#### Abstract

As the adoption of Software Defined Networks (SDNs) grows, the security of SDN still has several unaddressed limitations. A key network security research area is in the study of malware propagation across the SDN-enabled networks. To analyze the spreading processes of network malware (e.g., viruses) in SDN, we propose a dynamic model with a time-varying community network, inspired by research models on the spread of epidemics in complex networks across communities. We assume subnets of the network as communities and links that are dense in subnets but sparse between subnets. Using numerical simulation and theoretical analysis, we find that the efficiency of network malware propagation in this model depends on the mobility rate of the nodes between subnets. We also find that there exists a mobility rate threshold . The network malware will spread in the SDN when the mobility rate . The malware will survive when and perish when . The results showed that our model is effective, and the results may help to decide the SDN control strategy to defend against network malware and provide a theoretical basis to reduce and prevent network security incidents.

#### 1. Introduction

With separate control and data planes for computer networking [1], Software Defined Networks (SDNs) are considered by many to be a promising network platform as it empowers programmability and flexible configuration—paving the way for more powerful network control and traffic data analysis. However, the SDN architecture also introduces complexity and increased risks to network security. With the continuous development of SDN security applications, we need to anticipate issues that might arise throughout the implementation of SDN-based security applications.

At their core, SDN computer networks are complex systems [2]. The research content of computer networks includes network topology, network traffic characteristics, and the influence of the network behavior on the whole network. The spread and prevention of network malware are key technologies studied in SDN and have been one of the most prolific fields in complex network dynamics research. Through our research, we found that some characteristics of computer network virus propagation are similar to real world epidemic spread.

Compared to past computer network architectures (where it is not easy to control the whole network from the global level), SDNs are considered by many to be a promising network platform as it empowers programmability and flexible configuration—enabling powerful network control and traffic data analysis. As such, the study of the transition probability for malware within SDN makes not just an interesting endeavor but also an important research area considering upcoming trends in computer networking. Hence, in this research, we present a simple network model with a time-varying community network and investigate network malware spreading processes within this model. In terms of scope, this paper does not consider the source and the specific types of the malware.

The remainder of the paper is organized as follows. Section 2 discusses the background and related work. In Section 3, a model with a time-varying community network of malware propagation in SDN is proposed. Then, in Section 4, we implement a numerical simulation to evaluate the influences of the mobility rate on the dynamic behavior of SDN, and the theoretical analysis of this model is performed. In Section 5, the possible applications of our research are presented. Finally, we conclude and offer prospective areas for future research in Section 6.

#### 2. Background and Related Work

##### 2.1. Industry Trends

This research paves the way for practical implementations using SDN as a platform for malware propagation control. In the industry, Google has already deployed SDN for data center backbone traffic. Major commercial switch vendors including Cisco, IBM, HP, Dell, and Juniper Networks have announced intent to support or have already launched switching products that support SDN. We see a lot of potential in applying our research into similar environments.

The market research company IDC predicts that the market for SDN applications will reach $37 billion by 2016 [3]. It is also realistic to expect malware (e.g., network viruses, Botnets) to continue to be a threat for future SDN deployments. Specifically, we witness a recent surge in malware (e.g., Mirai) specifically designed for launching Distributed Denial-of-Service (DDOS) attacks to network-connected assets. To assure Internet security, effective detection malwares are indispensable. Our research addresses these issues directly.

##### 2.2. Research Trends and Gaps

Research on the network security of SDN raised concern in recent years. Most prior studies have looked at the development and analysis of SDN security applications [4]. However, few solutions provide an effective defense mechanism against the threat of attacks in SDNs because all types of open applications make the end-hosts and switches the target of attacks, which is a threat to the entire network [5]. In all types of security incidents, network malware usually spreads quickly and has a strong influence on availability, making network malware the most important issue to resolve in Internet security.

The control plane of SDN will have direct control over the data plane elements [6]. Network administrators of SDNs often use programmable soft switches to provide network virtualization. Modifying routing rules in traditional networks is difficult but easier in SDNs, which will help address problems in traditional networks and is advantageous to adjust the route strategy of the entire network. The logical centralization of network intelligence presents exciting challenges and opportunities to enhance security in such networks, including new ways to prevent, detect, and react to threats, as well as innovative security services and applications that are built upon SDN capabilities. Malicious code detection and prevention under the new architecture need further study [7–14].

