#### Abstract

The effects of removable devices’ heterouse in different areas on the propagation of malware spreading via removable devices remain unclear. As a result, in this paper, we present a model incorporating the heterogeneous use of removable devices, obtained by dividing the using rate into local area’s rate, neighbour area’s rate and global area’s rate, and then getting the final rate by multiplying the corresponding area ratio. The model’s equilibria and their stability conditions are obtained mathematically and verified by deterministic and stochastic simulations. Simulation results also indicate that the heterogeneity in using rate significantly changes the prospective propagation course of malware. Additionally, the thresholds of removable devices’ using rate in neighbour area are given, which can guide us in designing effective countermalware method.

#### 1. Introduction

The malicious programs or malware, including network worms, Trojan programs, and various botnets, have posed serious threats to the Internet [1–5]. Furthermore, removable devices have become a common propagation method by those recently detected malware, such as Stuxnet [6], Duqu [7], and Flame [8], which aim at controlling computers or other machinery, especially those physically isolated machines. Thus, it is very necessary to explore the propagation behavior and control strategies of such malware.

To capture the influences of removable devices on malware, some mathematical models have been proposed [9–13]. In [9], Song et al. presented the model by coupling a susceptible-infected-recovered (SIR) model with a susceptible-infected-susceptible (SIS) model [14]. In the model, a removable device would be infected with a certain rate if it was used on an infectious computer and then the infected removable device can infect other computers whenever it was used on them. To depict the computers which have been infected but are not yet infectious, Jin and Wang [10] put forward the susceptible-exposed-infected-recovered (SEIR) model by introducing the “exposed” state into the SIR model. L. X. Yang and X. Yang [11] further considered the model where the “exposed” state had limited infection ability. However, all of these models were homogeneous models. That is to say, each removable device was used with the same probability on all computers.

In [13], Peng et al. gave a model which divided the Internet into many subnets and assumed that removable devices were used equally within the subnet they belong to, but they were used with a lower probability outside the subnet. However, it is not a reasonable assumption that removable devices are homogeneously mixed with computers outside their subnet. Furthermore, under this assumption, they cannot give an effective defense method concerning removable devices’ using area and rate. Hence, we present a heterogeneous model in this paper, which can give an effective countermalware method by exploring the influences of removable devices’ using area and rate.

The remainder of this paper is organized as follows: we give the model and interpret the parameters’ meanings in Section 2. After that, we analyze its dynamical behavior and illustrate our mathematical results by simulations in Section 3. Then, some containment strategies are given in Section 4. In the end, we summarize our work.

#### 2. The Model

The basic models used in this paper are the SIR model and the SIS model. There are five compartments in our model: susceptible computers (); infected computers (); immunized computers (); susceptible media ()—removable devices without malicious programs; infected media ()—removable devices which have carried the malicious programs and can propagate them to susceptible computers.

To depict the influences of removable devices’ using area and rate, we divide the whole area into many subareas and each removable device belongs to an area named the local area of the device. We also assume that removable devices are used equally within the local area and used with a lower probability in their neighbour areas but hardly used in any other areas named global area here.

Let be the susceptible computer’s infection rate caused by the successful scans of an infected computer. denotes susceptible computer’s infection rate (susceptible medium’s infection rate) due to an infected medium (an infected computer) in the same local area. and denote the total number of computers and the total number of removable devices, respectively. Here, we suppose that both and are constant. Then, the obsoleteness rate of computers (removable devices) is given by ().

To model the random discovery of infection by anti-virus program, the recovery rate of infected computers is given by . When infected devices are used on susceptible or immunized computers, the malicious programs carried by infected devices are likely to be detected. We denote this rate by .

Then, the model is given as follows: where is the function of removable devices’ using area and rate. For all removable devices, let denote the ratio of using rate in neighbour area (global area) to the counterpart in local area and let be the ratio of neighbour area’s (global area’s) radius to local area’s radius. Without loss of generality, both removable devices’ using rate in local area and local area’s radius are set to 1. Then,

As and , the model (1) can be rewritten as

Let where is the basic reproduction number [15].

For system (3), there are two equilibria: disease-free equilibrium and positive equilibrium when . The positive equilibrium is given by

where , , and .

#### 3. Model Analysis

Theorem 1. *If , is asymptotically stable.*

*Proof. *The characteristic equation of (3) at is given by

Then, we have

When , corresponding to , all eigenvalues of (7) have negative real parts. Thus, is asymptotically stable. The theorem is proven.

