Security and Communication Networks

Volume 2017, Article ID 2910310, 8 pages

https://doi.org/10.1155/2017/2910310

## Malware Propagation and Prevention Model for Time-Varying Community Networks within Software Defined Networks

^{1}School of Electronics & Information, Guangdong Polytechnic Normal University, Guangzhou 510665, China

^{2}Cyber Security Lab, Department of Computer Science, University of Waikato, Hamilton, New Zealand

Correspondence should be addressed to Lan Liu; moc.621@ll_tsuh

Received 10 December 2016; Revised 18 February 2017; Accepted 5 March 2017; Published 28 March 2017

Academic Editor: Ángel Martín Del Rey

Copyright © 2017 Lan Liu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

As the adoption of Software Defined Networks (SDNs) grows, the security of SDN still has several unaddressed limitations. A key network security research area is in the study of malware propagation across the SDN-enabled networks. To analyze the spreading processes of network malware (e.g., viruses) in SDN, we propose a dynamic model with a time-varying community network, inspired by research models on the spread of epidemics in complex networks across communities. We assume subnets of the network as communities and links that are dense in subnets but sparse between subnets. Using numerical simulation and theoretical analysis, we find that the efficiency of network malware propagation in this model depends on the mobility rate of the nodes between subnets. We also find that there exists a mobility rate threshold . The network malware will spread in the SDN when the mobility rate . The malware will survive when and perish when . The results showed that our model is effective, and the results may help to decide the SDN control strategy to defend against network malware and provide a theoretical basis to reduce and prevent network security incidents.

#### 1. Introduction

With separate control and data planes for computer networking [1], Software Defined Networks (SDNs) are considered by many to be a promising network platform as they empower programmability and flexible configuration—paving the way for more powerful network control and traffic data analysis. However, the SDN architecture also introduces complexity and increased risks to network security. With the continuous development of SDN security applications, we need to anticipate issues that might arise throughout the implementation of SDN-based security applications.

At their core, SDN computer networks are complex systems [2]. Research on computer networks covers network topology, network traffic characteristics, and the influence of node behavior on the whole network. The spread and prevention of network malware are key technologies studied in SDN and have been one of the most prolific fields in complex network dynamics research. Through our research, we found that some characteristics of computer network virus propagation are similar to real-world epidemic spread.

Compared to past computer network architectures (where it is not easy to control the whole network from the global level), SDNs are considered by many to be a promising network platform as they empower programmability and flexible configuration—enabling powerful network control and traffic data analysis. As such, the study of the transition probability for malware within SDN is not just an interesting endeavor but also an important research area considering upcoming trends in computer networking. Hence, in this research, we present a simple network model with a time-varying community network and investigate network malware spreading processes within this model. In terms of scope, this paper does not consider the source or the specific types of the malware.

The remainder of the paper is organized as follows. Section 2 discusses the background and related work. In Section 3, a model with a time-varying community network of malware propagation in SDN is proposed. Then, in Section 4, we implement a numerical simulation to evaluate the influences of the mobility rate on the dynamic behavior of SDN, and the theoretical analysis of this model is performed. In Section 5, the possible applications of our research are presented. Finally, we conclude and offer prospective areas for future research in Section 6.

#### 2. Background and Related Work

##### 2.1. Industry Trends

This research paves the way for practical implementations using SDN as a platform for malware propagation control. In the industry, Google has already deployed SDN for data center backbone traffic. Major commercial switch vendors including Cisco, IBM, HP, Dell, and Juniper Networks have announced intent to support or have already launched switching products that support SDN. We see a lot of potential in applying our research to similar environments.

The market research company IDC predicts that the market for SDN applications will reach $37 billion by 2016 [3]. It is also realistic to expect malware (e.g., network viruses, Botnets) to continue to be a threat for future SDN deployments. Specifically, we witness a recent surge in malware (e.g., Mirai) specifically designed for launching Distributed Denial-of-Service (DDoS) attacks against network-connected assets. To assure Internet security, effective malware detection is indispensable. Our research addresses these issues directly.

##### 2.2. Research Trends and Gaps

Research on the network security of SDN has raised concern in recent years. Most prior studies have looked at the development and analysis of SDN security applications [4]. However, few solutions provide an effective defense mechanism against the threat of attacks in SDNs, because all types of open applications make the end-hosts and switches the target of attacks, which is a threat to the entire network [5]. Among all types of security incidents, network malware usually spreads quickly and has a strong influence on availability, making network malware the most important issue to resolve in Internet security.

The control plane of SDN has direct control over the data plane elements [6]. Network administrators of SDNs often use programmable soft switches to provide network virtualization. Modifying routing rules is difficult in traditional networks but easy in SDNs, which helps address problems of traditional networks and makes it possible to adjust the routing strategy of the entire network. The logical centralization of network intelligence presents exciting challenges and opportunities to enhance security in such networks, including new ways to prevent, detect, and react to threats, as well as innovative security services and applications that are built upon SDN capabilities. Malicious code detection and prevention under the new architecture need further study [7–14].

At its core, the spread of network malware on the Internet is a dynamic complex network challenge. In complex network dynamics, if the network evolution speed is slower than the information transmission speed, the network can be approximately regarded as static. This assumption holds in many cases, such as computer malware spreading on the Internet. Therefore, we consider that the community structures in complex network models have considerable influence on the spreading of network malware in SDN.

In recent years, many studies have indicated that time-varying networks play an important role in the investigation of the network malware spreading that occurs in complex networks [15]. In computer networks, we can assume subnets as “communities” and “links” that are dense in a subnet but sparse between subnets. Network malware spreading is rapid in the subnets but slow between subnets. Because different subnets are disparate, it is impossible for individuals to propagate malware to different subnets at the same time even if these individuals have connections with many different subnets in a static network. Thus, there are no links among subnets at each time step in a time-varying network, but individuals can move among subnets because of the centralized control of SDN [16].

Toutonji and Yoo proposed a model, Passive Worm Dynamic Quarantine (PWDQ), to enable network malware detection and protection [17]. When a node is listed as a suspicious node, the PWDQ model departs from previous models in that infected nodes will be recovered either by passive benign worms or by quarantine measures. Computer simulations show that this method may decrease the number of infectious nodes and reduce the speed of network malware propagation.

Omote and Shimoyama found a method for preventing the spread of network malware [18]. An estimating unit calculates the expected number of infected nodes when the malware transmits a predetermined number of packets, based on the infectivity calculated by the infectivity calculating unit.

Bradley et al. [19] and other studies have shown that the network topology has an impact on network malware spreading: the closer to the “center” of the network the malware is, the faster the malware spreads and the higher the probability of repeated infection is.

Gourdin et al. found that the effect of network malware spreading in a telecommunication network [20], where a certain curing strategy is deployed, can be captured by epidemic models. In their model, the probability of each node being infected depends on the curing and infection rate of its neighbors.

Tang and Li investigated malware spread in Wireless Sensor Networks (WSNs) through Susceptible-Infective (SI) epidemic models [21] and proposed two adaptive network protection schemes for securing WSNs against malware attacks.

Abaid et al. [22] proposed elastically partitioning network traffic to enable distributing detection load across a range of detectors and making a centralized SDN controller, which allows for network-wide threat correlation as well as quick control of malicious flows.

Ichiro et al. mentioned that, in security incident response, the isolation of network virus-infected nodes and investigation of the damage caused by network virus activity are needed [23]. They proposed a method to isolate virus-infected nodes while avoiding detection by the malware, by changing the network quickly and partially using SDN.

Hosseini et al. [24, 25] proposed a dynamic model of malware propagation in scale-free networks (SFNs) based on a rumor spreading model. The model considers the impact of software diversity to halt the outbreak of malware in networks. Their research stated that the simulation results demonstrate that the model is more effective than other existing models of malware propagation in terms of reducing the density of infected nodes.

These research efforts provide several new approaches for studying network malware spreading and prevention in the SDN environment. In terms of our approach, we believe that since an SDN controller can manage and quarantine nodes in the entire network, when new network malware breaks out in a subnet, this controller may change the flow table strategy according to network status and prevent the spreading of the malware to other subnets. As such, we designed a network malware propagation model of SDN to effectively defend against the spreading of network malware.

#### 3. Modeling Network Malware Spreading in an SDN Environment

As the spread of network malware in SDN is similar to the spread of diseases, we can use similar models to study the spread of network malware. This type of model has two assumptions: the state of a network node at any moment is limited, the states including *“susceptible”*, *“infected”*, *“recovery”*, and *“isolation”*; and the infected nodes have a certain probability of infecting other nodes in the network. We can choose different sets of states according to the characteristics of the network malware and the modeling purposes.

Our mathematical model of computer malware spread is mostly based on the Susceptible-Infected-Recovery (SIR) model or the simple Susceptible-Infected-Susceptible (SIS) model [26]. To simplify our research, we adopted the SIS model, where each node belongs to one of two states: susceptible or infected [27, 28]. Mathematical analysis on such a model has revealed the importance of topology for propagation dynamics. Particularly, we found that the time-varying community network model is suitable for networks with small numbers of susceptible nodes, and we assumed that the network evolves more slowly than the diffusion process.

##### 3.1. Model Assumptions

Different nodes belong to different subnets in a computer network. In our study, we use logical subnets to classify the community network; network malware spreads more quickly within a subnet and slowly between different subnets. To simplify the complex model, we assume that the network malware cannot spread between different subnets in normal conditions. Because the SDN may change its routing strategy, when one infected node moves from one logical subnet to another, it is likely to cause the network malware to spread between subnets.

To study the effects of network malware spreading when an infected node changes from one subnet to another in SDN, we establish some simple model assumptions.

Consider a total population of nodes in the model, which means that no new nodes enter or leave the system at any time.

In the model, nodes only have two possible states: susceptible () and infected (). A node must be in one of the two states, and an infected node cannot be infected again. We define the initial infected nodes as .

The network malware cannot spread between different subnets in normal conditions, which means that there are no infection paths between different subnets.

Assume that each susceptible neighbor of an infected node has a probability of being infected and a susceptible node has infected neighbors at time in the model. At step, this susceptible node will become infected with probability . At the same time, the infected node may become susceptible at rate through network malware killing and patching.

##### 3.2. Model with Time-Varying Community Network

Although various studies have shown that a computer network is a “scale-free” network, to simplify the model, we begin our analysis with the simple time-varying community network.

Based on the model assumption, we construct a time-varying community network with network malware spreading.

Consider a total population of nodes that is divided into subnets with random nodes in each subnet, and let them satisfy

For each subnet *i*, we use probability to add a link between each two nodes and let them satisfy

In addition, is the average degree of the entire network.

When an infected node jumps from one subnet into another subnet, it will spread the network malware. We assume that every node has probability *q* to jump to another subnet, which is chosen randomly. In order to simulate malware spreading caused by node jumps, we add links between different subnets with probability *q*. During each time step, we break all of the links between different subnets that were connected at the last time step, and then connect nodes in different subnets with probability *q* again. The most important value is a threshold . The network malware spreads and the network becomes infected for and the malware perishes for . In this model, we have a network malware threshold . The network malware spreads and the network becomes infected when . From the theory of probability [29], we have in the time-varying community network model. For a specific community , when the mobility rate , its network malware subthreshold is defined as

The network malware in the specific community will survive when and die for . We assume that there is only one seed at the beginning, which means . The network malware will spread within the subnet where the seed is chosen and will not affect other subnets.

Because of the regular changes in the routing strategy in SDN, network nodes including mobile devices, network devices, and hosts can be redirected, which means that the node mobility rate between subnets satisfies . When , even if there is only one seed at the beginning, the network malware may spread into all of the subnets. We discover that the time of the network malware outbreak in the subnets is dependent on the mobility rate . When , a mobility rate threshold is considered. The network malware in subnet is where can survive when because of the jump of infected nodes.

#### 4. Simulation and Evaluation

To simulate the network malware spreading, we use a similar experimental environment. To be brief we set and analyze the network malware spreading in two cases. At the beginning, there is only one infected node, , and we set , , , , , and . These parameters satisfy (1) and (2).

*(A)* ( ). Let us set . We can obtain and from (3). We set .

In the simulation, we chose an infected node in the first subnet randomly, and the other nodes in the two subnets were susceptible. We ran the simulation with the mobility rate between the subnets set to 0.00001, and the result is shown in Figure 1. The curve with black asterisks represents the density of infected nodes in the first subnet as a function of time with mobility rate , and the other curves represent the evolution of infected nodes in the second subnet with different mobility rates from 0.00001 to 0.000001.
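The model of Sections 3.1 and 3.2 and the simulation setup of Section 4 can be reproduced in a few dozen lines. The following Python script is an added example and is not the authors' simulation code: it builds the static intra-subnet topology, rebuilds the inter-subnet "jump" links with probability *q* at every step, and runs the synchronous SIS update with a single seed in the first subnet. Only *q* is named on the page; the parameter names `beta` (infection probability per infected neighbor), `gamma` (cleaning rate), `link_probs` (per-subnet link probability) and the numeric values in the `__main__` block are this example's own assumptions, not the paper's.

```python
import random


def build_subnets(sizes, link_probs, rng):
    """Static topology: nodes 0..N-1 in contiguous blocks, block i = subnet i.
    Each pair inside subnet i is linked with probability p_i; there are no
    static links between subnets (the paper's normal-condition assumption)."""
    subnet_of, adj, start = [], [], 0
    for i, (n, p) in enumerate(zip(sizes, link_probs)):
        subnet_of.extend([i] * n)
        adj.extend(set() for _ in range(n))
        for a in range(start, start + n):
            for b in range(a + 1, start + n):
                if rng.random() < p:
                    adj[a].add(b)
                    adj[b].add(a)
        start += n
    return subnet_of, adj


def mobility_links(subnet_of, q, rng):
    """Inter-subnet links for one time step: each node jumps with probability q
    and is joined to a random node of a different subnet. The caller discards
    these links before the next step, which makes the network time-varying."""
    n = len(subnet_of)
    links = [set() for _ in range(n)]
    if len(set(subnet_of)) < 2:      # a single subnet: nowhere to jump to
        return links
    for a in range(n):
        if rng.random() < q:
            b = rng.randrange(n)
            while subnet_of[b] == subnet_of[a]:
                b = rng.randrange(n)
            links[a].add(b)
            links[b].add(a)
    return links


def sis_step(infected, adj, extra, beta, gamma, rng):
    """Synchronous SIS update. A susceptible node with k infected neighbours
    (static plus this step's jump links) is infected with probability
    1 - (1 - beta)^k; an infected node is cleaned with probability gamma."""
    nxt = list(infected)
    for v in range(len(adj)):
        if infected[v]:
            if rng.random() < gamma:
                nxt[v] = False
        else:
            k = sum(1 for u in adj[v] | extra[v] if infected[u])
            if k and rng.random() < 1.0 - (1.0 - beta) ** k:
                nxt[v] = True
    return nxt


def densities(infected, subnet_of, sizes):
    """Fraction of infected nodes in each subnet."""
    counts = [0] * len(sizes)
    for v, inf in enumerate(infected):
        if inf:
            counts[subnet_of[v]] += 1
    return [c / n for c, n in zip(counts, sizes)]


def simulate(sizes, link_probs, q, beta, gamma, steps, seed_node=0, rng_seed=1):
    """Run the model; return the per-step list of per-subnet infected densities."""
    rng = random.Random(rng_seed)
    subnet_of, adj = build_subnets(sizes, link_probs, rng)
    infected = [False] * len(adj)
    infected[seed_node] = True               # a single seed, as in the paper
    history = []
    for _ in range(steps):
        extra = mobility_links(subnet_of, q, rng)   # last step's jump links are gone
        infected = sis_step(infected, adj, extra, beta, gamma, rng)
        history.append(densities(infected, subnet_of, sizes))
    return history


def first_outbreak_step(history, subnet):
    """1-based step at which malware first appears in `subnet`, or None."""
    for t, dens in enumerate(history, start=1):
        if dens[subnet] > 0:
            return t
    return None


if __name__ == "__main__":
    # Constructed parameters (assumptions, not the paper's values): two subnets
    # of 100 nodes, link probability 0.1 (mean degree about 10), beta=0.2,
    # gamma=0.1, seed in the first subnet, three mobility rates compared.
    for q in (0.0, 1e-4, 1e-2):
        hist = simulate((100, 100), (0.1, 0.1), q, beta=0.2, gamma=0.1, steps=300)
        print(f"q={q:<7} final densities={[round(d, 2) for d in hist[-1]]} "
              f"outbreak in subnet 2 at step {first_outbreak_step(hist, 1)}")
```

Running the `__main__` block shows the qualitative behaviour the paper describes: with `q=0` the second subnet is never reached, and as `q` grows the step at which the second subnet is first infected moves earlier. The inter-subnet links are rebuilt from scratch on every call to `mobility_links`, so a jump at step *t* never leaves a permanent path for later steps, which is exactly the time-varying assumption that separates this model from a static community network.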