Abstract

The advanced persistent distributed denial-of-service (APDDoS) attack does a serious harm to cyber security. Establishing a mathematical model to accurately predict APDDoS attack on networks is still an important problem that needs to be solved. Therefore, to help us understand the attack mechanisms of APDDoS on networks, this paper first puts forward a novel dynamical model of APDDoS attack on networks. A systematic analysis of this new model shows that the maximum eigenvalue of the networks is a vital factor that determines the success or failure of the attack. What is more, a new sufficient condition for the global stability of attack-free equilibrium is obtained. The global attractivity of attacked equilibrium has also been proved. Eventually, this paper gives some numerical simulations to show the main results.

1. Introduction

Cyber-attack overwhelmingly invades every aspect of our life, which causes huge threats and enormous damage to thousands of industries. According to the report [1], the percentage of cyber-attack motivated by Cyber Crime has risen to 72.1% in 2017. And nowadays, there are a lot of attack ways, such as DDoS attack, DoS attack, and so on. Here, let us discuss some attacked means to achieve a better understanding of the cyber-attack. DoS attack, which is known as the denial-of-service attack, is an important means of attack. It always launches attacks of blocking the buffer of the host of service providers so as to make legal guests can not access the server. And among the cyber-attacks in 2016, about 11.3% attacks were DoS attacks. Different from the DoS attack, in a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources [2]. In addition, APT (Advanced Persistent Threat), which is a stealthy and continuous computer hacking process, usually has the characteristics of strong concealment, sophisticated techniques, and continuous monitoring [3]. Most importantly, this paper mainly talks about APDDoS (advanced persistent distributed denial-of-service) attack which is DDoS attack equipped with the advance of APT. With the characters of advanced reconnaissance, clear motive, tactical execution, outstanding computing power, and long-term durability [4], it has caused great losses to the world. During the opening ceremonies of the PyeongChang Winter Olympics in February 2018, TV and web services were affected by an APDDoS attack for about 12 hours [5]. In February 2018, GitHub (the world's largest code hosting website) suffered a serious APDDoS attack; the peak flow rate reached 1.35Tbps [6]. It is easy to know that the APDDoS attack is being more and more harmful and it has a profound impact on the world.

To fully understand the APDDoS attack, its steps must be introduced. First, attacker will invade as many infected computers as possible by inserting or injecting computer malware into phishing websites or phishing texts. So, if the visitor opens it, his/her computer would be infected. And then, the infected computers will be composed into a botnet that is controlled by the attacker. When there are enough infected computers, the attacker can launch flood attack to targeted IPs (services of host) which will be blocked or broken down soon after the attack.

The cyber-attack process on the network can be accurately expressed as a continuous-time Markov chain which is proposed by Van Mieghem [7, 8]. However, this method is difficult in mathematical analysis. In order to overcome these difficulties, some approximation methods are proposed, such as individual-based mean-field theory (IBMF) and degree-based mean-field theory (DBMF) [9, 10]. For IBMF, any node can be regarded as a computer or local network in the network is statistically independent from its neighboring nodes [11–14]. For DBMF, any vertex classified by degree is connected to the set of nodes with different degree with the special probability [15–17].

To better understand the impact of network topology on APDDoS attack, in this paper we propose a novel APDDoS attack model on networks with IBMF. Then we found that the global stability of attack-free equilibrium and the global attractivity of attacked equilibrium depend on the value of the maximum eigenvalue of the attack network.

In Section 2, the paper proposes the APDDoS attack model. Its threshold and the equilibriums are calculated in Section 3. Further Discussions are given in Section 4. Next, the paper shows some numerical simulations in Section 5. Finally, a brief summary of the full paper is given.

2. Model Descriptions

According to the ability of computers to defend against malicious software on the network, the paper divides the computers into two groups: Weak-Protected group and Strong-Protected group. Here, we can divide computers into two groups by checking whether the computer has firewall.

The Weak-Protected group (WP), which lacks firewall protection, is vulnerable to malware attacks, such as computer worm, Trojan, and so on. The Weak-Protected group consists of two kinds of computers, which includes susceptible computers (S-node) and infected computers (I-node). The susceptible computers (S-node) are weak in preventing malware attacks but have not been infected yet, while the infected computers (I-node) refers to the computers which has been infected by malwares and controlled by hackers.

However, because the existence of the firewall, the Strong-Protected group (SP) can defend against many kinds of attacks, but it also can be attacked by APDDoS attack. The Strong-Protected group also consists of two kinds of computers, tolerant computers (T-node), and missed computers (M-node). Tolerant computers (T-node) represent computers with a firewall (which usually means servers) and works normally, while missed computers (M-node) denote the computers with a firewall but cannot respond to the request and become missed for the visitors due to the APDDoS attacks (see Figure 1).

Figure 1 

Schematic diagram of APDDoS attack.

Based on the above facts, some constants can be defined as follows:(i)G= (V, E): the network structure of the computers on network, and G can be represented as an undirected, connected, and nonlooped graph.(ii)N: the scale of network G, which is also the whole number of the computer in the G.(iii)A: the matrix of the network connection situation. A is a symmetric matrix with zero diagonal. , , .(iv): the spectrum of A, . As A is real and symmetric, we may assume .(v)S_i(t): the node, which is susceptible(S-node) at time t.(vi)I_i(t): the node, which is infected(I-node) at time t.(vii)T_i(t): the node, which is tolerant(T-node) at time t.(viii)L_i(t): the node, which is missed(M-node) at time t.

Next, some reasonable assumptions are proposed as follows [18–21].

