Research Article | Open Access
An Advanced Persistent Distributed Denial-of-Service Attacked Dynamical Model on Networks
The advanced persistent distributed denial-of-service (APDDoS) attack does a serious harm to cyber security. Establishing a mathematical model to accurately predict APDDoS attack on networks is still an important problem that needs to be solved. Therefore, to help us understand the attack mechanisms of APDDoS on networks, this paper first puts forward a novel dynamical model of APDDoS attack on networks. A systematic analysis of this new model shows that the maximum eigenvalue of the networks is a vital factor that determines the success or failure of the attack. What is more, a new sufficient condition for the global stability of attack-free equilibrium is obtained. The global attractivity of attacked equilibrium has also been proved. Eventually, this paper gives some numerical simulations to show the main results.
Cyber-attack overwhelmingly invades every aspect of our life, which causes huge threats and enormous damage to thousands of industries. According to the report , the percentage of cyber-attack motivated by Cyber Crime has risen to 72.1% in 2017. And nowadays, there are a lot of attack ways, such as DDoS attack, DoS attack, and so on. Here, let us discuss some attacked means to achieve a better understanding of the cyber-attack. DoS attack, which is known as the denial-of-service attack, is an important means of attack. It always launches attacks of blocking the buffer of the host of service providers so as to make legal guests can not access the server. And among the cyber-attacks in 2016, about 11.3% attacks were DoS attacks. Different from the DoS attack, in a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources . In addition, APT (Advanced Persistent Threat), which is a stealthy and continuous computer hacking process, usually has the characteristics of strong concealment, sophisticated techniques, and continuous monitoring . Most importantly, this paper mainly talks about APDDoS (advanced persistent distributed denial-of-service) attack which is DDoS attack equipped with the advance of APT. With the characters of advanced reconnaissance, clear motive, tactical execution, outstanding computing power, and long-term durability , it has caused great losses to the world. During the opening ceremonies of the PyeongChang Winter Olympics in February 2018, TV and web services were affected by an APDDoS attack for about 12 hours . In February 2018, GitHub (the world's largest code hosting website) suffered a serious APDDoS attack; the peak flow rate reached 1.35Tbps . It is easy to know that the APDDoS attack is being more and more harmful and it has a profound impact on the world.
To fully understand the APDDoS attack, its steps must be introduced. First, attacker will invade as many infected computers as possible by inserting or injecting computer malware into phishing websites or phishing texts. So, if the visitor opens it, his/her computer would be infected. And then, the infected computers will be composed into a botnet that is controlled by the attacker. When there are enough infected computers, the attacker can launch flood attack to targeted IPs (services of host) which will be blocked or broken down soon after the attack.
The cyber-attack process on the network can be accurately expressed as a continuous-time Markov chain which is proposed by Van Mieghem [7, 8]. However, this method is difficult in mathematical analysis. In order to overcome these difficulties, some approximation methods are proposed, such as individual-based mean-field theory (IBMF) and degree-based mean-field theory (DBMF) [9, 10]. For IBMF, any node can be regarded as a computer or local network in the network is statistically independent from its neighboring nodes [11–14]. For DBMF, any vertex classified by degree is connected to the set of nodes with different degree with the special probability [15–17].
To better understand the impact of network topology on APDDoS attack, in this paper we propose a novel APDDoS attack model on networks with IBMF. Then we found that the global stability of attack-free equilibrium and the global attractivity of attacked equilibrium depend on the value of the maximum eigenvalue of the attack network.
In Section 2, the paper proposes the APDDoS attack model. Its threshold and the equilibriums are calculated in Section 3. Further Discussions are given in Section 4. Next, the paper shows some numerical simulations in Section 5. Finally, a brief summary of the full paper is given.
2. Model Descriptions
According to the ability of computers to defend against malicious software on the network, the paper divides the computers into two groups: Weak-Protected group and Strong-Protected group. Here, we can divide computers into two groups by checking whether the computer has firewall.
The Weak-Protected group (WP), which lacks firewall protection, is vulnerable to malware attacks, such as computer worm, Trojan, and so on. The Weak-Protected group consists of two kinds of computers, which includes susceptible computers (S-node) and infected computers (I-node). The susceptible computers (S-node) are weak in preventing malware attacks but have not been infected yet, while the infected computers (I-node) refers to the computers which has been infected by malwares and controlled by hackers.
However, because the existence of the firewall, the Strong-Protected group (SP) can defend against many kinds of attacks, but it also can be attacked by APDDoS attack. The Strong-Protected group also consists of two kinds of computers, tolerant computers (T-node), and missed computers (M-node). Tolerant computers (T-node) represent computers with a firewall (which usually means servers) and works normally, while missed computers (M-node) denote the computers with a firewall but cannot respond to the request and become missed for the visitors due to the APDDoS attacks (see Figure 1).
