Modeling, Analysis, and Mitigation of Dynamic Botnet Formation in Wireless IoT Networks

1 Modeling, Analysis, and Mitigation of Dynamic Botnet F ormation in W ireless IoT Networks Muhammad Junaid Farooq, Student Member , IEEE and Quanyan Zhu, Member , IEEE Abstract —The Internet of Things (IoT) relies heavily on wire- less communication devices that are able to discover and interact with other wireless devices in their vicinity . The communication flexibility coupled with software vulnerabilities in devices, due to low cost and short time-to-market, exposes them to a high risk of malware infiltration. Malware may infect a large number of network devices using device-to-device (D2D) communication resulting in the formation of a botnet, i.e., a network of infected devices controlled by a common malware. A botmaster may exploit it to launch a network-wide attack sabotaging infrastruc- ture and facilities, or for malicious pur poses such as collecting ransom. In this paper , we propose an analytical model to study the D2D propagation of malware in wireless IoT networks. Leveraging tools fr om dynamic population processes and point process theory , we capture malware infiltration and coordination process over a network topology . The analysis of mean-field equilibrium in the population is used to construct and solve an optimization problem for the network defender to prev ent botnet formation by patching devices while causing minimum overhead to network operation. The developed analytical model serves as a basis f or assisting the planning, design, and defense of such networks from a defender’s standpoint. Index T erms —Botnet, Internet of Things, de vice-to-device com- munication, population pr ocesses, distrib uted denial of service. I . I N T R O D UC T I O N The Internet of things (IoT) comprises of a network of sensors and actuators, which are embedded computers, com- municating with each other and to the Internet. Often, the endpoint devices rely on a plethora of wireless communication technologies and protocols such as WiFi, Bluetooth, Zigbee, etc., [1]. Although most devices in an IoT network are directly connected, via access points, to the Internet; there is an inherent flexibility in devices to connect to other wireless devices in their communication range in order to leverage their capabilities resulting in powerful functionalities. Furthermore, some commercially av ailable devices hav e extremely versatile processing and communication capabilities, e.g., the Amazon Echo [2], Google Home [3], etc., which enables them to ex ecute custom programs and processes. IoT devices are manufactured by different vendors without strong regulations on embedding cyber security features in the software. T o reduce cost and time-to-market, security issues may be overlooked by device manufacturers [4]. In addition to inherent software vulnerabilities, sev eral other factors increase Muhammad Junaid Farooq and Quanyan Zhu are with the Department of Electrical & Computer Engineering, T andon School of Engineering, New Y ork Univ ersity , Brooklyn, NY , USA, E-mails: { mjf514, qz494 } @nyu.edu. the risk of cyber attacks on these devices. One of the risks is the use of stock passwords to access the control panel of these devices. Moreover , most IoT de vices are left to operate on consumer premises without regular maintenance. It exposes them to the risk of being infected and controlled by malicious software processes, referred to as malware [5]. It is also possible that consumers might willingly accept to install certain processes or applications on their de vices in return for financial incentives, completely unaware of the fact that they might be used to launch a distributed denial of service (DDoS) attack [6] on the network at a later stage. Botnets ha ve become a significant threat to computer and communication networks in the last decade [7]. A botnet is a network of devices infected by malicious software and controlled by an external operator referred to as the botmas- ter [8]. Often, the malware infiltrates the network stealthily ov er time in a self-replicating manner before being instructed by the botmaster to trigger an attack. The objectiv e of the botnet is to cause disruption in service provisioning leading to loss of operation and sometimes with the intent of obtaining ransom [9]. The most f amous botnet attack in recent history has been the Mir ai in 2016 [10]. Recently , researchers hav e identified v ariants of the Mirai botnet referred to as the IoT roop or Reaper that is aimed at using IoT devices to launch DDoS attacks [11]. It is a powerful botnet that comprises of compromised domestic wireless routers, TVs, D VRs, and surveillance cameras exploiting vulnerabilities in devices from major manufacturers. In the case of wireless IoT networks, the malware may spread from one device to another among devices that are in close geographical proximity [12]. Due to the absence of centralized connectivity , the botmaster is compelled to use the same D2D links to issue control commands for coordinating an attack. Seed viruses may be planted into the networks using malicious or infected IoT devices or even using U A Vs [13]. Moreover , the botmster may change the malware code dynamically and may issue control commands to launch a wireless denial of service (WDoS) attack [14]. It is different from traditional DDoS attacks as services do not ha ve to be taken off the Internet. Instead, the goal is to exploit MA C vulnerabilities in wireless devices to generate superfluous traffic that sabotages legitimate operation [15]. The D2D nature of the wireless communication network makes it harder to launch a coordinated DDoS. Ho wever , at the same time, it is also hard to defend against it as a network of devices contributes to the attack and there is no single source. Therefore, the best strategy for a network defender is to pre vent the dynamic de velopment of a large scale botnet and limit its ability to launch a DDoS. Sev eral dynamic processes might be burgeoning in the network at the same time. Malware in an infected de vice might be attempting to replicate itself in nearby devices. Furthermore, the infected de vices also share control commands with other infected devices to agree on an attack point. On the other hand, the network defense mechanisms are also in place which periodically patch 1 the de vices. The patching frequency of devices needs to be carefully selected as it negativ ely affects the regular de vice operation. Particularly , if a device acts as a hub, i.e., connecting multiple devices together , the impact of downtime will be much more sev ere. In order to make such optimal patching frequenc y decisions, we need a theoretical model that can accurately capture the connectivity characteristics of the netw ork and incorporate the continuing dynamic processes. While the modeling and analysis of traditional Internet based botnets is also important due to its huge monetary and non-monetary impact, there hav e been some efforts to prev ent and control them. Howe ver , the botnets in wireless IoT systems need special attention due to the current lack of awareness and the increased security vulnerability of IoT devices. Despite the impending security threat to a massiv e number of unprotected IoT devices and systems, there is a severe dearth of systematic methodologies for understanding such systems from a security standpoint. This necessitates the dev elopment of exclusi ve models for such wireless IoT networks which can capture the spatial distribution of the devices and the dynamic processes of malware infiltration, control command propagation, and device patching by the defender . In this paper , we dev elop the theoretical underpinnings that allow the modeling and analysis of dynamic botnet formation in wireless IoT networks. A summary of the main contributions is provided below: 1) W e propose a novel analytical model, inspired from the dynamics of population processes, to capture the dynamic formation of botnets in wireless IoT systems using D2D communication. 2) W e analyze the degree based mean field equilibrium populations of malware-free devices and control com- mand aware devices in the network and dev elop approx- imate tractable expressions for them. 3) W e formulate an optimization problem from a network defender’ s standpoint, to control the formation of a botnet via patching while causing minimum disruption to regular operation of the IoT network, which turns out to be non-con vex. 4) W e prov e that the formulated non-con vex optimization problem has zero duality gap and consequently solve it using a dual decomposition based algorithm to obtain the optimal patching policy and study its behavior in response to varying network parameters. The rest of the paper is orgainzed as follow: Section II provides a re view of e xisting literature, Section III provides 1 Throughout this paper , the term ‘patch’ refers to attempts made by the defender to bring the device to an un-compromised state, e.g., via po wer cycling, firmware upgrades, etc. a description of the system model including the network setup and threat model used. Section IV pro vides a detailed description on the modeling of malw are & information evo- lution in the network, state space representation & dynamics, and equilibrium analysis. It also provides a formulation of the network defense problem and its solution methodology . Section V pro vides results of numerical e xperiments and the corresponding analysis. Finally Section VI concludes the paper with potential