Hopf Bifurcation in an SEIDQV Worm Propagation Model with Quarantine Strategy

Yao, Yu; Xiang, Wenlong; Qu, Andong; Yu, Ge; Gao, Fuxiang

doi:https://doi.org/10.1155/2012/304868

Discrete Dynamics in Nature and Society

On this page

Abstract Introduction Model Formulation Conclusions Acknowledgments References Copyright Related Articles

Special Issue

Computer Virus: Theory, Model, and Methods

View this Special Issue

Research Article | Open Access

Volume 2012 | Article ID 304868 | https://doi.org/10.1155/2012/304868

Hopf Bifurcation in an SEIDQV Worm Propagation Model with Quarantine Strategy

Yu Yao,^1,2Wenlong Xiang,^1,2Andong Qu,^1,2Ge Yu,^1,2and Fuxiang Gao^1,2

Academic Editor: Bimal Kumar Mishra

Received22 Jul 2012

Accepted26 Oct 2012

Published28 Nov 2012

Abstract

Worms exploiting zero-day vulnerabilities have drawn significant attention owing to their enormous threats to the Internet. In general, users may immunize their computers with countermeasures in exposed and infectious state, which may take a period of time. Through theoretical analysis, time delay may lead to Hopf bifurcation phenomenon so that the worm propagation system will be unstable and uncontrollable. In view of the above factors, a quarantine strategy is thus proposed in the study. In real network, unknown worms and worm variants may lead to great risks, which misuse detection system fails to detect. However, anomaly detection is of help in detecting these kinds of worm. Consequently, our proposed quarantine strategy is built on the basis of anomaly intrusion detection system. Numerical experiments show that the quarantine strategy can diminish the infectious hosts sharply. In addition, the threshold is much larger after using our quarantine strategy, which implies that people have more time to remove worms so that the system is easier to be stable and controllable without Hopf bifurcation. Finally, simulation results match numerical ones well, which fully supports our analysis.

1. Introduction

In recent years, with the rapid development of computer technologies and network applications, Internet has become a powerful mechanism for propagating malicious software programs.Systems running on network computers become more vulnerable to digital threats. In particular,worms that exploit zero-day vulnerabilities have brought severe threats to Internet security. To a certain extent, the propagation of worms in a system of interacting computers could be compared with infectious diseases in a population. Anderson and May discussed the spreading nature of biological viruses, parasites and so forth.leading to infectious diseases in human population through several epidemic models [1, 2]. The action of worms throughout a network can be studied by using epidemiological models for disease propagation [3–8]. Mishra and Saini [4] present a SEIRS model with latent and temporary immune periods, which can reveal common worm propagation. Dong et al. propose a computer virus model with time delay based on an SEIR model and regard time delay as bifurcating parameter to study the dynamical behaviors which include local asymptotical stability and local Hopf bifurcation [9]. Ren et al. give a novel computer virus propagation model and study its dynamic behaviors [10]. L.-X. Yang and X. Yang also investigates the propagation behavior of virus programs provided infected computers are connected to the Internet with positive probability [11]. Gan et al. examine the propagation behavior of computer virus under human intervention [12]. The use of a quarantine strategy has produced a tremendous effect on controlling disease. Inspired by this, quarantine strategy is also widely used in worm containment [13–18]. Based on the two-factor model, Zou et al. proposes a worm propagation model under dynamic quarantine defense [15]. Wang et al. proposes a novel epidemic model, which combines both vaccinations and dynamic quarantine methods, referred to as SEIQV model [18].

However, previous studies have failed to consider the appropriate quarantine strategy to eliminate the negative effect of time delay, which may lead to Hopf bifurcation phenomenon so that the worm propagation system will be unstable and uncontrollable. In this paper, time delay is introduced in a worm propagation model. Users may immunize their computers with countermeasures in exposed and infectious state, which may take a period of time. Through theoretical analysis, it is proved that the system is stable when time delay is less than the threshold and Hopf bifurcation appears when time delay is equal to or greater than the threshold. Moreover, unknown worms and worm-variants may lead to great risks. In order to make up the deficiency of vaccination strategy and eliminate the negative effect of time delay, a quarantine strategy is thus proposed in our study. The current quarantine strategy generally depends on the intrusion detection system, which can be classified into two categories: misuse and anomaly intrusion detection. While misuse detection system fails to detect unknown worms and worm-variants, anomaly detection is of help in detecting these kinds of worm. Consequently, our proposed quarantine strategy is on the basis of anomaly intrusion detection system. According to the above descriptions, we present an SEIDQV worm propagation model to study the behaviors of worm propagation in the real world. Then, the stability of the positive equilibrium and the critical value of Hopf bifurcation are studied. By analysis, the quarantine strategy can diminish the infectious hosts sharply. Moreover, the threshold is much larger after using our quarantine strategy, which implies that people have more time to remove worms so that the system is easier to be stable and controllable without Hopf bifurcation.

