Modeling, Analysis, and Mitigation of Dynamic Botnet Formation in Wireless IoT Networks
Muhammad Junaid Farooq, Quanyan Zhu

TL;DR
This paper presents an analytical model for understanding and preventing malware-driven botnet formation in wireless IoT networks, using population dynamics and optimization to enhance network security.
Contribution
It introduces a novel analytical framework combining population processes and point process theory to analyze malware spread and optimize device patching strategies in IoT networks.
Findings
Model accurately captures malware propagation dynamics.
Optimal patching strategies reduce botnet formation.
Framework aids in designing resilient IoT networks.
Table I: Summary of notation
| Symbol | Description |
|---|---|
| | Density of deployed devices, modeled according to a PPP |
| | Communication range of devices |
| | Probability of successful transmission between devices |
| | Proportion of devices vulnerable to malware infiltration |
| | Degree (number of communication neighbors) of a typical device |
| | Probability that a typical device has a given degree |
| | Maximum possible degree in the network |
| | Malware spreading rate of a bot |
| | Control command propagation rate of bots |
| | Average probability of being connected to a bot device |
| | Average probability of being connected to an informed bot |
| | Probability that a given link points to an un-compromised device |
| | Probability that a given link points to an informed bot device |
| | Information refresh rate of bot devices |
| | Patching rate of a device with a given degree |
| | Minimum proportion of un-compromised devices in the network |
| | Maximum proportion of informed bots in the network |
Muhammad Junaid Farooq, Student Member, IEEE, and Quanyan Zhu, Member, IEEE
The authors are with the Department of Electrical & Computer Engineering, Tandon School of Engineering, New York University, Brooklyn, NY, USA. E-mails: {mjf514, qz494}@nyu.edu.
Abstract
The Internet of Things (IoT) relies heavily on wireless communication devices that are able to discover and interact with other wireless devices in their vicinity. The communication flexibility coupled with software vulnerabilities in devices, due to low cost and short time-to-market, exposes them to a high risk of malware infiltration. Malware may infect a large number of network devices using device-to-device (D2D) communication resulting in the formation of a botnet, i.e., a network of infected devices controlled by a common malware. A botmaster may exploit it to launch a network-wide attack sabotaging infrastructure and facilities, or for malicious purposes such as collecting ransom. In this paper, we propose an analytical model to study the D2D propagation of malware in wireless IoT networks. Leveraging tools from dynamic population processes and point process theory, we capture malware infiltration and coordination process over a network topology. The analysis of mean-field equilibrium in the population is used to construct and solve an optimization problem for the network defender to prevent botnet formation by patching devices while causing minimum overhead to network operation. The developed analytical model serves as a basis for assisting the planning, design, and defense of such networks from a defender’s standpoint.
Index Terms:
Botnet, Internet of Things, device-to-device communication, population processes, distributed denial of service.
I Introduction
The Internet of Things (IoT) comprises a network of sensors and actuators, which are embedded computers communicating with each other and with the Internet. Often, the endpoint devices rely on a plethora of wireless communication technologies and protocols such as WiFi, Bluetooth, Zigbee, etc. [1]. Although most devices in an IoT network are directly connected to the Internet via access points, the devices also have the flexibility to connect to other wireless devices within their communication range in order to leverage their capabilities, resulting in powerful functionalities. Furthermore, some commercially available devices have extremely versatile processing and communication capabilities, e.g., the Amazon Echo [2] and Google Home [3], which enables them to execute custom programs and processes.
IoT devices are manufactured by different vendors without strong regulations on embedding cyber security features in the software. To reduce cost and time-to-market, security issues may be overlooked by device manufacturers [4]. In addition to inherent software vulnerabilities, several other factors increase the risk of cyber attacks on these devices. One is the use of stock (default) passwords to access the control panel of these devices. Moreover, most IoT devices are left to operate on consumer premises without regular maintenance. This exposes them to the risk of being infected and controlled by malicious software processes, referred to as malware [5]. It is also possible that consumers might willingly install certain processes or applications on their devices in return for financial incentives, completely unaware that the devices might later be used to launch a distributed denial of service (DDoS) attack [6] on the network.
Botnets have become a significant threat to computer and communication networks in the last decade [7]. A botnet is a network of devices infected by malicious software and controlled by an external operator referred to as the botmaster [8]. Often, the malware infiltrates the network stealthily over time in a self-replicating manner before being instructed by the botmaster to trigger an attack. The objective of the botnet is to cause disruption in service provisioning leading to loss of operation, sometimes with the intent of obtaining ransom [9]. The most famous botnet attack in recent history has been Mirai in 2016 [10]. Recently, researchers have identified a variant of the Mirai botnet, referred to as IoTroop or Reaper, that is aimed at using IoT devices to launch DDoS attacks [11]. It is a powerful botnet comprising compromised domestic wireless routers, TVs, DVRs, and surveillance cameras, exploiting vulnerabilities in devices from major manufacturers.
In the case of wireless IoT networks, the malware may spread from one device to another among devices that are in close geographical proximity [12]. Due to the absence of centralized connectivity, the botmaster is compelled to use the same D2D links to issue control commands for coordinating an attack. Seed viruses may be planted into the network using malicious or infected IoT devices or even using UAVs [13]. Moreover, the botmaster may change the malware code dynamically and may issue control commands to launch a wireless denial of service (WDoS) attack [14]. It is different from traditional DDoS attacks in that services do not have to be taken off the Internet; instead, the goal is to exploit MAC vulnerabilities in wireless devices to generate superfluous traffic that sabotages legitimate operation [15]. The D2D nature of the wireless communication network makes it harder to launch a coordinated DDoS. At the same time, however, it is also hard to defend against, as a whole network of devices contributes to the attack and there is no single source. Therefore, the best strategy for a network defender is to prevent the dynamic development of a large scale botnet and limit its ability to launch a DDoS.
Several dynamic processes might be burgeoning in the network at the same time. Malware in an infected device might be attempting to replicate itself in nearby devices. Furthermore, the infected devices also share control commands with other infected devices to agree on an attack point. On the other hand, network defense mechanisms are also in place which periodically patch the devices (throughout this paper, the term 'patch' refers to attempts made by the defender to bring a device to an un-compromised state, e.g., via power cycling, firmware upgrades, etc.). The patching frequency of devices needs to be carefully selected as it negatively affects regular device operation. In particular, if a device acts as a hub, i.e., connects multiple devices together, the impact of its downtime will be much more severe. In order to make such optimal patching frequency decisions, we need a theoretical model that can accurately capture the connectivity characteristics of the network and incorporate the ongoing dynamic processes.
The modeling and analysis of traditional Internet-based botnets is also important due to their huge monetary and non-monetary impact, and there have been some efforts to prevent and control them. However, botnets in wireless IoT systems need special attention due to the current lack of awareness and the increased security vulnerability of IoT devices. Despite the impending security threat to a massive number of unprotected IoT devices and systems, there is a severe dearth of systematic methodologies for understanding such systems from a security standpoint. This necessitates the development of dedicated models for wireless IoT networks which can capture the spatial distribution of the devices and the dynamic processes of malware infiltration, control command propagation, and device patching by the defender. In this paper, we develop the theoretical underpinnings that allow the modeling and analysis of dynamic botnet formation in wireless IoT networks. A summary of the main contributions is provided below:
1. We propose a novel analytical model, inspired by the dynamics of population processes, to capture the dynamic formation of botnets in wireless IoT systems using D2D communication.
2. We analyze the degree-based mean field equilibrium populations of malware-free devices and control-command-aware devices in the network and develop approximate tractable expressions for them.
3. We formulate an optimization problem from a network defender's standpoint, to control the formation of a botnet via patching while causing minimum disruption to the regular operation of the IoT network, which turns out to be non-convex.
4. We prove that the formulated non-convex optimization problem has zero duality gap and consequently solve it using a dual decomposition based algorithm to obtain the optimal patching policy, and study its behavior in response to varying network parameters.
The rest of the paper is organized as follows: Section II provides a review of the existing literature; Section III describes the system model, including the network setup and the threat model; Section IV provides a detailed description of the modeling of malware and information evolution in the network, the state space representation and dynamics, and the equilibrium analysis, and also formulates the network defense problem and its solution methodology; Section V provides the results of numerical experiments and the corresponding analysis; and finally Section VI concludes the paper with potential future research directions.
II Related Work
In recent years, significant effort has been invested in research on botnets and their characteristics [16]. Most studies focus on Internet botnets [17] or, more specifically, on IP-based networks [18]. However, the botnet phenomenon has been sparingly investigated in wireless networks. Furthermore, the existing studies are either based on simulations [19, 20] or use abstract theoretical models that take neither the dynamics of malware propagation nor the network geometry into account [21]. In general, there is a lack of analytical modeling and analysis to support frameworks developed specifically for malware spreading that may lead to a coordinated attack, as in a botnet.
The research most closely related to our proposed work is presented in [22, 23, 24]. [23] uses game theory and epidemiology to study security risks in D2D offloading of computational tasks between devices, [22] investigates mobile botnets spreading infection in a D2D fashion on the go, and [24] considers the case where multiple bots attack a single server. While these works try to mitigate the risk of a large-scale DDoS by a botnet, they do not account for the dynamics of malware propagation or the network geometry, both of which are important in wireless IoT networks. On the other hand, a framework for preventing malware propagation in wireless sensor networks that captures the network features has been proposed in [25]; however, it does not take into account the stealthy propagation behavior of a botnet, which requires information dissemination and coordination to launch an attack. To address the propagation of information in wireless networks, we proposed a framework in our previous works [26, 27], leveraging concepts from mathematical epidemiology [28] and point process theory. However, traditional epidemiological models such as [29] and [30] are not sufficient to analyze botnet formation in wireless networks due to the interplay between malware infection, control command propagation, and device patching.
In this paper, we develop novel methodologies to overcome the unique challenges of modeling and analyzing the crucial interplay between malware infection, control command propagation, and device patching in wireless IoT networks. We leverage ideas from the theories of dynamic population processes [31] and point processes to set up a mean field dynamical system that captures the evolution of malware-infected devices and control-command-aware devices over time. In general, obtaining tractable characterizations of the equilibrium state in such population processes is theoretically involved due to the self-consistent nature of the equations involved and the complex connectivity profile of the network. In this paper, we propose a variation of the mean field population process model based on a customized state space that allows us to analyze the formation of botnets in wireless IoT networks and helps in making decisions to control their impact.
III System Model
In this section, we provide a description of the network model used and the associated threat model. For the convenience of readers, the notations used throughout this paper are summarized in Table I along with a brief description.
III-A Network Model
We consider a set of wireless IoT devices uniformly distributed in according to a homogeneous Poisson Point Process (PPP) [32] denoted by with intensity devices/km², where represents the location coordinates of the device. Each device has computing capabilities for executing processes and a wireless interface for communication with neighboring devices. The devices are assumed to have omni-directional transmissions with a communication range of m. A typical device located at is connected wirelessly with other devices, where and denotes the cardinality operator. Since the devices in the network are distributed according to a PPP, the degree is a random variable with . Furthermore, the average degree of a typical device is . An illustration of the network setup along with its state at a particular time is provided in Fig. 1. A realization of a random network is shown where each IoT device is equipped with a wireless interface and executes a regular process and a malware process (if infected). The device connectivity is represented by blue links between devices that are within a distance of each other. The malware and the control commands propagate over these wireless links from one device to another. A simultaneously executing patching process restores devices to an un-compromised state (illustrated by the gray boxes).
In order to demonstrate the practical applicability of the employed PPP network model and the associated degree profile of the devices, we use location data of WiFi access points in New York City (NYC), referred to as LinkNYC [33]. A map of the locations of hotspots is provided in Fig. 2a. We use the location data of 652 hotspots located in Midtown Manhattan and surrounding neighbourhoods. Assuming wireless IoT devices deployed at the locations of the LinkNYC hotspots with a communication range of 140 m, the degree of a typical device is approximately Poisson distributed (the LinkNYC data is used only as an example to demonstrate wireless device reachability in the large-scale public or privately deployed IoT networks of the future). The empirical degree distribution along with the maximum likelihood estimated Poisson degree distribution is shown in Fig. 2. Some distortion is observed due to the physical constraint that the hotspots are confined to the Manhattan grid lines.
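As an added, self-contained check (not code from the paper), the following Python script deploys devices as a homogeneous PPP on a square with wrap-around distances so that edge effects do not bias the degree count, counts the neighbours within the communication range, and compares the empirical degree histogram with the maximum-likelihood Poisson fit, which is the comparison the LinkNYC figure makes. It also computes the finite degree beyond which the Poisson tail mass drops below a tolerance, the truncation device used in Section IV-D to obtain a finite number of patching variables. The intensity (200 devices/km²), range (100 m), square size, random seed and tolerance are assumed values, not the paper's settings.

```python
"""PPP deployment and degree profile (added example, not the paper's code).

Devices are dropped on a square with wrap-around (torus) distances so that every
device sees the same neighbourhood statistics; the intensity, range, area,
seed and tail tolerance are assumed values.
"""
import math
import random
from collections import Counter


def sample_poisson(mean, rng):
    """Poisson count via Knuth's multiplication method (exp(-mean) stays
    representable for the means used here)."""
    limit = math.exp(-mean)
    k, prod = 0, 1.0
    while True:
        k += 1
        prod *= rng.random()
        if prod <= limit:
            return k - 1


def deploy_ppp(intensity, side, rng):
    """Homogeneous PPP on a side x side square: Poisson number of devices,
    each placed uniformly at random."""
    n = sample_poisson(intensity * side * side, rng)
    return [(rng.random() * side, rng.random() * side) for _ in range(n)]


def torus_distance(a, b, side):
    dx = abs(a[0] - b[0])
    dy = abs(a[1] - b[1])
    return math.hypot(min(dx, side - dx), min(dy, side - dy))


def degrees(points, comm_range, side):
    """Number of devices within comm_range of each device (omni-directional links)."""
    deg = [0] * len(points)
    for i in range(len(points)):
        for j in range(i + 1, len(points)):
            if torus_distance(points[i], points[j], side) <= comm_range:
                deg[i] += 1
                deg[j] += 1
    return deg


def poisson_pmf(mean, k):
    return math.exp(-mean + k * math.log(mean) - math.lgamma(k + 1))


def truncation_degree(mean, eps):
    """Smallest K with P(degree > K) < eps: the finite K_max that replaces the
    unbounded degree when the per-degree patching rates are optimised."""
    cdf, k = 0.0, 0
    while True:
        cdf += poisson_pmf(mean, k)
        if 1.0 - cdf < eps:
            return k
        k += 1


def degree_profile(intensity=200.0, comm_range=0.1, side=1.0, seed=7, eps=1e-6):
    """Simulate one deployment and compare its degree histogram with the
    Poisson law of mean intensity * pi * comm_range^2 (units: km, devices/km^2)."""
    rng = random.Random(seed)
    pts = deploy_ppp(intensity, side, rng)
    deg = degrees(pts, comm_range, side)
    mean_deg = sum(deg) / len(deg)
    theory = intensity * math.pi * comm_range ** 2
    hist = Counter(deg)
    empirical = {k: c / len(deg) for k, c in sorted(hist.items())}
    # MLE of the Poisson parameter is the sample mean
    fitted = {k: poisson_pmf(mean_deg, k) for k in empirical} if mean_deg > 0 else {}
    return {
        "n_devices": len(pts),
        "mean_degree": mean_deg,
        "theory_mean_degree": theory,
        # exact conditional expectation on the torus given the realised count
        "expected_degree_given_n": (len(pts) - 1) * math.pi * comm_range ** 2 / (side * side),
        "empirical_pmf": empirical,
        "poisson_fit_pmf": fitted,
        "k_max": truncation_degree(theory, eps),
    }


if __name__ == "__main__":
    out = degree_profile()
    print(f"{out['n_devices']} devices, mean degree {out['mean_degree']:.2f} "
          f"(theory {out['theory_mean_degree']:.2f}), K_max = {out['k_max']}")
    for k in out["empirical_pmf"]:
        print(f"k={k:2d}  empirical {out['empirical_pmf'][k]:.3f}  "
              f"Poisson fit {out['poisson_fit_pmf'][k]:.3f}")
```

The wrap-around metric is what makes the mean degree equal the theoretical value in expectation; on a bounded square the devices near the border see fewer neighbours, which is one source of the distortion the LinkNYC comparison mentions (the grid-line confinement being the other).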
We assume that the network is uncoordinated and the devices communicate with each other using ALOHA [34] as the medium access control (MAC) protocol. In other words, the devices do not coordinate with each other in making transmission decisions (the subsequently proposed framework is not restricted to a particular MAC protocol; other MAC protocols such as carrier sense multiple access (CSMA) can also be used, although the mean-field dynamics may not directly apply). A significant amount of literature is available on capturing the effects of interference, characterizing the probability of transmission success, and evaluating transmission capacity in Poisson wireless ad hoc networks [35]. In this paper, we introduce the probability of transmission success of a typical transmitting device as a parameter . Precise characterization can be obtained using tools from stochastic geometry [32], such as in [36, 37]; however, it is not the main focus of this work.
III-B Threat Model
We assume that the botmaster, i.e., the entity which has authored the malware and subsequently plans to launch an attack, possesses powerful capabilities to exploit vulnerabilities in wireless IoT devices to infiltrate them and install a malicious software process on them. We assume that a proportion of the network is vulnerable to being compromised or infiltrated by the malware if the malware has been successfully transmitted over the wireless interface (the vulnerability can stem from, e.g., the use of default passwords for access control or an outdated firmware version). In other words, can be considered to be the average number of successful transmission attempts required to infiltrate a neighboring device.
The bots use a fraction of the communication resources of the host device to infiltrate nearby devices and to share control commands. The transmission rate of packets to break into other devices is referred to as malware spreading rate and denoted by in units of packets per second. Similarly, the transmission rate of packets contributing towards the dissemination of control commands is referred to as control command propagation rate and denoted by . Note that the sum of and must be sufficiently small in order to maintain stealthy operation of the botnet.
In summary, the botnet threat in wireless IoT networks is two-fold. Firstly, the malware may spread from one device to another in its proximity using the wireless interface. Secondly, the infected devices, referred to as bots, share control commands using the same wireless medium to coordinate and plan a network-wide attack. However, as soon as a particular device is patched, the malicious process running on it is terminated and the device gets rid of both the malware and the information about control commands. After being patched, the device becomes vulnerable to infection again in the future (in practice, the vulnerability of a device to future infection may reduce after patching, but a certain minimum vulnerability level always remains; moreover, the botmaster may update its strategies to render the devices vulnerable again).
IV Methodology
In this section, we provide a systematic approach to model the propagation of malware and formation of a botnet in wireless IoT networks. The proposed model is formally described using the dynamics of population processes and the analysis of equilibrium is presented. Finally, a network defense problem is formulated and a polynomial time algorithm is proposed to obtain the optimal device patching strategy mitigating the formation of a botnet and associated risk of network-wide attack.
IV-A Modeling of Malware & Information Evolution
In a large scale wireless IoT network, a typical device may either be un-compromised or infiltrated by malware, in which case it is referred to as a bot. Furthermore, devices that are bots may or may not have received control commands, and those that have received control commands may have discarded them due to being stale or outdated. Since devices move from one state to another based on their communication interactions within their neighborhood, it is appropriate to categorize the devices according to their connectivity or degree (this implies that devices with a similar connectivity profile will behave similarly in terms of botnet formation). This allows us to use the degree-based mean field approach to study the spread of malware and the associated communication [38]. The possible system states of the population of degree devices, i.e., devices that are capable of communicating with other devices, can then be classified as follows:
- the proportion of degree devices in the network that are un-compromised;
- the proportion of degree devices in the network that are bots but uninformed about control commands;
- the proportion of degree devices in the network that are bots and are also informed with control commands.
Once the states are defined, we can study the transitions between them. At any given time, an un-compromised device may become an un-informed bot at a rate that is proportional to its degree and to the average probability that it is connected to a bot device, denoted by . Similarly, an un-informed bot may become an informed bot at a rate that is proportional to its degree and to the average probability that it is connected to an informed bot, denoted by . On the other hand, an informed bot may discard the control commands at a constant rate, returning to the un-informed state, in order to maintain recency of control information. Finally, if bots are patched, they return to the un-compromised state. We use a degree-based patching rate inspired by the non-uniform transmission model proposed in [39]. This completes the set of transitions between the possible system states.
IV-B State Space Representation & Dynamics
In this subsection, we formally express the dynamics of the system using the developed state space. The state space representation and associated transitions described in the previous subsection are illustrated by the state diagram shown in Fig. 3. Using the figure and leveraging concepts from the theory of population processes [31], the state evolution can be mathematically described by the following dynamical system of equations:
[TABLE]
Note that (1) captures the birth and death processes of un-compromised devices. In other words, at time , the population proportion of un-compromised degree devices increases at a rate proportional to the patching rate and the population proportion of bot devices, while it decreases at a rate proportional to the degree and the expected rate of interacting with a bot device. The remaining dynamical equations for the un-informed bot and informed bot populations can be interpreted similarly. Since the states represent population proportions, we can use the closure relationship, i.e., , to reduce eqs. 1, 2 and 3 to the following independent dynamical system of equations:
[TABLE]
Note that the average probability for a degree device to be connected to a bot device is directly proportional to the probability of transmission success, the vulnerability of the devices, the malware spreading rate, and the probability that a link points to a bot device. Similarly, the average probability for a degree device to be connected to an informed bot is directly proportional to the probability of transmission success, the control command propagation rate, and the probability that a link points to an informed bot device. These can be expressed, respectively, as follows (the event of a device being vulnerable to malware infection and the successful reception of wireless signals are independent, hence the probabilities can be directly multiplied):
[TABLE]
where is the probability that a particular link of a degree device points to an un-compromised device, and is the probability that a particular link of a degree device points to an informed bot device. These probabilities can be evaluated as and . However, for networks with uncorrelated degrees, these probabilities can be further expressed as follows:
[TABLE]
Note that the dynamical system of equations in eqs. 4 and 5 describes the time evolution of the respective populations of un-compromised and informed bot devices in the network. In order to determine the eventual levels of each type of population in the network, we need to evaluate the equilibrium of the dynamical system. In the subsequent subsections, we focus on analyzing the equilibrium populations of degree devices.
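The following Python script is an added example (not the authors' code) that integrates the degree-based mean-field system just described for a truncated Poisson degree distribution and reads off the equilibrium proportions. Since the equations themselves are not reproduced on this page, the transition rates are reconstructed from the textual description above (un-compromised to uninformed bot at degree times the per-link infection probability, uninformed to informed bot at degree times the per-link command probability, informed back to uninformed at the refresh rate, any bot back to un-compromised at the degree-based patching rate) and should be read as an assumed form; all parameter values are assumed as well. The script also computes the uniform patching rate above which the bot-free state is locally stable, a standard heterogeneous mean-field (SIS) threshold that plays the role the paper's Corollary 1 plays for its approximate model but is not the paper's expression.

```python
"""Degree-based mean-field dynamics of botnet formation (added example, not the
paper's code). The ODE form is reconstructed from the paper's textual description
of the state transitions; every parameter value below is assumed."""
import math


def poisson_degree_pmf(mean_degree, k_max):
    """Truncated Poisson degree distribution P(k), k = 0..k_max, renormalised
    after truncation (the finite K_max device that gives a finite problem)."""
    pmf = [math.exp(-mean_degree + k * math.log(mean_degree) - math.lgamma(k + 1))
           for k in range(k_max + 1)]
    total = sum(pmf)
    return [p / total for p in pmf]


def link_moments(degree_pmf):
    """<k> and <k^2> of the degree distribution."""
    mean_k = sum(k * p for k, p in enumerate(degree_pmf))
    mean_k2 = sum(k * k * p for k, p in enumerate(degree_pmf))
    return mean_k, mean_k2


def simulate_equilibrium(p_success, vulnerable, beta, alpha, gamma, patch_rate,
                         degree_pmf, seed_fraction=0.01, dt=0.01, horizon=150.0):
    """Forward-Euler integration of the degree-based mean-field system.

    Per degree k the population splits into s[k] (un-compromised), b[k]
    (uninformed bot) and i[k] (informed bot) with s + b + i = 1, so only s and i
    are integrated. Assumed transition rates:
      s -> b    at  k * p_success * vulnerable * beta * theta_bot
      b -> i    at  k * p_success * alpha * phi_inf
      i -> b    at  gamma                      (stale commands discarded)
      b, i -> s at  patch_rate(k)              (defender's degree-based patching)
    theta_bot / phi_inf are the link-level probabilities of pointing to a bot /
    an informed bot in an uncorrelated network: sum_k k P(k) x_k / <k>.
    """
    K = len(degree_pmf) - 1
    mean_k, _ = link_moments(degree_pmf)
    s = [1.0 - seed_fraction] * (K + 1)        # small seed of bots in every class,
    i = [0.5 * seed_fraction] * (K + 1)        # half of them already informed
    for _ in range(int(horizon / dt)):
        theta_bot = sum(k * degree_pmf[k] * (1.0 - s[k]) for k in range(K + 1)) / mean_k
        phi_inf = sum(k * degree_pmf[k] * i[k] for k in range(K + 1)) / mean_k
        infect = p_success * vulnerable * beta * theta_bot   # per-link infection rate
        inform = p_success * alpha * phi_inf                 # per-link command rate
        new_s, new_i = s[:], i[:]
        for k in range(K + 1):
            b = 1.0 - s[k] - i[k]
            d = patch_rate(k)
            ds = d * (1.0 - s[k]) - k * infect * s[k]
            di = k * inform * b - (gamma + d) * i[k]
            new_s[k] = min(1.0, max(0.0, s[k] + dt * ds))
            new_i[k] = min(1.0 - new_s[k], max(0.0, i[k] + dt * di))
        s, i = new_s, new_i
    uncompromised = sum(p * s[k] for k, p in enumerate(degree_pmf))
    informed = sum(p * i[k] for k, p in enumerate(degree_pmf))
    return {"s": s, "i": i, "uncompromised": uncompromised,
            "bots": 1.0 - uncompromised, "informed_bots": informed}


def critical_uniform_patch_rate(p_success, vulnerable, beta, degree_pmf):
    """Uniform patching rate above which the bot-free state is locally stable.
    Standard heterogeneous mean-field (SIS) threshold, not the paper's Corollary 1:
    delta* = p_success * vulnerable * beta * <k^2> / <k>."""
    mean_k, mean_k2 = link_moments(degree_pmf)
    return p_success * vulnerable * beta * mean_k2 / mean_k


if __name__ == "__main__":
    pmf = poisson_degree_pmf(mean_degree=6.0, k_max=30)
    delta_star = critical_uniform_patch_rate(0.5, 0.5, 1.0, pmf)
    print(f"critical uniform patching rate delta* = {delta_star:.3f}")
    for factor in (0.0, 0.5, 2.0):
        res = simulate_equilibrium(0.5, 0.5, 1.0, 1.0, 0.2,
                                   lambda k, f=factor: f * delta_star, pmf)
        print(f"delta = {factor:.1f} * delta*: bots {res['bots']:.3f}, "
              f"informed bots {res['informed_bots']:.3f}")
    hub = simulate_equilibrium(0.5, 0.5, 1.0, 1.0, 0.2, lambda k: 0.25 * k, pmf)
    print(f"degree-proportional patching (0.25 * k): bots {hub['bots']:.3f}")
```

Running the script shows the qualitative behaviour the paper relies on: with no patching almost the whole network becomes an informed botnet, with patching at half the critical rate a sizeable endemic bot population survives, and with patching at twice the critical rate the equilibrium is bot-free. Passing a degree-dependent callable for patch_rate shows how concentrating patching effort on hubs changes the outcome, which is the trade-off the defender's problem in Section IV-D optimises.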
IV-C Analysis of Equilibrium State
At the equilibrium state, and . Therefore, the equilibrium population of degree un-compromised devices, and of informed bot devices, can be expressed as follows:
[TABLE]
with and denoting the respective probabilities at equilibrium. Note that eqs. 8 and 9 express and in terms of and , whereas eqs. 10 and 11 express and in terms of and . This is therefore a self-consistent system of equations which needs to be solved in order to obtain the equilibrium state. An exact solution to the system is analytically challenging. However, an approximate characterization of the probabilities and at equilibrium (based on a first-order approximation of the first moment of a function of a random variable; higher-order approximations would be tighter but make the solution analytically complicated, precluding subsequent analysis and optimization) is provided by the following lemma.
**Lemma 1.**
In a PPP distributed wireless network with D2D communication, the probability of a particular link of a degree device pointing to an un-compromised and to an informed bot device respectively at equilibrium can be approximately expressed as follows:
[TABLE]
Proof.
See Appendix A. ∎
These approximations are a lower bound on the actual probabilities; the loss in accuracy accepted for the sake of analytical tractability is discussed in Appendix A. Lemma 1 presents an intuitive result: the probability of being connected to an un-compromised device is directly proportional to the patching rate and inversely related to the expected degree, vulnerability, malware spreading rate and transmission success probability. A similar explanation holds for . A direct corollary of Lemma 1, which plays an important role in the optimal patching decisions, is provided below:
**Corollary 1.**
For a PPP deployed wireless IoT network being infiltrated by a botnet with malware spreading at a rate and control commands propagating at a rate , the upper bound on the required patching rate for a device to have an impact on the equilibrium populations is given by
[TABLE]
Proof.
See Appendix B. ∎
This is significant since it provides an estimate of the maximum patching frequency that can be used by the network defender on a degree device to have an impact on the equilibrium proportions of the devices. In other words, it presents the fundamental limits of the patching rate, since using a higher patching rate than will lead to a completely bot-free population at equilibrium. Similarly, an auxiliary result emanating from (13) is expressed in the following Corollary.
**Corollary 2.**
The maximum information refresh rate, that can be selected by a bot device to have non-zero informed bot population at equilibrium can be expressed as follows:
[TABLE]
Proof.
See Appendix B ∎
Although the results presented in Lemma 1 are useful, the presence of the minimum and maximum functions presents a challenge in leveraging them for optimization purposes. To circumvent this, we use the Log-Sum-Exponential (LSE) function (the minimum and maximum are replaced by LSE soft-minimum and soft-maximum functions, which approach the exact functions as the smoothing constant becomes sufficiently large) to provide a smooth and continuously differentiable approximation of these expressions. It results in the following:
[TABLE]
where is a sufficiently large constant chosen for accuracy of the soft-minimum and soft-maximum functions. Note that the LSE relaxation in eqs. 16 and 17 may slightly affect the upper bound on the patching rate expressed in Corollary 1 and the upper bound on the possible information refresh rate expressed in Corollary 2. However, the inaccuracy diminishes with the selection of large .
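As an added illustration of the LSE relaxation (not from the paper), the following Python functions implement the soft-minimum and soft-maximum in a numerically stable form, expose the smooth gradient that the hard min and max lack, and measure how the approximation error shrinks as the smoothing constant (called tau here, an assumed name) grows. The textbook form from the footnote is included to show that it overflows once tau times the magnitude of an argument exceeds roughly 709, which matters because the relaxation is only accurate for large tau.

```python
"""Log-sum-exp (LSE) soft-minimum and soft-maximum (added example, not the
paper's code). tau is the smoothing constant (assumed name)."""
import math


def naive_soft_min(a, b, tau):
    """Textbook form: -(1/tau) log(exp(-tau a) + exp(-tau b)).
    math.exp overflows once tau * |argument| exceeds about 709."""
    return -math.log(math.exp(-tau * a) + math.exp(-tau * b)) / tau


def soft_min(a, b, tau):
    """Same value as naive_soft_min, computed by factoring out the true minimum
    so every exponent is <= 0. Always <= min(a, b) and within ln(2)/tau of it."""
    m = min(a, b)
    return m - math.log(math.exp(-tau * (a - m)) + math.exp(-tau * (b - m))) / tau


def soft_max(a, b, tau):
    """(1/tau) log(exp(tau a) + exp(tau b)), stabilised by factoring out the true
    maximum. Always >= max(a, b) and within ln(2)/tau of it."""
    m = max(a, b)
    return m + math.log(math.exp(tau * (a - m)) + math.exp(tau * (b - m))) / tau


def soft_min_grad_b(a, b, tau):
    """d soft_min(a, b, tau) / d b = exp(-tau b) / (exp(-tau a) + exp(-tau b)):
    a smooth gate in (0, 1) where the hard min jumps between 0 and 1."""
    m = min(a, b)
    ea = math.exp(-tau * (a - m))
    eb = math.exp(-tau * (b - m))
    return eb / (ea + eb)


def clipped_rate(x, tau):
    """Smooth surrogate for the clipping min(1, max(0, x)) that bounds a link
    probability to [0, 1]."""
    return soft_min(1.0, soft_max(0.0, x, tau), tau)


def max_abs_error(tau, grid):
    """Worst-case gap between the smooth surrogate and the hard clip over a grid."""
    return max(abs(clipped_rate(x, tau) - min(1.0, max(0.0, x))) for x in grid)


if __name__ == "__main__":
    grid = [i / 100.0 - 0.5 for i in range(201)]          # x from -0.5 to 1.5
    for tau in (10.0, 100.0, 1000.0):
        print(f"tau={tau:6.0f}: max |error| = {max_abs_error(tau, grid):.5f} "
              f"(bound ln2/tau = {math.log(2) / tau:.5f})")
    print("gradient at the kink, tau=50:", soft_min_grad_b(1.0, 1.0, 50.0))
```

The error bound ln(2)/tau is attained exactly at the kinks, so the choice of tau in the relaxed expressions directly sets how far the relaxed equilibrium may drift from the bounds of Corollaries 1 and 2; the stabilised form lets tau be pushed as high as the optimisation needs without overflow.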
Finally, using the results of Lemma 1 and the subsequent LSE relaxation, the equilibrium populations of devices that are un-compromised and devices that are informed bots are expressed by the following theorem:
**Theorem 1.**
At equilibrium, the proportion of degree devices in the network that are un-compromised (not infected with malware), i.e., and those that are bots and informed by control commands, i.e., can be approximately expressed by eqs. 18 and 19 respectively.
Proof.
Substitution of (16) into (10) and (17) into (11) leads to this result. ∎
In the following subsection, we make use of the developed analytical model and the approximate results to formulate the network defense problem and subsequently discuss the methodology for solving it.
IV-D Network Defense Problem & Solution
The goal of the network defender is to set up a patching schedule for each network device based on its connectivity in order to prevent the formation of a large scale botnet. The patching rate must take into account the disruption caused to regular operation due to the strategies employed, e.g., firmware upgrade or power cycling, which can be in terms of the downtime of devices. The cost incurred on the operation of a network device due to patching activity is assumed to be a smooth, convex, and increasing function of the patching rate , represented by . The risk of a botnet formation can be measured in terms of the equilibrium population of devices that are bots and the devices that are receiving control commands assuming knowledge of the transmission rates. Accordingly, targets for the minimum expected proportion of network that is un-compromised and the maximum tolerable proportion of the network that is an informed bot, denoted by and respectively, can be set. The network defender’s problem can then be formulated as follows:
[TABLE]
The objective represents the total expected cost of patching devices at a rate , while the constraints imply that the average proportion of un-compromised devices in the network must be higher than and the average proportion of informed bot devices in the network must be smaller than . Note that the constraints are coupled with the objective, which makes the primal problem challenging to solve. Furthermore, despite the fact that the objective is convex, both the constraints may be non-convex in the decision vector since some terms inside the summation are concave while others are convex. This is formally stated in the following lemma.
Lemma 2.
The equilibrium proportion of un-compromised devices, is concave in for and convex otherwise. Similarly, there is a change in curvature of the equilibrium proportion of informed bot devices, from convex to concave with increasing device degree .
Proof.
See Appendix C. ∎
Another important observation is that the constraints are linked in terms of the patching rates. A set of patching rates may completely satisfy one of the constraints but not the other. Therefore, it is important to investigate the conditions under which the constraints are active, particularly because there exists a limiting rate at which the constraints saturate. The following lemma presents an important condition relating the target thresholds that determines the status of the constraints.
Lemma 3.
The constraint on the average equilibrium population of informed bots, expressed in (22), is always satisfied for any if the target on the average equilibrium population of un-compromised devices is set as follows:
[TABLE]
Proof.
See Appendix D. ∎
Therefore, if the condition presented in Lemma 3 is satisfied, we can effectively drop the constraint (22) from the optimization problem and proceed with only (21). This is extremely important since otherwise the solution to the optimization problem may be difficult, as one of the constraints saturates and is no longer monotonically increasing or decreasing. By evaluating the condition a priori, however, we can circumvent this difficulty and effectively solve the optimization problem. There are, however, several additional challenges. First, since the network is random, there is no upper bound on the maximum possible degree of a device, which makes the optimization problem intractable due to an infinite number of optimization variables. However, due to the structure of the network (in a PPP network, the probability of having a large number of neighbors decreases faster than the exponential decay rate for sufficiently large degrees), it is increasingly rare for a device to have larger degrees. Therefore, we note that there exists a sufficiently large such that , where is arbitrarily small. This allows us to convert the optimization problem into one with a finite number of optimization variables, referred to as . The problem can then be expressed as follows:
[TABLE]
Since the Poisson density decays faster than the exponential rate for large degree values, the terms labeled , and can be made arbitrarily small for sufficiently large . Hence, these terms can effectively be removed and the problem converted into a finite optimization problem. Since the primal problem may be non-convex, we resort to solving the dual optimization problem [40]. Note, however, that the duality gap in this problem setting is zero, and hence solving the dual problem is equivalent to solving the primal problem (see Appendix E for details). We therefore relax the original problem by forming the Lagrangian as follows:
[TABLE]
where and are the Lagrange multipliers, which are dual feasible if and . The Lagrange dual function can be written as follows:
[TABLE]
Note that due to the structure of the Lagrangian, the optimization problem in the dual function decouples in the optimization variables, which makes the complexity of evaluating linear in [41]. For a given pair of Lagrange multipliers, the optimal patching rates can be written as follows:
[TABLE]
Note that if and are both non-monotonic in , it may not be possible to obtain a globally optimal solution for in (26). Fortunately, using Lemma 3, we can determine from the target thresholds set by the defender whether one of the functions will saturate at the optimal . If the condition in Lemma 3 is satisfied, we can ignore the term containing in (26) and proceed with the optimization (removing the term containing automatically removes the Lagrange multiplier from the subsequent expressions). Finally, the dual optimization problem can be written as follows:
[TABLE]
Since is a concave optimization problem with a unique maximum, we can employ a gradient based strategy to reach the optimal result. However, since a closed form of the dual function may not exist, and hence differentiability is not guaranteed, we resort to sub-gradient based iterative update methods for the dual variables [42]. The sub-gradients of the dual function, evaluated at the optimal patching rates, can be expressed as follows:
[TABLE]
Therefore, the iterative dual update rule based on the sub-gradients can be expressed as follows:
[TABLE]
where is the step size. The complete procedure for obtaining the optimal patching policy is provided in Algorithm 1. We initialize the iteration counter to zero. Furthermore, we initialize the Lagrange multipliers to an arbitrary positive value and set a sufficiently small step-size . Based on the condition , we exclude or include the term containing and the associated Lagrange multiplier . We then proceed to solve the optimization problem in (26) for all possible device degrees. Once the optimal intermediate patching rates have been determined, the dual variables are updated based on the sub-gradient update rule defined in (30) and (31). This process is repeated until the dual variables have converged; the corresponding , then define the optimal patching rates for each device type. The complete procedure can be shown to have polynomial complexity in the total number of device degrees . In the following section, we provide numerical studies to illustrate the behavior of the solutions and their sensitivities with respect to different model parameters.
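As an added example (not the paper's code), the following Python sketches the dual sub-gradient loop of Algorithm 1 over a truncated Poisson degree distribution. Since eqs. 18, 19 and the paper's constants are not reproduced on this page, the equilibrium proportions, the logistic cost weights, the mean degree and the targets are placeholder assumptions.

```python
"""Dual sub-gradient solver for the degree-based patching problem (Algorithm 1 sketch).

Added example, not the paper's code. Simple capped-linear placeholder forms stand in
for eqs. 18-19 (un-compromised proportion capped at 1, informed-bot proportion floored
at 0, as in Lemma 1); cost weights, mean degree and targets are likewise assumptions.
"""
import math
from typing import List, Tuple

BETA_M = 1.0      # assumed: degree-k devices are fully un-compromised once mu_k >= BETA_M * k
BETA_C = 0.5      # assumed: degree-k informed bots vanish once mu_k >= BETA_C * k
K0, S = 4.0, 1.5  # assumed logistic weight constants for the per-degree cost


def poisson_pmf(mean_degree: float, eps: float) -> List[float]:
    """Degree distribution P(K=k), truncated at the first K_max whose tail mass is below eps."""
    pmf, cum, k = [], 0.0, 0
    while True:
        p = math.exp(-mean_degree) * mean_degree ** k / math.factorial(k)
        pmf.append(p)
        cum += p
        if 1.0 - cum < eps:
            return pmf
        k += 1


def un_compromised(k: int, mu: float) -> float:
    """Placeholder equilibrium proportion of un-compromised degree-k devices (degree 0 has no neighbours)."""
    return 1.0 if k == 0 else min(1.0, mu / (k * BETA_M))


def informed_bots(k: int, mu: float) -> float:
    """Placeholder equilibrium proportion of informed degree-k bots."""
    return 0.0 if k == 0 else max(0.0, 1.0 - mu / (k * BETA_C))


def weight(k: int) -> float:
    """Logistic cost weight: patching a higher-degree device disrupts operation more (Sec. V)."""
    return 1.0 / (1.0 + math.exp(-(k - K0) / S))


def best_rate(k: int, lam: float, nu: float, grid: int = 100) -> float:
    """Per-degree minimiser of the decoupled Lagrangian (analogue of (26)), found by grid search.
    Rates above BETA_M * k cannot change the equilibrium (Corollary 1 analogue), so the grid stops there."""
    mu_max, w = k * BETA_M, weight(k)
    best_val, best_mu = math.inf, 0.0
    for i in range(grid + 1):
        mu = mu_max * i / grid
        val = w * mu * mu - lam * un_compromised(k, mu) + nu * informed_bots(k, mu)
        if val < best_val:
            best_val, best_mu = val, mu
    return best_mu


def averages(pmf: List[float], rates: List[float]) -> Tuple[float, float]:
    """Network-wide expected proportions of un-compromised devices and informed bots."""
    avg_u = sum(p * un_compromised(k, mu) for k, (p, mu) in enumerate(zip(pmf, rates)))
    avg_b = sum(p * informed_bots(k, mu) for k, (p, mu) in enumerate(zip(pmf, rates)))
    return avg_u, avg_b


def solve(mean_degree: float, u_target: float, b_target: float, use_bot_constraint: bool = True,
          iters: int = 1000, alpha0: float = 30.0, eps: float = 1e-4):
    """Projected dual ascent on the multipliers (analogue of (30)-(31)) with step alpha0/sqrt(t).
    use_bot_constraint=False corresponds to dropping constraint (22) when Lemma 3's condition holds.
    Returns (patching rate per degree, avg_u, avg_b, lam, nu)."""
    pmf = poisson_pmf(mean_degree, eps)
    lam, nu = 1.0, 1.0 if use_bot_constraint else 0.0  # arbitrary positive initial multipliers
    for t in range(1, iters + 1):
        rates = [best_rate(k, lam, nu) for k in range(len(pmf))]
        avg_u, avg_b = averages(pmf, rates)
        alpha = alpha0 / math.sqrt(t)
        lam = max(0.0, lam + alpha * (u_target - avg_u))   # sub-gradient step, kept dual feasible
        if use_bot_constraint:
            nu = max(0.0, nu + alpha * (avg_b - b_target))
    rates = [best_rate(k, lam, nu) for k in range(len(pmf))]
    avg_u, avg_b = averages(pmf, rates)
    return rates, avg_u, avg_b, lam, nu
```

With the placeholder forms, a loose bot target leaves constraint (22) slack at the optimum, while a tight one makes it active and pushes the less probable high-degree devices to higher patching rates, mirroring the saturation behaviour the paper reports.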
V Results
In this section, we first describe the network setup and system parameters used for numerical studies. Then, we present the results obtained from the solution to the optimization problem and the associated impact of the parameters involved. The parameters selected for the generation of numerical results are for illustrative purposes and can be modified according to the scenario in practical applications.
Consider a random network of wireless IoT devices distributed according to a homogeneous PPP with intensity devices/km² and a communication range of m. On average, a typical IoT device would be able to communicate with , i.e., approximately other devices. We assume that the maximum possible degree in the network is , for which is of the order . Due to interference and fading effects of the wireless channel during communication, we assume a successful transmission probability of . We assume that a proportion of the network is vulnerable to infection by malware. The malware introduced by a botmaster is assumed to transmit packets for infiltration into nearby devices at a rate of packets per second (or 1 packet every 1000 seconds) and for control command propagation at a rate of packets per second. The information refresh rate of bots is selected as per second. Note that this choice of satisfies the condition provided in Corollary 2.
In the theoretical analysis, the scaling constant for LSE relaxation of the minimum function is chosen to be for accuracy. The impact of patching a device of degree on the operational performance of the network is assumed to be captured by the function , where the weights are modeled using the following logistic function:
[TABLE]
and the constants and are chosen to be and respectively. An illustration of the weight function is provided in Fig. 4. It implies that a unit patching rate on a device of degree has a higher impact on network operation as increases. Hence, it is more costly to increase the patching rate for higher degree devices.
In Fig. 5a, we plot the optimal patching rates for a degree device in the network with varying target of un-compromised device proportion , while fixing . The right axis plots the proportion of degree devices in the network, or equivalently the probability of a typical device having degree , as a reference for interpreting the results. The dotted line shows the theoretical maximum patching rate that impacts the equilibrium populations, as described in Lemma 1. It can be observed that for , the optimal patching rates closely follow the proportion of devices due to the monotonically increasing weights . However, for more aggressive targets, e.g., , the optimal patching rates saturate for the more probable degrees while the patching rates for the less probable ones increase.
In Fig. 5b, we plot the optimal patching rates for a degree device in the network with varying target of informed bot proportion , while fixing . A similar behavior is observed in this case: the optimal patching rates closely follow the network degree profile for less aggressive targets, e.g., . However, for more aggressive targets such as , saturation is observed for the more probable degree types. Note, however, that the higher and less probable degree devices are patched more frequently, even though this causes greater disruption, since the targets are otherwise not achievable.
Finally, Fig. 6a and Fig. 6b illustrate the behavior of the expected total patching cost with varying malware spreading rate and control command spreading rate respectively. It is observed that the expected total patching cost increases at an increasing rate both with increasing malware spreading rate and with the target un-compromised device proportion. However, the expected total patching cost increases at a decreasing rate with increasing control command propagation rate. This shows that, in terms of botnet formation, the defender is more reactive to the malware spreading rate than to the control command propagation rate. With regard to the effect of varying the device vulnerability in the network as well as the probability of transmission success, a similar behaviour is observed, since changing these parameters in turn alters the effective malware propagation rate and the control command propagation rate.
V-A Simulation & Validation
In this section, we conduct simulation experiments to validate the accuracy of the obtained theoretical results. In the first part, we simulate the considered PPP network. Two different phases are investigated. In the first phase, a malware is introduced at epoch to an arbitrarily selected node and is allowed to propagate to its neighbourhood according to the device vulnerabilities, the wireless transmission success probability, and the malware propagation rates. The malware spreads from one device to another in a D2D fashion until the whole network has been compromised. Note that during the initial phase, there is no patching of devices. During the second phase, the optimal patching policy for each device, based on its degree, is applied to the network. This leads to the recovery of bot devices, and the proportion of bots in the network is observed over time. The experiment is repeated for different target thresholds for the bot-free population, i.e., and 0.9. Fig. 7 illustrates a snapshot of the device states in the network after reaching equilibrium. Note that more devices are un-compromised at equilibrium as increases, as reflected by Fig. 7a, 7b, and 7c. The time evolution of un-compromised devices for each of the thresholds is recorded in Fig. 8. Notice that the proportion of un-compromised devices progressively drops from 100% to 0% as the malware is allowed to propagate in the network. However, when the patching process is started in the second phase (i.e., ), the bot-free population rises sharply until it reaches the target threshold. Although the population keeps fluctuating due to the ongoing dynamical processes, on average the policy is observed to accurately achieve the defined targets.
To further illustrate the usefulness and impact of our proposed methodology and obtained results, we simulate an experiment on the actual LinkNYC hotspot location data. We assume that IoT devices are placed at each of these locations with a communication range of 140 m. Again, the simulation is carried out in two phases. In the first phase, the malware is allowed to propagate in the network until it has achieved the maximum spread. To ensure complete penetration of the malware in the network, we initially introduce the malware in nodes which have a degree of 2. This allows the propagation of the malware from one device to another over time until it affects most of the nodes during the first phase. Note that since this network is not exactly a PPP, the malware spread is not as effective, as some nodes may be isolated or clustered together. Similarly, during the second phase (i.e., ), the patching process is started until the equilibrium is achieved. Again, the experiment is repeated for different target thresholds for the bot-free population, i.e., and 0.9. The snapshots of the network states at equilibrium are shown in Fig. 9. A similar behaviour is observed, as the network increasingly becomes bot free at equilibrium as the patching rates are increased. The time evolution of un-compromised devices for each of the thresholds is recorded in Fig. 10. We start by infecting around 40% of the devices with malware and allowing it to spread. This results in an infection of around 92% of the network, with 8% un-compromised devices. However, once the patching policy is implemented, the network recovers sharply and is able to achieve much higher bot-free proportions than the target. It is pertinent to mention that since the network is not a PPP, the spread of malware is more difficult. Hence, the developed patching policy is more effective than expected, resulting in better performance of the policy. Therefore, a Poisson network assumption proves to be a more conservative approximation of the real network, which is favourable in practice as the results correspond to a worst case scenario.
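A toy version of the two-phase PPP experiment described in this subsection, as an added example that is not the paper's simulation code: the device density, range, vulnerable share, per-step infiltration probability and the degree-based patching rule are all constructed assumptions, and the patching policy is a simple degree-proportional stand-in rather than the optimal schedule.

```python
"""Two-phase D2D malware spread and patching simulation on a PPP network (Sec. V-A style).

Added example, not the paper's simulation code. Density, range, vulnerability share,
per-step infiltration probability and the degree-based patching rule are constructed
assumptions chosen so the run finishes in a few seconds.
"""
import math
import random
from typing import Callable, List, Tuple


def poisson_count(mean: float, rng: random.Random) -> int:
    """Knuth's method: Poisson number of PPP points falling in the simulation area."""
    threshold, k, p = math.exp(-mean), 0, 1.0
    while p > threshold:
        k += 1
        p *= rng.random()
    return k - 1


def build_ppp_network(density: float, side_km: float, range_km: float,
                      rng: random.Random) -> List[List[int]]:
    """Homogeneous PPP in a side_km x side_km square; devices within range are D2D neighbours."""
    n = poisson_count(density * side_km ** 2, rng)
    pts = [(rng.uniform(0.0, side_km), rng.uniform(0.0, side_km)) for _ in range(n)]
    adj: List[List[int]] = [[] for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            if math.dist(pts[i], pts[j]) <= range_km:
                adj[i].append(j)
                adj[j].append(i)
    return adj


def spread_step(adj: List[List[int]], state: List[int], vulnerable: List[bool], beta: float,
                patch_rate: Callable[[int], float], patching: bool, rng: random.Random) -> List[int]:
    """One synchronous step: bots infiltrate vulnerable neighbours; in phase 2 bots get patched."""
    new = state[:]
    for i, nbrs in enumerate(adj):
        if state[i] == 0:
            if vulnerable[i]:
                bot_nbrs = sum(state[j] for j in nbrs)
                # each bot neighbour delivers an infiltration packet independently with prob. beta
                if rng.random() < 1.0 - (1.0 - beta) ** bot_nbrs:
                    new[i] = 1
        elif patching and rng.random() < min(1.0, patch_rate(len(nbrs))):
            new[i] = 0  # patched: back to un-compromised, can be re-infected later
    return new


def run_two_phase(seed: int = 7, steps: int = 300) -> Tuple[float, float]:
    """Phase 1: spread with no patching; phase 2: degree-based patching switched on.
    Returns the un-compromised proportion at the end of each phase."""
    rng = random.Random(seed)
    adj = build_ppp_network(75.0, 2.0, 0.25, rng)        # mean degree about 75 * pi * 0.25^2 = 14.7
    n = len(adj)
    vulnerable = [rng.random() < 0.9 for _ in range(n)]  # assumed: 90% of devices carry the flaw
    state = [0] * n
    for i in rng.sample(range(n), n // 10):              # botmaster seeds 10% of the devices
        state[i] = int(vulnerable[i])
    beta = 0.05                                          # p_tx * gamma_b per step, assumed
    patch_rate = lambda k: 0.04 * k                      # assumed schedule: higher degree, faster patching
    for _ in range(steps):
        state = spread_step(adj, state, vulnerable, beta, patch_rate, False, rng)
    phase1 = 1.0 - sum(state) / n
    for _ in range(steps):
        state = spread_step(adj, state, vulnerable, beta, patch_rate, True, rng)
    phase2 = 1.0 - sum(state) / n
    return phase1, phase2
```

The non-vulnerable devices (10% here) are never infected, so the un-compromised proportion after phase 1 reflects how far the malware penetrates the vulnerable part of the giant component.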
VI Conclusion & Future Work
In this paper, we develop a mathematical model to study the formation of botnets in wireless IoT networks. A customized dynamic population process model coupled with a Poisson point process based network model is proposed to capture the evolution of different types of population in the network while taking the network geometry into account. The proposed model characterizes the behaviour of malware transmission from one device to another using the wireless interface, along with the propagation of control commands between bot devices in the network. A network defender is assumed to patch the devices to avert the formation of a botnet that may trigger a coordinated attack at a later stage. The equilibrium state of malware infection and message propagation in the devices is determined using approximate analysis. The results are then used to develop a network defense problem that aims to obtain optimal patching rates while minimizing the disruption to regular network operation under tolerable botnet activity. While the optimal patching problem may be non-convex, a dual decomposition algorithm with appropriate conditions is proposed to solve the optimization problem, resulting in the optimal patching schedule for network devices based on their connectivity profile.
In this work, the network defender’s problem has been studied based on the knowledge of the attacker behavior and strategies. However, the defender’s actions may also impact the attacker’s strategies. Therefore, as part of the future work, we intend to use the proposed model as a basis for developing a game theoretic framework which will enable us to derive optimal policies for both the attacker and defender.
Appendix A Proof of Lemma 1
By substituting (10) into (8), we arrive at the following equation that needs to be solved for :
[TABLE]
The optimal is referred to as . The first step is to make use of the degree independence in a homogeneous PPP network to write (A) as follows:
[TABLE]
Due to the complex form of , a tractable closed form for $\mathbb{E}\big[\frac{\mu_k}{\mu_k + k\rho\gamma_b p\,(1-\theta_{\tilde{B}}^{*})}\big]$ cannot be easily obtained. Using Taylor expansions for the moments of functions of random variables, the expectation of a function can be expressed as , where is the variance of the degree. However, using a second order approximation results in the loss of a tractable solution for (34). Therefore, we resort to the first order approximation for simplicity, which results in (34) being expressed as follows:
[TABLE]
It can be solved for to lead to the following:
[TABLE]
Note that since is not bounded from above, may exceed unity, which is not possible since it represents a probability. Therefore, we restrict it from above by unity, thus proving the first part of the lemma. Using a similar methodology, substituting (11) into (9) leads to the following expression for :
[TABLE]
Again, using the first order approximation of the function inside the expectation, we arrive at solving the following equation:
[TABLE]
Solving this for , after some algebraic manipulations, leads to the following result:
[TABLE]
Since represents a probability, it needs to be non-negative. Hence, needs to be restricted at 0 from below, leading to the result provided in Lemma 1. In Fig. 11, we plot the results obtained from the first order and second order approximations of the probabilities and against the patching rates. It is observed that the gap between the approximations increases as the patching rate gets higher. Furthermore, the approximations for are much closer than those for . Therefore, despite some loss in accuracy, it is still reasonable to use the first order approximations due to the analytical tractability they afford, which facilitates further analysis and decision-making.
Appendix B Proof of Corollary 1
From (10), we deduce that in order for to assume a non-trivial value, must be smaller than unity. This implies that . Similarly, from (11), we deduce that in order for to assume a non-trivial value. This results in the condition , with an implicit condition for it to be meaningful. It is formally expressed as Corollary 2. However, the upper bound obtained from (10) is higher, thus becoming the effective upper bound. Therefore, any above the upper bound has no impact on the equilibrium state of the devices. In other words, patching devices at a higher rate than the upper bound only affects the regular network operation without having any impact on botnet formation.
Appendix C Proof of Lemma 2
We can observe that and , where and . The denominator of is always positive and the numerator evaluates to . Therefore, it is clear that if and vice versa. Therefore, we can conclude that evaluated at equilibrium is concave for and convex otherwise. Similarly, for , it can be shown that experiences a change in sign with , which is hard to characterize analytically, but the change point can be proved to be different from . In order to demonstrate the change in curvature of the equilibrium populations, we plot the respective equilibrium populations of un-compromised devices and informed bots in Fig. 12 for different values of . Note that with an increasing patching rate, the un-compromised device population increases until it reaches 1 ( is plotted in Fig. 12, which decreases to ). On the other hand, the equilibrium population of informed bot devices decreases until it reaches 0. Furthermore, the informed bot device population diminishes completely at a much smaller patching rate than is required to make the network completely un-compromised. These equilibrium populations have been plotted with mean device degree , and it can be observed that the curvature of the constraints is different when the degree is small, i.e., , than when it is large, i.e., .
Appendix D Proof of Lemma 3
From Appendix B, it can be concluded that can completely eradicate the equilibrium population of informed bots of degree . However, at this patching rate, the population of un-compromised devices can be obtained as . Since is a convex function of , (using Jensen’s inequality [43]). This results in . Knowing that is an increasing function of , we can deduce that if , then a patching rate higher than is required. This implies that will be zero at the optimal patching rate. Hence, the constraint (22) will always be satisfied if is sufficiently high, and therefore we can effectively remove it from the optimization problem. This phenomenon can also be observed from Fig. 12, where the equilibrium population of informed bots diminishes to zero much earlier than the equilibrium proportion of un-compromised devices.
Appendix E
To prove that the duality gap for the optimization problem formulated in eqs. 20, 21 and 22 is zero, we invoke a key result from [40]. An adaptation of its statement is provided as follows: Consider the primal optimization problem of the form subject to , where is a scalar function, is a vector function, and is a vector of constraints. Both and may not necessarily be convex. Now, let and be the optimal solutions to the problem with and respectively. Then, for , if there exists such that and , then the duality gap is zero, leading to the same solution for the primal and dual problems. For more details, the readers are referred to [40] and references therein. Now, for the problem considered in this paper, the objective is strictly convex while the constraints may not necessarily be convex. Assume that we are considering the feasible regime for as defined in Corollary 1, and that , are the optimal patching rates corresponding to threshold vectors and . First, assume that only the constraint (21) is active, i.e., and are scalars. Since is strictly monotone, if , then the optimal . Therefore, there exists an interior point for which . From the convexity of in the objective in (20), it is clear that . This implies that the duality gap of the problem is zero. Now, when both constraints (22) and (21) are active, the argument still applies, since both and are strictly decreasing functions of their arguments, which guarantees the existence of an interior point corresponding to every linear combination of and . The convexity of the objective function subsequently completes the proof.
References
- [1] S. Al-Sarawi, M. Anbar, K. Alieyan, and M. Alzubaidi, “Internet of things (IoT) communication protocols: Review,” in 8th Intl. Conf. Inf. Technol. (ICIT 2017), May 2017, pp. 685–690.
- [2] Amazon Echo. [Online]. Available: https://www.amazon.com/Amazon-Echo-And-Alexa-Devices/b?ie=UTF8&node=9818047011
- [3] Google Home. [Online]. Available: https://store.google.com/us/product/google_home?hl=en-US
- [4] A. Tannenbaum, “Why do IoT companies keep building devices with huge security flaws?” Harvard Business Review, Apr. 2017.
- [5] Y. Dibrov, “The Internet of things is going to change everything about cybersecurity,” Harvard Business Review, Dec. 2017.
- [6] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, “DDoS in the IoT: Mirai and other botnets,” Computer, vol. 50, no. 7, pp. 80–84, 2017.
- [7] M. Feily, A. Shahrestani, and S. Ramadass, “A survey of botnet and botnet detection,” in 3rd Intl. Conf. Emerging Security Inf. Sys. Technol., June 2009, pp. 268–273.
- [8] G. Vormayr, T. Zseby, and J. Fabini, “Botnet communication patterns,” IEEE Commun. Surveys Tuts., vol. 19, no. 4, pp. 2768–2796, Fourth Quarter 2017.