future research directions. I I . R E L A T E D W O R K In recent years, significant efforts have been in vested in research on Botnets and their characteristics [16]. Most studies are focused on Internet botnets [17] or, more specifically , on IP based networks [18]. Howe ver , the botnet phenomenon has been sparingly in vestigated in wireless networks. Furthermore, the existing studies are are either based on simulations [19], [20] or use abstract theoretical models that do not capture the dynamics of malware propagation or the network geometry into account [21]. In general, there is a lack of analytical modeling and analysis to support the framew orks dev eloped dev eloped particularly for malware spreading that may lead to a coordinated attack as in a botnet. The most related research to our proposed work is presented in [22], [23], [24]. [23] uses game theory and epidemiology to study security risks in D2D offloading of computational tasks between devices, [22] inv estigates mobile botnets spreading infection in a D2D fashion on the go, and [24] considers the case when multiple bots are trying to attack a single server . While these are trying to mitigate the risks of a large scale DDoS by a botnet, they do not not account for the dynamics of the malware propagation or the network geometry aspects that are important in wireless IoT networks. On the other hand, a framework for preventing malware propagation in wireless sensor networks has been proposed in [25] that captures the network features, ho wev er, it does not take into account the stealthy propagation behavior of a botnet which requires information dissemination and coordination to launch an attack. T o overcome the challenge of understanding the propagation of information in wireless networks, we have proposed a frame work in our previous works [26], [27], lev eraging concepts from mathematical epidemiology [28] and point process theory . Howe ver , traditional epidemiological models such as [29] and [30] are not sufficient to analyze the botnet formation in wireless networks due to the interplay between malware infection, control commands propagation, and device patching. In this paper , we develop novel methodologies to overcome the unique challenges of modeling and analyzing the cru- cial interplay between mal ware infection, control commands propagation, and device patching in wireless IoT networks. W e leverage ideas from the theories of dynamic population processes [31] and point processes to setup a mean field dynamical system that captures the e volution of malware infected de vices and control command aw are de vices ov er time. In general, obtaining tractable characterizations of the equilibrium state in such population processes is theoretically T ABLE I: List of model parameters. Symbol Description λ Density of deployed devices modeled according to a PPP r Communication range of devices ρ Probability of successful transmission between devices p Proportion of devices vulnerable to malware infiltration K Degree (number of communication neighbors) of a typical device π k Probability that a typical device has degree K = k . k max Maximum possible degree in the network γ b Malware spreading rate of bot γ c Control commands propagation rate of bots σ 1 A verage probability of being connected to a bot device σ 2 A verage probability of being connected to an informed bot θ ˜ B Probability that a given link points to an un-compromised device θ B I Probability that a given link points to an informed bot device β Information refresh rate of bot devices µ k Patching rate of device with degree K = k τ ˜ B Minimum proportion of un-compromised devices in the network τ B I Maximum proportion of informed bots in the network in volved due to the self-consistent nature of the equations in volved and the complex connectivity profile of the network. In this paper , we propose a variation of the mean field population process model based on a customized state space that allows us to analyze the formation of botnets in wireless IoT networks and helps in making decisions to control its impact. I I I . S Y S T E M M O D E L In this section, we provide a description of the network model used and the associated threat model. For the con ve- nience of readers, the notations used throughout this paper are summarized in T able I along with a brief description. A. Network Model W e consider a set of wireless IoT devices uniformly dis- tributed in R 2 according to a homogeneous Poisson Point Process (PPP) [32] denoted by Φ = { x i } i ≥ 1 with intensity λ ∈ N devices/km 2 , where x i ∈ R 2 represents the location coordinates of the i th device. Each device has computing capabilities for ex ecuting processes and has a wireless inter - face for communication with neighboring devices. The devices are assumed to have omni-directional transmissions with a communication range of r m. A typical device located at x i is connected wirelessly with K = | N i | other devices, where N i = { j : k x i − x j k ≤ r, ∀ j 6 = i } and | . | denotes the cardinality operator . Since the de vices in the network are distributed according to a PPP , the degree K is a random variable with P [ K = k ] = π k = e − λπr 2 ( λπ r 2 ) k k ! . Furthermore, the average de gree of a typical device is E [ K ] = λπ r 2 . An illustration of the network setup along with the state at a particular time is provided in Fig. 1. A realization of a random network is shown where each IoT de vice is shown to be equipped with a wireless interface and executing a regular process and a malw are process (if infected). The de vice connectivity is represented by blue links between de vices that are within a distance r of each other . The malware and the control commands propagate over these wireless links from one devices to another . A simultaneously ex ecuting IoT Device IoT Device IoT Device IoT Device IoT Device IoT Device IoT Device i IoT Device Malware Process Regular Process IoT Device IoT Device r Fig. 1: Netw ork model: A typical IoT de vice, referred to as device i , is highlighted in red colour . Each IoT device ex ecutes a regular process (indicated by green boxes) and may or may not be running a malware process (indicated by the yellow boxes with a bot symbol if infected or gray box otherwise). Devices within the communication range (indicated by the dotted line for device i ) of each other are assumed to be able to communicate with each other and the communication links are highlighted by blue lines between the devices. patching process restores the devices to an un-compromised state (illustrated by the gray boxes). In order to demonstrate the practical applicability of the em- ployed PPP netw ork model and the associated degree profile of the devices, we use location data of W iFi access points in New Y ork City (NYC), referred to as LinkNYC [33]. A map of the locations of hotspots is provided in Fig. 2a. W e use the locations data of 652 hotspots located in Midto wn Manhattan and surrounding neighbourhoods. Assuming the wireless IoT devices are deployed at the locations of LinkNYC hotspots with a communication range of 140 m, the connecti vity profile of a typical devices will almost be Poisson distributed 2 . The empirical degree distribution along with the maximum likelihood estimated Poisson degree is sho wn in Fig. 2. Some distortion is observed due to the physical limitation on the hotspots to be confined to the Manhattan grid lines. W e assume that the network is uncoordinated and the devices communicate with each other using (ALOHA) [34] as the medium access control (MA C) protocol. In other words, the devices do not coordinate with each other in making transmission decisions 3 . A Significant amount of lit- erature is av ailable on capturing the effects of interference, characterizing the probability of transmission success, and ev aluating transmission capacity in Poisson wireless ad hoc networks [35]. In this paper, we introduce the probability of transmission success of a typical transmitting device as a parameter ρ ∈ [0 , 1] . Precise characterization can be obtained using tools from stochastic geometry [32], such as in [36], 2 Note that the LinkNYC data has been used as an example to demonstrate the idea of wireless device reachability in lar ge scale public/priv ately deployed IoT devices in the future. 3 Note that the subsequently proposed framework is not restricti ve to a particular MA C protocol. Other MA C protocols such as the carrier sense multiple access (CSMA) can also be used, howe ver, the mean-field dynamics may not directly apply . (a) Location of WiFi hotspots in New Y ork City . 