The rest of the paper is organized as follows. Section 2 provides an SEIDQV worm propagation model. In Section 3, we analyze the stability of the positive equilibrium and the threshold of Hopf bifurcation. Section 4 describes the numerical analysis of our model. In Section 5, we present simulation experiments based on slammer worm. The simulation results match well with numerical ones. Finally, Section 6 gives the conclusions.

2. Model Formulation

Considering worms exploiting zero-day vulnerabilities, none of effective and reliable safety patches could immunize the hosts.Susceptible hosts first go through a latent period (exposed) after infection before becoming infectious [9]. People may immunize their computers with countermeasures in exposed and infectious hosts, which may take a period of time. Since time delay exists, infectious hosts go through a temporary state (delayed) after vaccination before becoming vaccinated. What is more, unknown worms and worm-variants may lead to great risks. To our knowledge, quarantine strategies have produced a tremendous effect on controlling disease. Enlightened by this, quarantine strategies are also widely used in worm containment. In order to make up the deficiency of vaccination strategy and eliminate the negative effect of time delay, a quarantine strategy is thus proposed in the study. The current quarantine strategy generally depends on the intrusion detection system, which can be classified into two categories: misuse and anomaly intrusion detection. On one hand, misuse intrusion detection system, which constructs a database with the feather of known attack behaviors, can recognize invaders once their behaviors agree with one of the databases. Although the system can accurately detect known worms, it fails to detect unknown worms and worm variants. On the other hand, an attack can be detected by the anomaly detection system as long as its behavior differs from any database consisting of normal behaviors, which is of help in detecting unknown worms and worm variants. Consequently, our proposed quarantine strategy is on the basis of anomaly intrusion detection system. Meanwhile, anomaly detection system is accompanied by false-positive rates. The quarantine is implemented as follows: the infectious, exposed and susceptible hosts are detected by the anomaly intrusion detection system. The advantage of this strategy lies in detecting unknown worms and worm variants effectively. As anomaly detection system is accompanied by false-positive rates, the quarantine strategy adds two transitions as a result of the influence of the anomaly detection method. The false-positive rates of exposed and susceptible hosts detected by the anomaly detection method are set and , respectively.

According to the descriptions above, we give an SEIDQV worm propagation model with quarantine strategy. Assume all hosts are in one of six states: Susceptible state (), Exposed state (), Infectious state (), Delayed state (), Quarantined state (), and Vaccinated state (). Let denote the number of susceptible hosts at time , denote the number of exposed hosts at time denote the number of infectious hosts at time , denote the number of delayed hosts at time , denote the number of quarantined hosts at time , and denote the number of vaccinated hosts at time . is the infection rate at which susceptible hosts are infected by infectious hosts, and is the rate of removal of infectious for circulation. is the rate that vaccinated hosts become susceptible. Time delay is denoted by . More parameters are listed in Table 1. The states and state transition diagram of the SEIDQV model are given in Figure 1.

In order to understand clearly, we list in Table 1 some frequently used notations in this paper.

From the above definitions in the paper, we write down the complete differential equations of the SEIDQV model:

As mentioned above, the population size is set , which is set to unity

3. Stability of the Positive Equilibrium and Bifurcation Analysis

Theorem 3.1. The system has a unique positive equilibrium when it satisfies the following condition:

Proof. For system (2.1), if all the derivatives on the left of equal sign of the system are set to 0, which implies that the system becomes stable, we can derive Substituting the value of each variable in (3.2) for each of (2.2), then we can derive
Obviously, if is satisfied, (3.3) has one unique positive root , and there is one unique positive equilibrium of system (2.1). The proof is completed.

According to (2.2), , thus system (2.1) can be simplified to

The Jacobi matrix of (3.4) about is given by The characteristic equation of that matrix can be obtained by where

Theorem 3.2. The positive equilibrium is locally asymptotically stable without time delay, if the following holds:

Proof. If , (3.6) reduces to
According to Routh-Hurwitz criterion, all the roots of (3.9) have negative real parts. Therefore, it can be deduced that the positive equilibrium is locally asymptotically stable without time delay. The proof is completed.