At its core, the spread of network malware on the Internet is a dynamic complex network challenge. In complex network dynamics, if the network evolution speed is slower than the information transmission speed, it can be approximately regarded as a static network. This assumption is set up in many cases, such as computer malware spreading on the Internet. Therefore, we consider that the community structures in complex network models have considerable influence on the spreading of network malware in SDN.

In recent years, many studies have indicated that time-varying networks play an important role in the investigation of the network malware spreading that occurs in complex networks [15]. In computer networks, we can assume subnets as “communities” and “links” that are dense in a subnet but sparse between subnets. Network malware spreading is rapid in the subnets but slow between subnets. Because different subnets are disparate, it is impossible for individuals to propagate malware to different subnets at the same time even if these individuals have connections with many different subnets in a static network. Thus, there are no links among subnets at each time step in a time-varying network, but individuals can move among subnets because of the centralized control of SDN [16].

Toutonji and Yoo proposed a model Passive Worm Dynamic Quarantine (PWDQ) to enable network malware detection and protection [17]. When a node is listed as a suspicious node, the PWDQ model departs from previous models in that infected nodes will be recovered either by passive benign worms or by quarantine measures. Computer simulations show that this method may decrease the number of infectious nodes and reduce the speed of network malware propagation.

Omote and Shimoyama found a method for preventing the spread of network malware [18]. An estimating unit calculates the expected number of infected nodes when the malware transmits a predetermined number of packets, based on the infectivity calculated by the infectivity calculating unit.

Bradley et al. [19] and other studies have shown that the network topology has an impact on network malware spreading: the closer to the “center” of the network the malware is, the faster the malware spreads and the higher the probability of repeated infection is.

Gourdin et al. found that the effect of network malware spreading in a telecommunication network [20], where a certain curing strategy is deployed, can be captured by epidemic models. In their model, the probability of each node being infected depends on the curing and infection rate of its neighbors.

Tang and Li investigated malware spread in Wireless Sensor Networks (WSNs) through Susceptible-Infective (SI) epidemic models [21] and proposed two adaptive network protection schemes for securing WSNs against malware attacks.

Abaid et al. [22] proposed elastically partitioning network traffic to enable distributing detection load across a range of detectors and making a centralized SDN controller, which allows for network-wide threat correlation as well as quick control of malicious flows.

Ichiro et al. mentioned that, in security incident response, the isolation of network virus-infected nodes and investigation of the damage situation of network virus activity are needed [23]. They proposed a method to isolate virus-infected nodes while avoiding being detected by malware by changing network quickly and partially using SDN.

Hosseini et al. [24, 25] proposed a dynamic model of malware propagation in scale-free networks (SFNs) based on a rumor spreading model. The model considers the impact of software diversity to halt the outbreak of malware in networks. Their research stated that the simulation results demonstrate that the model is more effective than other existing models of malware propagation, in terms of reducing the density of infected node.

These research efforts provide several new approaches for studying network malware spreading and prevention in the SDN environment. In terms of our approach, we believe that since an SDN controller can manage and quarantine nodes in the entries network, when new network malware breaks out in a subnet, this controller may change the flow table strategy according to network status and prevent the spreading of the malware to other subnets. As such, we designed a network malware propagation model of SDN to effectively defend against the spreading of network malware.

#### 3. Modeling Network Malware Spreading in an SDN Environment

As the spread of network malware in SDN is similar to the spread of diseases, we can use similar models to study the spread of network malware. This type of model has two assumptions: the state of a network node at any moment is limited; the states include* “susceptible”; “infected”; “recovery”; “isolation”*. We can choose different sets of states according to the characteristics of the network malware and modeling purposes. The infected nodes have a certain probability of infecting other nodes in the network.