0 2 4 6 8 10 12 14 16 18 Device degree, k 0 0.02 0.04 0.06 0.08 0.1 0.12 0.14 0.16 0.18 Probability Density Communication Range = 140 m Link NYC Data Poisson degree (b) Fig. 2: Analyzing potential connectivity of W iFi hotspots in NYC. [37], howe ver it is not the main focus of this work. B. Threat Model W e assume that a botmaster, i.e., the entity which has authored the malware and subsequently plans to launch an attack, possesses powerful capabilities to exploit loopholes in vulnerable wireless IoT de vices to infiltrate them and install malicious software process on them. W e assume that a proportion p ∈ [0 , 1] of the network is vulnerable to being compromised or infiltrated by the malware if the malware has been successfully transmitted ov er the wireless interface 4 . In other words, 1 /p can be considered to be the average number of successful transmission attempts required to infiltrate a neighboring device. The bots use a fraction of the communication resources of the host device to infiltrate nearby devices and to share control commands. The transmission rate of packets to break into other de vices is referred to as malware spreading rate and denoted by γ b ≥ 0 in units of packets per second. Similarly , the transmission rate of pack ets contributing tow ards the dissemination of control commands is referred to as contr ol command pr opagation rate and denoted by γ c ≥ 0 . Note that the sum of γ b and γ c must be suf ficiently small in order to maintain stealthy operation of the botnet. In summary , the botnet threat in the wireless IoT networks is two fold. Firstly , the malware may spread from one de vice to another in its proximity using the wireless interface. Sec- ondly , the infected devices referred to as bots share control commands using the same wireless medium to coordinate and plan for launching a network-wide attack. Howe ver , as soon as a particular de vice is patched, the malicious process running on the device is terminated and it gets rid of both the malware as well as information about the control commands. After being patched, the device becomes vulnerable to infection again in 4 V ulnerability to be compromised can emanate from events such as using default passwords for access control, using an older version of the firmware etc. the future 5 . I V . M E T H O D O L O G Y In this section, we provide a systematic approach to model the propagation of malware and formation of a botnet in wire- less IoT networks. The proposed model is formally described using the dynamics of population processes and the analysis of equilibrium is presented. Finally , a network defense problem is formulated and a polynomial time algorithm is proposed to obtain the optimal de vice patching strategy mitig ating the formation of a botnet and associated risk of network-wide attack. A. Modeling of Malwar e & Information Evolution In a large scale wireless IoT network, a typical device may either be un-compromised or infiltrated by malware, thus referred to as a bot . Furthermore, devices that are bots may or may not hav e receiv ed control commands. Those that have re- ceiv ed control commands may hav e discarded them due being stale or outdated. Note that since the devices may go from one state to the other based on their communication interactions within their neighborhood, it is appropriate to categorize the devices according to their connectivity or degree 6 . This allows us to use the degree based mean field approach to study the spread of malware and their communication [38]. The possible system states of the population of degree k de vices, i.e., devices that are capable of communicating with k other devices, can then be classified as follows: • ˜ B k - the proportion of de gree k de vices in the network that are un-compromised. • B ˜ I k - the proportion of degree k devices in the network that are bots but uninformed about control commands. • B I k - the proportion of degree k devices in the network that are bots and are also informed with control com- mands. 5 In practice, the device vulnerability for future infection may reduce after getting patched, howev er there always exists a certain minimum vulnerability lev el of the devices. Moreover , the botmaster may also update its strategies to render the devices vulnerable again. 6 This implies that devices with similar connectivity profile will have similar behavior in terms of botnet fromation. B BI BI ~ ~ µ k µ k  k σ 1 k σ 2 k k k Fig. 3: State ev olution diagram for a typical device. Un- compromised devices of degree k , represented by ( ˜ B k ) may become infected with malware to become un-informed bot devices ( B ˜ I k ), which can further become informed bots ( B I k ). The informed devices discard information at a rate β to again become un-informed. A patching process brings both un- informed and informed bots to an un-compromised state. Once, the states are defined, we can study the transitions between each of these states. At any giv en time an un- compromised device may become a un-informed bot at a rate that it proportional to its degree k and the average probability that it is connected to a bot device, denoted by σ 1 . Similarly , an un-informed bot may become an informed bot at a rate that is proportional to its degree k and the av erage probability that it is connected to an informed bot, denoted by σ 2 . On the other hand, an informed bot may discard the control commands at a constant rate β to return to an un-informed state to maintain recency of control information. Finally , if the bots are patched, they return to an un-compromised state. W e use a degree based patching rate µ k inspired from the non-uniform transmission model proposed in [39]. This completes all the transitions between the possible system states. B. State Space Repr esentation & Dynamics In this subsection, we formally express the dynamics of the system using the developed state space. The state space representation and associated transitions described in the pre- vious subsection are illustrated by the state diagram shown in Fig. 3. Using the figure and le veraging concepts from the theory of population processes [31], the state ev olution can be mathematically described by the following dynamical system of equations: d ˜ B k ( t ) dt = µ k ( B ˜ I k ( t ) + B I k ( t )) − k σ 1 ˜ B k ( t ) , = µ k (1 − ˜ B k ( t )) − k σ 1 ˜ B k ( t ) , (1) dB ˜ I k ( t ) dt = − ( µ k + k σ 2 ) B ˜ I k ( t ) + k σ 1 ˜ B k ( t ) + β B I k ( t ) , (2) dB I k ( t ) dt = − ( µ k + β ) B I k ( t ) + k σ 2 B ˜ I k ( t ) . (3) Note that (1) captures the birth and death processes of un- compromised devices. In other w ords, it implies that at time t , the population proportion of un-compromised degree k devices is increasing with a rate that is proportional to the patching rate and the population proportion of bot devices. Howe ver , at the same time, it is also decreasing at a rate that is proportional to the degree k and the expected rate of interacting with a bot device. Similarly , we can interpret the remaining dynamical equations for un-informed bot and informed bot populations. Since, the states represent the pop- ulation proportions, we can use the closure relationship, i.e., ˜ B k ( t ) + B ˜ I k ( t ) + B I k ( t ) = 1 , ∀ t ≥ 0 , to reduce eqs. (1) to (3) to the following independent dynamical system of equations: d ˜ B k ( t ) dt = µ k − ( µ k + k σ 1 ) ˜ B k ( t ) , (4) dB I k ( t ) dt = k σ 2 − ( µ k + β + k σ 2 ) B I k ( t ) − k σ 2 ˜ B k ( t ) . (5) Note that the average probability for a degree k de vice to be connected to a bot device, σ 1 is directly proportional to the probability of transmission success, the vulnerability of the devices, the malware spreading rate, and the probability of being connected to a bot device. Similarly , the the average probability for a degree k de vice to be connected to an informed bot, σ 2 is directly proportional to the probability of transmission success, the control command propag ation rate, and the probability of being connected to an informed bot device. These can be, respectiv ely , expressed as follows 7 : σ 1 = ργ b p (1 − θ ˜ B ) , (6) σ 2 = ργ c θ B I , (7) where θ ˜ B is the probability that a particular link of a degree k device points to an un-compromised device, and θ B I is the probability that a particular link of a degree k device points to an informed bot device. These probabilities can be ev aluated as θ ˜ B = P k 0 P ( k 0 | k ) ˜ B k 0 ( t ) and θ B I = P k 0 P ( k 0 | k ) B I k ( t ) . Howe ver , for networks with uncorrelated degrees, these prob- abilities can be further expressed as follows: θ ˜ B = X k 0 k 0 P ( k 0 ) E [ K ] ˜ B k 0 ( t ) , (8) θ B I = X k 0 k 0 P ( k 0 ) E [ K ] B I k 0 ( t ) . (9) Note that the dynamical system of equations in eqs. (4) and (5) describe the time e volution of the respecti ve populations of un- compromised and informed bot devices in the network o ver time. In order to determine the eventual lev els of each type of population in the network, we need to ev aluate the equilibrium of the dynamical system. In the subsequent, subsections we focus on analyzing the equilibrium populations of degree k devices. C. Analysis of Equilibrium State At the equilibrium state, d ˜ B k ( t ) dt = 0 and dB I k ( t ) dt = 0 . Therefore, the equilibrium population of degree k un- compromised devices, ˜ B ∗ k and of informed bot devices, B I ∗ k can be expressed as follows: ˜ B ∗ k ( µ k ) = µ k µ k + k σ 1 ( θ ∗ ˜ B ) , (10) B I ∗ k ( µ k ) = k 2 σ 1 ( θ ∗ ˜ B ) σ 2 ( θ ∗ B I ) ( µ k + k σ 1 ( θ ∗ ˜ B ))( β + µ k + k σ 2 ( θ ∗ B I )) , (11) 7 The event of a device being vulnerable to malware infection and the suc- cessful reception of wireless signals are independent. Hence, the probabilities can be directly multiplied. with θ ∗ ˜ B and θ ∗ B I denoting the respectiv e probabilities at equi- librium. Note that eqs. (8) and (9) expresses ˜ B ∗ k and B I ∗ k in terms of θ ∗ ˜ B and θ ∗ B I . Howe ver , eqs. (10) and (11) can be used to e xpress θ ∗ ˜ B and θ ∗ B I in terms of ˜ B ∗ k and B I ∗ k . Therefore, it presents a self-consistent system of equations which needs to be solved in order to obtain the equilibrium state. An exact solution to the system in analytically challenging. Howe ver , an approximate characterization 8 of the probabilities θ ˜ B and θ B I at equilibrium is provided by the following lemma. Lemma 1. In a PPP distributed wir eless network with D2D communication, the pr obability of a particular link of a de gree k device