Based on the above facts, some constants can be defined as follows:(i)G= (V, E): the network structure of the computers on network, and G can be represented as an undirected, connected, and nonlooped graph.(ii)N: the scale of network G, which is also the whole number of the computer in the G.(iii)A: the matrix of the network connection situation. A is a symmetric matrix with zero diagonal. , , .(iv): the spectrum of A, . As A is real and symmetric, we may assume .(v)Si(t): the node, which is susceptible(S-node) at time t.(vi)Ii(t): the node, which is infected(I-node) at time t.(vii)Ti(t): the node, which is tolerant(T-node) at time t.(viii)Li(t): the node, which is missed(M-node) at time t.
(H1) As executing some operations that do harm to the computer security, like browsing the phishing websites or opening the phishing email, etc., any Si infected by the neighboring I-nodes with probability β, the average probability of each Si gets infected per unit time, is .
(H2) By installing some antivirus soft-wares, any Ii(t) recovers to the state of susceptible, which also means becoming Si(t) with the probability γ.
(H3) As occurring APDDoS attacks, any Ti(t) can be attacked by neighboring I-nodes with the probability α. By calculating, the average probability of each Ti(t) turns into the Mi(t) per unit time is .
(H4) As changing the hardware of computers and strengthen the firewall, any Mi(t) restarts or recovers with the probability η.
(H5) As the two groups of the computer are separated, the paper uses ϕ to denote the proportion of the Weak-Protected group and then is the proportion of the Strong-Protected group; also there are Si (t)+Ii (t)= ϕ and Ti (t)+Mi(t)=1-ϕ.
Let Also, the following equations can be obtained:
In order to satisfy these above equations, β and α should be far less than 1. Let ∆t be a very small interval. According to the assumptions given above, the following equations can be got:
Substituting these equations into the above relations and letting >0, the following 4N-dimensional dynamic system has been proposed:with the initial conditions that , , , .
According to Assumption (H5) that , , system (4) can be rewritten into the following 2N-dimensional dynamic system:with the initial conditions , .
3. Model Analysis
To achieve that, let
Let x(t)=(I1(t), …, IN(t),M1(t), …, MN(t), and rewrite system (5) as the following notation: with the initial condition , where
Theorem 1. Consider system (5) that (a)the attack-free equilibrium P0 is locally asymptotically stable if ;(b)the attack-free equilibrium P0 is a saddle point.
Proof. The characteristic equation with respect to P0 isEquation (11) has negative roots with multiplicity N and has ,1≤ k ≤ N as the remaining N roots. When , then for all k. So, all the roots of (11) are negative, implying that the attacked-free equilibrium of system (5) is locally asymptotically stable. Otherwise, if , then the attack-free equilibrium is a saddle point.
Remark 2. This theorem can also be formulated as (a) , and (b) .
Next, study the global stability of the attack-free equilibrium of system (6).
LetLet y(t)=(I1(t), …, IN(t), and rewrite system (6) as the following notation: with the initial condition , where Lemma 3 (see ). Consider a smooth dynamical system that is defined at least in a compact set U. Then, U is positively invariant if for any smooth point w on , the vector g(w) is tangent to or pointing into U.
Lemma 4 (see [23, 24]). Consider an n-dimensional autonomous systemwhere Γ is a region that contains the origin, , . Suppose there is a positively invariant compact convex set that contains the origin, and a real eigenvector of , a positive number r such that
(C1) for all ,
(C2) for all ,
(C3) the origin forms the largest positively invariant set that is included in the set .
Then we have
(1) implies that the origin is globally asymptotically stable in C,
(2) implies there exists such that implies .
Lemma 5. The set of Ψ is positively invariant for system (6). That is, implies for all .and for i=1,…,N, Ti, Wi. We haveas their respective outer normal vectors. Let y be a smooth point of∂Ψ. The paper distinguishes among two possibilities.Combining the above discussions, we get that g(w) is pointing into ∂Ψ. The claimed result then follows from Lemma 3. The proof is completed.
Theorem 6. The attacked-free equilibrium of system (6) is globally and asymptotically stable if .
Proof. Look at system (13). As matrix is irreducible and its off-diagonal entries are all nonnegative, it follows from  that has a positive eigenvector z= (z1, …, zN) belonging to its eigenvalue s(). Let r=mini zi(r>0). Then, for all , we have Moreover, <H(y), z> = 0 implies that y=0. In view of Theorem 1 and Lemma 5, the claimed result follows from Lemma 4. The proof is complete.
