#### Abstract

The advanced persistent distributed denial-of-service (APDDoS) attack does a serious harm to cyber security. Establishing a mathematical model to accurately predict APDDoS attack on networks is still an important problem that needs to be solved. Therefore, to help us understand the attack mechanisms of APDDoS on networks, this paper first puts forward a novel dynamical model of APDDoS attack on networks. A systematic analysis of this new model shows that the maximum eigenvalue of the networks is a vital factor that determines the success or failure of the attack. What is more, a new sufficient condition for the global stability of attack-free equilibrium is obtained. The global attractivity of attacked equilibrium has also been proved. Eventually, this paper gives some numerical simulations to show the main results.

#### 1. Introduction

Cyber-attack overwhelmingly invades every aspect of our life, which causes huge threats and enormous damage to thousands of industries. According to the report [1], the percentage of cyber-attack motivated by Cyber Crime has risen to 72.1% in 2017. And nowadays, there are a lot of attack ways, such as DDoS attack, DoS attack, and so on. Here, let us discuss some attacked means to achieve a better understanding of the cyber-attack. DoS attack, which is known as the denial-of-service attack, is an important means of attack. It always launches attacks of blocking the buffer of the host of service providers so as to make legal guests can not access the server. And among the cyber-attacks in 2016, about 11.3% attacks were DoS attacks. Different from the DoS attack, in a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources [2]. In addition, APT (Advanced Persistent Threat), which is a stealthy and continuous computer hacking process, usually has the characteristics of strong concealment, sophisticated techniques, and continuous monitoring [3]. Most importantly, this paper mainly talks about APDDoS (advanced persistent distributed denial-of-service) attack which is DDoS attack equipped with the advance of APT. With the characters of advanced reconnaissance, clear motive, tactical execution, outstanding computing power, and long-term durability [4], it has caused great losses to the world. During the opening ceremonies of the PyeongChang Winter Olympics in February 2018, TV and web services were affected by an APDDoS attack for about 12 hours [5]. In February 2018, GitHub (the world's largest code hosting website) suffered a serious APDDoS attack; the peak flow rate reached 1.35Tbps [6]. It is easy to know that the APDDoS attack is being more and more harmful and it has a profound impact on the world.

To fully understand the APDDoS attack, its steps must be introduced. First, attacker will invade as many infected computers as possible by inserting or injecting computer malware into phishing websites or phishing texts. So, if the visitor opens it, his/her computer would be infected. And then, the infected computers will be composed into a botnet that is controlled by the attacker. When there are enough infected computers, the attacker can launch flood attack to targeted IPs (services of host) which will be blocked or broken down soon after the attack.

The cyber-attack process on the network can be accurately expressed as a continuous-time Markov chain which is proposed by Van Mieghem [7, 8]. However, this method is difficult in mathematical analysis. In order to overcome these difficulties, some approximation methods are proposed, such as individual-based mean-field theory (*IBMF*) and degree-based mean-field theory (*DBMF*) [9, 10]. For* IBMF*, any node can be regarded as a computer or local network in the network is statistically independent from its neighboring nodes [11–14]. For* DBMF,* any vertex classified by degree is connected to the set of nodes with different degree with the special probability [15–17].

To better understand the impact of network topology on APDDoS attack, in this paper we propose a novel APDDoS attack model on networks with* IBMF*. Then we found that the global stability of attack-free equilibrium and the global attractivity of attacked equilibrium depend on the value of the maximum eigenvalue of the attack network.

In Section 2, the paper proposes the APDDoS attack model. Its threshold and the equilibriums are calculated in Section 3. Further Discussions are given in Section 4. Next, the paper shows some numerical simulations in Section 5. Finally, a brief summary of the full paper is given.

#### 2. Model Descriptions

According to the ability of computers to defend against malicious software on the network, the paper divides the computers into two groups: Weak-Protected group and Strong-Protected group. Here, we can divide computers into two groups by checking whether the computer has firewall.

