#### Abstract

The Flash Disk worms, spreading via both Web-based scanning and removable devices between multiple subnets, have become a serious threat to the Internet, especially those physically isolated subnets. We present a model which incorporates specific features of these worms in this paper. Then, we analyze the dynamic behaviors of the model when one subnet is considered. Analytical result shows that the Flash Disk worm can self-perpetuate when and will die out otherwise. When multiple subnets are considered, we get that once a computer is infected by the Flash Disk worms, other computers in that subnet will be infected in a short time. Thus, for any subnet, to contain the Flash Disk worms, the most effective way is to prevent the first infected individual by improving the users’ security awareness of using removed devices. Our results are illustrated by numerical simulation.

#### 1. Introduction

The Flash Disk worms, which spread via both Web-based scanning on the Internet and removable devices, mainly attack SIMATIC and WinCC software. Those worms appear to be aimed directly at controlling physical machinery and attempt to take control of critical physical infrastructure. Stuxnet which is a kind of the Flash Disk worms has infected about 500,000–1000,000 computers, mainly in Iran, India, Indonesia, and Pakistan [1]. Nowadays, it becomes a major question to research the Flash Disk worms.

For a great many similarities between computer worms and biological virus [2], some biological epidemic models have been modified to describe the spreading of the Internet worms. For example, the susceptible-infected-susceptible (SIS) model was modified including a reintroduction parameter by Wierman and Marchette [3]. In [4], the susceptible-infected-recovered (SIR) model and a discrete Markov model were presented to capture the short term and long term dynamics of viral propagation. The susceptible-antidotal-infected-contaminated (SAIC) model whose two new compartments were introduced was proposed [5]. Besides, there were the susceptible-infected-recovered-susceptible (SIRS), the susceptible-infected-detected-recovered (SIDR), and the susceptible-asymptomatic-symptomatic-recovered (SAIR) models which were adopted [6–9]. However, these models cannot be applied to the worms which spread via both Web-based scanning on the Internet and removable devices.

Jin and Wang describe the FD-SEIR model to analyze and control the Flash Disk worms [10]. Besides, Song et al. present the worms model about the cross infection of computers and removable devices [11]. However, the two models were analyzed under the condition of computers and removable devices mixed evenly. It is not suitable for the spread of Stuxnet because of the different speed of Stuxnet’s spreading in different subnets. Inspired by these models, we will build a model focusing on Stuxnet which spreads via Web-based scanning on the Internet and removable devices in multiple subnets.

The organization of this paper is as follows. In Section 2, we present a model in multiple subnets. In Section 3, we analyze its dynamical behavior in one and more subnets and give some results by numerical simulation in multiple subnets. The paper concludes with a brief discussion in Section 4.

#### 2. The Model Formulation in Multiple Subnets

The Flash Disk worms spread by Web-based scanning on the Internet and using removable devices between subnets. In the different subnets, the Flash Disk worms may have the different spreading speed. Thus, the propagation of worms can be considered to be a fast system. If they spread slowly, these subnets will be seen as a slow system. For simplicity, we suppose that the removable devices represent all mobile devices related to computer, including flash disk, mobile hard disk, and memory card. Assume that computer hosts are classified in three compartments: susceptible (), infected (), and recovered () and the removable devices are two compartments: susceptible and infected . To consider the spread relationship between computers and removable devices, the model is as follows:where , , and meaning of the parameters and state variables is shown in Notations and Definitions section.

#### 3. Model Analysis

In the section, two parts will be analyzed. In the first part, we will not consider the worms spreading among different subnets. In the second part, we will consider worms spreading among different subnets.

##### 3.1. Model Analysis in the th Subnet

If we let , then the worms will be only propagated in subnet. Model (1) becomes Then we will consider the existence and stability of equilibria for system (2). It is obvious that there is a disease-free equilibrium in system (2). To analyze the existence of the positive equilibria, we firstly give the basic reproduction number:Here is the number of newly infected individuals at the disease-free equilibrium in the th subnet in infectious period.

By calculating, we obtain that satisfied the following equation: According to Descartes sign rule, if , there exists a unique positive equilibrium in system (2), where

Furthermore, we consider the stability of equilibria. We have the following theorems.

Theorem 1. *If , the disease-free equilibrium of (2) is locally asymptotically stable.*

*Proof. *The Jacobian matrix of (2) at is Then the characteristic equation isIt is easily seen that all eigenvalues of have negative real parts if . Thus, the theorem is proven by Routh-Hurwitz criterion.

Theorem 2. *When , the disease-free equilibrium of system (2) is globally asymptotically stable.*

*Proof. *Take Lyapunov function,which is always positive in whereThen, Then, when , the disease-free equilibrium of system (2) is globally asymptotically stable. The theorem is proven.