Proof. It follows from Theorem 6, which implies thatfor any ε> 0 there exists time T1 such that, for all , we haveFrom the last N equations of system (5), we get that for And for ,As the comparison systemhas a globally asymptotically stable equilibrium , we get that, for any ε> 0, there exists T2> 0 such that, for all t≥T2,This implies thatThe proof is complete.
The following corollary can be obtained easily based on Lemma 4 and Theorem 7.
Theorem 9. System (5) has an attacked equilibrium if .
Theorem 10. The attacked equilibrium is globally attractive if .
Proof. For any solution P(t) to system (5), let Clearly, , are continuous and have right-hand derivatives. For some t0 and ε> 0, we may assume , thenIf , then .
When ,When ,As , , we know that , implying . Likewise, implies ; implies , and implies .
LetObviously, and are continuous and nonnegative.
Besides,LetThenAny solution of system (5) starting in Ω approaches follows from the LaSalle Invariance Principle . Therefore, the claimed follows from is globally attractive.
Conjecture 11. The attacked equilibrium is globally asymptotically stable if .
4. Further Discussions
In order to control APDDoS attack, must be satisfied. To different parameters on . Let us do the following calculations:
From these computational results, the following conclusions can be got:(a)Reducing the infection rate could be help to control APDDoS attack.(b)Raising the cure rate conduces to the suppression of APDDoS attack.(c)Reducing the rate conduces to the suppression of APDDoS attack.(d)Reducing the value of leads to the restraint of APDDoS attack.
Based on the above discussions, the corresponding practical suggestions are as follows:(i)Install antivirus software or firewall and update it regularly.(ii)Improve the defensive level of computer.(iii)Filter IP addresses so as to reduce the number of IP addresses that can access computer on networks.
5. Numerical Simulations
This section gives some examples about equilibriums of system (5) under the distinguish networks and optimal dynamic control strategies for disrupting APDDoS attack.
The paper discusses the equilibrium of system on four different kinds of networks: full-connected network, stochastic network, scale-free network which uses Barabasi-Albert method, and realistic network.
First, consider system (5) under the fully connected network.
Example 1. Consider a network with 200 nodes and every node is connected to other nodes, which is full-connected network. With = 0.004, = 0.01, = 0.4, =0.1, =0.5 where the threshold of the system is =199, the attack-free equilibrium is globally stable (see Figure 3).
Example 2. Consider a network that nodes are fully connected to other with 200 nodes. With = 0.01, = 0.01, = 0.75, =0.1, =0.5 where the threshold of the system is , the attacked equilibrium is attractivity (see Figure 4).
Then consider system (5) under the network of stochastic network.
Example 3. Consider a network that nodes are connected randomly to other with 200 nodes. With = 0.01, = 0.01, = 0.5, =0.1, =0.5 where the threshold of the system is , the attack-free equilibrium is globally stable (see Figure 5).
Example 4. Consider a network whose nodes are connected randomly to other with 200 nodes. With = 0.017, = 0.01, = 0.75, =0.1, =0.5 where the threshold of the system is , the attacked equilibrium is attractivity (see Figure 6).
Now, let us consider system (5) under the network of scale-free network.
Example 5. Consider a network whose nodes are connected to other with 200 nodes. With = 0.001, = 0.002, = 0.0035, =0.1, =0.5 where the threshold of the system is , the attack-free equilibrium is globally stable(see Figure 7).
Example 6. Consider a network whose nodes are connected to other with 200 nodes. With = 0.001, = 0.002, = 0.0026, =0.1, =0.5 where the threshold of the system is , the attacked equilibrium is attractivity(see Figure 8).
Example 7. Consider a network whose nodes are connected to other with 300 nodes. With = 0.01, = 0.013, = 0.18, =0.1, =0.5 where the threshold of the system is , the attack-free equilibrium is globally stable(see Figure 9).
Example 8. Consider a network that nodes are connected randomly to other with 300 nodes. With β = 0.01, = 0.013, = 0.05, =0.1, =0.5 where the threshold of the system is , the attacked equilibrium is attractivity(see Figure 10).
This paper puts forward a novel dynamical model of APDDoS attack on networks. Then, a systematic analysis of this model is showed. After that, a new sufficient condition for the global stability of attack-free equilibrium is obtained. Next, the sufficient condition for the global attractivity of attacked equilibrium also is studied. Eventually, some numerical simulations are given to show the main results of this paper.
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
This work is supported by the Natural Science Foundation of Guangdong Province, China (no. 2014A030310239).