Theorem 2. *If , the endemic equilibrium is asymptotically stable.*

*Proof. *The characteristic equation of (3) at is given by

corresponding to
where , , , , , , and .

According to the Hurwitz criteria [16, 17], we have

If , we have , and and then all eigenvalues of (9) have negative real parts. Thus, there exists an endemic equilibrium and it is asymptotically stable when . The proof is completed.

To validate the accuracy of Theorems 1 and 2, we used both deterministic method and stochastic method to simulate the system (3) with , , , and and two sets of other variables: (i) , , and , where ; (ii) , , and , where .

As shown in Figure 1, when , in both deterministic and stochastic simulations, the number of infected computers tends to the theoretical value predicted by (5a) finally, which indicates an endemic state . However, in Figure 2, when , the steady-state number of is zero in accordance with the number predicted by disease-free state .

#### 4. Control Strategies

We first give the convergence proof of the numerical method, the improved Euler method, used in the simulation. Let . Then, we can rewrite the system (3) as . Obviously, is a continuous and differential function in . Thus, satisfies the Lipschitz condition and, where is a constant.

The Euler iteration equation is where , and . , representing the step value in the Euler iteration algorithm. Then, we have Thus, the numerical technique used here is convergent as we can ensure that by selecting a small value of .

In this paper, we also use a Monte Carlo algorithm to simulate the propagation of malware [18, 19]. In all simulations given below, we set , , , , , , , and , where because that malware such as Stuxnet is mainly spreading via removable devices to infect physically isolated machines. The initial numbers of and are set to 1000 and 0, respectively.

First, we compared three different models with the same parameters: homogeneous model presented in [9] where removable devices are assumed to be used with the same probability on all computers; heterogeneous model presented in [13] where the using rate of removable devices is divided into two rates (using rate on local computers and using rate on the other computers); and the model in this paper. We ran the simulation 100 times and got the average number of infected computers. Figure 3 shows the simulation results.

As shown in Figure 3, the model in this paper leads to the lowest infection rate and propagation speed. As it is established under the most reasonable assumptions among three models, its prediction is in accordance with the real propagation process to the most degree. The homogeneous model obtains the highest infection rate and the fastest propagation speed. Although the heterogeneity in removable devices’ using rate is included in the model given in [13], this simplistic division of removable devices’ using rate also leads to a great deviation.

We also simulated various and to gain some insight into the containment of the malware considered in this paper. Figures 4(a) and 4(b) give the simulation results with fixed and fixed , respectively.

**(a)**

**(b)**

Figures 4(a) and 4(b) show that the radius of neighbour area () and the using rate () in this area have great influences on the propagation of malware. The infection rate and speed decrease rapidly with the decrease of using rate () or neighbour area’s radius (). In Figure 4(a) with fixed (10), the malware dies out directly when , which means an effective countermalware method.

To get the effective countermalware thresholds under various values of , we further simulated the system (3) and got the values of below which the malware would die out. Figure 5 plots the simulation results.

As it is shown in Figure 5, the points in left area can guarantee the extinction of malware. However, the malware can self perpetuate in the right area. The threshold of decreases with the increase of and this decrease is much faster in the area between two arrows (). Furthermore, when the radius of neighbour area is less than two times of the radius of local area, corresponding to (=2), the malware will die out no matter what value is, which gives a promising countermalware threshold.

#### 5. Conclusion

Recently, the researches concerning malware have focused on those pieces malware spreading via removable devices [9–13]. Different from these researches, we present a model with a detailed depiction of the heterogeneity in removable devices’ using rate. This consideration of heterogeneity can lead to an effective countermalware method by controlling the removable devices’ using rate in neighbour area. Furthermore, when , the model presented in this paper corresponds to the model given in [9, 12]; when , it corresponds to the model given in [13]. Thus, the model in this paper is a more general model and can depict the malware’s spreading process more precisely.

Mathematical analysis and stochastic simulations indicate that the dynamics are determined by the value of . Simulation results have also shown that removable devices’ using rate and the radius of neighbour area have great influences on the dynamics of malware. Specifically, we have obtained the thresholds of removable devices’ using rate () when different values of (the radius of neighbour area) are considered, which can guide us in designing effective countermalware method.

In the future, we plan to use real trace data to test our model, especially the special value of removable devices’ using area () and then get the most effective policy to help people in defending their devices and machines against malware.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgment

This work is supported by the National Natural Science Foundation of China (61379125, 61379080 and 11201434), Program for Basic Research of Shan’xi province (2012011015-3).