Our mathematical model of computer malware spread is mostly based on the Susceptible-Infected-Recovery (SIR) model or the simple Susceptible-Infected-Susceptible (SIS) model [26]. To simplify our research, we adopted the SIS model, where each node belongs to one of two states: susceptible or infected [27, 28]. Mathematical analysis on such a model has revealed the importance of topology for propagation dynamics. Particularly, we found that the time-varying community network model is suitable for networks with small numbers of susceptible nodes, and we assumed that the network evolves more slowly than the diffusion process.

##### 3.1. Model Assumptions

Different nodes belong to different subnets in a computer network. In our study, we use logical subnets to classify the community network; network malware spreads more quickly within the subnet and spreads slowly between different subnets. To simplify the complex model, we assume that the network malware cannot spread between different subnets in normal conditions. Because the SDN may change its routing strategy, when one infected node moves from one subnet to another logical subnet, it probably makes the network malware spread between subnets.

To study the effects of network malware spreading when an infected node changes from one subnet to another in SDN, we establish some simple model assumptions.

Consider a total population of nodes in the model, which means that no new nodes enter or leave the system at any time.

In the model, nodes only have two possible states: susceptible () and infected (). A node must be in one of the two states, and an infected node cannot be infected again. We define the initial infected nodes as .

The network malware cannot spread between different subnets in normal conditions, which means that there are no infection paths between different subnets.

Assume that each susceptible neighbor of an infected node has a probability of being infected and a susceptible node has infected neighbors at time in the model. At step, this susceptible node will become infected with probability . At the same time, the infected node may become susceptible at rate through network malware killing and patching.

##### 3.2. Model with Time-Varying Community Network

Although various studies have shown that a computer network is a “scale-free” network, to simplify the model, we begin our analysis with the simple time-varying community network.

Based on the model assumption, we construct a time-varying community network with network malware spreading.

Consider a total population of nodes that is divided into subnets with random nodes in each subnet, and let them satisfy

For each subnet* i*, we use probability to add a link between each two nodes and let them satisfyIn addition, is the average degree of the entire network.

When an infected node jumps from one subnet into another subnet, it will spread the network malware. We assume that every node has probability* q* to jump to another subnet, which is chosen randomly. In order to simulate malware spreading caused by node jump, we add links between different subnet with probability* q*. During each time step, break all of the links between different subnet connected at last time step. Then connect nodes in the different subnet with probability* q* again. The most important value is a threshold . The network malware spreads and becomes infected for and perishes for . In this model, we have a network malware threshold . The network malware spreads and becomes infected when . From the theory of probability [29], we have in the time-varying community network model. For a specific community , when the mobility rate , its network malware subthreshold is defined as

The network malware in the specific community will survive when and die for . We assume that there is only one seed at the beginning, which means . The network malware will spread within the subnet where the seed is chosen and will not affect other subnets.

Because of the regular changes in the routing strategy in SDN, network nodes including mobile devices, network devices, and hosts can be redirected, which means that the node mobility rate between subnets satisfies . When , even if there is only one seed at the beginning, the network malware may spread into all of the subnets. We discover that the time of the network malware outbreak in the subnets is dependent on the mobility rate . When , a mobility rate threshold is considered. The network malware in subnet is where can survive when because of the jump of infected nodes.

#### 4. Simulation and Evaluation

To simulate the network malware spreading, we use a similar experimental environment. To be brief we set and analyze the network malware spreading in two cases. At the beginning, there is only one infected node, , and we set , , , , , and . These parameters satisfy (1) and (2).

*(A) ** (**)*. Let us set . We can obtain and from (3). We set .

In the simulation, we chose an infected node in the first subnet randomly, and the other nodes in the two subnets were susceptible. We simulate the step with mobility rate to 0.00001 between the subnets, and the result is shown in Figure 1. The curve with black asterisks represents the density of infected nodes in the first subnet as a function of time with mobility rate and the other curves represent the evolution of infected nodes in the second subnet with different mobility rates from 0.00001 to 0.000001.

As can be observed from the diagram, the network malware first broke out in the first subnet and then propagated into the second subnet. The time of network malware outbreak in the second subnet decreased with the increase in the mobility rate .

