Modeling, Analysis, and Mitigation of Dynamic Botnet Formation in Wireless IoT Networks

Muhammad Junaid Farooq, Quanyan Zhu

TL;DR

The paper builds an analytical framework to study dynamic botnet formation in wireless IoT networks by combining degree-based mean-field population dynamics with a Poisson point process network geometry. It models malware infiltration and control-command propagation across D2D links, derives approximate equilibrium expressions, and formulates a patching-based defense that minimizes downtime costs while meeting bot-free and informed-bot targets. A zero-duality-gap dual decomposition algorithm is proposed to compute optimal degree-specific patching rates, with validation via PPP and real-world-like LinkNYC data. The work offers a principled method for planning and defending IoT networks against coordinated botnet attacks, with clear quantitative guidance on patching limits and policy design.

Abstract

The Internet of Things (IoT) relies heavily on wireless communication devices that are able to discover and interact with other wireless devices in their vicinity. This communication flexibility, coupled with software vulnerabilities in devices due to low cost and short time-to-market, exposes them to a high risk of malware infiltration. Malware may infect a large number of network devices using device-to-device (D2D) communication, resulting in the formation of a botnet, i.e., a network of infected devices controlled by a common malware. A botmaster may exploit it to launch a network-wide attack sabotaging infrastructure and facilities, or for malicious purposes such as collecting ransom. In this paper, we propose an analytical model to study the D2D propagation of malware in wireless IoT networks. Leveraging tools from dynamic population processes and point process theory, we capture the malware infiltration and coordination processes over a network topology. The analysis of the mean-field equilibrium in the population is used to construct and solve an optimization problem for the network defender to prevent botnet formation by patching devices while causing minimum overhead to network operation. The developed analytical model serves as a basis for assisting the planning, design, and defense of such networks from a defender's standpoint.

Paper Structure

This paper contains 17 sections, 6 theorems, 27 equations, 12 figures, 1 table, 1 algorithm.

Key Result

Lemma 1

In a PPP distributed wireless network with D2D communication, the probability of a particular link of a degree $k$ device pointing to an un-compromised and to an informed bot device respectively at equilibrium can be approximately expressed as follows:

Figures (12)

  • Figure 1: Network model: A typical IoT device, referred to as device $i$, is highlighted in red colour. Each IoT device executes a regular process (indicated by green boxes) and may or may not be running a malware process (indicated by the yellow boxes with a bot symbol if infected or gray box otherwise). Devices within the communication range (indicated by the dotted line for device $i$) of each other are assumed to be able to communicate with each other and the communication links are highlighted by blue lines between the devices.
  • Figure 2: Analyzing potential connectivity of WiFi hotspots in NYC.
  • Figure 3: State evolution diagram for a typical device. Un-compromised devices of degree $k$, represented by $(\tilde{B}_k)$ may become infected with malware to become un-informed bot devices ($B\tilde{I}_k$), which can further become informed bots ($BI_k$). The informed devices discard information at a rate $\beta$ to again become un-informed. A patching process brings both un-informed and informed bots to an un-compromised state.
  • Figure 4: Relative impact of unit patching rate of a degree $k$ device on network performance.
  • Figure 5: Impact of varying un-compromised bot proportion threshold $\tau_{\tilde{B}}$ and informed bot proportion threshold $\tau_{BI}$. The dotted line shows the theoretical upper bound expressed in Corollary 1.
  • ...and 7 more figures

Theorems & Definitions (12)

  • Lemma 1
  • proof
  • Corollary 1
  • proof
  • Corollary 2
  • proof
  • Theorem 1
  • proof
  • Lemma 2
  • proof
  • ...and 2 more