Security and Communication Networks

Volume 2018, Article ID 9756982, 11 pages

https://doi.org/10.1155/2018/9756982

## An Epidemic Model of Computer Worms with Time Delay and Variable Infection Rate

^{1}Key Laboratory of Medical Image Computing, Ministry of Education, Northeastern University, Shenyang 110004, China^{2}College of Computer Science and Engineering, Northeastern University, Shenyang 110819, China^{3}Software College, Northeastern University, Shenyang 110819, China

Correspondence should be addressed to Qiang Fu; moc.kooltuo@uf.gnaiq

Received 13 November 2017; Revised 15 January 2018; Accepted 28 January 2018; Published 6 March 2018

Academic Editor: Angel M. Del Rey

Copyright © 2018 Yu Yao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

With rapid development of Internet, network security issues become increasingly serious. Temporary patches have been put on the infectious hosts, which may lose efficacy on occasions. This leads to a time delay when vaccinated hosts change to susceptible hosts. On the other hand, the worm infection is usually a nonlinear process. Considering the actual situation, a variable infection rate is introduced to describe the spread process of worms. According to above aspects, we propose a time-delayed worm propagation model with variable infection rate. Then the existence condition and the stability of the positive equilibrium are derived. Due to the existence of time delay, the worm propagation system may be unstable and out of control. Moreover, the threshold of Hopf bifurcation is obtained. The worm propagation system is stable if time delay is less than . When time delay is over , the system will be unstable. In addition, numerical experiments have been performed, which can match the conclusions we deduce. The numerical experiments also show that there exists a threshold in the parameter , which implies that we should choose appropriate infection rate to constrain worm prevalence. Finally, simulation experiments are carried out to prove the validity of our conclusions.

#### 1. Introduction

With the deep application of the Internet, network security plays a more and more important role in recent years. Among the security events, the consequences of large-scale network attacks (such as worm attacks and DOS attacks) are especially serious. Meanwhile, the characteristics of worm attacks are wide infection scale, fast spread speed, and serious harm. Consequently, many experts focus on the spread of Internet worms. Some traditional epidemic models of infectious diseases were used to describe the propagation of Internet worms [1] when the Red Code worms broke out. In order to study the spread of malware among mobile phones, the SIS model [2] is proposed by some researchers. Qing and Wen introduced the Kermack-McKendrick model, which is also called SIR model [3]. Then many mathematical models [4–9] inspired by the SIR model have been employed to constrain the propagation of Internet worms. Some research achievements [10–12] showed that the spread dynamic system of malware would be unstable and bifurcation and chaos would appear. Considering the fact that the intrusion detection system (IDS) may lead to time delay, Yao et al. [13–15] obtained the threshold of time delay when Hopf bifurcation occurred. Pulse quarantine strategy [16] also has been taken to constrain the propagation of worms in network. Due to the effect of different topologies, some experts presented different models [9, 17] to analyse the results.

Although most of previous works can offer useful insight into the Internet worm propagations, some of them fail to grasp the detail that has important impact on the worm propagation. Namely, some of the previous models ignore the variation of the infection rate. They usually regard it as a constant that cannot describe the characteristics and dynamics of worm propagation accurately, such as SIS model [18], SIR models [12, 19], SIRS model [20], and SIES model [21]. Moreover, some unconventional models such as delayed models [6, 22] and impulsive models [23, 24] have been proposed. Analogously, these models regard infection rate as a constant as well. In the early stages of worm invasion, the number of infected nodes is small and the linear assumption is still more reasonable. However, as the number of infected nodes increases, the true infection rate will tend to be saturated, and it can be significantly nonlinear. In this case, the linear assumption will overestimate the harmfulness of the worms and lead to great waste of resources.

In this paper, a variable infection rate is introduced into the worm propagation. Some experts have suggested that worm infection is a nonlinear process. The majority of previous models mentioned above are based on the bilinear incidence rate assumption, which is a good approximation of the general incidence rate in the case where the proportion of infected computers is small. However, in reality, the density of infected computers may be large [25]. To understand the spreading behaviour of worm propagation better, it is necessary to study epidemic models with general incidence rate. The nonlinear infection rate is used to capture the dynamics of overcrowded infectious networks and high viral loads [26]. Gan et al. [25] show that some nonlinear incidence rates may be conducive to the containment of computer viruses. Feng et al. [27] have proposed the SIRS model with a variable infection rate which plays an important role in the spread of the Internet worm. We consider that the vaccinated hosts (the immunizing hosts) may turn to susceptible hosts (the hosts liable to infection by worms) if the worm variants appear or the patches lose efficacy, and this process may take a period of time. Due to the existence of time delay, vaccinated hosts go through a temporary state (delayed state) after the failure of vaccination before becoming susceptible. In this paper, we try to establish a realistic worm propagation model, motivated by the works [7, 27]. This model can give deep insight into predicting worm spread in networks.

The subsequent materials of this work are organized as follows. In Section 2, we present the SIQVD model. Section 3 analyses the stability of equilibrium and the threshold of Hopf bifurcation. In Section 4, we carry out the numerical analysis and simulation of our model. Section 5 gives the conclusion and proposes useful strategies.

#### 2. Model Formulation

We propose a model of worm propagation to describe the spreading behaviour of Internet worms more realistically in this paper. Susceptible hosts can turn to the infectious state by many factors. Many classical models employ bilinear infection rate described by , where is determined by the probability of transmission contact between* S* (susceptible hosts) and* I* (infectious hosts). Previous models usually regard as a constant. In fact, the worm infection is a nonlinear process so that should be adjusted to . Infectious hosts can change to vaccinated hosts if there are countermeasures applying to them. The countermeasures include antivirus software, firewall, and patching. Meanwhile, we consider zero-day attacks in this paper. Zero-day attacks spread Internet worms through vulnerabilities of the system or software. Usually, the time of the whole process is not over 24 hours. There are no effective and safe patches when the zero-day attacks appear. So quarantine strategy is proposed to control the worm propagation for the hosts without useful patches. The application of the quarantine strategy relies on the hybrid intrusion detection system (IDS). The hybrid IDS not only can detect unknown worms making up for the lack of misuse detection system but also can avoid the high rate of false positives generated by the anomaly detection system. Thus, some hosts are in quarantined state. And the quarantined hosts can turn to vaccinated hosts by installing patches. Usually some patches are temporary and the temporary patches may lose efficacy if we install operating systems. When the worm variants and unknown worms appear, vaccinated hosts may change to susceptible states. This process can generate a time delay which we called delay states.

We assume that all the hosts change over time among five states: susceptible (*S*), infectious (*I*), quarantined (*Q*), vaccinated (*V*), and delay (*D*). Let , , , , and denote the number of susceptible, infectious, quarantined, vaccinated, and delay hosts, respectively, at time . We assume that the total number of all the hosts throughout Internet is* N*. The transition diagram is given in Figure 1.