Discrete Dynamics in Nature and Society

Volume 2015 (2015), Article ID 941862, 7 pages

http://dx.doi.org/10.1155/2015/941862

## Modeling and Analyzing the Spread of Flash Disk Worms via Multiple Subnets

^{1}School of Mathematics, Nanjing Normal University, Nanjing, Jiangsu 210046, China

^{2}Department of Mathematics, North University of China, Taiyuan, Shan’xi 030051, China

^{3}Department of Computer Science and Technology, North University of China, Taiyuan, Shan’xi 030051, China

Received 18 June 2014; Accepted 15 July 2014

Academic Editor: Kaifa Wang

Copyright © 2015 Guihua Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

The Flash Disk worms, spreading via both Web-based scanning and removable devices between multiple subnets, have become a serious threat to the Internet, especially to physically isolated subnets. In this paper, we present a model which incorporates specific features of these worms. Then, we analyze the dynamic behaviors of the model when one subnet is considered. The analytical result shows that the Flash Disk worm can self-perpetuate when and will die out otherwise. When multiple subnets are considered, we find that once a computer is infected by the Flash Disk worms, other computers in that subnet will be infected in a short time. Thus, for any subnet, the most effective way to contain the Flash Disk worms is to prevent the first infection by improving the users’ security awareness of using removable devices. Our results are illustrated by numerical simulation.

#### 1. Introduction

The Flash Disk worms, which spread via both Web-based scanning on the Internet and removable devices, mainly attack SIMATIC and WinCC software. These worms appear to be aimed directly at controlling physical machinery and attempt to take control of critical physical infrastructure. Stuxnet, which is one kind of Flash Disk worm, has infected about 500,000–1000,000 computers, mainly in Iran, India, Indonesia, and Pakistan [1]. Research on the Flash Disk worms has now become a major question.

Because of the many similarities between computer worms and biological viruses [2], some biological epidemic models have been modified to describe the spread of Internet worms. For example, Wierman and Marchette modified the susceptible-infected-susceptible (SIS) model to include a reintroduction parameter [3]. In [4], the susceptible-infected-recovered (SIR) model and a discrete Markov model were presented to capture the short-term and long-term dynamics of viral propagation. The susceptible-antidotal-infected-contaminated (SAIC) model, which introduces two new compartments, was proposed in [5]. In addition, the susceptible-infected-recovered-susceptible (SIRS), the susceptible-infected-detected-recovered (SIDR), and the susceptible-asymptomatic-symptomatic-recovered (SAIR) models have been adopted [6–9]. However, these models cannot be applied to worms which spread via both Web-based scanning on the Internet and removable devices.

Jin and Wang describe the FD-SEIR model to analyze and control the Flash Disk worms [10]. In addition, Song et al. present a worm model of the cross infection between computers and removable devices [11]. However, the two models were analyzed under the assumption that computers and removable devices are evenly mixed. This is not suitable for the spread of Stuxnet, because Stuxnet spreads at different speeds in different subnets. Inspired by these models, we will build a model focusing on Stuxnet, which spreads via Web-based scanning on the Internet and removable devices in multiple subnets.

The organization of this paper is as follows. In Section 2, we present a model in multiple subnets. In Section 3, we analyze its dynamical behavior in one subnet and in multiple subnets and give some results by numerical simulation in multiple subnets. The paper concludes with a brief discussion in Section 4.

#### 2. The Model Formulation in Multiple Subnets

The Flash Disk worms spread by Web-based scanning on the Internet and by using removable devices between subnets. In different subnets, the Flash Disk worms may spread at different speeds. Thus, the propagation of worms can be considered to be a fast system. If they spread slowly, these subnets will be seen as a slow system. For simplicity, we suppose that the removable devices represent all mobile devices related to computers, including flash disks, mobile hard disks, and memory cards. Assume that computer hosts are classified in three compartments: susceptible (), infected (), and recovered (), and that the removable devices are classified in two compartments: susceptible and infected . To consider the spread relationship between computers and removable devices, the model is as follows: where , , and the meaning of the parameters and state variables is shown in the Notations and Definitions section.

#### 3. Model Analysis

In this section, two parts will be analyzed. In the first part, we will not consider the worms spreading among different subnets. In the second part, we will consider worms spreading among different subnets.

##### 3.1. Model Analysis in the th Subnet

If we let , then the worms will only be propagated in subnet. Model (1) becomes Then we will consider the existence and stability of equilibria for system (2). It is obvious that there is a disease-free equilibrium in system (2). To analyze the existence of the positive equilibria, we first give the basic reproduction number: Here is the number of newly infected individuals at the disease-free equilibrium in the th subnet in the infectious period.

By calculation, we obtain that satisfies the following equation: According to Descartes' rule of signs, if , there exists a unique positive equilibrium in system (2), where

Furthermore, we consider the stability of equilibria. We have the following theorems.

Theorem 1. *If , the disease-free equilibrium of (2) is locally asymptotically stable.*

*Proof.* The Jacobian matrix of (2) at is Then the characteristic equation is It is easily seen that all eigenvalues of have negative real parts if . Thus, the theorem is proven by the Routh-Hurwitz criterion.

Theorem 2. *When , the disease-free equilibrium of system (2) is globally asymptotically stable.*

*Proof.* Take the Lyapunov function, which is always positive in where Then, Then, when , the disease-free equilibrium of system (2) is globally asymptotically stable. The theorem is proven.

Theorem 3. *If , the positive equilibrium of (2) is locally asymptotically stable.*

*Proof.* The matrix of the linearization of system (2) at the unique positive equilibrium is Then the characteristic equation is , where Then Hence the Routh-Hurwitz criterion is satisfied. Thus it follows that the endemic equilibrium of (2), which exists if , is always locally asymptotically stable. The theorem is proven.

To prove the global stability, we have a dimensionless transformation where , , , , , and , for system (2). It becomes Then, The positive equilibrium is

Theorem 4. *When , the positive equilibrium of system (14), as well as the positive equilibrium of system (2), is globally asymptotically stable.*

*Proof.* Take the Lyapunov function, which is always positive in where Then, The positive equilibrium of system (14), as well as the positive equilibrium of system (2), is globally asymptotically stable when . The theorem is proven.

##### 3.2. Model Analysis between Subnets

In this subsection, we will analyze the existence of a positive equilibrium for system (1). For convenience, assume that the fast system is stable in one subnet. Then the slow system is where and . From system (20), we can obtain and . If , where From (21), we know that one can prevent the worm from spreading by controlling parameters. If the number of computers and removable devices infected by the worms is less than one, that is, and , the worms will die out. Otherwise, they will be epidemic. We should improve the security awareness of using removable devices. For model (20), it is difficult to analyze the dynamic behaviors. In the following part, we will simulate the dynamic behaviors of system (1).

Take the determined parameters and the average value of about 100 experimental results. Firstly, let , , , , , , , , , , and time step . Then we plot the dynamical behaviors for different initial values.

(i) if and if when . From Figure 1, we can see that if , the number of infected computers will gradually decrease and finally disappear. On the contrary, if , the number of infected computers will increase and then tend to a stable state.

(ii) Let the initial value when and keep the other values unchanged. We plot the proportion of infected computers over time in the th subnet (see Figure 2) and in multiple subnets (see Figure 3). From Figure 2, we can see that if a computer is infected by Stuxnet, other computers will be infected in a short time. From Figure 3, it is found that once a computer is infected by the Flash Disk worms, other computers among the different subnets will be infected after a longer time. Furthermore, comparing Figure 2 with Figure 3, we find that if a computer is infected by the Flash Disk worms, other computers in the same subnet will be infected in a short time. To prevent computers from being infected by the worms, we should take some effective measures. We can improve the safety awareness of using removable devices to prevent the first computer from being infected by the worms.
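The threshold behaviour described for Figure 1 can be reproduced with a small simulation, given here as an added example that is not the authors' code. Systems (1) and (2) and the parameter values are not reproduced on this page, so the equations, the `r0` expression and every parameter value below are assumptions constructed for illustration: one subnet, computers in susceptible/infected/recovered classes, removable devices either clean or infected.

```python
"""Assumed single-subnet worm model: computers S/I/R, removable devices clean/infected."""

# Constructed parameter sets (not the paper's values). Rates are per unit time.
# beta: infection by scanning, alpha: device-to-computer infection,
# sigma: computer-to-device infection, delta: device clean-up,
# gamma: computer recovery, mu: computer turnover (joins equal removals).
# Only the three device-handling rates differ between the two sets.
CAREFUL = dict(beta=0.05, alpha=0.1, sigma=0.1, delta=0.5, gamma=0.1, mu=0.01)
LAX = dict(beta=0.05, alpha=0.4, sigma=0.4, delta=0.1, gamma=0.1, mu=0.01)


def r0(p):
    """Threshold of the assumed model, from linearising at the worm-free state.

    One infected computer infects beta/g others by scanning and contaminates
    sigma/g devices, each of which infects alpha/delta computers.
    """
    g = p["gamma"] + p["mu"]
    return p["beta"] / g + p["alpha"] * p["sigma"] / (g * p["delta"])


def simulate(p, i0=0.001, t_end=2000.0, dt=0.05):
    """Forward-Euler integration from a small initial infection.

    Returns the final fractions (infected computers, infected devices).
    """
    s, i, r, d = 1.0 - i0, i0, 0.0, 0.0
    for _ in range(int(t_end / dt)):
        new_inf = (p["beta"] * i + p["alpha"] * d) * s      # scanning + devices
        ds = p["mu"] * (1.0 - s) - new_inf
        di = new_inf - (p["gamma"] + p["mu"]) * i
        dr = p["gamma"] * i - p["mu"] * r
        dd = p["sigma"] * i * (1.0 - d) - p["delta"] * d
        s, i, r, d = s + dt * ds, i + dt * di, r + dt * dr, d + dt * dd
    return i, d


if __name__ == "__main__":
    for name, p in (("careful", CAREFUL), ("lax", LAX)):
        i_end, d_end = simulate(p)
        print(f"{name:8s} R0={r0(p):6.2f}  infected computers={i_end:.4f}  "
              f"infected devices={d_end:.4f}")
```

In both parameter sets scanning alone is below threshold (`beta / (gamma + mu)` is about 0.45), so in this assumed model it is the handling of removable devices that decides whether the worm dies out or persists.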