- A. Hussain, J. Heidemann, and C. Papadopoulos, “A framework for classifying denial of service attacks,” in Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM '03), ACM, Karlsruhe, Germany, August 2003.
- P. V. Mieghem, J. Omic, and R. Kooij, “Virus spread in networks,” IEEE/ACM Transactions on Networking, vol. 17, no. 1, pp. 1–14, 2009.
- P. V. Mieghem and E. Cator, “Epidemics in networks with nodal self-infection and the epidemic threshold,” Physical Review E: Statistical, Nonlinear, and Soft Matter Physics, vol. 86, no. 1, Article ID 016116, 2012.
- R. Pastor-Satorras, C. Castellano, P. Van Mieghem, and A. Vespignani, “Epidemic processes in complex networks,” Reviews of Modern Physics, vol. 87, no. 3, pp. 120–131, 2015.
- Z.-K. Zhang, C. Liu, X.-X. Zhan, X. Lu, C.-X. Zhang, and Y.-C. Zhang, “Dynamics of information diffusion and its applications on complex networks,” Physics Reports, vol. 651, pp. 1–34, 2016.
- M. Youssef and C. Scoglio, “An individual-based approach to SIR epidemics in contact networks,” Journal of Theoretical Biology, vol. 283, pp. 136–144, 2011.
- S. Xu, W. Lu, and L. Xu, “Push- and pull-based epidemic spreading in networks: Thresholds and deeper insights,” ACM Transactions on Autonomous and Adaptive Systems (TAAS), vol. 7, no. 3, Article ID 2348835, pp. 1–26, 2012.
- L. X. Yang, M. Draief, and X. Yang, “Heterogeneous virus propagation in networks: a theoretical study,” Mathematical Methods in the Applied Sciences, vol. 40, no. 5, pp. 1396–1413, 2017.
- L.-X. Yang, X. Yang, and Y. Yan Tang, “A bi-virus competing spreading model with generic infection rates,” IEEE Transactions on Network Science and Engineering, vol. 5, no. 1, pp. 2–13, 2017.
- C. Zhang, T. Feng, Y. Zhao, and G. Jiang, “A new model for capturing the spread of computer viruses on complex-networks,” Discrete Dynamics in Nature and Society, Article ID 956893, 9 pages, 2013.
- L.-X. Yang and X.-F. Yang, “The spread of computer viruses over a reduced scale-free network,” Physica A: Statistical Mechanics and its Applications, vol. 396, pp. 173–184, 2014.
- C. Zhang and H. Huang, “Optimal control strategy for a novel computer virus propagation model on scale-free networks,” Physica A: Statistical Mechanics and its Applications, vol. 451, pp. 251–265, 2016.
- J. O. Kephart and S. R. White, “Directed-graph epidemiological models of computer viruses,” in Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, pp. 343–359, Oakland, Calif, USA, May 1991.
- B. K. Mishra and S. K. Pandey, “Dynamic model of worm s with vertical transmission in computer network,” Applied Mathematics and Computation, vol. 217, no. 21, pp. 8438–8446, 2011.
- J. Ren, X. Yang, Q. Zhu, L. Yang, and C. Zhang, “A novel computer virus model and its dynamics,” Nonlinear Analysis: Real World Applications, vol. 13, no. 1, pp. 376–384, 2012.
- C. Gan and X. Yang, “Theoretical and experimental analysis of the impacts of removable storage media and antivirus software on viral spread,” Communications in Nonlinear Science and Numerical Simulation, vol. 22, no. 1-3, pp. 167–174, 2015.
- J. A. Yorke, “Invariance for ordinary differential equations,” Mathematical Systems Theory, vol. 1, no. 4, pp. 353–372, 1967.
- A. Lajmanovich and J. A. Yorke, “A deterministic model for gonorrhea in a nonhomogeneous population,” Mathematical Biosciences, vol. 28, no. 3-4, pp. 221–236, 1976.
- C. Gan, “Modeling and analysis of the effect of network eigenvalue on viral spread,” Nonlinear Dynamics, vol. 84, no. 3, pp. 1727–1733, 2016.
- H. L. Smith and P. Waltman, The Theory of the Chemostat, Cambridge University Press, Cambridge, UK, 1995.
- R. C. Robinson, An Introduction to Dynamical Systems: Continuous and Discrete, Prentice Hall, Englewood Cliffs, 2004.
- L.-X. Yang, X. Yang, and Y. Wu, “The impact of patch forwarding on the prevalence of computer virus: a theoretical assessment approach,” Applied Mathematical Modelling, vol. 43, pp. 110–125, 2017.
Copyright © 2019 Chunming Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.