The Weak-Protected group (WP), which lacks firewall protection, is vulnerable to malware attacks, such as computer worm, Trojan, and so on. The Weak-Protected group consists of two kinds of computers, which includes susceptible computers (*S*-node) and infected computers (*I*-node). The susceptible computers (*S*-node) are weak in preventing malware attacks but have not been infected yet, while the infected computers (*I*-node) refers to the computers which has been infected by malwares and controlled by hackers.

However, because the existence of the firewall, the Strong-Protected group (SP) can defend against many kinds of attacks, but it also can be attacked by APDDoS attack. The Strong-Protected group also consists of two kinds of computers, tolerant computers (*T*-node), and missed computers (*M*-node). Tolerant computers (*T*-node) represent computers with a firewall (which usually means servers) and works normally, while missed computers (*M*-node) denote the computers with a firewall but cannot respond to the request and become missed for the visitors due to the APDDoS attacks (see Figure 1).

Based on the above facts, some constants can be defined as follows:(i)*G*= (*V*,* E*): the network structure of the computers on network, and* G* can be represented as an undirected, connected, and nonlooped graph.(ii)*N*: the scale of network* G*, which is also the whole number of the computer in the* G*.(iii)*A*: the matrix of the network connection situation.* A *is a symmetric matrix with zero diagonal. , , .(iv): the spectrum of* A*, . As* A* is real and symmetric, we may assume .(v)*S*_{i}(*t*): the node, which is susceptible(*S*-node) at time* t*.(vi)*I*_{i}(*t*): the node, which is infected(*I*-node) at time* t*.(vii)*T*_{i}(*t*): the node, which is tolerant(*T*-node) at time* t*.(viii)*L*_{i}(*t*): the node, which is missed(*M*-node) at time* t*.

Next, some reasonable assumptions are proposed as follows [18–21].

(*H*1) As executing some operations that do harm to the computer security, like browsing the phishing websites or opening the phishing email, etc., any* S*_{i} infected by the neighboring* I*-nodes with probability *β*, the average probability of each* S*_{i} gets infected per unit time, is .

(*H*2) By installing some antivirus soft-wares, any* I*_{i}(*t*) recovers to the state of susceptible, which also means becoming* S*_{i}(*t*) with the probability *γ*.

(*H*3) As occurring APDDoS attacks, any* T*_{i}(*t*) can be attacked by neighboring* I*-nodes with the probability *α*. By calculating, the average probability of each* T*_{i}(*t*) turns into the* M*_{i}(*t*) per unit time is .

(*H*4) As changing the hardware of computers and strengthen the firewall, any* M*_{i}(*t*) restarts or recovers with the probability* η*.

(*H*5) As the two groups of the computer are separated, the paper uses* ϕ* to denote the proportion of the Weak-Protected group and then is the proportion of the Strong-Protected group; also there are

*S*

_{i }(

*t*)+

*I*

_{i }(

*t*)=

*and*

*ϕ**T*

_{i }(

*t*)+

*M*

_{i}(

*t*)=1-

*.*

*ϕ*Let Also, the following equations can be obtained:

In order to satisfy these above equations, *β* and *α* should be far less than 1. Let* ∆t* be a very small interval. According to the assumptions given above, the following equations can be got:

Substituting these equations into the above relations and letting >0, the following 4*N*-dimensional dynamic system has been proposed:with the initial conditions that , , , .

According to Assumption (*H*5) that , , system (4) can be rewritten into the following 2*N*-dimensional dynamic system:with the initial conditions , .

Since the first* N* equations of system (5) are independent of* M*, so system (5) can be simplified into the following form:with the initial conditions .

#### 3. Model Analysis

This section aims to understand the dynamical behavior of system (5) and system (6) which was proposed in the previous section.

Clearly, there is a unique attack-free equilibrium in system (5). First, consider properties of the attack -free equilibrium of system (5).

