#### Abstract

Both vaccination and quarantine strategy are adopted to control the Internet worm propagation. By considering the interaction infection between computers and external removable devices, a worm propagation dynamical system with time delay under quarantine strategy is constructed based on anomaly intrusion detection system (IDS). By regarding the time delay caused by time window of anomaly IDS as the bifurcation parameter, local asymptotic stability at the positive equilibrium and local Hopf bifurcation are discussed. Through theoretical analysis, a threshold is derived. When time delay is less than , the worm propagation is stable and easy to predict; otherwise, Hopf bifurcation occurs so that the system is out of control and the containment strategy does not work effectively. Numerical analysis and discrete-time simulation experiments are given to illustrate the correctness of theoretical analysis.

#### 1. Introduction

Internet worms, a great threat to network security, can spread quickly among hosts via wired or wireless networks. In real network environments, many intelligent worms, such as Conficker, Stuxnet, and Flamer, can also spread themselves via external removable devices (USB drives, CD/DVD drives, external hard drives, etc.), which, alongside networks, have become one of the main means of infection transmission. Conficker can copy itself as the autorun.inf to removable media drives in the system, thereby forcing the executable to be launched every time a removable drive is inserted into a system [1, 2]. Discovered in the summer of 2010, Stuxnet is a threat targeting a specific industrial control system (ICS) likely in Iran, such as a gas pipeline or power plant. Removable devices are one of the main pathways for Stuxnet to migrate from the outside world to supposedly isolated and secure ICS [3–5]. Discovered in May 2012, Flamer can spread via removable drives using a special folder that hides the files and can result in automatic execution on viewing the removable drive when combined with the Microsoft Windows Shortcut “LNK/PIF” File Automatic File Execution Vulnerability (CVE-2010-2568) [6, 7]. Therefore, it is time to analyze the dynamic behavior and containment strategy of such worms.

Worm propagation dynamical systems play an important role in predicting the spread of worms. They aid in identifying the weakness in the worm spreading chain and provide accurate prediction for the purpose of damage assessment for a new worm threat. Over the past decades, much research has been done on the dynamical behavior of worms. Kermack and Mckendrick [8] proposed the classical SIR model to explain the rapid rise and fall in the number of infected patients observed in epidemics, which also suits the worm spread. Based on the classical SIR model, Zou et al. derived an Internet worm model called the two-factor model [9]. Quarantine strategy, which borrows from the method of epidemic disease control, has been widely used in worm containment and produced a tremendous effect on controlling worm propagation [10–14]. Zou et al. proposed a worm propagation model under dynamic quarantine defense based on the principle “assume [*sic*] guilty before proven innocent” [10]. Wang et al. proposed a novel epidemic model named SEIQV model which combines both vaccinations and dynamic quarantine methods [11]. However, there is time delay in actual network environment, which may lead to bifurcation phenomenon. Much research has been done on time delay and bifurcation [15–25]. Han and Tan studied the dynamic spread behavior of worms by incorporating the delay factor [19]. Dong et al. proposed a computer virus model with time delay based on SEIR model and regarded time delay as bifurcating parameter to study the dynamical behaviors including local asymptotical stability and local Hopf bifurcation [20]. Yao et al. constructed a model with time delay under quarantine strategy [21]. Wu et al. investigated the problem of sliding mode control of Markovian jump singular time-delay systems [23]. Li and Zhang established a delay-dependent bounded real lemma for singular linear parameter-varying systems with time-variant delay [24]. The problems of D-stability and nonfragile control for a class of discrete-time descriptor Takagi-Sugeno fuzzy systems with multiple state delays are discussed in [25].

However, the above works pay little attention to the effect of removable devices on worm propagation. As mentioned above, removable devices have become a main pathway for some worms to intrude into hosts that are not connected to the Internet. Song et al. presented a worm model incorporating features specific to worms spreading via both web-based scanning and removable devices [26]. Zhu et al. studied the dynamics of interaction infection between computers and removable devices in [27]. However, time delay and bifurcation are not considered in their work. In this paper, by considering the interaction infection between hosts and removable devices, we model a delayed worm propagation dynamical system which combines both vaccination and quarantine strategy. Local asymptotic stability of the positive equilibrium and local Hopf bifurcation are discussed to analyze the influence of time delay on worm propagation dynamical system.

The main contributions of this paper can be summarized as follows.

(1) Considering the influence of removable devices on Internet worm propagation and the time delay caused by anomaly IDS, we propose a novel worm propagation dynamical system with time delay.

(2) We analyze the system stability at positive equilibrium and derive the time delay threshold at which Hopf bifurcation occurs.

(3) By numerical analysis, we illustrate the correctness of theoretical analysis.

(4) The discrete-time simulation is adopted to simulate the worm propagation in real network environment. The results demonstrate the reasonableness of the worm propagation model.

The rest of the paper is organized as follows. In Section 2, considering the influence of removable devices, a worm propagation dynamical system with time delay under quarantine strategy is constructed. In Section 3, local stability of the positive equilibrium and local Hopf bifurcation are investigated. In Section 4, several numerical analyses supporting the theoretical analysis are given. Section 5 makes a comparison between simulation experiments and numerical ones. Finally, we give our conclusions in Section 6.

#### 2. Model Formulation

The system contains both hosts and removable devices. In this model, all hosts are in one of the following five states: susceptible (), infectious (), delayed (), quarantined (), and removed (). All removable devices are divided into two groups: susceptible () and infectious (). and denote the total number of hosts and removable devices, respectively. That is, ; . Susceptible () hosts, which are vulnerable to the attack from worms, will be infected by infectious hosts or removable devices; then they will infect other hosts connected to them or removable devices plugged into them. Infectious () hosts will be immunized by antivirus software at the rate of . Removed () hosts, which have been immunized by antivirus software, will become susceptible at reassembly rate . Hosts whose behavior looks anomalous will be quarantined by IDS and then enter the quarantined () state. A susceptible removable device () will be infected when inserted into an infectious host. The worm in an infectious removable device () will be eliminated when the device is connected to a removed host; the device then returns to the susceptible state.

The quarantine strategy is an effective measure to defend against worms’ attack and make up for the deficiency of vaccination strategy. In this paper, an anomaly intrusion detection system is chosen for applying quarantine strategy. Compared with misuse IDS, anomaly IDS has a great advantage in detecting unknown intrusions or variants of known intrusions. However, anomaly IDS judges whether a detected behavior is an attack or not by comparing the detected behavior with the normal or expected behavior of system and user. If a deviation occurs, the detected behavior is treated as an intrusion immediately. Because of the difficulty in collecting and building the normal behavior database, a high false-alarm rate is considered the main drawback of anomaly IDS. In order to reduce the false alarms of anomaly IDS, the mechanism of time window is adopted. A suspicious behavior will not trigger an alarm immediately. Instead, anomaly IDS has a period of time to analyze the accumulated behavior. Therefore, an intermediate state, delayed () state, is added into the propagation model. The larger the value of the time window, the fewer false alarms are raised by anomaly IDS, because there is enough time for anomaly IDS to recognize whether a behavior is an intrusion or not. However, an overlarge time window may lead to the worm propagation dynamical system being unstable and out of control. The main notations and definitions are listed in Table 1. The state transition diagram is given by Figure 1.
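The time-window trade-off described above, as an added example (not code from the paper): a minimal per-host detector in which a host enters the delayed state on its first suspicious sample and is quarantined only if the mean rate over a full window stays above a threshold. Host names, event counts, the onset time, and the threshold are constructed for illustration.

```python
from collections import defaultdict

WORM_ONSET = 3  # constructed: second at which "ws-worm" starts scanning


def build_events(duration=12):
    """Constructed sample: (second, host, failed outbound connections that second)."""
    events = []
    for t in range(duration):
        # Benign host: one isolated burst at t=4 (e.g. a misconfigured client).
        events.append((t, "ws-benign", 40 if t == 4 else 1))
        # Infected host: sustained scanning from WORM_ONSET onwards.
        events.append((t, "ws-worm", 30 if t >= WORM_ONSET else 1))
    return events


def run_detector(events, window, threshold=20):
    """Return ({host: quarantine second}, {host: times cleared after a window})."""
    delayed = {}                  # host -> samples collected while in the delayed state
    quarantined = {}
    cleared = defaultdict(int)
    for t, host, count in sorted(events):
        if host in quarantined:
            continue              # quarantined hosts are no longer observed
        if host not in delayed:
            if count < threshold:
                continue          # normal behaviour, nothing to accumulate
            delayed[host] = []    # first suspicious sample: enter the delayed state
        samples = delayed[host]
        samples.append(count)
        if len(samples) < window:
            continue              # window still open, no alarm yet
        del delayed[host]
        if sum(samples) / window >= threshold:
            quarantined[host] = t
        else:
            cleared[host] += 1    # deviation did not persist: false alarm avoided
    return quarantined, dict(cleared)


def scans_before_quarantine(events, quarantine_time):
    """Scan attempts the infected host emits from onset until it is quarantined."""
    return sum(c for t, h, c in events
               if h == "ws-worm" and WORM_ONSET <= t <= quarantine_time)


def compare(windows=(1, 5)):
    """Run the same constructed traffic through detectors with different windows."""
    events = build_events()
    report = {}
    for w in windows:
        quarantined, _cleared = run_detector(events, w)
        q_time = quarantined["ws-worm"]
        report[w] = {
            "false_alarm": "ws-benign" in quarantined,
            "detection_delay": q_time - WORM_ONSET,
            "scans_before_quarantine": scans_before_quarantine(events, q_time),
        }
    return report


if __name__ == "__main__":
    for w, row in compare().items():
        print(f"window={w}s -> {row}")
```

With the 1-second window the benign burst is quarantined as a false alarm; with the 5-second window it is cleared, but the infected host keeps scanning for four more seconds before it is quarantined.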

On the basis of current research, we present a delayed worm propagation model which combines both vaccination and quarantine strategy. Several appropriate assumptions are given as follows.

(1) denotes the infection ratio of infectious hosts. Therefore, at time *t*, the infection force of infectious computers to susceptible computers is given by .

(2) Infectious removable devices have the same infectious ability as the infectious hosts. is the contact infection rate between computers and removable devices, that is, the interactive infection rate when a removable device links to a host. The probability of connecting removable devices for every host is , and the probability of removable device exactly being in the infectious state is . Therefore, the infection force of infectious removable devices to susceptible hosts is .

(3) Susceptible removable devices will be infected when connecting to an infectious host, and then they will infect any other hosts to which they are connected. Meanwhile, worms of infectious removable devices will be eliminated when connecting to one immunized host. That is, the infection force of infectious hosts to susceptible removable devices is , and the recovery force of removed hosts to infectious removable devices is .

(4) Owing to the influence of time delay , the increment of the number of quarantined hosts is the ones quarantined at time . Therefore, the increment is .

(5) The time window mechanism leads to an intermediate state, delayed state . The increment of the number of delayed hosts at time *t* is given by ; the decrement of delayed hosts is the number of those being quarantined, that is, .

Based on the analyses and assumptions above, the delayed differential equations of the model are formulated as (1). The differential on the left of equations means the change rate of related states at time *t*. Consider

#### 3. Stability at the Positive Equilibrium and Bifurcation Analysis

Theorem 1. *The system (1) has a unique positive equilibrium , where*

*Proof.* For system (1), according to [28], if all the derivatives on the left of equal sign of the system are set to 0, which implies that the system becomes stable, we can derive
where
Assume that system (1) becomes stable at time . By integrating the fourth equation of system (1) with time from 0 to , we can get
Since ,
Obviously, (6) has one unique positive root . So there is one unique positive equilibrium of system (1). The proof is completed.

Since , , , . System (1) can be simplified to The Jacobian matrix of (7) about is given by Let The characteristic equation of system (8) can be obtained by where

Theorem 2. *The positive equilibrium is locally asymptotically stable without time delay, if condition () is satisfied:*

*where*

*Proof.* When , (10) reduces to

According to Routh-Hurwitz criterion, all roots of (14) have negative real parts. Therefore, it can be concluded that the positive equilibrium is locally asymptotically stable without time delay. The proof is completed.

If is the root of (10), separating the real and imaginary parts, the following two equations can be obtained: From (15), the following equation can be obtained: That is, where Letting , (17) can be written as Zhang et al. [18] obtained the following results on the distribution of roots of (19). Denote

Lemma 3. *For the polynomial equation (19),*(1)*if , then (19) has at least one positive root;*(2)*if and , then (19) has positive root if and only if and ;*(3)*if and , then (19) has positive root if and only if there exists at least one , such that and .*

Lemma 4. *Suppose that condition , , , is satisfied.*(1)*If one of the following holds, (a) ; (b) , , , and ; (c) , and , and there exists at least a such that and , then all roots of (10) have negative real parts when ; here, is a certain positive constant.*(2)*If conditions (a)–(c) of (1) are not satisfied, then all roots of (10) have negative real parts for all .*

*Proof.* When , (10) can be reduced to

According to the Routh-Hurwitz criterion, all roots of (21) have negative real parts if and only if , , , and .

From Lemma 3, it can be known that if (a)–(c) are not satisfied, then (10) has no roots with zero real part for all ; if one of (a)–(c) holds, when , , , (10) has no roots with zero real part and is the minimum value of , so (10) has purely imaginary roots. According to [18], one obtains the conclusion of the lemma.

Let be the root of (10), and .

From Lemmas 3 and 4, the following are obtained.

When conditions (a)–(c) of Lemma 4(1) are not satisfied, always has no positive root. Therefore, under these conditions, (10) has no purely imaginary roots for any , which implies that the positive equilibrium of system (7) is absolutely stable. Therefore, the following theorem on the stability of positive equilibrium can be easily obtained.

Theorem 5. *Supposing that condition () is satisfied, (a) , , , and ; (b) and , and there is no such that and , then the positive equilibrium of system (7) is absolutely stable.*

In what follows, it is assumed that the coefficients in satisfy the condition (a) , , , and ; (b) , and there is no such that and .

According to [29], it is known that (19) has at least a positive root , which implies that characteristic equation (10) has a pair of purely imaginary roots .

Since (10) has a pair of purely imaginary roots , the corresponding is given by (15). Consider

Let be the root of (10). and are satisfied when .

Lemma 6. *Suppose that . If , then is a pair of purely imaginary roots of (10). In addition, if the conditions of Lemma 4(1) are satisfied, then .*

It is claimed that

This signifies that there is at least one eigenvalue with positive real part for .

Differentiating two sides of (10) with respect to , it can be written as

Therefore

where . It follows from the hypothesis that and therefore the transversality condition holds. It can be obtained that

The root of characteristic equation (10) crosses from the left to the right on the imaginary axis as continuously varies from a value less than to one greater than according to Rouche’s theorem [15]. Therefore, according to the Hopf bifurcation theorem [30] for functional differential equations, the transversality condition holds and the conditions for Hopf bifurcation are satisfied at . Then the following result can be obtained.

Theorem 7. *Supposing that condition is satisfied,*(1)*if , then the positive equilibrium of system (7) is asymptotically stable and unstable when ;*(2)*if condition is satisfied, system (7) will undergo a Hopf bifurcation at the positive equilibrium when (), where is defined by (22).*

This implies that when the time delay , the system will stabilize at its infection equilibrium point, which is beneficial for us to implement a containment strategy; when time delay , the system will be unstable and worms cannot be effectively controlled.

#### 4. Numerical Analysis

In this section, several numerical results are presented to prove the correctness of the theoretical analysis above. 750,000 hosts and 50,000 removable devices are selected as the population size; the worm’s average scan rate is per second. The worm infection rate can be calculated as , which means that on average 0.698 hosts of all the hosts can be scanned by one infectious host. The infection ratio is . The contact infection rate between hosts and removable devices is . The recovery rates of infectious hosts and removable devices are and , respectively. The immunization rate of quarantined hosts is and the reassembly rate of immunization hosts is . At the beginning, there are 50 infectious hosts and 20 infectious removable devices, while the rest of the hosts and removable devices are susceptible.

In anomaly intrusion detection system, the rate at which infected hosts are detected and quarantined is per second. It means that an infected host can be detected and quarantined in about 5 s. The rate at which susceptible hosts are detected and quarantined is per second; that is, about two false alarms are generated by the anomaly intrusion detection system per day.

When , Figure 2 presents the changes of the number of five kinds of hosts and Figure 3 shows the curves of two kinds of removable devices. According to Theorem 5, the positive equilibrium is asymptotically stable when , which is illustrated by the numerical simulations in Figures 2 and 3. Finally, the number of every kind of host and removable device keeps stable.

When gets increased and passes through the threshold , the positive equilibrium will lose its stability and a Hopf bifurcation will occur. A family of periodic solutions bifurcates from the positive equilibrium . When , Figure 4 shows the curves of susceptible, infectious, quarantined, and removed hosts and the numerical simulation results of two kinds of removable devices are depicted by Figure 5. From Figures 4 and 5, we can clearly see that every state of hosts and removable devices is unstable. Figure 4 shows that the number of infectious hosts breaks out after a short quiet period, and that this pattern repeats again and again.

In order to state the influence of time delay, the delay is set to a different value each time with other parameters remaining unchanged. Figure 6 shows four curves of the number of infectious hosts in the same coordinate with four delays: , , , and , respectively. Figures 7(a)–7(c) show four curves of the number of infectious hosts in four coordinates. Initially, the four curves are overlapped which means that the time delay has little effect on the initial state of worm spread. With the increase of the time *T*, the time delay affects the number of infectious hosts. With the increase of time delay, the curve begins to oscillate. The system becomes unstable as time delay passes through the critical value . At the same time, it can be discovered that the amplitude and period of the number of infectious hosts gradually increase.


Figures 8(a) and 8(b) show the phase portraits of susceptible hosts and infectious hosts with and , respectively. Figures 9(a) and 9(b) show the projection of the phase portrait of system (1) in -space when and , respectively. It is clear that the curve converges to a fixed point when , which means that the system is stable. When , the curve converges to a limit cycle, which implies that the system is unstable and the worm propagation is out of control.


Figure 10 shows the bifurcation diagram with from 1 to 90. It is clear that Hopf bifurcation will occur when .

#### 5. Simulation Experiments

In our simulation experiments, the discrete-time simulation is adopted because it is accurate and less time-consuming. The discrete-time simulation is an expanded version of Zou’s program simulating Code Red worm propagation. All of the parameters are consistent with the numerical experiments.

Figures 11(a)–11(d) show the comparisons between numerical and simulation curves of susceptible, infectious, quarantined, and removed hosts when , respectively. It is clearly seen that the simulation curves match the numerical ones very well. Figures 12(a)–12(d) show the comparisons between numerical and simulation results of four kinds of hosts when . In this figure, two curves are still matched well. It fully illustrates the correctness of our theoretical analysis.


#### 6. Conclusions

In this paper, considering the influence of removable devices, a delayed worm propagation dynamical system based on anomaly IDS has been constructed. By regarding the time delay caused by time window of anomaly IDS as the bifurcation parameter, the local asymptotic stability at the positive equilibrium and local Hopf bifurcation were discussed. Through theoretical analysis and related experiments, the main conclusions can be summarized as follows.

(a) The critical time delay where Hopf bifurcation appears is derived:

(b) When the time delay , worm propagation system is stable and worms’ behavior is easy to predict, which is beneficial for us to implement containment strategy to control and eliminate the worm.

(c) When time delay , Hopf bifurcation occurs, which implies that the system will be unstable and containment strategy does not work effectively.

Thus, in order to control and even eliminate the worm, the size of time window of anomaly IDS must be less than . In real network environment, various factors can affect worm propagation. This paper concentrates on analyzing the influence of time delay caused by anomaly IDS; other factors having an impact on worm propagation will be the center of our future study.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This paper is supported by the Program for New Century Excellent Talents in University (NCET-13-0113); Natural Science Foundation of Liaoning Province of China under Grant no. 201202059; Program for Liaoning Excellent Talents in University under LR2013011; Fundamental Research Funds of the Central Universities under Grant nos. N120504006 and N100704001; and MOE-Intel Special Fund of Information Technology (MOE-INTEL-2012-06).