pointing to an un-compromised and to an informed bot device respectively at equilibrium can be appr oximately expr essed as follows: θ ∗ ˜ B ≈ min  µ k ργ b p E [ K ] , 1  , (12) θ ∗ B I ≈ max  1 − µ k γ c + ργ b ( β + µ k ) E [ K ] ρpγ b γ c , 0  . (13) Pr oof. See Appendix A . These approximations present a lower bound on the actual probabilities. The loss in accuracy for the sak e of analytical tractability is discussed in Appendix A. Note that Lemma 1 presents an intuitiv e result where the probability of being connected to an un-compromised device, θ ˜ B is directly pro- portional to the patching rate and in versely related to the expected degree, vulnerability , malware spreading rate and the transmission success probability . Similar explanation can be deriv ed for θ B I . A direct corollary of the result presented in Lemma 1, that plays an important role in the optimal patching decisions is provided below: Corollary 1. F or a PPP deployed wir eless IoT network being infiltrated by a botnet with malwar e spreading at a rate γ b and contr ol commands pr opagating at a rate γ c , the upper bound on the r equir ed patching rate for a device to have an impact on the equilibrium populations is given by µ k ≤ ργ b p E [ K ] , ∀ k ≥ 1 , (14) Pr oof. See Appendix B . This is significant since it provides an estimate of the maximum patching frequency that can be used by the network defender on a degree k de vice to have an impact on the equilibrium proportions of the devices. In other words, it presents the fundamental limits of the patching rate, since using a higher patching rate than will lead to a completely bot- free population at equilibrium. Similarly , an auxiliary result emanating from (13) is expressed in the following Corollary . 8 Note that these results are based on first order approximation of the first moment of a function of a random variable. Although higher order approximations would lead to tighter approximations, howev er, it makes the solution analytically complicated precluding subsequent analysis and optimization. Corollary 2. The maximum information refr esh r ate, β that can be selected by a bot device to have non-zer o informed bot population at equilibrium can be expr essed as follows: β < pγ c E [ K ] (15) Pr oof. See Appendix B Although the results presented in Lemma 1 are useful, howe ver , the presence of the minimum and maximum func- tions present a challenge in leveraging them for optimization purposes. T o circumvent this challenge, we propose to use the Log-Sum-Exponential (LSE) function 9 to provide a smooth and continuously differentiable approximation of these expres- sions. It results in the following: θ ∗ ˜ B ≈ − 1 η ln  e − η + e − η  µ k ργ b p E [ K ]   , (16) θ ∗ B I ≈ 1 η ln  1 + e η  1 − µ k γ c + ργ b ( β + µ k ) E [ K ] ρpγ b γ c   , (17) where η is a sufficiently lar ge constant chosen for accuracy of the soft-minimum and soft-maximum functions. Note that the LSE relaxation in eqs. (16) and (17) may slightly af fect the upper bound on the patching rate expressed in Corollary 1 and the upper bound on the possible information refresh rate expressed in Corollary 2. Howe ver , the inaccuracy diminishes with the selection of large η . Finally , using the results of Lemma 1 and the subsequent LSE relaxation, the equilibrium populations of devices that are un-compromised and devices that are informed bots is expressed by the following theorem: Theorem 1. At equilibrium, the pr oportion of de gr ee k devices in the network that are un-compr omised (not infected with malwar e), i.e., ˜ B ∗ k and those that are bots and informed by contr ol commands, i.e., B I ∗ k can be approximately expr essed by eqs. (18) and (19) respectively . Pr oof. Substitution of (16) into (10) and (17) into (11) leads to this result. In the following subsection, we make use of the de veloped analytical model and the approximate results to formulate the network defense problem and subsequently discuss the methodology for solving it. D. Network Defense Pr oblem & Solution The goal of the network defender is to set up a patching schedule for each network device based on its connectivity in order to prev ent the formation of a large scale botnet. The patching rate must take into account the disruption caused to regular operation due to the strategies employed, e.g., firmware upgrade or po wer cycling, which can be in terms of the downtime of de vices. The cost incurred on the operation of a network device due to patching activity is assumed to be a smooth, conv ex, and increasing function of the patching 9 The function max( x, y ) can be approximated by 1 η ln ( e ηx + e ηy ) and min( x, y ) can be approximated by − 1 η ln  e − ηx + e − ηy  provided that η is sufficiently large. ˜ B ∗ k ( µ k ) ≈ µ k µ k + k ργ b p  1 + 1 η ln  e − η + e − η  µ k ργ b p E [ K ]   , (18) B I ∗ k ( µ k ) ≈ k 2 ρ 2 γ b γ c p  1 + 1 η ln  e − η + e − η  µ k ργ b p E [ K ]    µ k + k ργ b p  1 + 1 η ln  e − η + e − η  µ k ργ b p E [ K ]   × 1 η ln  1 + e η  1 − µ k γ c + ργ b ( β + µ k ) E [ K ] ρpγ b γ c    β + µ k + k ργ c + 1 η ln  1 + e η  1 − µ k γ c + ργ b ( β + µ k ) E [ K ] ρpγ b γ c   . (19) rate µ k , represented by φ k : R + → R + , ∀ k ≥ 1 . The risk of a botnet formation can be measured in terms of the equilibrium population of devices that are bots and the devices that are receiving control commands assuming knowledge of the transmission rates. Accordingly , tar gets for the minimum expected proportion of network that is un-compromised and the maximum tolerable proportion of the network that is an informed bot, denoted by τ ˜ B ∈ [0 , 1] and τ B I ∈ [0 , 1] respectiv ely , can be set. The network defender’ s problem can then be formulated as follows: minimize µ k ,k ≥ 1 ∞ X k =1 φ k ( µ k ) π k , (20) subject to ∞ X k =1 ˜ B ∗ k ( µ k ) π k ≥ τ ˜ B , (21) ∞ X k =1 B I ∗ k ( µ k ) π k ≤ τ B I . (22) The objective represents the total expected cost of patching devices at a rate µ k , ∀ k , while the constraints imply that the av erage proportion of un-compromised devices in the network must be higher than τ ˜ B and the a verage proportion of informed bot devices in the network must be smaller than τ B I . Note that the constraints are coupled with the objective, which makes the primal problem challenging to solve. Furthermore, despite the fact that the objective is con vex, both the constraints may be non-conv ex in the decision vector since some terms inside the summation are concave while others are con ve x. This is formally stated in the following lemma. Lemma 2. The equilibrium pr oportion of un-compr omised devices, ˜ B ∗ k is concave in µ k for k < E [ K ] and con vex otherwise. Similarly , there is a change in curvature of the equilibrium pr oportion of informed bot devices, B I k fr om con vex to concave with incr easing device de gree k . Pr oof. See Appendix C . Another important observation is that the constraints are linked in terms of the patching rates. A set of patching rates may completely satisfy one of the constraints but not the other . Therefore, it is important to in vestigate the conditions under which the constraints are active, particularly because there exists a limiting rate at which the constraints saturate. The following lemma presents an important condition relating the target thresholds that determines the status of the constraints. Lemma 3. The constraint on the average equilibrium popu- lation of informed bots, expr essed in (22) , is always satisfied for any τ B I ∈ [0 , 1] if the tar get on the averag e equilibrium population of un-compr omised devices is set as follows: τ ˜ B ≥ E [ K ] pγ c − β E [ K ] p ( ργ b + γ c ) (23) Pr oof. See Appendix D. Therefore, if the condition presented in Lemma 3 is sat- isfied, we can effecti vely ignore the constraint (22) from the optimization problem and proceed with only (21). This is extremely important since otherwise, the solution to the optimization problem may be difficult as one of the constraints saturates and is no longer monotonously increasing or de- creasing. Howe ver , ev aluating the condition a priori , we can circumvent this difficulty and ef fectiv ely solv e the optimiza- tion problem. Howe ver , there are several additional challenges. First, since the network is random, there is no upper bound on the maximum possible degree of a device, which makes the optimization problem intractable due to an infinite number of optimization variables. Howe ver , due to the structure of the network 10 , it is increasingly rare for a device to have larger degrees. Therefore, we note that there e xists a suf ficiently large k = k max such that P [ K > k max ] ≤  , where  is arbitrarily small. This allows us to conv ert the optimization problem into one with finite number of optimization variables referred to as µ = [ µ 1 , µ 2 , . . . , µ k max ] T . Therefore, the problem can then be expressed as follows: minimize µ k max X k =1 φ k ( µ k ) π k + ∞ X k = k max φ k ( µ k ) π k | {z }  1 subject to τ ˜ B − k max X k =1 ˜ B ∗ k ( µ k ) π k − ∞ X k = k max ˜ B ∗ k ( µ k ) π k | {z }  2 ≤ 0 , k max X k =1 B I ∗ k ( µ k ) π k + ∞ X k = k max B I ∗ k ( µ k ) π k | {z }  3 − τ B I ≤ 0 . (24) Since, the the Poisson density decays faster than the exponen- tial rate for large degree values, the terms labeled as  1 ,  2 , and  3 can be made arbitrarily small for suf ficiently large k max . Hence, effecti vely , these terms can be removed and the problem can be conv erted into a finite optimization problem. 