Abstract

The advanced persistent distributed denial-of-service (APDDoS) attack is a fairly significant threat to cybersecurity. Formulating a mathematical model for accurate prediction of APDDoS attack is important. However, the dynamical model of APDDoS attack has barely been reported. This paper first proposes a novel dynamical model of APDDoS attack to understand the mechanisms of APDDoS attack. Then, the attacked threshold of this model is calculated. The global stability of attack-free and attacked equilibrium are both proved. The influences of the model’s parameters on attacked equilibrium are discussed. Eventually, the main conclusions of the theoretical analysis are examined through computer simulations.

1. Introduction

Cyberattacks have already become one of the greatest threats to cybersecurity [1–4]. With the rapid development of information technologies, a considerable number of cyberattack methods have emerged in the past few decades, such as SQL injection (SQLi) attacks, distributed denial-of-service (DDoS) attacks, targeted attacks, and account hijackings [5]. In particular, the DDoS attack has become one of the most popular methods among hackers due to its strong covertness and low cost. Recently, several cases have been widely reported; for instance, in November 2016, five Russian banks suffered a persistent DDoS attack for almost 12 hours, which caused unnumbered economic losses and social turbulence [6]. What is more, in August 2017, Ukraine’s national postal service was hit by a two-day-long cyberattack [7].

A denial-of-service attack (DoS attack) is a cyberattack in which the attackers attempt to disrupt the servers that respond to requests. When these attacks originate from many different computers and networks, the attack mode is referred to as a distributed denial-of-service attack (DDoS attack). On the other hand, the dynamical models of advanced persistent threats (APTs) have already attracted the attention of researchers [8–12]. An advanced persistent threat is a set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity [13]. Computers with defensive ability in a network cannot easily be attacked successfully by a standard DDoS attack (a single DDoS attack), which means that a standard DDoS attack does little harm to the network. But nowadays, there are numerous hackers with clear aims, ample resources, and exceptional skills. Therefore, they are able to launch continuous and long-term attacks, which are called APDDoS attacks in this paper. In this way, APDDoS attackers pose a bigger threat to cybersecurity [14].

Although the APDDoS attack has been mentioned in numerous papers [15–18], dynamical models of the APDDoS attack have rarely been reported. In this context, this paper proposes a dynamical model of the APDDoS attack, which can help to figure out the mechanism of the attack.

In reality, different computers have different defensive abilities. For example, a computer with a low level of defensive ability is more likely to be attacked, while a high level of defensive ability makes a computer hard to affect completely, so that a flooding attack is the only way to attack a high-defensive computer. Hence, this paper divides computers into two parts: weak-defensive computers and strong-defensive computers. Meanwhile, the procedure of an APDDoS attack can typically be classified into two phases: spreading computer worms and launching flooding attacks (see Figure 1).

(1) Spreading Computer Worms. To infect more computers with a low level of defensive ability, hackers attempt to spread computer worms on networks (such as the Internet and WWW) by sending fake and malicious emails or links, which lure people into clicking on them, visiting virus websites, and then downloading malware unknowingly. Here, zombie denotes an infected computer or an infectious local network. Worms can then also be diffused through the zombie to its neighbors under the control of the hackers.

(2) Launching Flooding Attacks. After successfully intruding into the computers and gaining control of the zombies, the hackers send instructions to the zombies so as to launch APDDoS attacks against computers with extraordinarily high defensive levels. Owing to the strong disruptive power of APDDoS attacks, some high-defensive computers will still be intruded and broken down. So, compromised computer is used to denote a high-defensive computer that has been broken down.

The rest of this paper is organized as follows. In Section 2, a dynamical model of APDDoS attack is proposed; then the model is analyzed in Section 3; some further discussions are provided in Section 4; finally, the summary of this paper is given in Section 5.

2. Model Description

This paper makes the hypothesis that computers can be classified into two parts: weak-defensive computers and strong-defensive computers.

The weak-defensive computers consist of two groups, weak-defensive nodes (not infected yet) and attacked nodes.

(i) Weak-defensive node, which has not been infected by worms or malwares yet, lacks in defending the malicious attacks, for existing some system vulnerabilities and device defects or being without the defense of antivirus software. It is also called node for short.

(ii) Attack node, the zombie that can infect other nodes and launch attacks controlled by hackers, can be also represented by node briefly.

The strong-defensive computers also can be divided into two groups, strong-defensive nodes (not compromised yet) and compromised nodes.

(i) Strong-defensive node, which provides considerable power of filtering and self-defensive ability, represents the computer with firewall equipped. In general, strong-defensive node acts as server in the network, and it is also called node in this paper.

(ii) Compromised node, which denotes the state that node becomes compromised and cannot respond to the requests after the attacks, is called node in this paper.

Based on the above facts, the following assumptions can be obtained.

(H1) The system is closed; the total number of systems is constant. Hence, .

(H2) Due to opening the phishing emails or text or performing some operations which would damage system security, node is infected with the probability of .

(H3) Due to executing some positive measures, like reinstalling the operating system, node recovers with the probability of .

(H4) Due to the APDDoS attacks, node is compromised with the probability of .

(H5) With the assistance of firewall, , used to describe the self-protection ability of node, represents the ability of resisting attack of APDDoS. And should be proportional to the rate that node compromised. Besides, must be greater than 1.

(H6) Due to some positive measures, like restarting the computer, node turns to an node with the probability of .

(H7) As the system is divided into two separated parts, the parameters ϕ and are used to, respectively, denote the rate of the weak part and the strong part. So the following equations hold, and .

According to (H1)–(H7), the following dynamical system is obtained (see Figure 2).
where , , , , and , , , , .

3. Theoretical Analysis of the Dynamical Model

This section focuses on the mathematical properties of the dynamical model, such as equilibriums, threshold, and the local and global stability of system (1).

As and , the equations of system (1) can be deduced into a two-dimensional system as follows:
where and . The simply connected compact set can be obtained that .

Since system (1) and system (2) are equivalent, we are going to examine the properties of system (2).

3.1. Equilibriums

Theorem 1. System (2) has a unique attack-free equilibrium .

Proof. Letting and , then the unique attack-free equilibrium is shown as follows:

Theorem 2. System (2) has a unique attack-free equilibrium:

It is easy to prove, so the proof has been omitted here.

3.2. Attacked Threshold

In this paper, propagation threshold is a vital indicator that determines whether system will suffer APDDoS attack.

According to the method described in the Appendix, there are four statuses in system (1), so let and the following vectors can be obtained
which satisfies where , , , . So

Then , where is strictly increasing with respect to the parameters and and strictly decreasing with respect to .

Example 3. Fixing and changing the parameters and , the value of is shown in Figure 3.

Example 4. Fixing the and varying the parameters and , the value of is shown in Figure 4.

3.3. The Global Stability of Attack-Free Equilibrium

Theorem 5. is globally asymptotically stable when .

Proof. Consider the following Lyapunov function with an undetermined coefficient
where is a positive constant to be determined. Besides, and , so is nonnegative.
The time derivative of along an orbit of system (2) is
As , then and are obtained. And another part, , can be deduced into
Obviously, . When then the inequality holds.
Considering inequality (11), let , so . Finally, the remaining part, , is nonnegative, for . Hence, only if , that , . , when . The result confirms the stability principle in [19].
The proof is completed.

Example 6. In system (2) with , , , , , , where , computers will not suffer from APDDoS attacks and the attack-free equilibrium is globally asymptotically stable (see Figure 5).

3.4. The Global Stability of Attacked Equilibrium

Firstly, the local stability of attacked equilibrium of system (2) will be demonstrated.

Lemma 7. is locally asymptotically stable when .

Proof. The Jacobian of the linearized system (2) evaluated at is as follows:
and the corresponding characteristic equation is
Clearly, two roots of (13) are and , so the possibility of these two roots will be discussed next. As , it is easy to get that . Besides, the equation of can be rewritten into and , for . Hence, the two roots of (13) both have negative real parts. Further, the conclusion of this result follows by the Lyapunov theorem, conforming to the Hurwitz criterion [19].
The proof is completed.

Second, the global behaviors of the equilibrium of will be examined.

Lemma 8. The simplified system admits no periodic orbit in the interior of [20].

Proof. Let
Define ; then
The result follows the Bendixson–Dulac criterion [20].

Lemma 9. System (2) admits no periodic orbit that passes through a point on , that is the boundary of .

Proof. As for the smoothness of all orbits of system (2), all conditions can be enumerated as follows.
(a) There is no periodic orbit that passes through a corner of , i.e., either or or , or .
(b) If there is a periodic orbit passes through a noncorner point on , then this orbit must be tangent to at this point.

On the contrary, suppose that there is a periodic orbit that passes through a noncorner point on ; then there are four possibilities.

Case 1. , . Then , implying that is not tangent to at this point, which leads to a contradiction.

Case 2. , . Then , implying that is not tangent to at this point, which is self-contradictory.

Case 3. , . Then , implying that is not tangent to at this point, which leads to a contradiction.

Case 4. , . Then , implying that is not tangent to at this point, which is also a contradiction.

Theorem 10. is globally asymptotically stable when .

Proof. The claimed result follows by combining Lemmas 7–9 with the generalized Poincaré–Bendixson theorem [20].

Example 11. Under system (2) with , , , , , , where , computers in this situation will be under APDDoS attack, and thus the attacked equilibrium is globally asymptotically stable (see Figure 6).

Example 12. Under system (2) with , , , , , that , computers will suffer APDDoS attack, also the attacked equilibrium is globally asymptotically stable (see Figure 7).

4. Further Discussion

In this section, the impact of parameters on the attacked equilibrium of system (2) will be discussed.

In Section 3, the attacked equilibrium can be rewritten into

By calculation,
So, it is easy to get the following conclusions:

(1) is strictly increasing with respect to parameters and .

(2) is strictly increasing with respect to parameter , and is strictly decreasing with respect to parameters and .

(3) Both of and are strictly decreasing with respect to parameter .

Now, let us consider the influence of and on the proportion of . The following relations can be gained:
Hence, is strictly increasing with respect to the parameters .

Then, focusing on the influence of , the relation between and is shown as follows:
So the following function has been constructed:
when is the positive root of function (20) and will get its maximum or minimum.

Finally the discussion of the value of will be shown as follows.

Let represent the discriminant which determines whether the function has real root and how many it has. By definition, it is easy to get , where . exists in two real roots if . Let and denote the two real roots of if . Also the axis of symmetry of the function , , can be obtained easily.

Case 1. , which also means , the inequality can be derived as and infer that , which means ; thus, that contradicts . Therefore, the attacked equilibrium does not exist, and this condition is not satisfied when .

Case 2. , and , . Considering the positive value , increases with respect to when , and decreases with respect to when . So is the local maximum of (see Figure 8).

Case 3. , and , . When , the attacked equilibrium does not exist because and . Hence, increases with respect to when , and decreases with respect to when . Here the only concern about the condition is that , where is the local maximum of , respectively (see Figure 9).

Case 4. , and , . If , , then
these two inequalities can be further derived as
however, these two formulas are contradictory. Hence, this condition does not hold.

Case 5. , and , . Then ; the axis of symmetry of the function is on the right side of , which means . So this condition does not hold.

According to the above discussion, only Cases 2 and 3 may have attacked equilibrium.

(4) When the attacked equilibrium exists, will increase at first, and then will decrease.

Example 13. Fixing , , , , , and varying , the change of in system (2) is shown in Figure 8. By calculation, (has been ignored because of ), (see Figure 8).

Example 14. Fixing , , , , , and varying , the proportion of in system (2) is shown in Figure 9. By calculation, , , so exists as a maximum (see Figure 9).

According to above conclusion, there are some suggestions as follows.

(1) Regular antivirus and strengthening the precaution of malwares will help to reduce and enlarge and can decrease node.

(2) Also strengthening the precaution of malwares, which will enlarge , can help to decrease nodes.

(3) Enhancing the firewall’s abilities, like filter and information processing, helps to increase and prevent nodes from becoming nodes.

(4) Reinstalling the operating system or changing the hardware of the computer, which also means to enlarge or , will be useful to turn nodes to nodes or make nodes become nodes.

(5) Practically, it is hard to reduce by controlling or decreasing the destructive power of malware, but it is available to inhibit the propagation of malware by enhancing the firewall’s abilities of spying and controlling.

(6) By taking some special strategies, it is feasible to change the structure of the network, which also means to change , like installing firewall. Besides, according to the discussion of the parameter of , it must be regarded that the proportion of nodes will get its maximum in special , which will cause enormous damage.

5. Conclusion

This paper proposes a dynamical model of the APDDoS attack. Some properties of this novel model, like the threshold, equilibriums, and stability, have been studied in depth, and numerical simulations have been carried out at the same time. Finally, by analyzing the respective influences of the system parameters, some suggestions are proposed to reduce the harm of DDoS attacks.

Appendix

Referring to the method of calculating the propagation threshold in [21], the calculation process is shown as follows.

In an -dimensional system, let denote the number of individuals in each compartment with . And let denote the set of disease states. Also let be the rate of appearance of new infections in compartment , be the rate of transfer of individuals into compartment i, and be the rate of transfer of individuals out of compartment .

Then the above model consists of nonnegative initial condition together with the following system of equations:
where and the functions satisfy the following 5 assumptions:

(A1) If , then , , for .

(A2) If , then . In particular, if , then for .

(A3) if .

(A4) If then and for .

(A5) If is a set of zeros, then all eigenvalues of , which is the derivative evaluated at the equilibrium, , have negative real parts.

And then, the derivatives and are partitioned as
where and are the matrices defined by

Further, is nonnegative, is a matrix, and all eigenvalues of have positive real part. , the spectral radius of , is a threshold parameter.
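The threshold procedure described in this Appendix, together with the below-threshold and above-threshold behaviour stated in Sections 3.3 and 3.4, can be checked numerically. The following is an added example, not code from the paper: it applies the next-generation computation to an assumed two-equation compartment model built from (H1)–(H7). The equations in rhs(), the names beta, gamma, alpha, eps, eta, phi, and all parameter values are assumptions of this example, not the paper's system (1).

```python
# Added illustration, not the paper's code. The two equations in rhs() and the
# names beta, gamma, alpha, eps, eta, phi are assumptions built from (H1)-(H7).

def spectral_radius_2x2(m):
    """Largest |eigenvalue| of a 2x2 matrix from its characteristic polynomial."""
    tr = m[0][0] + m[1][1]
    det = m[0][0] * m[1][1] - m[0][1] * m[1][0]
    disc = complex(tr * tr - 4 * det) ** 0.5
    return max(abs((tr + disc) / 2), abs((tr - disc) / 2))

def threshold(beta, gamma, alpha, eps, eta, phi):
    """rho(F V^-1) at the attack-free state (A = C = 0, W = phi, S = 1 - phi)."""
    F = [[beta * phi, 0.0], [alpha / eps * (1 - phi), 0.0]]  # new attacked/compromised
    V_inv = [[1 / gamma, 0.0], [0.0, 1 / eta]]               # inverse of diag(gamma, eta)
    FV = [[sum(F[i][k] * V_inv[k][j] for k in range(2)) for j in range(2)]
          for i in range(2)]
    return spectral_radius_2x2(FV)

def rhs(A, C, beta, gamma, alpha, eps, eta, phi):
    """Assumed reduced system: W = phi - A and S = (1 - phi) - C by (H1), (H7)."""
    dA = beta * (phi - A) * A - gamma * A            # (H2) infection, (H3) recovery
    dC = alpha / eps * (1 - phi - C) * A - eta * C   # (H4)/(H5) compromise, (H6) restart
    return dA, dC

def simulate(A, C, p, t_end=400.0, dt=0.01):
    """Integrate with classical RK4 and return the final (A, C)."""
    for _ in range(int(round(t_end / dt))):
        k1 = rhs(A, C, **p)
        k2 = rhs(A + dt / 2 * k1[0], C + dt / 2 * k1[1], **p)
        k3 = rhs(A + dt / 2 * k2[0], C + dt / 2 * k2[1], **p)
        k4 = rhs(A + dt * k3[0], C + dt * k3[1], **p)
        A += dt / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0])
        C += dt / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1])
    return A, C

def attacked_equilibrium(beta, gamma, alpha, eps, eta, phi):
    """Nonzero steady state of rhs(); only meaningful when threshold() > 1."""
    A = phi - gamma / beta
    k = alpha / eps
    return A, k * A * (1 - phi) / (eta + k * A)

# Constructed parameter sets: one below and one above the threshold.
LOW = dict(beta=0.2, gamma=0.3, alpha=0.5, eps=2.0, eta=0.2, phi=0.6)
HIGH = dict(beta=0.8, gamma=0.2, alpha=0.5, eps=2.0, eta=0.2, phi=0.6)

if __name__ == "__main__":
    for name, p in (("LOW", LOW), ("HIGH", HIGH)):
        print(name, round(threshold(**p), 3), simulate(0.3, 0.1, p))
```

In this assumed model the threshold reduces to beta*phi/gamma, so it rises with beta and phi and falls with gamma; trajectories started from the same state die out for LOW and settle on the nonzero steady state for HIGH.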

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the Natural Science Foundation of Guangdong Province, China (no. 2014A030310239).