Obviously, is a root of (3.6). After separating the real and imaginary parts, it can be written as which implies where

Let , (3.11) can be written as Yang et al. [19] obtained the following results on the distribution of roots of (3.13). Denote

Lemma 3.3. For the polynomial equation (3.13)(1)if , then (3.13) has at least one positive root.(2)if and , then (3.13) has positive roots if and only if and ,(3)if and , then (3.13) has positive roots if and only if there exists at least one , such and .

Lemma 3.4. Suppose that is satisfied.(1)If one of following holds: (a) ; (b) and ; (c) , and there exists at least such that and , then all roots of (3.6) have negative real parts when , is a certain positive constant.(2)If the conditions (a)–(c) are not satisfied, then all roots of (3.6) have negative real parts for all .

Proof. When , (3.6) can be reduced to
By the Routh-Hurwitz criterion,all roots of (3.9) have negative real parts and only if .
From Lemma 3.3, it can be known that if (a)–(c) are not satisfied, then (3.6) has no roots with zero real part for all ; if one of (a)–(c) holds, when , (3.6) has no roots with zero real part and is the minimum value of , so (3.6) has purely imaginary roots. According to [20], one obtains the conclusion of the lemma.
When conditions (a)–(c) of Lemma 3.4 are not satisfied, always has no positive root. Therefore, under these conditions, (3.6) has no purely imaginary roots for any , which implies that the positive equilibrium of system (2.1) is absolutely stable. Therefore, the following theorem on the stability of positive equilibrium can be easily obtained.

Theorem 3.5. Assume that and are satisfied, (a) or ; (b) , and there is no , such that and . Then the positive equilibrium of system (2.1) is absolutely stable. Namely, is asymptotically stable for any time delay .

Assume that the coefficients in satisfy the condition as follows:

(a) or ; (b) , and there is no , such that and .

According to the previous lemma,it is proved that (3.13) has at least a positive root , namely, the characteristic equation (3.6) has a pair of purely imaginary roots .

In view of the fact that (3.6) has a pair of purely imaginary roots , the corresponding is given by eliminating in (3.10): Let be the root of (3.6), so that and are satisfied when .

Lemma 3.6. Suppose . If , then is a pair of purely imaginary roots of (3.6). In addition, if the conditions in Lemma 3.4(1) are satisfied, then

This signifies that it exists at least one eigenvalue with positive real part for . Differentiating both sides of (3.6) with respect to , it can be written as: Therefore, where , then it follows the hypothesis that .

Hence, The root of characteristic equation (3.6) crosses from left to right on the imaginary axis as continuously varies from a value less than to one greater than according to Routh’s theorem. Therefore, according to Hopf bifurcation theorem for functional differential equations, the transverse condition holds and the conditions for Hopf bifurcation are satisfied at . Then the following result can be obtained.

Theorem 3.7. Suppose that the conditions and are satisfied.(1)The equilibrium is locally asymptotically stable when , but unstable when .(2)If condition is satisfied, the system will undergo a Hopf bifurcation at the positive equilibrium when where is defined by (3.16).

This implies that when time delay , the system will stabilize at its infection equilibrium point, which is beneficial for us to implement a containment strategy; when time delay , the system will be unstable and worms cannot be effectively controlled.

4. Numerical Analysis

In order to simulate the real behavior of the spread of a worm, the parameters in the experiments are practical values. The slammer worm is selected for experiments. 750,000 hosts are picked as the population size, and the worm’s average scan rate is 3300 per second. The worm infection rate can be calculated as . It means that average 0.5763 hosts of all the hosts can be scanned by one host. The infection rate is , the recovery rate of infectious hosts is set , the quarantine rates of infectious, exposed and susceptible hosts are set , , . Other parameters are set , , , and . At the beginning, there are 50 infectious hosts, while others are susceptible. Figures 2–5 show that the propagation trend of the five kinds of host and comparison of infectious hosts before and after adopting quarantine strategy when and .

According to the above parameters, Figure 2 shows the curves of five kinds of hosts when . All of the five kinds of hosts get stable quickly, which illustrates that is asymptotically stable. It implies that the number of infectious hosts maintain a relatively low value and can be predicted. Further strategies can be developed and utilized to eliminate worms. In Figure 3, when , the maximum of infectious hosts is diminished sharply. Finally, the number of infectious hosts is almost 18,000. It is much less than ones without using quarantine strategy. However, when time delay gets increased and then reached the threshold , will lose its stability and a bifurcation will occur. Figure 4 shows the susceptible, exposed, infectious, quarantined, and vaccinated hosts when . In this figure, we can clearly see that the number of infectious hosts will outburst after a short period of peace and repeat again and again but not in the same period, which is hard for us to predict the worm spread or eliminate worms. In Figure 5, when , it is clearly that the maximum of infectious hosts is diminished sharply from 170,000 to 40,000, which illustrates that quarantine strategy has much better inhibition impact than single vaccination.

