#### **1. Introduction**

A series of major information security incidents has occurred recently. Information security hazards include not only individual hackers highlighting their technical capabilities, but also team attacks aimed at obtaining economic benefits. For example, in 2016, the servers of the First Bank of Taiwan were attacked with a trojan horse from the United Kingdom [1]. Several security breaches involving distributed denial of service (DDoS) attacks have occurred in Taiwan. The Financial Services Information Sharing and Analysis Centre, which is the only global cyber intelligence sharing community solely focused on financial services, reported that more than 100 financial services firms were the targets of a wave of DDoS extortion attacks conducted by the same actor in February 2021. These DDoS attacks by botnets resulted in people being unable to place brokerage orders online with the aforementioned firms. The hackers behind the aforementioned attacks demanded a large ransom from the firms, and threatened to detonate the money by using implanted trojans and launch a new wave of DDoS attacks [2].

The Taiwan Stock Exchange announced that, after suffering DDoS attacks, several companies adopted DDoS attack flow cleaning services based on network intrusion prevention systems in 2020. These services provide possible connections to trace the sources of real attacks, analyse the behavioural feature of cyber attacks with data collection [3], and enable countermeasures to be taken against DDoS threats. To counter DDoS attacks, security managers use the Internet protocol (IP) traceback (IPTBK) scheme for periodically detecting and identifying possible threats.

**Citation:** Lin, H.-C.; Wang, P.; Lin, W.-H.; Chao, K.-M.; Yang, Z.-Y. Identifying the Attack Sources of Botnets for a Renewable Energy Management System by Using a Revised Locust Swarm Optimisation Scheme. *Symmetry* **2021**, *13*, 1295. https://doi.org/10.3390/sym13071295

Academic Editor: Jan Awrejcewicz

Received: 26 June 2021 Accepted: 17 July 2021 Published: 19 July 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

In the identification of the sources of DDoS attacks from botnets, defenders are assumed to have the ability to collect only a small amount of routing information. Therefore, in real-time IP traceability analysis of the botnet command and control (C&C), a small number of router records are required to trace the attack source successfully in the shortest time. In practice, defenders use machine learning algorithms, such as particle swarm optimisation (PSO) [4–7], the genetic algorithm, and ant colony optimisation, to trace the attack source. The routing information of the attack path is used for recursively estimating multiple possible attack paths on the Internet, finding the real attack URL, and marking the compromised host. However, because the traditional PSO algorithm has a non-optimal balance between path exploration and exploitation in its search strategy, it often provides a suboptimal solution for the target, and its particles often travel only along the same attack paths towards the attack sources. Generally, multi-swarm systems provide a new approach to improve this balance based on multi-swarm optimisation. Multi-swarm optimisation uses multiple sub-swarms instead of one swarm, and ensures that each sub-swarm explores a specific region with symmetrical competitive interactions in biology.
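The contrast drawn above between one swarm and several sub-swarms, as an added illustration (not code from the paper, and not its LS-PSO scheme): a textbook global-best PSO is run once over the whole search space and once as five region-confined sub-swarms. The 1-D landscape, its three peaks standing in for attack sources, the slice partition and the score threshold are all constructed assumptions.

```python
import math
import random

# Constructed landscape: three peaks stand in for three attack sources
# on an abstract 1-D search axis (not data from the paper).
SOURCES = [(1.0, 1.0), (5.0, 0.8), (9.0, 0.9)]  # (position, peak height)

def fitness(x):
    """Score a candidate position; higher means 'more likely a source'."""
    return sum(h * math.exp(-(x - c) ** 2 / 0.18) for c, h in SOURCES)

def pso(lo, hi, rng, n=15, iters=80, w=0.7, c1=1.5, c2=1.5):
    """Textbook global-best PSO confined to [lo, hi]; returns (best_x, best_f)."""
    xs = [rng.uniform(lo, hi) for _ in range(n)]
    vs = [0.0] * n
    pbest = xs[:]
    gbest = max(xs, key=fitness)
    for _ in range(iters):
        for i in range(n):
            vs[i] = (w * vs[i]
                     + c1 * rng.random() * (pbest[i] - xs[i])
                     + c2 * rng.random() * (gbest - xs[i]))
            xs[i] = min(hi, max(lo, xs[i] + vs[i]))  # stay inside the region
            if fitness(xs[i]) > fitness(pbest[i]):
                pbest[i] = xs[i]
        gbest = max(pbest, key=fitness)
    return gbest, fitness(gbest)

def single_swarm(seed=7):
    """One swarm over the whole space: it collapses onto a single peak."""
    return pso(0.0, 10.0, random.Random(seed))

def multi_swarm(k=5, threshold=0.4, seed=7):
    """k sub-swarms, each confined to its own slice of the space.
    A slice whose best score stays below the threshold holds no source."""
    rng = random.Random(seed)
    width = 10.0 / k
    found = []
    for j in range(k):
        x, f = pso(j * width, (j + 1) * width, rng)
        if f >= threshold:
            found.append(round(x, 2))
    return found

if __name__ == "__main__":
    print("single swarm:", single_swarm())
    print("multi swarm :", multi_swarm())
```

The single swarm reports one position however many peaks exist, while the sub-swarms report one position per occupied slice. The fixed slices work here only because no constructed peak straddles a slice boundary.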

Inspired by multi-swarm PSO (MS-PSO) schemes [8–15], the present study used locust search PSO (LS-PSO) to identify the multiple attack sources generated by DDoS attacks from botnets. In this study, DDoS attack paths with a high success probability were reconstructed by marking router packets, tracing the IPs of the botnet C&C by using the LS-PSO algorithm based on multi-swarm optimisation, and preventing spoofed IP attacks.

In summary, the primary contributions of this study are as follows:


The remainder of this paper is organised as follows. Section 2 presents a review of the locust swarm optimisation (LSO) algorithm for solving multimodal optimisation problems. Section 3 describes the LS-PSO scheme for solving the IPTBK problem. Section 4 presents the experimental results obtained using the LS-PSO algorithm with the ns-3 network simulator, and describes the global heuristic performance of the algorithm. Finally, Section 5 concludes the study.

#### **2. Overview of Multiswarm PSO Schemes**

This section reviews several existing multi-swarm PSO schemes for identifying the possible sources of DDoS attacks.

The LSO algorithm [14] was proposed by Stephen Chen in 2009. The original concept of the LSO algorithm is based on the optimisation of group actions according to the biological intelligence of birds. In the process of a locust swarm searching for food (best solution), each locust (individual) represents a solution. The process of PSO involves dispersing each locust in a certain solution space, searching each specific space with a locust, and sharing the information found with the entire swarm. The locust swarm updates its movement according to the route information and the previous experiences of the locusts. Such updates in the movement direction enable the entire swarm to search for food successfully, that is, to find the best solution in the entire solution space.

Three multimodal optimisation methods use revised PSO schemes: the WOSP [9,10], dynamic multiswarm particle swarm optimisation (DMS-PSO) [11–13], and LSO algorithms [14,15]. The LSO algorithm is introduced in the following text.