We have not plotted the curve of the other mobility rate in the first subnet because the network malware spreading in the first subnet has less of a relationship with . The values of mobility rate applied above were chosen based on experiment and by experience. A deep understanding of the detailed time evolution of network malware spreading is a prerequisite to finding optimal strategies to prevent network malware outbreaks. Thus, we analyzed it in detail.

From the simulation, we knew that when , the network malware would have an outbreak in the second subnet only if there was one node that was infected by the nodes and had moved from the first subnet.

At each time step, the number of infected nodes that move from the first subnet can be calculated as , where represents the density of the infected nodes in the first subnet at time* t*,* q* is the mobility rate between subnets, and is the total number of nodes of the first subnet.

In the time-varying network model, small world model, and scale-free model, these theories are based on mean field theory. According to mean field theory, satisfies equation .

In this equation, represents the density of the infected nodes in the first subnet and each infected node will become susceptible at rate . is the probability that each susceptible node linked by an infected node will be infected. On the right side of the equation, shows the reduced number of infected nodes, is the density of susceptible nodes, and presents the number of infected nodes around a susceptible node. According to the multiplication rule, presents the increased number of infected nodes in the entire network. The simplified formula iswhere , , and

shows the density of infected nodes at time , and, in this simple example, we obtain . At time step , there are infected nodes in the first subnet. According to model, the nodes between subnets connect with probability . So, in the second subnet, there are nodes connected with the infected nodes in the first subnet, which have a probability of being infected. So, at each time step , the probability of the node in the second subnet being infected is . Supposing that the probability of the node in the second subnet being infected at time step is 100%, we can write the formula as

Then, we can obtain

We can obtain the outbreak time of the network malware in the second subnet by

In this formula, is the time for the number of infected nodes in the second subnet to increase from one to half of the stabilized value. To check the above theoretical analysis, we simulate experiments to obtain test data. We make numerical experiments and determine by checking the number of infected nodes of the second subnet, which reaches half of the stabilized value at time step . We build the time-varying network with the same parameters as shown in Figure 1 and set and . We simulate the experiment many times and take the average result of several experiments. When we change the mobility rate from 0.000001 to 0.00001, we obtain two curves, as shown in Figure 2. The circles and asterisks denote the results from two different values by experiment, and the two lines represent the results calculated from (8), where and . As we can see, the numerical simulations and theoretical conclusion are consistent.

*(B) *. Through our analysis, we know that the network malware will perish in the first subnet, where the mobility rate is too low. However, if the mobility rate is high enough, the network malware may also spread into the second subnet.

In the experiments, we select and use the same values of the other parameters of the time-varying network, as in Figure 1. The value conforms to , and we use the initial value of infected nodes , which is selected randomly from the first subnet. We get the values , , and , where , , and represent the density of infected nodes in the first subnet, second subnet, and entire network, respectively.

Figures 3(a) and 3(b) show the evolution function curve of in two subnets with the mobility rates and . The black asterisks represent the density of infected nodes in the first subnet as a function of time, and the red circles represent the evolution of infected nodes in the second subnet. As indicated in Figure 3(a), the network malware broke out at approximately for in the second subnet. However, for , the number of infected nodes was reduced to zero slowly in the first subnet and the network malware did not break out at all in the second subnet, as shown in Figure 3(b).

**(a)**

**(b)**

We theoretically analyze how the mobility rate influences the spreading of network malware. Because , there must be a time step when the network malware will perish when in the first subnet. The network malware can spread in the second subnet only if the infected nodes can move into the second subnet and at least one susceptible node in the second subnet is infected before . According to (4), we know that when , is reduced gradually to close to zero. We use as a small number and solve (4) to obtain :

From (7) and (9) and considering when , we define as in (5) and obtain

To simulate the process better, we repeated the experiments several times and set to 200 and set to 0.01, and then the mobility rate is gradually increased from 0. When the mobility rate increases to the threshold , the network malware will break out in the second subnet. For each set of and , we conducted the experiment 100 times and averaged the test data. As shown in Figure 4, the circles and asterisks indicate the experiment results for and 200, respectively. The lines represent the theoretical value calculated from (10) and show that, for a specific , the mobility rate threshold is approximately inversely proportional to , which is the initial number of infected nodes in the first subnet. However, for a specific , rapidly decreases with the increase in the infection rate . For example, when , decreases from to as increases from 0.004 to 0.01. The numerical simulation results confirm the theoretical formula in (10).