10 In a PPP network, the probability of having a large number of neighbors decreases faster than the exponential decay rate for sufficiently large degrees. Since the primal problem may be non-con vex, we resort to solving the dual optimization problem [40]. Note, howe ver , that the duality gap in this problem setting is zero and hence solving the dual problem is equiv alent to solving the primal problem (See Appendix E for details). W e, therefore, relax the original problem by forming the Lagrangian as follows: L ( µ , ζ , ξ ) = k max X k =1 φ k ( µ k ) π k − ζ k max X k =1 ˜ B ∗ k ( µ k ) π k − τ ˜ B ! − ξ τ B I − k max X k =1 B I ∗ k ( µ k ) π k ! , = k max X k =1  φ k ( µ k ) π k − ζ ˜ B ∗ k ( µ k ) π k + ξ B I ∗ k ( µ k ) π k  + ζ τ ˜ B − ξ τ B I . (25) where ζ and ξ are the Lagrange multipliers, which are dual feasible if ζ ≥ 0 and ξ ≥ 0 . The Lagrange dual function can be written as follows: g ( ζ , ξ ) = min µ ≥ 0 k max X k =1  φ k ( µ k ) π k − ζ ˜ B ∗ k ( µ k ) π k + ξ B I ∗ k ( µ k ) π k  + ζ τ ˜ B − ξ τ B I , = k max X k =1  min µ k ≥ 0  φ k ( µ k ) π k − ζ ˜ B ∗ k ( µ k ) π k + ξ B I ∗ k ( µ k ) π k   + ζ τ ˜ B − ξ τ B I . Note that due to the structure of the Lagrangian, the optimiza- tion problem in the dual function decouples in the optimization variables, which makes the complexity of e valuating g ( ζ , ξ ) linear in k max [41]. For a given pair of Lagrange multipliers, the optimal patching rates µ ∗ can be written as follows: µ ∗ k = arg min µ k ≥ 0  φ k ( µ k ) π k − ζ ˜ B ∗ k ( µ k ) π k + ξ B I ∗ k ( µ k ) π k  . (26) Note that if both ˜ B ∗ k and B I ∗ k are not monotonous in µ k , it may not be possible to obtain a globally optimal solution for µ k in (26). Howe ver , fortunately using Lemma 3, we can determine if one of the functions will saturate or not at the optimal µ k based on the target thresholds set by the defender . If the condition in Lemma 3 is satisfied, we can ignore the term containing B I ∗ k in (26) and proceed with the optimization 11 . Finally , the dual optimization problem can be written as follows: maximize ζ ≥ 0 ,ξ ≥ 0 g ( ζ , ξ ) (27) Since g ( ζ , ξ ) is a concave optimization problem and has a unique maxima, we can employ a gradient based strategy to achiev e the optimal result. Howe ver , since a closed form of the dual function may not exist, and hence differentiability may not be guaranteed, we can resort to sub-gradient based iterati ve update methods for the dual v ariables [42]. The sub-gradients 11 Remov al of the term containing B I ∗ k automatically results in the removal of the Lagrange multiplier ξ in the subsequent expressions. of the dual function, ev aluated at the optimal patching rates, can be expressed as follows: ∇ ζ g ( ζ , ξ ) = τ ˜ B − k max X k =1 ˜ B ∗ k ( µ ∗ k ) π k , (28) ∇ ξ g ( ζ , ξ ) = k max X k =1 B I ∗ k ( µ ∗ k ) π k − τ B I . (29) Therefore, the iterative dual update rule based on the sub- gradients can be expressed as follows: ζ ( i +1) = h ζ ( i ) − α ∇ ζ i + , = " ζ ( i ) − α τ ˜ B − k max X k =1 ˜ B ∗ k ( µ ∗ k ) π k ! # + , i = 0 , 1 , 2 , . . . , (30) ξ ( i +1) = h ξ ( i ) − α ∇ ξ i + , = " ξ ( i ) − α k max X k =1 B I ∗ k ( µ ∗ k ) π k − τ B I ! # + , , i = 0 , 1 , 2 , . . . , (31) where α is the step size. The complete procedure for obtaining the optimal patching policy is pro vided in Algorithm 1. W e ini- tialize the iteration counter i to zero. Furthermore, we initialize the Lagrange multipliers to an arbitrary positive value and set a sufficiently small step-size α . Based on the condition τ ˜ B ≥ E [ K ] pγ c − β E [ K ] p ( ργ b + γ c ) , we exclude or include the term containing B I ∗ k and the associated Lagrange multiplier ξ . W e then proceed to solve the optimization problem in (26) for all possible device degrees. Once the optimal intermediate patching rates have been determined, the dual variables are updated based on the sub-gradient based update rule defined in (30) and (31). This process is repeated until the dual variables hav e conv erged and the corresponding µ ∗ k , ∀ k = 1 , 2 , . . . , k max , define the optimal patching rates for each device type. The complete procedure can be shown to hav e polynomial complexity in the total number of device degrees k max . In the following section, we provide numerical studies to illustrate the behavior of the solutions and its sensiti vities with respect to dif ferent model parameters. V . R E S U L T S In this section, we first describe the network setup and sys- tem parameters used for numerical studies. Then, we present the results obtained from the solution to the optimization problem and the associated impact of the parameters in volved. The parameters selected for the generation of numerical results are for illustrativ e purposes and can be modified according to the scenario in practical applications. Consider a random network of wireless IoT devices dis- tributed according to a homogeneous PPP with intensity λ = 300 de vice/km 2 and a communication range of r = 100 m. On av erage, a typical IoT device would be able to communicate with E [ K ] = λπ r 2 = 9 . 4 , i.e., approximately 9 other de vices. W e assume that the maximum possible degree in the netw ork is Algorithm 1 Dual Algorithm to solve the optimal patching problem Require: T arget thresholds, τ ˜ B and τ B I . 1: Initialize: Iteration i = 0 , Step-size α , Lagrange multipliers ζ ( i ) > 0 , ξ ( i ) > 0 . 2: repeat 3: procedur e D UA L F U N C T I ON O P T I M I ZAT IO N 4: if τ ˜ B ≥ E [ K ] pγ c − β E [ K ] p ( ργ b + γ c ) then 5: µ ( i ) ∗ k ← arg min µ k ≥ 0  φ k ( µ k ) π k − ζ ˜ B ∗ k ( µ k ) π k  , ∀ k = 1 , . . . , k max . 6: else 7: µ ( i ) ∗ k ← arg min µ k ≥ 0  φ k ( µ k ) π k − ζ ˜ B ∗ k ( µ k ) π k + ξ B I ∗ k ( µ k ) π k  , ∀ k = 1 , . . . , k max . 8: procedur e D UA L V A R I A B L E U P DA T E 9: if τ ˜ B ≥ E [ K ] pγ c − β E [ K ] p ( ργ b + γ c ) then 10: ζ ( i +1) ← " ζ ( i ) − α  τ ˜ B − P k max k =1 ˜ B ∗ k ( µ ∗ k ) π k  # + . 11: ξ ( i +1) ← " ξ ( i ) − α  P k max k =1 B I ∗ k ( µ ∗ k ) π k − τ B I  # + . 12: else 13: ζ ( i +1) ← " ζ ( i ) − α  τ ˜ B − P k max k =1 ˜ B ∗ k ( µ ∗ k ) π k  # + . 14: until con vergence of ζ and ξ . k max = 25 for which  = P ( K ≥ k max ) is of the order 10 − 6 . Due to interference and fading effects of the wireless channel during communication, we assume a successful transmission probability of ρ = 0 . 95 . W e assume that a proportion p = 0 . 7 , of the network is vulnerable to be infected by mal ware. The malware introduced by a botmaster is assumed to transmit packets for infiltration in nearby devices at a rate of γ b = 0 . 001 packets per second (or 1 packet e very 1000 seconds) and for control commands propagation at a rate of γ c = 0 . 001 packets per second. The information refresh rate of bots is selected as β = 0 . 002 per second. Note that this choice of β satisfies the condition provided in Corollary 2. In the theoretical analysis, the scaling constant for LSE relaxation of the minimum function is chosen to be η = 100 for accuracy . The impact of patching a device of degree k on the operational performance of the network is assumed to be captured by the function φ k ( µ k ) = w k µ 2 k , where the weights are modeled using the following logistic function: w k = 1 1 + e − a ( k − b ) , (32) and the constants a and b are chosen to be a = 0 . 2 and b = 10 respectiv ely . An illustration of the weight function is provided in Fig. 4. It implies that a unit patching rate on a device of degree k has a higher impact on network operation as k increases. Hence, it is more costly to increase patching rate for higher degree devices. In Fig. 5a, we plot the optimal patching rates for a degree k device in the network with varying target of un-compromised device proportion while fixing τ B I = 0 . 2 . The right axis plots the proportion of degree k devices in the network, or equiv alently the probability of a typical device ha ving degree 0 0.2 0.4 0.6 0.8 1 0 5 10 15 20 25 Fig. 4: Relative impact of unit patching rate of a degree k device on network performance. k , as a reference for interpreting the results. The dotted line shows the theoretical maximum patching rate that impacts the equilibrium populations as described in Lemma 1. It can be observed that for τ ˜ B = 0 . 6 , 0 . 7 , the optimal patching rates closely follow the proportion of devices due to the monotonously increasing weights w k . Howev er, for more aggressiv e targets e.g., τ ˜ B = 0 . 8 , 0 . 9 , the optimal patching rates saturate for the more probable degrees while increasing patching rates for the lesser probable ones. In Fig. 5b, we plot the optimal patching rates for a degree k device in the network with v arying tar get of informed bot proportion while fixing τ ˜ B = 0 . 7 . Note that a similar behavior is observed in this case where the optimal patching rates closely follo w the network de gree profile for less aggressive targets, e.g., τ B I = 0 . 1 , 0 . 2 . Howe ver , for more aggressiv e targets such as τ B I = 0 . 01 , 0 . 