In order to see the influence of time delay, is set to a different value each time with other parameters remaining the same. Figure 6 shows the number of infectious hosts in the same coordinate with time delay .

Initially, the four curves are overlapped which means that time delay has little effect in the initial stage of worm propagation. With the increase of time delay, the curve begins to oscillate. When time delay passes through the threshold , the infecting process gets unstable. Meanwhile, it can be discovered that the amplitude and period of the number infectious hosts increase.

Figure 7 shows the projection of the phase portrait of system (2.1) in -space when , respectively. In Figure 8, when , it is clear that the curve converges to a fixed point, which suggests that the system is stable. When , the curve converges to a limit circle, which implies that the system is unstable.

(a)

(b)

(a)

(b)

Figure 9 shows bifurcation diagram with from 1 to 60; Hopf bifurcation will occur when . In Figure 10, it shows bifurcation diagram with from 1 to 120; Hopf bifurcation will occur when . The threshold is greater than model without quarantine strategy, which illustrates that the model gets stable easier and the users have more time to remove worms.

5. Simulation Experiments

The discrete-time simulation is an expanded version of Zou’s program simulating Code Red worm propagation. The system in our simulation experiment consists of 750,000 hosts that can reach each other directly, which is consistent with the numerical experiments. At the beginning of simulation, 50 hosts are randomly chosen to be infectious and the others are all susceptible. In the simulation experiments, the implement of transition rates of the model is based on probability. Under the propagation parameters of the slammer worm, several simulation experiments are carried out. Figure 11 shows the comparisons between numerical and simulation curves of susceptible, infectious, quarantined and vaccinated hosts respectively, when , which indicate that the simulation curves match the numerical ones very well. When time delay passes the threshold, a bifurcation appears. Figure 12 shows the difference between simulation and numerical results of the four kinds of host when . In this figure, the periods of these two curves are well matched. But there is a difference in amplitudes. This mainly results from the precision of experiments. The number of hosts in numerical experiments can be either integers or decimals. However, in simulation experiments, the number of hosts must be integer. In addition, when the number of infectious hosts is very little, the tiny difference may result in a big gap.

(a)

(b)

(c)

(d)

(a)

(b)

(c)

(d)

6. Conclusions

By considering that time delay may lead to Hopf bifurcation phenomenon so that the worm propagation system will be unstable and uncontrollable, this paper proposes a quarantine strategy to control worm propagation. An SEIDQV worm propagation model is constructed for practical application. Then, the stability of the positive equilibrium and the critical value of Hopf bifurcation are studied. Through careful theoretical analysis, the following conclusions can be derived.(i)The critical time delay where Hopf bifurcation appears is obtained (ii)When time delay , the worm propagation system will stabilize at its infection equilibrium point, which is beneficial for us to implement a containment strategy to eliminate the worm completely.(iii)When time delay , Hopf bifurcation appears, which implies the system will be unstable and the worm cannot be effectively controlled.(iv)The quarantine strategy can diminish the infectious hosts sharply. The threshold is much larger after using the proposed quarantine strategy, which implies that people have more time to remove worms so that the system is easier to be stable and controllable without Hopf bifurcation.

In order to control and predict the worm propagation, time delay should remain less than the threshold by decreasing the time of detecting and removing worm. In real world, various factors can affect worm propagation. The paper focuses on analyzing the influence of time delay. Other impact factors to worm propagation will be a major emphasis of our future research.

Acknowledgments

This paper is supported by the National Natural Science Foundation of China under NSFC no. 60803132 and by the Fundamental Research Funds of the Central Universities under no. N100404001.

