Botnet Defense System and White-Hat Worm Launch Strategy in IoT Network

Copyright: © 2022 |Pages: 21
DOI: 10.4018/978-1-7998-7789-9.ch008

Abstract

This chapter introduces a new kind of cybersecurity system, the botnet defense system (BDS), that defends an IoT system against malicious botnets. The chapter consists of two parts. The first part describes the concept and design of the BDS. The concept is “fight fire with fire”: the BDS itself uses bot technology, building a white-hat botnet on the IoT system and using it to exterminate the malicious botnets. Because the white-hat botnet spreads autonomously over the IoT system, it drastically increases the defense capability. The second part explains the BDS's strategy. The white-hat botnet is a double-edged sword: it defends the IoT system against malicious botnets but consumes the system's resources, so the BDS must deploy it strategically. Several launch strategies have been proposed, and their characteristics are compared through simulation with agent-oriented Petri nets.
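The white-hat worm dynamics described in the abstract, as an added toy simulation written for this page (it is not the chapter's agent-oriented Petri-net model, whose details are not reproduced here). Nodes on an assumed ring-with-chords topology are clean, malicious-bot-infected, or white-hat-infected; the malicious worm infects clean neighbours, the white-hat worm takes over both clean and malicious neighbours, and every node-step a white-hat bot spends running is counted as resource cost. The two launch rules (a fixed launch step, and a launch triggered when the observed malicious count reaches a threshold) are assumptions used to illustrate the strategy trade-off, not the chapter's strategies.

```python
"""Toy agent-based model of the 'fight fire with fire' idea behind a botnet
defense system (BDS). Added illustration with an assumed topology and assumed
launch rules; it is not the chapter's agent-oriented Petri-net model."""
import random
from dataclasses import dataclass

CLEAN, MAL, WH = "clean", "malicious", "white-hat"


def ring_with_chords(n, chord=3):
    """Assumed IoT topology: a ring where node i also links to i+chord (mod n)."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for j in ((i + 1) % n, (i + chord) % n):
            adj[i].add(j)
            adj[j].add(i)
    return {i: sorted(v) for i, v in adj.items()}


def fixed_launch(step, seeds):
    """Launch rule 1 (assumed): release white-hat bots on `seeds` at a fixed step."""
    return lambda t, mal_count: list(seeds) if t == step else []


def threshold_launch(min_malicious, seeds):
    """Launch rule 2 (assumed): release once the observed malicious-bot count
    reaches `min_malicious`; fires at most once per run."""
    fired = False

    def rule(t, mal_count):
        nonlocal fired
        if not fired and mal_count >= min_malicious:
            fired = True
            return list(seeds)
        return []
    return rule


@dataclass
class Result:
    history: list        # (clean, malicious, white-hat) node counts after each step
    wh_node_steps: int   # resource cost: node-steps spent running a white-hat bot

    @property
    def final(self):
        return self.history[-1]


def simulate(n=24, steps=40, p_mal=0.6, p_wh=0.8, wh_lifetime=None,
             launch_rule=None, seed=1):
    """Run `steps` rounds. Malicious bots infect CLEAN neighbours with prob p_mal;
    white-hat bots take over any non-white-hat neighbour with prob p_wh (so they
    exterminate malicious bots); a white-hat bot self-removes after wh_lifetime
    rounds if that is set. Node 0 starts as patient zero."""
    rng = random.Random(seed)
    adj = ring_with_chords(n)
    state, age = [CLEAN] * n, [0] * n
    state[0] = MAL
    cost, history = 0, []
    for t in range(steps):
        mal_count = state.count(MAL)
        for s in (launch_rule(t, mal_count) if launch_rule else []):
            state[s], age[s] = WH, 0     # BDS installs a white-hat bot, overwriting the node
        nxt = list(state)
        for v in range(n):               # malicious bots spread to clean neighbours
            if state[v] == MAL:
                for u in adj[v]:
                    if state[u] == CLEAN and rng.random() < p_mal:
                        nxt[u] = MAL
        for v in range(n):               # white-hat bots spread to clean AND malicious neighbours
            if state[v] == WH:
                for u in adj[v]:
                    if state[u] != WH and rng.random() < p_wh:
                        nxt[u] = WH
        for v in range(n):               # running a white-hat bot costs resources; optional self-removal
            if nxt[v] == WH:
                age[v] = age[v] + 1 if state[v] == WH else 0
                if wh_lifetime is not None and age[v] >= wh_lifetime:
                    nxt[v] = CLEAN       # freed node can be re-infected, like a rebooted device
        cost += nxt.count(WH)
        state = nxt
        history.append((state.count(CLEAN), state.count(MAL), state.count(WH)))
    return Result(history, cost)


if __name__ == "__main__":
    for name, rule in (("no defense", None),
                       ("fixed launch", fixed_launch(5, (12,))),
                       ("threshold launch", threshold_launch(6, (12,)))):
        r = simulate(launch_rule=rule, wh_lifetime=8)
        print(f"{name:17s} final (clean, malicious, white-hat)={r.final} cost={r.wh_node_steps}")
```

With p_mal = p_wh = 1.0 and no lifetime the run is deterministic: the white-hat worm eventually overwrites every malicious bot, but at the price of occupying every node until the end of the run, which is the double-edged-sword trade-off the abstract describes. Giving the white-hat bot a short wh_lifetime lowers the cost but lets malicious bots re-enter the freed nodes, much as a rebooted device is re-infected.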
Chapter Preview

Introduction

The Internet of Things (IoT) aims to let everything, humans included, interact and create new value by sharing information. IoT has enriched our lives while giving rise to a new class of cybersecurity risk. IoT devices are multiplying explosively, and their number is predicted to reach 30 billion by 2023 (Cisco, 2020). The problem is that most of them are poorly protected: they lack the resources to run security functions, and their vendors may sacrifice security under price competition or in the rush to market. In September and October 2016, that risk became reality. IoT devices were used as a springboard for giant distributed denial-of-service (DDoS) attacks, which struck many of the world’s biggest sites such as Netflix and Twitter (O’Brien, S.A., 2016). These attacks were carried out by malware called Mirai. Mirai infects IoT devices and turns them into bots, and those bots form a network (botnet) that can be used for DDoS attacks. For the details of Mirai, refer to (Sinaović, H., & Mrdovic, S., 2017) and (Yamaguchi, S. & Gupta, B., 2019). Mirai’s DDoS attacks tend to be large-scale and disruptive because IoT devices are numerous, pervasive, and highly vulnerable (Kolias, C., Kambourakis, G., Stavrou, A., & Voas, J., 2017). Mirai has spread to emerging markets and developing countries (Nakao, K., 2018); in early October 2016 it had infected over 300,000 IoT devices in 164 countries (Devry, J., 2016). To make matters worse, Mirai’s authors published its source code (Bonderud, D., 2016), which gave rise to many variants such as Satori (360 netlab, 2017) and Okiru (Arzamendi, P., Bing, M. & Soluk, K., 2018). Even now, five years after Mirai appeared, Mirai and its variants continue to rage all over the world (Milić, J., 2019).

Some techniques have been proposed against Mirai’s threat. The United States Computer Emergency Readiness Team (US-CERT) showed that rebooting an infected device clears Mirai (US-CERT, 2016), because Mirai runs only in the device's volatile memory and does not persist to storage. However, Moffitt, T. (2016) reported that Mirai can reinfect the device within minutes unless the underlying weakness (for Mirai, factory-default Telnet credentials) is fixed. Other techniques can be roughly divided into three categories: detection, mitigation, and spread prevention. The following are typical examples.

Detection Techniques: Bezerra, V.H., da Costa, V.G.T., Barbon, J., Miani, R.S., & Zarpelão, B.B. (2019) have proposed a host-based approach to detecting IoT botnets called IoTDS (Internet of Things Detection System). IoTDS monitors a device and collects its CPU use, temperature, memory consumption, and number of processes. If an anomaly is detected in these data, a botnet-detection alert is sent to a central server.

Meidan, Y., Bohadana, M., Mathov, Y., Mirsky, Y., Shabtai, A., Breitenbacher, D., & Elovici, Y. (2018) have proposed a network-based anomaly detection method for the IoT called N-BaIoT. N-BaIoT extracts statistical snapshots of each device's network behavior and uses deep autoencoders trained on benign traffic, so that traffic the autoencoder reconstructs poorly is flagged as anomalous and attributed to a compromised IoT device.
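A host-based detector of the IoTDS kind, as an added example written for this page (not the IoTDS implementation, which used a trained classifier): a device agent learns a per-metric baseline from a benign window of CPU use, temperature, memory and process count, then raises an alert when a reading drifts beyond an assumed z-score threshold. The telemetry is constructed inline, with an idle phase followed by a Mirai-like phase in which scanner processes appear and CPU and temperature climb. The same online baseline could be fed per-device traffic statistics instead of host metrics, which is the N-BaIoT setting, though N-BaIoT's autoencoder scoring is not reproduced here.

```python
"""Host-based IoT bot detection in the spirit of IoTDS: learn a baseline of
device telemetry, then flag readings that drift too far from it. Added
illustration; the per-metric z-score rule and the thresholds are assumptions."""
import math
import random
from dataclasses import dataclass, field

METRICS = ("cpu_pct", "temp_c", "mem_mb", "procs")
# Assumed minimum spread per metric, so a near-constant baseline (e.g. a fixed
# process count) cannot turn a one-process change into an enormous z-score.
STD_FLOOR = {"cpu_pct": 2.0, "temp_c": 0.5, "mem_mb": 2.0, "procs": 1.0}


@dataclass
class Baseline:
    """Welford's online mean/variance per metric, updated one sample at a time."""
    n: int = 0
    mean: dict = field(default_factory=lambda: {m: 0.0 for m in METRICS})
    m2: dict = field(default_factory=lambda: {m: 0.0 for m in METRICS})

    def update(self, sample):
        self.n += 1
        for m in METRICS:
            d = sample[m] - self.mean[m]
            self.mean[m] += d / self.n
            self.m2[m] += d * (sample[m] - self.mean[m])

    def std(self, m):
        return math.sqrt(self.m2[m] / (self.n - 1)) if self.n > 1 else 0.0


def score(baseline, sample):
    """Z-score of each metric against the baseline (std clamped by STD_FLOOR)."""
    return {m: (sample[m] - baseline.mean[m]) / max(baseline.std(m), STD_FLOOR[m])
            for m in METRICS}


def detect(samples, train_n=20, z_threshold=4.0):
    """Train on the first train_n samples (assumed benign), then return
    (index, worst_metric, z) for every later sample whose worst metric
    exceeds z_threshold in absolute value."""
    base = Baseline()
    for s in samples[:train_n]:
        base.update(s)
    alerts = []
    for i, s in enumerate(samples[train_n:], start=train_n):
        z = score(base, s)
        worst = max(z, key=lambda m: abs(z[m]))
        if abs(z[worst]) > z_threshold:
            alerts.append((i, worst, round(z[worst], 1)))
    return alerts


def constructed_telemetry():
    """Constructed sample (not real device data): 30 readings from an idle IP
    camera, then 6 readings of a Mirai-like phase in which scanner processes
    spawn, CPU jumps and the device heats up."""
    rng = random.Random(7)
    out = [{"cpu_pct": 5 + rng.random() * 3, "temp_c": 41 + rng.random(),
            "mem_mb": 118 + rng.random() * 4, "procs": 23} for _ in range(30)]
    out += [{"cpu_pct": 60 + 5 * k, "temp_c": 47 + k,
             "mem_mb": 131 + 2 * k, "procs": 29 + k} for k in range(6)]
    return out


if __name__ == "__main__":
    for idx, metric, z in detect(constructed_telemetry()):
        print(f"sample {idx}: anomaly on {metric} (z={z}) -> alert central server")
```

The floor on the standard deviation is the practical caveat: a metric that never moves during training (the process count here) would otherwise have zero variance and make any later change look infinitely anomalous, while too large a floor hides a genuine spike. Tune the floors and the threshold against a benign window long enough to include the device's normal peaks.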

Mitigation Techniques: Some work in this category combines detection and mitigation (Jaramillo, L.E.S., 2018) and (Alomari, E., Manickam, S., Gupta, B. B., Anbar, M., Saad, R. M., & Alsaleem, S., 2016). Manso, P., Moura, J., & Serrão, C. (2019) have proposed a software-defined intrusion detection system that automatically detects several kinds of DDoS attack. Once the IDS detects an attack, it notifies a software-defined networking controller, which reconfigures the network devices. This allows botnet activity to be detected in a timely manner, malicious traffic to be mitigated, and normal traffic to be protected.