05 , a saturation is observed for more probable degree types. Howe ver , note that the higher and less probable degree de vices are patched more frequently although it causes higher disruption since the targets are otherwise not achiev able. Finally , Fig. 6a and Fig. 6b illustrate the behavior of the expected total patching cost with varying malware spreading rate and control command spreading rates respectiv ely . It is observed that the expected total patching cost increases at an increasing rate both with increasing malware spreading rate and the target un-compromised device proportion. Howe ver , the expected total patching cost increases at a decreasing rate with increasing control command propagation rate. This shows that the defender is more reactive to the malware spreading rate than the control command propagation rate in terms of a botnet formation. With regards to the effect of varying the device vulnerability in the network as well as the probability of transmission success, a similar behaviour is observed since changing these parameters in turn alters the ef fectiv e malware propagation rate and the control command propagation rate. A. Simulation & V alidation In this section, we conduct simulation experiments to vali- date the accuracy of the obtained theoretical results. In the first part, we simulate the considered PPP network. T wo different phases are inv estigated. In the first phase, a malware is intro- duced at epoch to an arbitrarily selected node and is allowed to propagate to its neighbourhood according to the device vulnerabilities, wireless transmission success probability , as well as the malware propagation rates. The malware spreads from one device to another in a D2D fashion until all the network has been compromised. Note that during the initial 0 5 10 15 20 25 0 0.001 0.002 0.003 0.004 0.005 0.006 0.007 0.008 0.009 0.01 0 0.02 0.04 0.06 0.08 0.1 0.12 0.14 BI = 0.2, b = 0.001, c = 0.01 (a) 0 5 10 15 20 25 0 0.001 0.002 0.003 0.004 0.005 0.006 0.007 0.008 0.009 0.01 0 0.02 0.04 0.06 0.08 0.1 0.12 0.14 BI = 0.01, 0.05, 0.1, 0.2 (b) Fig. 5: Impact of varying un-compromised bot proportion threshold τ ˜ B and informed bot proportion threshold τ B I . The dotted line shows the theoretical upper bound expressed in Corollary 1. 1 2 3 4 5 6 7 8 9 10 10 -3 0 0.002 0.004 0.006 0.008 0.01 0.012 0.014 0.016 0.018 c = 0.01 (a) V arying malware spreading rate and bot-free population target. 1 2 3 4 5 6 7 8 9 10 10 -3 0.9 1 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 10 -4 b = 0.001 (b) V arying control commands propagation rate and informed bot pop- ulation target. Fig. 6: Expected total cost of patching against varying system parameters. phase, there is no patching of de vices. During the second phase, the optimal patching policy for each device, based on its degree, is applied on the network. This leads to the reco very of bot devices and the proportions of bots in the netw ork is observed over time. The experiment is repeated for dif ferent target thresholds for bot-free population, i.e., τ ˜ B = 0 . 7 , 0 . 8 and 0.9. Fig. 7 illustrates a snapshot of the device states in the network after reaching equilibrium. Note that more devices are un-compromised at equilibrium as τ ˜ B increases as reflected by Fig. 7a, 7b, and 7c. The time ev olution of un-compromised devices for each of the thresholds is recorded in Fig. 8. Notice that the proportion of un-compromised devices increasingly drops from 100% to 0% as the mal ware is allo wed to propag ate in the network. Howe ver , when the patching process is started in the second phase (i.e., t = 10 4 ), the bot-free population sharply rises until it reaches the target threshold. Although the population keeps fluctuating due to the ongoing dynamical processes but on av erage the policy is observed to accurately achiev e the defined targets. T o further illustrate the usefulness and impact of our proposed methodology and obtained results, we simulate an experiment on the actual LinkNYC hotspot locations data. W e assume that IoT devices are placed at each of these locations with a communication range of 140 m. Again, the simulation is carried out in two phases. In the first phase, the malware is allo wed to propagate in the network until it has achiev ed the maximum spread. T o ensure complete penetration of the malware in the network, we initially introduce the malware in nodes which ha ve a degree of 2. This allows the propagation of the malware from one device to another ov er time until it affects most of the nodes during the first phase. Note that this network is not exactly a PPP , the malware spread is not as effecti ve since some nodes may be isolated or clustered together . Similarly , during the second phase (i.e., t = 2 . 5 × 10 4 ), the patching process is started until the equilibrium is achiev ed. Again, the experiment is repeated for different target thresholds for bot-free population, i.e., τ ˜ B = 0 . 7 , 0 . 8 and 0.9. The snapshots of the network states -0.5 -0.4 -0.3 -0.2 -0.1 0 0.1 0.2 0.3 0.4 0.5 -0.5 -0.4 -0.3 -0.2 -0.1 0 0.1 0.2 0.3 0.4 0.5 (a) -0.5 -0.4 -0.3 -0.2 -0.1 0 0.1 0.2 0.3 0.4 0.5 -0.5 -0.4 -0.3 -0.2 -0.1 0 0.1 0.2 0.3 0.4 0.5 (b) -0.5 -0.4 -0.3 -0.2 -0.1 0 0.1 0.2 0.3 0.4 0.5 -0.5 -0.4 -0.3 -0.2 -0.1 0 0.1 0.2 0.3 0.4 0.5 (c) Fig. 7: Snapshot of network states at equilibrium in a PPP network. 0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 time, t × 10 4 0 10 20 30 40 50 60 70 80 90 100 Prop ortion of un-c ompromis ed devices , ˜ B ( t ) τ BI = 0.2, γ b = 0.001, γ c = 0.01 τ ˜ B = 0 . 9 τ ˜ B = 0 . 8 τ ˜ B = 0 . 9 Fig. 8: T ime e volution of the proportion of un-compromised devices in a PPP network. at equilibrium are shown in Fig. 9. A similar behaviour is observed as the network increasingly becomes bot free at equilibrium as the patching rates are increased. The time e vo- lution of un-compromised devices for each of the thresholds is recorded in Fig. 10. W e start of f with infecting around 40% of the devices with malware and allow it to spread. It results in an infection of around 92% of the network with 8% un-compromised devices. Howe ver , once the patching policy is implemented, the netw ork recov ers sharply and is able to achiev e much higher bot-free proportions than the target. It is pertinent to mention that since the network is not a PPP , the spread of malware is more difficult. Hence, the dev eloped patching policy is more effecti ve than e xpected, resulting in better performance of the policy . Therefore, a Poisson network assumption proves to be a more conserv ativ e approximation of the real network, which is fav ourable in practice as the results correspond to a worst case scenario. V I . C O N C L U S I O N & F U T U R E W O R K In this paper , we dev elop a mathematical model to study the formation of botnets in wireless IoT networks. A customized dynamic population process model coupled with a Poisson point process based network model is proposed to capture the ev olution of different types of population in the network while keeping the network geometry into account. The proposed model characterizes the behaviour of malware transmission from one de vice to another using the wireless interface along with the propagation of control commands between bot devices in the network. A netw ork defender is assumed to patch the devices to av ert the formation of a botnet that may trigger a coordinated attack at a later stage. The equilibrium state of malware infection and message propagation in the devices is determined using approximate analysis. The results are then used to dev elop a network defense problem that aims to obtain optimal patching rates while minimizing the disruption to regular network operation under tolerable botnet activity . While the optimal patching problem may be non-con vex, a dual decomposition algorithm with appropriate conditions is proposed to solve the optimization problem resulting in the optimal patching schedule for network devices based on their connectivity profile. In this work, the network defender’ s problem has been studied based on the knowledge of the attacker behavior and strategies. Howe ver , the defender’ s actions may also impact the attacker’ s strategies. Therefore, as part of the future work, we intend to use the proposed model as a basis for dev eloping a game theoretic framework which will enable us to deri ve optimal policies for both the attacker and defender . A P P E N D I X A P RO O F O F L E M M A 1 By substituting (10) into (8), we arrive at the follo wing equation that needs to be solved for θ ˜ B : θ ˜ B = X k 0 k 0 P ( k 0 ) E [ K ]  µ k 0 µ k 0 + k 0 σ 1 ( θ ˜ B )  , = X k 0 k 0 P ( k 0 ) E [ K ]  µ k 0 µ k 0 + k 0 ργ b p (1 − θ ˜ B )  . (33) The optimal θ ˜ B is referred to as θ ∗ ˜ B . The first step is to make use of the degree independence in a homogeneous PPP network to write (33) as follows: θ ∗ ˜ B = E " µ k µ k + k ργ b p (1 − θ ∗ ˜ B ) # . (34) (a) (b) (c) Fig. 9: Snapshot of network states at equilibrium in the LinkNYC network. 0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 time, t × 10 4 0 10 20 30 40 50 60 70 80 90 100 Prop ortion of un-c ompromis ed devices , ˜ B ( t ) τ BI = 0.2, γ b = 0.001, γ c = 0.01 τ ˜ B = 0 . 9 τ ˜ B = 0 . 8 τ ˜ B = 0 . 