Some researchers [30, 31] have conducted studies on the impact of community structure on SIS epidemic spreading process and these research results provide us with a new idea of studying time-varying community structure of the field of network security. On the basis of the simulation experiments, we proved the effectiveness of our model to find the propagation threshold of network community. This may be helpful to evaluating the network malware outbreak time in SDN.

#### 5. Possible Applications

With SDN redefining the traditional networking business model, customers can easily discover, learn, and get specific network applications and download them to their own environment. Conversely, malware will easily spread in the whole network. Specifically, our research may be useful at malware propagation and prevention within SDN in the following ways.

Firstly, by the analysis we can get the mobility rate threshold of the malware propagation and when there are some new and large-scale malware outbreaks, through some measures (such as firewall, access control), the respective national information security center (e.g., the national Computer Emergency Response Team (CERT)) may provide SDN-based network security for data centers and assets, detecting malware propagation and insider attacks at an early stage. The security center can decide the SDN control strategy to reduce the spread and the possibility of outbreak of the malware.

Secondly, in the face of a highly globalized business environment, many companies are eager to transform their network architectures into ones which are easy to control and adjust; SDN applications make this aspiration possible. Our model can help the companies’ administrator(s) to modify the network routing policy to reduce and prevent the spread of the network malware.

Finally, a potential SDN-based “App” approach (recently introduced by HP and Huawei) offers a platform for customers to see real, high-value use cases of SDN that can benefit their organization. Customers can easily access and deploy innovative solutions to solve real business problems that legacy infrastructures cannot and gain the complete visibility and control only IP Address Management can provide. When they get the information of emerging malware, they can adjust their strategies to avoid their own resources by malware propagation.

#### 6. Conclusion and Perspectives

This research proposes a network model with time-varying community structures in an SDN environment. A model was designed to analyze network malware spreading and prevention under SDN architecture. In our model, connections are static within subnets and are dynamic between subnets. The impact of the mobility rate on network malware spreading is studied. It is found that when nodes infected with network malware move from the source subnet to the target subnet, the network malware would break out in the target subnet in which there exists no infected node initially, and the outbreak time decreases with increasing mobility rate.

We have also found that there exists a mobility rate threshold . The network malware breaks out when the mobility rate is larger than the threshold value and dies when the mobility rate is smaller than the threshold value in all of the subnets.

The control plane of SDNs enables us to adjust the management strategy of the entire network [32]. Our results may be helpful in evaluating the network malware outbreak time in a subnet that contacts other infected subnets from a global perspective. We can now isolate suspected infected nodes dynamically, control the mobility rate of subnets, and modify the network routing policy to reduce and prevent the spread of the network malware.

In terms of future work, we plan to analyze the network malware spreading and protection in a scale-free network model in an SDN environment because a scale-free network is more similar to a computer network. Increasingly, we find that emerging groups of researchers are starting to work on similar research areas, showing the validity and urgency of our work. Further improvements can be made, as our study is only beginning and its theoretical model is relatively simple; effort to make our study align closer to real-life network environments in large deployments is a critical direction. From a theoretical analysis viewpoint, the degree of nodes is different in scale-free networks, their mobility rate effects on the spread of computer malware are also different, and the mobility of center nodes will have more influence on the spread of computer malware. We will study the network malware spreading and protection in a scale-free network model and analyze the relationship between the node mobility rate and spread of network malware in this model. This model will be more complicated and our work will begin with simulation experiments.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This research is supported by the National Natural Science Foundation of China (no. 61571141), the Guangdong Province Teaching Quality Project ([2015] no. 133)-Network Engineering Comprehensive Reform, and the Guangdong Provincial Application Oriented Technical Research and Development Special Fund Project (2015B010131017). This research is also supported by the New Zealand Office of the Privacy Commissioner and STRATUS (https://stratus.org.nz).