Abstract

The complex interactions among internet worms have a great impact on the dynamics of worms. To contain the propagation of worms, it is necessary to characterize these interactions. Therefore, a two-worm interaction model is presented in this paper. Unlike previous research, we consider in the model the influence on one worm of the adaptive human reaction triggered by the other, cooperative worm. The model’s equilibria and their stability conditions are obtained mathematically and verified by simulations. Results indicate that considering adaptive human behavior significantly changes the prospective propagation course of worms and that this consideration has implications for designing counterworm methods.

1. Introduction

Nowadays, malware (including worms, viruses, botnets, etc.) is prevalent on the internet, which has led to serious problems for internet security. For example, more than one hundred million web-based infections were detected by Kaspersky Lab in February 2012 [1]. According to Crandall et al. [2], the fight against malware, which is often viewed as an “arms race,” is quickly becoming unsustainable as so many malware samples are collected each day. However, malware has also created a complex environment for itself. Understanding the effects of interactions of malware with other malware and with its environment may suggest new defense methods that give fundamental advantages to the defender.

Mathematical models have been proposed to characterize the spreading of malware. Han and Tan [3] analyzed the influence of time delay on computer viruses by using a susceptible-infected-recovered-susceptible model. They obtained the critical value of time delay which determined whether the model had a periodic solution or not. Song et al. [4] presented a model focusing on worms spreading via both Web-based scanning and removable devices. They found that the existence of infected removable devices favored the outbreak of worms, and that limiting the number of removable devices would prevent the worms’ outbreak. In [5], Mishra and Pandey focused on the vertical transmission of worms in a computer network. Ren et al. [6] presented a novel model and analyzed the effect of anti-virus ability. Unlike other models, the ability of anti-virus software in their model was dependent on the number of infected computers. Some other models [7–10] have also been given in recent years. However, all of these studies have focused on one type of malware.

Tanachaiwiwat and Helmy [11] proposed the first model focusing on the interactions between two types of competitive worms, to our knowledge. In [12], Song et al. presented an interaction model between two different types of botnets and analyzed the influences of the strategies selected by interacting botnet owners on the propagation of both botnets.

In this paper, we present a two-worm model to analyze the influence of one cooperative worm on the other worm. Unlike previous models [11, 12], our model includes the influence of adaptive human behavior triggered by the cooperative worm. Our work is motivated by the phenomenon that many worms (cooperative worms, e.g., Email-Worm.Win32.Bagle.p, Email-Worm.Win32.Roron.12, and so on) can block the anti-virus software and the firewall, which is beneficial to the spreading of other worms [13] but may lead people to react to the infection state.

The remainder of this paper is organized as follows. In Section 2, we present the model and interpret the actual meanings of the model’s parameters. Then, we give the analytical results in Section 3 and validate the analytical results using various simulations in Section 4. After that, we summarize our results in Section 5.

2. Model Description

The basic model used in this paper is the susceptible-infected-susceptible (SIS) model [14]. To depict the interactions between one cooperative worm and the other worm, here named as noncooperative worm, we enhance the model by dividing the infected compartment into three parts.

Thus, the model, presented here, includes four compartments: susceptible computers (), computers infected by worm1 (cooperative worm) ()—computers that are currently infected by the cooperative worm and are susceptible to the noncooperative worm; computers infected by worm2 (noncooperative worm) ()—computers that are currently infected by some noncooperative worm and are susceptible to the cooperative worm, and computers infected by both worms ().

Here, we assume that the anti-virus software and the firewall will be blocked whenever computers are infected with the cooperative worm. We also assume that a computer’s anti-virus software and firewall are always open unless stopped by the cooperative worm.

Let and denote the susceptible computer’s infection rates due to the successful scanning of a computer infected with the cooperative worm and the successful scanning of a computer infected with the noncooperative worm, respectively. To model the influence of anti-virus software and firewall, an increasing factor in infection rate is given by () while trying to infect a computer with its anti-virus software and firewall closed.

As in [12, 15], when the operating system was reinstalled, infected computers would return to the susceptible state. Here, we denote the random reinstallation rate as . We also assume an increase in the reinstallation rate whenever a computer is infected with the cooperative worm. This is reasonable since the cooperative worm will block the anti-virus software and firewall, and this may stimulate the user’s reaction to the invasion of malware. For simplicity, let be the rate which combines the random reinstallation rate and the reinstallation rate caused by the user’s adaptive behavior.

The probability of successfully finding a susceptible computer in one scan is , where is the total number of computers considered. Then, and are the susceptible computer’s infection numbers per time step caused by a computer infected with the cooperative worm and the noncooperative worm, respectively.

Thus, the model is given below: where .

Note that the model is conservative for total computers since we do not include both new computers and obsolete computers in (2.1). Then, the model can be rewritten as

The initial state of the system (2.2) is set to , , and , where . The values of , , , and are given in the simulation section.

3. Model Analysis

3.1. Equilibria

The equilibria of system (2.2) are given by

Let be the basic reproduction number, the number of secondary infections deriving from a single primary infection, of the cooperative worm, and , be the basic reproduction numbers of the noncooperative worm when the cooperative worm dies out or exists, respectively. Then, we have

where

and ,  ,  and  .

As the derivations of and are very simple, we only give the derivation of here.

Adding (3.1a) to (3.1c) leads to or means that the cooperative worm exists. Thus, we only consider the condition when . Using this condition in (3.1b) and (3.1c), we get This yields

According to the right hand side of (3.8), we can get the term of . Furthermore, (3.4) can be obtained by substituting in (3.8) into (3.1a).

For the simplified system (2.2), there always exists a disease-free equilibrium for (). If and , there exists an equilibrium , corresponding to the cooperative worm endemic equilibrium. If and , the noncooperative worm endemic equilibrium will exist. The coexistence endemic equilibrium () occurs if and , where is the same as in (3.4),

Thus, (3.3a) and (3.3b) give the noncooperative worm’s existence thresholds when the cooperative worm dies out or exists, respectively, that is, to ensure the existence of noncooperative worm, must be greater than the threshold value () predicted by (cooperative worm dies out) or the threshold value () predicted by (cooperative worm exists).

3.2. Stability

Theorem 3.1. If and , then the disease-free equilibrium is asymptotically stable.

Theorem 3.2. If and , then the cooperative worm endemic equilibrium is asymptotically stable.

Theorem 3.3. If and , then the noncooperative worm endemic equilibrium is asymptotically stable.

Theorems 3.1, 3.2, and 3.3 are easy to prove. Here, we only give the detailed proof of the stability of the coexistence endemic equilibrium (, , ).

Let where , , , , , , , and .

Theorem 3.4. If , , and , then the coexistence endemic equilibrium (, , ) is asymptotically stable.

Proof. The Jacobian matrix of system (2.2) at the coexistence endemic equilibrium is given by By means of similarity transformation upon the matrix (3.11), we have The characteristic equation of (3.12) is given by where , , , and .
In (3.13), , which is less than zero as . Then, we only need to prove that the eigenvalues in the square brackets of (3.13) have negative real parts.
According to the Hurwitz criteria [16],
It is easy to see that and Thus, and provided that . Consider where denotes and denotes . As , we have where denotes and denotes and where , , , and are the same as in (3.10).
According to the root extracting formula, the equation, , has one positive real root . Furthermore, for any , if , then .
As and can guarantee , according to the text mentioned above, can guarantee that both and are greater than zero, which means that both eigenvalues in the square brackets of (3.13) have negative real parts. Thus, if , and , there exists a coexistence endemic equilibrium, and it is asymptotically stable. The proof is completed.

4. Simulation

In this paper, we use the improved Euler method to simulate the system (2.2). In the simulation, the total number of computers is set to 1000000. The initially infected computers with cooperative worm (), the initially infected computers with noncooperative worm (), and the initially infected computers with both worms () are set to 100, 100, and 0, respectively, for all simulations. Thus, the initially susceptible computers () are 999800.

Here, we first give the convergence proof of the numerical method used in the simulation. Let , a three-dimensional vector. Then, the system (2.2) can be rewritten as , where is a three-dimensional vector function in . It is obvious that is a continuous and differential function in . Thus, satisfies the Lipschitz condition, and we have , where is a constant.

The Euler iteration equation is , where , , and . , representing the step value in the Euler iteration algorithm. Then, Thus, the Euler iteration algorithm used in this paper is convergent as we can ensure that by selecting the step value .
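An added example, not the paper's code: Heun's (improved Euler) method applied to a four-compartment two-worm system written from the prose description in Section 2. The equations, the parameter names (`beta1`, `beta2`, `eta`, `delta`, `gamma`) and the rate values are assumptions rather than the paper's system (2.1); only the population size and the initial infection counts come from the text above.

```python
# Added example. Assumed model (not the paper's equations):
#   S   susceptible                 I1  cooperative worm only
#   I2  noncooperative worm only    I12 both worms
#   beta1, beta2: infection rates; eta: boost when the target's AV/firewall
#   is blocked; delta: random reinstall rate; gamma: combined reinstall rate
#   for hosts carrying the cooperative worm. All values below are constructed.

def derivatives(y, p):
    """Right-hand side of the assumed system for y = (S, I1, I2, I12)."""
    S, I1, I2, I12 = y
    N = S + I1 + I2 + I12
    coop = p["beta1"] * (I1 + I12) / N   # infection pressure, cooperative worm
    non = p["beta2"] * (I2 + I12) / N    # infection pressure, noncooperative worm
    boosted = p["eta"] * non             # target already has AV/firewall blocked
    dS = -(coop + non) * S + p["gamma"] * (I1 + I12) + p["delta"] * I2
    dI1 = coop * S - boosted * I1 - p["gamma"] * I1
    dI2 = non * S - coop * I2 - p["delta"] * I2
    dI12 = boosted * I1 + coop * I2 - p["gamma"] * I12
    return (dS, dI1, dI2, dI12)

def heun_step(y, p, h):
    """One improved-Euler step: Euler predictor, then trapezoidal corrector."""
    k1 = derivatives(y, p)
    predictor = tuple(a + h * b for a, b in zip(y, k1))
    k2 = derivatives(predictor, p)
    return tuple(a + 0.5 * h * (b + c) for a, b, c in zip(y, k1, k2))

def simulate(y0, p, t_end, h=0.1):
    """Integrate from t = 0 to t_end with fixed step h; return the final state."""
    y = tuple(float(v) for v in y0)
    for _ in range(int(round(t_end / h))):
        y = heun_step(y, p, h)
    return y

N = 1_000_000  # total computers, as in the simulation setup above
PARAMS = dict(beta1=0.1, beta2=0.05, eta=1.5, delta=0.025, gamma=0.05)

if __name__ == "__main__":
    # Initial state from the text: 100 hosts per worm, none with both.
    S, I1, I2, I12 = simulate((N - 200, 100, 100, 0), PARAMS, t_end=1500)
    print(f"cooperative total   : {I1 + I12:,.0f}")
    print(f"noncooperative total: {I2 + I12:,.0f}")
```

In this assumed form the cooperative total `I1 + I12` obeys a single-worm SIS equation, so it settles at `N * (1 - gamma / beta1)` whatever the noncooperative worm does.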

To validate the accuracy of the thresholds predicted by (3.3a) and (3.3b), we simulated the model (2.2) using four sets of variables: (i) the cooperative worm exists: , , , and , (ii) no cooperative worm: , , , and , (iii) the cooperative worm exists: , , , and , and (iv) no cooperative worm: , , , and . is set to 1.5 for these simulations.

Note that in (i) is less than the existence threshold (0.0285) predicted by (3.3b). Thus, the noncooperative worm will die out although is greater than the existence threshold (0.025) predicted by (3.3a). Similar results can also be reached with the other three sets of variables.

Figure 1 shows the simulation results of the noncooperative worm using the first two sets of variables. Figure 2 shows the simulation results using another two sets of variables.

As shown in Figure 1, when the cooperative worm exists and , the noncooperative worm dies out; when the cooperative worm terminates and , the noncooperative worm survives. In Figure 2, when the cooperative worm exists and , the noncooperative worm survives; when the cooperative worm terminates and , the noncooperative worm dies out. Thus, both Figures 1 and 2 demonstrate that the simulation results are consistent with the theoretical prediction.

Figures 1 and 2 also show that the cooperative worm has dual influences on the noncooperative worm, which is contrary to our intuition. In Figure 1, the existence of the cooperative worm (i) contains the propagation of the noncooperative worm. However, the existence of the cooperative worm (iii) favors the propagation of the noncooperative worm in Figure 2.

To get the effective noncooperative worm containment strategy, we further explore the influence of adaptive human behavior () on the noncooperative worm. We simulated with various and calculated the thresholds of predicted by and . Figures 3(a), 3(b), and 3(c) plot the results with , 1.5 and 2, respectively.

According to Figures 3(a), 3(b), and 3(c), adaptive human behavior (reflected by ) has great influence on the propagation of the noncooperative worm. The threshold (dashed line) increases rapidly with the increase of no matter what value is. Moreover, when , the thresholds (dashed line) in all figures are much higher than the corresponding values (solid line) when no human behavior is considered (the cooperative worm dies out), which also suggests a promising worm-counter-worm method.

We also verified the accuracy of the coexistence endemic equilibrium’s stability thresholds given by Theorem 3.4. Here, the simulation parameters are set to (i) , , , , and where is greater than (=0.346), and (ii) , , , , and where is less than . Figures 4(a) and 4(b) show the simulation results.

Note that the cooperative worm () is a constant with any given and . Thus, we only plot the noncooperative worm’s propagation process in Figures 4(a) and 4(b).

As shown in Figure 4(a), when , the noncooperative worm approaches a stable state. However, in Figure 4(b), when , we can see a clearly oscillatory epidemic phenomenon, which validates the conclusion of Theorem 3.4.

5. Conclusion

Recently, research on network security and malware has focused on the fight between antimalware systems and malware [3–10]. In this paper, we have explored the interactions between one cooperative worm and another, noncooperative worm; in particular, we focus on the influence of adaptive human behavior, to find an inherent advantage in the fight against attackers.

Contrary to our intuition, the results presented in this paper have shown that the cooperative worm has dual effects on the propagation of the noncooperative worm due to the existence of adaptive human behavior, which is valuable information for defenders in designing counter-worm methods [17, 18]. In the future, we plan to use real trace data to test our model and get the most effective policy to motivate people.

Acknowledgment

This work is supported by the National Natural Science Foundation of China under Grant no. 11171314 and the Natural Science Foundation of Shanxi Province of China under Grant no. 2012011015-3.