7 Fig. 10: T ime e volution of the proportion of un-compromised devices in the LinkNYC network. Due to the complex form of P ( K = k ) , a tractable closed form for E  µ k µ k + kργ b p (1 − θ ∗ ˜ B )  cannot be easily obtained. Using T aylor expansions for the moments of functions of random variables, the expectation of a function g ( . ) can be expressed as E [ g ( K )] ≈ g ( E [ K ]) + g 00 ( E [ K ]) 2 σ 2 K , where σ K is the variance of the degree. Howe ver , using a second order approx- imation results in loss of tractable solution for (34). Therefore, we resort to the first order approximation for simplicity , which results in (34) being expressed as follows: θ ∗ ˜ B ≈ µ k µ k + E [ K ] ργ b p (1 − θ ∗ ˜ B ) , (35) It can be solved for θ ∗ ˜ B to lead to the following: θ ∗ ˜ B ≈ µ k ργ b p E [ K ] . (36) Note that since µ k ≥ 0 is not bounded from above, so θ ∗ ˜ B may become higher than unity which is not possible since it represents a probability . Therefore, we restrict it from above by unity , thus proving the first part of the lemma. Using a similar methodology , substituting (11) into (9) leads to the following expression for θ ∗ B I : θ ∗ B I = E " k 2 σ 1 ( θ ˜ B ) σ 2 ( θ ∗ B I ) ( µ k + k σ 1 ( θ ˜ B ))( β + µ k + k σ 2 ( θ ∗ B I )) # , = E " k 2 σ 1 ( θ ˜ B ) ργ c θ ∗ B I ( µ k + k σ 1 ( θ ˜ B ))( β + µ k + k ργ c θ ∗ B I ) # . (37) Again, using the first order approximation of the function inside the expectation, we arriv e at solving the following equation: θ ∗ B I ≈ ( E [ K ]) 2 σ 1 ( θ ˜ B ) σ 2 ( θ ∗ B I ) ( µ k + E [ K ] σ 1 ( θ ˜ B ))( β + µ k + E [ K ] σ 2 ( θ ∗ B I )) , (38) Solving this for θ ∗ B I , after some algebraic manipulations, leads to the following result: θ ∗ B I ≈ 1 − µ k γ c + ργ b ( β + µ k ) k ρpγ b γ c . (39) Since µ k represents a probability , it needs to be non-negativ e. Hence, θ ∗ B I needs to be restricted at 0 from belo w , leading to the result provided in Lemma 1. In Fig. 11, we plot the results obtained from the first order and second order approximations of the probabilities θ ∗ ˜ B and θ ∗ B I against the patching rates. It is observed that the gap between the approximations increases as the patching rate gets higher . Furthermore, the approximations for θ ∗ ˜ B are relatively much closer as compared to the ones for θ ∗ B I . Therefore, despite some loss in accuracy , it is still reasonable to use the first order approximations due to the powerful analytical tractability , that facilitates further analysis and decision-making. A P P E N D I X B P RO O F O F C O R O L L A RY 1 From (10), we deduce that in order for θ ∗ ˜ B to assume a nontrivial value, µ k ργ b p E [ K ] must be smaller than unity . This implies that µ k ≤ ργ b p E [ K ] . Similarly , from (11), we deduce that µ k γ c + ργ b ( β + µ k ) E [ K ] ρpγ b γ c ≤ 1 in order for θ ∗ B I to assume a non- trivial value. It results in the condition µ k ≤ ργ b γ c p E [ K ] − ργ b β γ c + ργ b with an implicit condition β < pγ c E [ K ] for it to be mean- ingful. It is formally e xpressed as Corollary 2. Howe ver , the upper bound obtained from (10) is higher , thus becoming the effecti ve upper bound. Therefore, any µ k higher than the upper bound is futile in ha ving an impact on the equilibrium state of the devices. In other w ords, patching devices at a higher rate than the upper bound only affects the regular network operation without having any impact on botnet formation. A P P E N D I X C P RO O F O F L E M M A 2 W e can observe that d ˜ B ∗ k dµ k = kσ 1 − µ k kσ 0 1 ( µ k + kσ 1 ) 2 and d 2 ˜ B ∗ k dµ 2 k = ( µ k + kσ 1 ) ( ( µ k + kσ 1 )( − µ k kσ 00 1 ) − 2(1+ kσ 0 1 )( kσ 1 − µ k kσ 0 1 ) ) ( µ k + kσ 1 ) 3 , where σ 0 1 = dσ 1 ( µ k ) dµ k = − 1 E [ K ] and σ 00 1 = d 2 σ 1 ( µ k ) dµ 2 k = 0 . The denominator of d 2 ˜ B ∗ k dµ 2 k is always positi ve and the numerator ev aluates to − 2( µ k + k σ 1 )  1 − k E [ K ]   k σ 1 + kµ k E [ K ]  . Therefore, it is clear that d 2 ˜ B ∗ k dµ 2 k < 0 if k < E [ K ] and vice versa. Therefore, we can conclude that ˜ B k ev aluated at equilibrium is concave for k < E [ K ] and con vex otherwise. Similarly , for B I k , it can be shown that d 2 B I ∗ k dµ 2 k experiences a change in sign with k , which is hard to characterize analytically but the change point can be proved to be different than E [ K ] . In order to demonstrate the change in curvature of the equilibrium populations, we plot the respectiv e equilibrium populations of un-compromised devices and informed bots in Fig. 12 for dif ferent v alues of k . Note that with an increasing patching rate, the un-compromised device population increases until it reaches 1 ( − ˜ B k is plotted in Fig. 12, which is decreasing to − 1 ). Howe ver , on the other hand, the equilibrium population of informed bot devices decreases until it reaches 0. Furthermore, the informed bot device population diminishes completely with a much smaller patching rate that is required to make the network completely un-compromised. These equilibrium populations have been plotted with mean device de gree E [ K ] = 9 . 4 and it can be observed that the curvature of the constraints is different if the degree is small, i.e., k = 5 , than when it is large, i.e., k = 15 . A P P E N D I X D P RO O F O F L E M M A 3 From Appendix B, it can be concluded that ˆ µ k = ργ b γ c p E [ K ] − ργ b β γ c + ργ b can completely eradicate equilibrium pop- ulation of informed bots of degree k . Howe ver , at this patching rate, the population of un-compromised devices can be obtained as ˜ B ∗ k ( ˆ µ k ) = E [ K ]( pγ c E [ K ] − β ) k ( β + E [ K ] pργ b )+ E [ K ]( E [ K ] pγ c − β ) . Since ˜ B ∗ k ( ˆ µ k ) is a conv ex function of k , P ∞ k =1 ˜ B ∗ k ( ˆ µ k ) = E [ ˜ B ∗ k ( ˆ µ k )] ≥ ˜ B ∗ E [ K ] ( ˆ µ k ) (Using Jensen’ s inequality [43]). It results in E [ ˜ B ∗ k ( ˆ µ k )] ≥ E [ K ] pγ c − β E [ K ] p ( ργ b + γ c ) . Knowing that ˜ B ∗ k is an increasing function of µ k , we can deduce that if τ ˜ B ≥ E [ K ] pγ c − β E [ K ] p ( ργ b + γ c ) , then it requires a patching rate higher than ˆ µ k . This implies that B I ∗ k will be zero at the optimal patching rate. Hence, the constraint (22) will always be satisfied if τ ˜ B is suf ficiently high and therefore, we can ef fectively remove it from the optimization problem. This phenomenon can also be observed from Fig. 12 where the equilibrium population of informed bots diminishes to zero much earlier than the equilibrium proportion of un-compromised devices. A P P E N D I X E T o prov e that the duality gap for the optimization problem formulated in eqs. (20) to (22) is zero, we inv oke a key result from [40]. An adaptation of its statement is provided as follo ws: Consider the primal optimization problem of the form minimize P k max k =1 f k ( x k ) subject to P k max k =1 h k ( x k ) ≤ P , where f k ( . ) is a scalar function, h k ( . ) is a vector function, and P is a vector of constraints. Both f k ( . ) and h k ( . ) may not necessarily be con vex. Now , let x and y be the optimal solutions to be problem with P = P x and P = P y respectiv ely . Then, for ν ∈ [0 , 1] , if there exists z such that P k max k =1 h k ( z k ) ≤ ν P x + (1 − ν ) P y and P k max k =1 f k ( z k ) ≤ ν P k max k =1 f k ( x k ) + (1 − ν ) P k max k =1 f k ( y k ) , then the duality gap is zero leading to the same solution for the primal and dual problems. For more details, the readers are referred to [40] and references therein. No w , for the problem considered in this paper , the objectiv e is strictly con vex while the constraints may not necessarily be con vex. Assuming that we are considering the feasible re gime for µ as defined in Corollary 1 and µ x , µ y are the optimal patching rates corresponding to threshold vectors P x and P y . First, assume that only the constraint (21) is acti ve, i.e., P x = τ x ˜ B and P y = τ y ˜ B are scalars. Since ˜ B ∗ k ( . ) is strictly monotone, so if τ x ˜ B > τ y ˜ B , then the optimal µ x ,k > µ y ,k , ∀ k . Therefore, there exists an interior point µ z = { µ z ,k : min( µ x ,k , µ y ,k ) ≤ z k ≤ max( µ x ,k , µ y ,k ) , ∀ k } for which − P k max k =1 ˜ B ∗ k ( µ z ,k ) ≤ − ν τ x ˜ B − (1 − ν ) τ y ˜ B . From the con vexity of φ k ( . ) in the objecti ve in (20), it is clear that P k max k =1 φ k ( µ z ,k ) π k ≤ ν P k max k =1 φ k ( µ x ,k ) π k + (1 − ν ) P k max k =1 φ k ( µ y ,k ) π k . This implies that the duality gap of the problem is zero. Now , when both constraints (22) and (21) are acti ve, the argument still applies since both − ˜ B ∗ k ( . ) and B I ∗ k are strictly decreasing functions of the arguments which guarantees the existence of an interior point corresponding to ev ery linear combination of P x and P y The conv exity of the objectiv e function subsequently completes the proof. R E F E R E N C E S [1] S. Al-Sara wi, M. Anbar, K. Alieyan, and M. Alzubaidi, “Internet of things (IoT) communication protocols: Review , ” in 8th Intl. Conf. Inf. T echnol. (ICIT 2017) , May 2017, pp. 685–690. [2] Amazon Echo. [Online]. A vailable: https://www .amazon.com/ Amazon- Echo- And- Alexa- De vices/b?ie=UTF8&node=9818047011 0 0.5 1 1.5 2 2.5 3 Patc hing rate of degree k device, µ k × 10 -3 0 0.1 0.2 0.3 0.4 0.5 0.6 Approximate solution of θ ∼ B First Order Approximation Second Order Approximation (a) 0 0.5 1 1.5 2 2.5 3 Patc hing rate of degree k device, µ k × 10 -3 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Approximate solution of θ ∗ BI First Order Approximation Second Order Approximation (b) Fig. 11: Approximation accuracy of link probabilities. 0 1 2 3 4 5 6 Patc hing rate of degree k device, µ k × 10 -3 -0.8 -0.6 -0.4 -0.2 0 0.2 0.4 0.6 Equilibrium population proportions k = 5 ( ≪ E [ K ]) − ˜ B ∗ k B I ∗ k (a) Equilibrium populations against patching rate for small degree devices. 0 1 2 3 4 5 6 Patc hing rate of degree k device, µ k × 10 -3 -0.8 -0.6 -0.4 -0.2 0 0.2 0.4 0.6 0.8 Equilibrium population proportions k = 15 ( ≫ E [ K ]) − ˜ B ∗ k B I ∗ k (b) Equilibrium populations against patching rate for large degree devices. Fig. 12: Curvature analysis of equilibrium population processes for different degree devices. [3] Google Home. [Online]. A vailable: \ https://store.google.com/us/ product/google home?hl=en- US [4] A. T annenbaum, “Why do IoT companies keep building devices with huge security flaws?” Harvard Business Review , Apr . 