To achieve that, let

Let* x*(*t*)=(*I*_{1}(*t*), …,* I*_{N}(*t*),*M*_{1}(*t*), …,* M*_{N}(*t*), and rewrite system (5) as the following notation: with the initial condition , where

Let

Theorem 1. *Consider system (5) that *(a)*the attack-free equilibrium P_{0} is locally asymptotically stable if ;*(b)

*the attack-free equilibrium*

*P*_{0}is a saddle point.*Proof. *The characteristic equation with respect to* P*_{0} isEquation (11) has negative roots with multiplicity* N* and has ,1≤* k* ≤* N* as the remaining* N* roots. When , then for all* k.* So, all the roots of (11) are negative, implying that the attacked-free equilibrium of system (5) is locally asymptotically stable. Otherwise, if , then the attack-free equilibrium is a saddle point.*Remark 2*. This theorem can also be formulated as (a) , and (b) .

Next, study the global stability of the attack-free equilibrium of system (6).

LetLet* y*(*t*)=(*I*_{1}(*t*), …,* I*_{N}(*t*), and rewrite system (6) as the following notation: with the initial condition , where **Lemma ****3** (see [22]).* Consider a smooth dynamical system ** that is defined at least in a compact set U. Then, U is positively invariant if for any smooth point **w** on **, the vector g(**w**) is tangent to or pointing into U.***Lemma ****4** (see [23, 24]).* Consider an n-dimensional autonomous system**where Γ is a region that contains the origin, **, **. Suppose there is a positively invariant compact convex set ** that contains the origin, and a real eigenvector ** of **, a positive number r such that **(C1) ** for all *,*(C2) ** for all *,*(C3) the origin forms the largest positively invariant set that is included in the set *.*Then we have **(**1) ** implies that the origin is globally asymptotically stable in C*,*(**2) ** implies there exists ** such that ** implies *.**Lemma ****5**.* The set of Ψ is positively invariant for system (6). That is, ** implies ** for all **.**and for i*=1,…,*N*,* T*_{i},* W*_{i}.* We have**as their respective outer normal vectors. Let y be a smooth point of∂*Ψ.* The paper distinguishes among two possibilities.**Combining the above discussions, we get that g(**w**) is pointing into ∂Ψ. The claimed result then follows from Lemma 3. The proof is completed.*

Theorem 6. *The attacked-free equilibrium of system (6) is globally and asymptotically stable if .*

*Proof. *Look at system (13). As matrix is irreducible and its off-diagonal entries are all nonnegative, it follows from [23] that has a positive eigenvector* z*= (*z*_{1}, …,* z*_{N}) belonging to its eigenvalue* s*(). Let* r*=min_{i }*z*_{i}(*r*>0). Then, for all , we have Moreover, <*H*(*y*),* z*> = 0 implies that* y*=0. In view of Theorem 1 and Lemma 5, the claimed result follows from Lemma 4. The proof is complete.

Theorem 7. *The attacked-free equilibrium of system (5) is globally and asymptotically stable if (see Figures 2, 4, 6, and 8).*

*Proof. *It follows from Theorem 6, which implies thatfor any* ε*> 0 there exists time

*T*

_{1}such that, for all , we haveFrom the last

*N*equations of system (5), we get that for And for ,As the comparison systemhas a globally asymptotically stable equilibrium , we get that, for any

*> 0, there exists*

*ε**T*

_{2}> 0 such that, for all

*t*≥

*T*

_{2},This implies thatThe proof is complete.

The following corollary can be obtained easily based on Lemma 4 and Theorem 7.

Corollary 8. *System (5) is uniformly persistent if.**Second, consider properties of the attacked equilibrium of system (5).*

Theorem 9. *System (5) has an attacked equilibrium if .*

*Proof. *Note that any solution of system (5) is bounded. Hence, the claimed result follows easily from Corollary 8 [25].

Theorem 10. *The attacked equilibrium is globally attractive if .*

*Proof. *For any solution* P*(t) to system (5), let Clearly, , are continuous and have right-hand derivatives. For some* t*_{0} and *ε*> 0, we may assume , thenIf , then .