Theorem 3. *If , the positive equilibrium of (2) is locally asymptotically stable.*

*Proof. *The matrix of the linearization of system (2) at the unique positive equilibrium is Then the characteristic equation is , where ThenHence the Routh-Hurwitz criterion is satisfied. Thus it follows that the endemic equilibrium of (2), which exists if , is always locally asymptotically stable. The theorem is proven.

To prove the global stability, we have a dimensionless transformation where , , , , , and , for system (2). It becomesThen,The positive equilibrium is

Theorem 4. *When , the positive equilibrium of system (14), as well as the positive equilibrium of system (2), is globally asymptotically stable.*

* Proof. *Take Lyapunov function,which is always positive in whereThen,The positive equilibrium of system (14), as well as the positive equilibrium of system (2), is globally asymptotically stable when . The theorem is proven.

##### 3.2. Model Analysis between Subnets

In the subsection, we will analyze the existence of positive equilibrium for system (1). For convenience, assume that the fast system is stable in one subnet. Then the slow system iswhere and . From system (20), we can obtain and . If ,whereFrom (21), we know that one can prevent the worm spreading by controlling parameters. If infected computers and removable devices by the worms is less than one, that is, and , the worms will die out. Otherwise, they will be epidemic. We should improve the security awareness of using removable devices. For model (20), it is difficult to analyze the dynamic behaviors. In the following part, we will simulate the dynamic behaviors of system (1).

Take the determined parameters and the average value of about 100 experimental results. Firstly, let , , , , , , , , , , and time step . Then we plot figures of dynamical behaviors if we take the different initial value. (i) if and if when . From Figure 1, we can see that if , the number of infected computers will gradually reduce and finally disappear. On the contrary, if , the number of infected computers will increase and then tend to a stable status. (ii) Let the initial value when and the other values do not change. We draw change figures for the proportion of infected computers with time in the th subnet (see Figure 2) and multiple subnets (see Figure 3). From Figure 2, we can obtain that if a computer is infected by Stuxnet, other computers will be infected in a short time. From Figure 3, it is found that once a computer is infected by the Flash Disk worms, other computers will be infected among the different subnets after a longer time. Furthermore, comparing Figure 2 with Figure 3, we can find that if a computer is infected by the Flash Disk worms, other computers will be infected in a short time in one subnet. To prevent computer from being infected by the worms, we should take some effective measures. We can improve the safety awareness of using removable devices to prevent the first computer from being infected by the worms.

#### 4. Conclusion

In this paper, we proposed a new model focusing on the Flash Disk worms spreading via both Web-based scanning and removable devices in multiple subnets. In the th subnet, we deduced the basic reproduction number , a disease-free equilibrium, and a unique equilibrium. If , the disease-free equilibrium is globally asymptotically stable; otherwise the Flash Disk worms can self-perpetuate. In the different subnets, we analyzed controlling the number of infected computers by the determined simulation and stochastic simulation. If a computer is infected by the Flash Disk worms, other computers will be infected in a short time in one subnet. We should improve the safety awareness of using removable devices to prevent the first computer from being infected by the worms. The future work will focus on using real trace data to test the model and these strategies. We will also study some countermeasures against the Flash Disk worms.

#### Notations and Definitions

Number of total computer hosts and removable devices in the th subnet, respectively | |

Number of susceptible computer hosts and removable devices in the th subnet, respectively | |

Number of infected computer hosts and removable devices in the th subnet, respectively | |

: | Number of recovered computer hosts in the th subnet |

Quarantine or replacement rate of computer hosts and removable devices, respectively | |

Recovery rate of infected computer hosts and infected removable devices, respectively | |

: | Infection rate of susceptible computer hosts in the th subnet caused by infected computers inside the th subnet |

: | Infection rate from removable devices to susceptible computer hosts |

: | Infection rate of susceptible computer hosts in the th subnet caused by removable devices inside the th subnet |

: | Infection rate of susceptible computer hosts in the th subnet caused by infected computer hosts in the th subnet |

: | Infection rate of susceptible computer hosts in the th subnet caused by removable devices in the th subnet |

: | The removable devices using probability per unit time in the th subnet |

: | The removable devices of the th patch using probability per unit time in the th subnet |

: | Probability of direct opening when using removable devices |

: | A small dimensionless parameter. |

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This work is supported by the National Science Foundation of China (11201434, 11331009, and 61379125), Fund Program for the Scientific Activities of Selected Returned Overseas Professionals in Shanxi Province, and Research Project Supported by Shanxi Scholarship Council of China (2013-087).