2017. [5] Y . Dibrov , “The Internet of things is going to change everything about cybersecurity , ” Harvard Business Review , Dec. 2017. [6] C. Kolias, G. Kambourakis, A. Stavrou, and J. V oas, “DDoS in the IoT: Mirai and other botnets, ” Computer , vol. 50, no. 7, pp. 80–84, 2017. [7] M. Feily , A. Shahrestani, and S. Ramadass, “ A survey of botnet and botnet detection, ” in 3rd Intl. Conf. Emerging Security Inf. Sys. T echnol. , June 2009, pp. 268–273. [8] G. V ormayr, T . Zseby , and J. Fabini, “Botnet communication patterns, ” IEEE Commun. Surveys T uts. , vol. 19, no. 4, pp. 2768–2796, Fourth Quarter 2017. [9] E. Bertino and N. Islam, “Botnets and Internet of things security , ” Computer , vol. 50, no. 2, pp. 76–79, Feb. 2017. [Online]. A vailable: doi.ieeecomputersociety .org/10.1109/MC.2017.62 [10] M. A. et al, “Understanding the Mirai botnet, ” in Proceedings of the 26th USENIX Security Symposium , 2017. [On- line]. A vailable: https://www .usenix.org/conference/usenixsecurity17/ technical- sessions/presentation/antonakakis [11] P . Moriuchi and S. Chohan, “Mirai-variant IoT botnet used to target financial sector in january 2018, ” Insikt Group, Apr . 2018. [12] M. Knysz, X. Hu, Y . Zeng, and K. G. Shin, “Open W iFi networks: Lethal weapons for botnets?” in Pr oc. IEEE Intl. Conf . Comput. Commun. (INFOCOM 2012) , Orlando, FL, USA, Mar . 2012, pp. 2631–2635. [13] T . Reed, J. Geis, and S. Dietrich, “SkyNET: A 3G-enabled mobile attack drone and stealth botmaster, ” in Pr oc. 5th USENIX Conf. on Offensive T echnologies , ser . WOO T’11. Berkeley , CA, USA: USENIX Association, 2011. [14] K. Pelechrinis, M. Iliofotou, and S. V . Krishnamurthy , “Denial of service attacks in wireless networks: The case of jammers, ” IEEE Commun. Surveys T uts. , vol. 13, no. 2, pp. 245–257, Second Quarter 2011. [15] “Can wireless LAN denial of service attacks be prevented? understand- ing WLAN DoS vulnerabilities & practical countermeasures, ” Motorola Inc., White Paper , 2009. [16] N. Vlajic and D. Zhou, “IoT as a land of opportunity for DDoS hackers, ” Computer , vol. 51, no. 7, pp. 26–34, Jul. 2018. [17] Q. W ang, Z. Chen, and C. Chen, “On the characteristics of the worm infection family tree, ” IEEE T rans. Inf. F orensics and Security , vol. 7, no. 5, pp. 1614–1627, Oct 2012. [18] J. Kim, S. Radhakrishnan, and S. K. Dhall, “Measurement and analysis of worm propagation on Internet network topology , ” in Pr oc.13th Intl. Conf. Computer Commun. Netw . (IEEE Cat. No.04EX969) , Oct. 2004, pp. 495–500. [19] K. Channakeshav a, D. Chafekar, K. Bisset, V . S. A. Kumar , and M. Marathe, “Epinet: A simulation framework to study the spread of malware in wireless networks, ” in Proc. 2nd Intl. Conf. Simulation T ools and T echniques , ser. Simutools ’09. Brussels, Belgium, Belgium: Insti- tute for Computer Sciences, Social-Informatics and T elecommunications Engineering (ICST), 2009. [20] D. Yin, L. Zhang, and K. Y ang, “ A DDoS attack detection and mitig ation with software-defined internet of things framework, ” IEEE Access , vol. 6, pp. 24 694–24 705, 2018. [21] J. A. Jerkins and J. Stupiansky , “Mitigating IoT insecurity with inoculation epidemics, ” in Pr oceedings of the ACMSE 2018 Confer ence , ser . A CMSE ’18. New Y ork, NY , USA: ACM, 2018, pp. 4:1–4:6. [Online]. A vailable: http://doi.acm.org/10.1145/3190645.3190678 [22] Z. Lu, W . W ang, and C. W ang, “On the ev olution and impact of mobile botnets in wireless networks, ” IEEE T rans. Mobile Comput. , vol. 15, no. 9, pp. 2304–2316, Sep. 2016. [23] J. Xu, L. Chen, K. Liu, and C. Shen, “Designing security-aware incen- tiv es for computation offloading via device-to-de vice communication, ” IEEE T ransactions on W ireless Communications , vol. 17, no. 9, pp. 6053–6066, Sept. 2018. [24] A. A. Santos, M. Nogueira, and J. M. F . Moura, “ A stochastic adaptive model to explore mobile botnet dynamics, ” IEEE Communications Letters , vol. 21, no. 4, pp. 753–756, Apr. 2017. [25] S. Shen, H. Li, R. Han, A. V . V asilakos, Y . W ang, and Q. Cao, “Differential game-based strategies for prev enting malware propagation in wireless sensor networks, ” IEEE T rans Inf. F orensics and Security , vol. 9, no. 11, pp. 1962–1973, Nov 2014. [26] M. J. Farooq and Q. Zhu, “On the secure and reconfigurable multi-layer network design for critical information dissemination in the Internet of battlefield things (IoBT), ” IEEE T rans. W ireless Commun. , v ol. 17, no. 4, pp. 2618–2632, Apr . 2018. [27] ——, “Secure and reconfigurable network design for critical information dissemination in the internet of battlefield things (IoBT), ” in 15th Intl. Symp. Model Optim. in Mobile, Ad Hoc, and W ireless Netw . (WiOpt 2017) , May 2017, pp. 1–8. [28] F . Brauer , P . van den Driessche, and E. J. W u, Mathematical Epidemi- ology . Springer, Berlin: Springer, 2008. [29] A. L. Lloyd and R. M. May , “How viruses spread among computers and people, ” Science , vol. 292, no. 5520, pp. 1316–1317, 2001. [Online]. A vailable: http://science.sciencemag.org/content/292/5520/1316 [30] Y . Moreno, M. Nekovee, and A. F . Pacheco, “Dynamics of rumor spreading in complex networks, ” Phys. Rev . E , vol. 69, p. 066130, Jun 2004. [Online]. A vailable: https://link.aps.org/doi/10.1103/PhysRevE. 69.066130 [31] J. F . C. Kingman, “Markov population processes, ” Journal of Applied Pr obability , vol. 6, no. 1, pp. 1–18, 1969. [32] D. Stoyan, W . S. Kendall, and J. Mecke, Stochastic geometry and its applications , ser . Wiley series in probability and mathematical statisitics. Chichester , W . Sussex, New Y ork: W iley , 1987. [33] NYC OpenData, NYC Wi-Fi Hotspot Locations. [Online]. A vailable: https://data.cityofnewyork.us/Social- Services/ NYC- W i- Fi- Hotspot- Locations/a9we- mtpn [34] N. Abramson, “THE ALOHA SYSTEM: Another alternativ e for computer communications, ” in Proceedings of the November 17-19, 1970, F all Joint Computer Conference , ser. AFIPS ’70 (Fall). Ne w Y ork, NY , USA: ACM, 1970, pp. 281–285. [Online]. A vailable: http://doi.acm.org/10.1145/1478462.1478502 [35] S. W eber, J. G. Andrews, and N. Jindal, “ An overvie w of the trans- mission capacity of wireless networks, ” IEEE T rans. Commun. , vol. 58, no. 12, pp. 3593–3604, Dec. 2010. [36] M. Haenggi, “Outage, local throughput, and capacity of random wireless networks, ” IEEE T rans. W ir eless Commun. , vol. 8, no. 8, pp. 4350–4359, Aug. 2009. [37] M. Kaynia and N. Jindal, “Performance of ALOHA and CSMA in spa- tially distributed wireless networks, ” in 2008 IEEE Intl. Conf. Commun. , May 2008, pp. 1108–1112. [38] R. Pastor-Satorras, C. Castellano, P . V an Mieghem, and A. V espignani, “Epidemic processes in complex networks, ” Rev . Mod. Phys. , vol. 87, pp. 925–979, Aug. 2015. [39] C. yi Xia, Z. W ang, J. Sanz, S. Meloni, and Y . Moreno, “Effects of delayed recovery and nonuniform transmission on the spreading of diseases in complex networks, ” Physica A: Statistical Mechanics and its Applications , vol. 392, no. 7, pp. 1577 – 1585, 2013. [Online]. A vailable: http://www .sciencedirect.com/science/article/pii/S0378437112010084 [40] W . Y u and R. Lui, “Dual methods for noncon vex spectrum optimization of multicarrier systems, ” IEEE T rans. Commun. , v ol. 54, no. 7, pp. 1310– 1322, July 2006. [41] D. P . Palomar and M. Chiang, “ A tutorial on decomposition methods for network utility maximization, ” IEEE J. Sel. Areas Commun. , vol. 24, no. 8, pp. 1439–1451, Aug. 2006. [42] L. Xiao, M. Johansson, and S. P . Boyd, “Simultaneous routing and resource allocation via dual decomposition, ” IEEE T rans. Commun. , vol. 52, no. 7, pp. 1136–1144, July 2004. [43] Z. Cvetko vski, Inequalities: Theorems, T echniques and Selected Pr ob- lems , Springer, Berlin, Heidelber g, 2012, ch. Conv exity , Jensen’ s In- equality , pp. 69–77. Muhammed Junaid Farooq recei ved the B.S. degree in electrical engineering from the School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and T ech- nology (NUST), Islamabad, Pakistan, the M.S. de- gree in electrical engineering from the King Abdul- lah Univ ersity of Science and T echnology (KA UST), Thuwal, Saudi Arabia, in 2013 and 2015, respec- tiv ely . Then, he was a Research Assistant with the Qatar Mobility Innovations Center (QMIC), Qatar Science and T echnology Park (QSTP), Doha, Qatar. Currently , he is a PhD student at the T andon School of Engineering, New Y ork University (NYU), Brooklyn, New Y ork. His research interests include modeling, analysis and optimization of wireless communication systems, cyber -physical systems, and the Internet of things. He is a recipient of the President’ s Gold Medal for academic excellence from NUST , the Ernst W eber Fellowship A ward for graduate studies and the Athanasios Papoulis A ward for graduate teaching excellence from the department of Electrical & Computer Engineering (ECE) at NYU T andon School of Engineering. Quanyan Zhu (S’04, M’12) receiv ed B. Eng. in Honors Electrical Engineering from McGill Univ er- sity in 2006, M.A.Sc. from Uni versity of T oronto in 2008, and Ph.D. from the Univ ersity of Illinois at Urbana-Champaign (UIUC) in 2013. After stints at Princeton Univ ersity , he is currently an assistant pro- fessor at the Department of Electrical and Computer Engineering, New Y ork University . He is a recipient of many awards including NSERC Canada Graduate Scholarship (CGS), Mavis Future F aculty Fellow- ships, and NSERC Postdoctoral Fellowship (PDF). He spearheaded and chaired INFOCOM W orkshop on Communications and Control on Smart Energy Systems (CCSES), and Midwest W orkshop on Control and Game Theory (WCGT). His current research interests include Internet of things, cyber-ph ysical systems, security and priv acy , and system and control.