(H1) As executing some operations that do harm to the computer security, like browsing the phishing websites or opening the phishing email, etc., any S_i infected by the neighboring I-nodes with probability β, the average probability of each S_i gets infected per unit time, is .

(H2) By installing some antivirus soft-wares, any I_i(t) recovers to the state of susceptible, which also means becoming S_i(t) with the probability γ.

(H3) As occurring APDDoS attacks, any T_i(t) can be attacked by neighboring I-nodes with the probability α. By calculating, the average probability of each T_i(t) turns into the M_i(t) per unit time is .

(H4) As changing the hardware of computers and strengthen the firewall, any M_i(t) restarts or recovers with the probability η.

(H5) As the two groups of the computer are separated, the paper uses ϕ to denote the proportion of the Weak-Protected group and then is the proportion of the Strong-Protected group; also there are S_i (t)+I_i (t)= ϕ and T_i (t)+M_i(t)=1-ϕ.

Let Also, the following equations can be obtained:

In order to satisfy these above equations, β and α should be far less than 1. Let ∆t be a very small interval. According to the assumptions given above, the following equations can be got:

Substituting these equations into the above relations and letting >0, the following 4N-dimensional dynamic system has been proposed:with the initial conditions that , , , .

According to Assumption (H5) that , , system (4) can be rewritten into the following 2N-dimensional dynamic system:with the initial conditions , .

Since the first N equations of system (5) are independent of M, so system (5) can be simplified into the following form:with the initial conditions .

3. Model Analysis

This section aims to understand the dynamical behavior of system (5) and system (6) which was proposed in the previous section.

Clearly, there is a unique attack-free equilibrium in system (5). First, consider properties of the attack -free equilibrium of system (5).

To achieve that, let

Let x(t)=(I₁(t), …, I_N(t),M₁(t), …, M_N(t), and rewrite system (5) as the following notation: with the initial condition , where

Let

Theorem 1. Consider system (5) that (a)the attack-free equilibrium P₀ is locally asymptotically stable if ;(b)the attack-free equilibrium P₀ is a saddle point.

Proof. The characteristic equation with respect to P₀ isEquation (11) has negative roots with multiplicity N and has ,1≤ k ≤ N as the remaining N roots. When , then for all k. So, all the roots of (11) are negative, implying that the attacked-free equilibrium of system (5) is locally asymptotically stable. Otherwise, if , then the attack-free equilibrium is a saddle point.
Remark 2. This theorem can also be formulated as (a) , and (b) .
Next, study the global stability of the attack-free equilibrium of system (6).
LetLet y(t)=(I₁(t), …, I_N(t), and rewrite system (6) as the following notation: with the initial condition , where Lemma 3 (see [22]). Consider a smooth dynamical system that is defined at least in a compact set U. Then, U is positively invariant if for any smooth point  w on , the vector g(w) is tangent to or pointing into U.
Lemma 4 (see [23, 24]). Consider an n-dimensional autonomous systemwhere Γ is a region that contains the origin, , . Suppose there is a positively invariant compact convex set that contains the origin, and a real eigenvector of , a positive number r such that
(C1) for all ,
(C2) for all ,
(C3) the origin forms the largest positively invariant set that is included in the set .
Then we have
(1) implies that the origin is globally asymptotically stable in C,
(2) implies there exists such that implies .
Lemma 5. The set of Ψ is positively invariant for system (6). That is, implies for all .and for i=1,…,N, T_i, W_i. We haveas their respective outer normal vectors. Let y be a smooth point of∂Ψ. The paper distinguishes among two possibilities.Combining the above discussions, we get that g(w) is pointing into ∂Ψ. The claimed result then follows from Lemma 3. The proof is completed.

Theorem 6. The attacked-free equilibrium of system (6) is globally and asymptotically stable if .

Proof. Look at system (13). As matrix   is irreducible and its off-diagonal entries are all nonnegative, it follows from [23] that   has a positive eigenvector z= (z₁, …, z_N) belonging to its eigenvalue s(). Let r=min_i z_i(r>0). Then, for all , we have Moreover, <H(y), z> = 0 implies that y=0. In view of Theorem 1 and Lemma 5, the claimed result follows from Lemma 4. The proof is complete.

Theorem 7. The attacked-free equilibrium of system (5) is globally and asymptotically stable if (see Figures 2, 4, 6, and 8).

Figure 2 

Status transition graph of the basic model (the dashed line on the graph means the attack from I-node to T-node).

Proof. It follows from Theorem 6, which implies thatfor any ε> 0 there exists time T₁ such that, for all , we haveFrom the last N equations of system (5), we get that for And for ,As the comparison systemhas a globally asymptotically stable equilibrium , we get that, for any ε> 0, there exists T₂> 0 such that, for all t≥T₂,This implies thatThe proof is complete.

The following corollary can be obtained easily based on Lemma 4 and Theorem 7.

Corollary 8. System (5) is uniformly persistent if.
Second, consider properties of the attacked equilibrium of system (5).

Theorem 9. System (5) has an attacked equilibrium if .

Proof. Note that any solution of system (5) is bounded. Hence, the claimed result follows easily from Corollary 8 [25].

Theorem 10. The attacked equilibrium is globally attractive if .

Proof. For any solution P(t) to system (5), let Clearly, , are continuous and have right-hand derivatives. For some t₀ and ε> 0, we may assume , thenIf , then .
When ,When ,As , , we know that , implying . Likewise, implies ; implies , and implies .
LetObviously, and are continuous and nonnegative.
Besides,LetThenAny solution of system (5) starting in Ω approaches follows from the LaSalle Invariance Principle [26]. Therefore, the claimed follows from is globally attractive.