References

R. M. Anderson and R. M. May, Infectious Diseases of Human, Dynamics and Control, Oxford University Press, Oxford, UK, 1992.
R. M. Anderson and R. M. May, “Population biology of infectious disease I,” Nature, vol. 180, pp. 361–367, 1999.
View at: Google Scholar
Zhu, Q. Yang X, and J. Ren, “Modeling and analysis of the spread of computer virus,” Communications in Nonlinear Science and Numerical Simulation, vol. 17, no. 12, pp. 5117–55124, 2012.
View at: Publisher Site | Google Scholar
B. K. Mishra and D. K. Saini, “SEIRS epidemic model with delay for transmission of malicious objects in computer network,” Applied Mathematics and Computation, vol. 188, no. 2, pp. 1476–1482, 2007.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
B. K. Mishra and D. Saini, “Mathematical models on computer viruses,” Applied Mathematics and Computation, vol. 187, no. 2, pp. 929–936, 2007.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
B. K. Mishra and N. Jha, “Fixed period of temporary immunity after run of anti-malicious software on computer nodes,” Applied Mathematics and Computation, vol. 190, no. 2, pp. 1207–1212, 2007.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
B. K. Mishra and S. K. Pandey, “Dynamic model of worms with vertical transmission in computer network,” Applied Mathematics and Computation, vol. 217, no. 21, pp. 8438–8446, 2011.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
B. K. Mishra and S. K. Pandey, “Fuzzy epidemic model for the transmission of worms in computer network,” Nonlinear Analysis: Real World Applications, vol. 11, no. 5, pp. 4335–4341, 2010.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
T. Dong, X. Liao, and H. Li, “Stability and Hopf bifurcation in a computer virus model with multistate antivirus,” Abstract and Applied Analysis, Article ID 841987, 16 pages, 2012.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
J. Ren, X. Yang, Q. Zhu, L.-X. Yang, and C. Zhang, “A novel computer virus model and its dynamics,” Nonlinear Analysis. Real World Applications, vol. 13, no. 1, pp. 376–384, 2012.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
L.-X. Yang and X. Yang, “Propagation behavior of virus codes in the situation that infected computers are connected to the Internet with positive probability,” Discrete Dynamics in Nature and Society, vol. 2012, Article ID 693695, 13 pages, 2012.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
C. Gan, X. Yang, W. Liu, Q. Zhu, and X. Zhang, “Propagation of computer virus under human intervention: a dynamical model,” Discrete Dynamics in Nature and Society, vol. 2012, Article ID 106950, 8 pages, 2012.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
C. C. Zou, W. Gong, and D. Towsley, “Code Red worm propagation modeling and analysis,” in Proceedings of the 9th ACM Symposium on Computer and Communication Security, pp. 138–147, Washington, DC, USA, 2002.
View at: Google Scholar
B. K. Mishra and N. Jha, “SEIQRS model for the transmission of malicious objects in computer network,” Applied Mathematical Modelling, vol. 34, no. 3, pp. 710–715, 2010.
View at: Publisher Site | Google Scholar | Zentralblatt MATH
C. C. Zou, W. Gong, and D. Towsley, “Worm propagation modeling and analysis under dynamic quarantine defense,” in Proceedings of the ACM Workshop on Rapid Malcode (WORM '03), pp. 51–60, Washington, DC, USA, October 2003.
View at: Google Scholar
Y. Yao, X. Xei, H. Gao, G. Yub, F. -X. Gaoa, and X. -J. Tong, “Hopf bifurcation in an Internet worm propagation model with time delay in quarantine,” Mathematical and Computer Modeling. In press.
View at: Publisher Site | Google Scholar
Y. Yao, L. Guo, H. Guo, G. Yu, F. Gao, and X. Tong, “Pulse quarantine strategy of internet worm propagation: modeling and analysis,” Computers & Electrical Engineering, vol. 38, no. 5, pp. 1047–1061, 2012.
View at: Publisher Site | Google Scholar
F. Wang, Y. Zhang, C. Wang, J. Ma, and S. Moon, “Stability analysis of a SEIQV epidemic model for rapid spreading worms,” Computers and Security, vol. 29, no. 4, pp. 410–418, 2010.
View at: Publisher Site | Google Scholar
Y. Yang, Y. Fang, and L. Y. Li, “The analysis of propagation model for internet worm based on active vaccination,” in Proceedings of the 4th International Conference on Natural Computation (ICNC '08), pp. 682–688, Chendu, China, October 2008.
View at: Publisher Site | Google Scholar
J.-F. Zhang, W.-T. Li, and X.-P. Yan, “Hopf bifurcation and stability of periodic solutions in a delayed eco-epidemiological system,” Applied Mathematics and Computation, vol. 198, no. 2, pp. 865–876, 2008.
View at: Publisher Site | Google Scholar | Zentralblatt MATH

Copyright

Copyright © 2012 Yu Yao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1128

Downloads

1039

Citations