: As a result of the secondary infection, Device 2 comes under the control of the white-hat bot. Device 2 is disconnected from the malicious C&C server and registers with the white-hat C&C server, effectively disassociating itself from the malicious botnet.
The malicious worm continues to spread: Meanwhile, the malicious worm on Device 0 remains active and infects Device 1.
Device 1 joins the malicious botnet: Device 1 succumbs to the infection and becomes a malicious bot. It registers with a malicious C&C server, further expanding the scope of the malicious botnet.
White-hat bot lifespan expires: Due to its lifespan, the white-hat bot on Device 4 reaches its operational lifespan and self-destructs.

Figure 4: PN2 model representing BDS defending a network composed of three devices.

Publications

Any

Google Scholar

Books

Shingo Yamaguchi, "Botnet Defense System: A System to Fight Botnets with Botnets," in Gritzalis D., Choo K.-K. R., Patsakis C. (eds.) Malware - Handbook of Prevention and Detection, Springer (Advances in Information Security), 2024 (to appear).
Shingo Yamaguchi, Brij Gupta, "Botnet Defense System and White-Hat Worm Launch Strategy in IoT Network," in Brij B. Gupta (ed.) Advances in Malware and Data-Driven Network Security, chapter 8, pp.176-198, 2021.11. (ISBN: 9781799877905) DOI: 10.4018/978-1-7998-7789-9.ch008
Shingo Yamaguchi, Brij Gupta, "Malware Threat in Internet of Things and Its Mitigation Analysis," in Ramesh C. Joshi, Brij B. Gupta (eds.) Security, Privacy, and Forensics Issues in Big Data, chapter 16, pp.363-379, 2019.8. (ISBN: 9781522597421) DOI: 10.4018/978-1-7998-5348-0.ch020

Jounals

Mohd Anuaruddin Bin Ahmadon, Shingo Yamaguchi, "Diffusion of White-Hat Botnet Using Lifespan with Controllable Ripple Effect for Malware Removal in IoT Networks," Sensors, vol.23, 1018, 2023.1. DOI: 10.3390/s23021018
Shingo Yamaguchi, "Botnet Defense System: Observability, Controllability, and Basic Command and Control Strategy," Sensors, vol.22, no.23, 9423, 2022.12. DOI: 10.3390/s22239423
Xiangnan Pan, Shingo Yamaguchi, "Machine Learning White-Hat Worm Launcher for Tactical Response by Zoning in Botnet Defense System," Sensors, vol.22, no.13, 4666, 2022.6. DOI: 10.3390/s22134666
Xiangnan Pan, Shingo Yamaguchi, Taku Kageyama, and Mohd Hafizuddin Bin Kamilin, "Machine-Learning-Based White-Hat Worm Launcher in Botnet Defense System," International Journal of Software Science and Computational Intelligence (IJSSCI), vol.14, no.1, pp.1-14, 2022.2. DOI: 10.4018/IJSSCI.291713
Shingo Yamaguchi, "Botnet Defense System: Concept, Design, and Basic Strategy," Information, vol.11, 516, pages 15, 2020.11. DOI: 10.3390/info11110516
Shingo Yamaguchi, Hiroaki Tanaka, Mohd Anuaruddin Bin Ahmadon, "Modeling and Evaluation of Mitigation Methods against IoT Malware Mirai with Agent-Oriented Petri Net PN2", International Journal of Internet of Things and Cyber-Assurance, vol.1, nos.3/4, pp.195-213, 2020.1. DOI: 10.1504/IJITCA.2019.10021463
Shingo Yamaguchi, "White-Hat Worm to Fight Malware and Its Evaluation by Agent-Oriented Petri Nets," Sensors, vol.20, issue 2, 556, 2020.1. DOI: 10.3390/s20020556

Proceedings

Semantic Scholar

Videos

Shingo Yamaguchi, "Research and Development of Botnet Defense System," In: S. Yamamoto, H. Mori (eds) Human Interface and the Management of Information: Applications in Complex Technological Environments. HCII 2022. Lecture Notes in Computer Science, vol 13306. Springer, Cham., 2022. 10.1007/978-3-031-06509-5_30

Reference

[Antonakakis2017] M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J.A. Halderman, L. Invernizzi, M. Kallitsis, et al., "Understanding the mirai botnet," Proc. of 26th USENIX Security Symposium (USENIX Security 17), pp.1093-1110, 2017. DOI: 10.5555/3241189.3241275
[Kolias2017] C. Kolias, G. Kambourakis, A. Stavrou, J. Voas, "DDoS in the IoT: Mirai and Other Botnets," IEEE Computer, vol.50, no.7, pp.80-84, 2017. DOI: 10.1109/MC.2017.201
[Nakao2018] K. Nakao, "Proactive cyber security response by utilizing passive monitoring technologies," Proc. of 2018 IEEE International Conference on Consumer Electronics (ICCE), p.1, 2018. DOI: 10.1109/ICCE.2018.8326061
[Meris2021] "Meris botnet breaks records," Network Security, vol.9, no.3, 2021. DOI: 10.1016/S1353-4858%2821%2900098-2