When ,When ,As , , we know that , implying . Likewise, implies ; implies , and implies .

LetObviously, and are continuous and nonnegative.

Besides,LetThenAny solution of system (5) starting in Ω approaches follows from the LaSalle Invariance Principle [26]. Therefore, the claimed follows from is globally attractive.

Conjecture 11. *The attacked equilibrium is globally asymptotically stable if .*

#### 4. Further Discussions

In order to control APDDoS attack, must be satisfied. To different parameters on . Let us do the following calculations:

From these computational results, the following conclusions can be got:(a)Reducing the infection rate could be help to control APDDoS attack.(b)Raising the cure rate conduces to the suppression of APDDoS attack.(c)Reducing the rate conduces to the suppression of APDDoS attack.(d)Reducing the value of leads to the restraint of APDDoS attack.

Based on the above discussions, the corresponding practical suggestions are as follows:(i)Install antivirus software or firewall and update it regularly.(ii)Improve the defensive level of computer.(iii)Filter IP addresses so as to reduce the number of IP addresses that can access computer on networks.

#### 5. Numerical Simulations

This section gives some examples about equilibriums of system (5) under the distinguish networks and optimal dynamic control strategies for disrupting APDDoS attack.

The paper discusses the equilibrium of system on four different kinds of networks: full-connected network, stochastic network, scale-free network which uses Barabasi-Albert method, and realistic network.

First, consider system (5) under the fully connected network.

*Example 1. *Consider a network with 200 nodes and every node is connected to other nodes, which is full-connected network. With = 0.004, = 0.01, = 0.4, =0.1, =0.5 where the threshold of the system is =199, the attack-free equilibrium is globally stable (see Figure 3).

*Example 2. *Consider a network that nodes are fully connected to other with 200 nodes. With = 0.01, = 0.01, = 0.75, =0.1, =0.5 where the threshold of the system is , the attacked equilibrium is attractivity (see Figure 4).

Then consider system (5) under the network of stochastic network.

*Example 3. *Consider a network that nodes are connected randomly to other with 200 nodes. With = 0.01, = 0.01, = 0.5, =0.1, =0.5 where the threshold of the system is , the attack-free equilibrium is globally stable (see Figure 5).

*Example 4. *Consider a network whose nodes are connected randomly to other with 200 nodes. With = 0.017, = 0.01, = 0.75, =0.1, =0.5 where the threshold of the system is , the attacked equilibrium is attractivity (see Figure 6).

Now, let us consider system (5) under the network of scale-free network.

*Example 5. *Consider a network whose nodes are connected to other with 200 nodes. With = 0.001, = 0.002, = 0.0035, =0.1, =0.5 where the threshold of the system is , the attack-free equilibrium is globally stable(see Figure 7).

*Example 6. *Consider a network whose nodes are connected to other with 200 nodes. With = 0.001, = 0.002, = 0.0026, =0.1, =0.5 where the threshold of the system is , the attacked equilibrium is attractivity(see Figure 8).

Finally, consider system (5) under realistic network [27].

*Example 7. *Consider a network whose nodes are connected to other with 300 nodes. With = 0.01, = 0.013, = 0.18, =0.1, =0.5 where the threshold of the system is , the attack-free equilibrium is globally stable(see Figure 9).

*Example 8. *Consider a network that nodes are connected randomly to other with 300 nodes. With *β* = 0.01, = 0.013, = 0.05, =0.1, =0.5 where the threshold of the system is , the attacked equilibrium is attractivity(see Figure 10).

#### 6. Conclusion

This paper puts forward a novel dynamical model of APDDoS attack on networks. Then, a systematic analysis of this model is showed. After that, a new sufficient condition for the global stability of attack-free equilibrium is obtained. Next, the sufficient condition for the global attractivity of attacked equilibrium also is studied. Eventually, some numerical simulations are given to show the main results of this paper.

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This work is supported by the Natural Science Foundation of Guangdong Province, China (no. 2014A030310239).