Special Issue: Mathematical Models for Malware Propagation
An Epidemic Model of Computer Worms with Time Delay and Variable Infection Rate
With the rapid development of the Internet, network security issues have become increasingly serious. Temporary patches are applied to infectious hosts, but they may occasionally lose efficacy. This leads to a time delay when vaccinated hosts change back to susceptible hosts. On the other hand, worm infection is usually a nonlinear process. To reflect the actual situation, a variable infection rate is introduced to describe the spread of worms. Based on these two aspects, we propose a time-delayed worm propagation model with a variable infection rate. Then the existence condition and the stability of the positive equilibrium are derived. Due to the existence of time delay, the worm propagation system may be unstable and out of control. Moreover, the threshold of Hopf bifurcation is obtained. The worm propagation system is stable if time delay is less than . When time delay is over , the system will be unstable. In addition, numerical experiments have been performed, and they match the conclusions we deduce. The numerical experiments also show that there exists a threshold in the parameter , which implies that we should choose an appropriate infection rate to constrain worm prevalence. Finally, simulation experiments are carried out to prove the validity of our conclusions.
With the widespread application of the Internet, network security has played an increasingly important role in recent years. Among security events, the consequences of large-scale network attacks (such as worm attacks and DoS attacks) are especially serious. Worm attacks are characterized by wide infection scale, fast spread speed, and serious harm. Consequently, many experts focus on the spread of Internet worms. Some traditional epidemic models of infectious diseases were used to describe the propagation of Internet worms  when the Code Red worms broke out. In order to study the spread of malware among mobile phones, the SIS model  was proposed by some researchers. Qing and Wen introduced the Kermack-McKendrick model, which is also called the SIR model . Then many mathematical models [4–9] inspired by the SIR model have been employed to constrain the propagation of Internet worms. Some research achievements [10–12] showed that the spread dynamic system of malware would be unstable and that bifurcation and chaos would appear. Considering the fact that the intrusion detection system (IDS) may lead to time delay, Yao et al. [13–15] obtained the threshold of time delay at which Hopf bifurcation occurred. A pulse quarantine strategy  has also been used to constrain the propagation of worms in networks. Due to the effect of different topologies, some experts presented different models [9, 17] to analyse the results.
Although most previous works offer useful insight into Internet worm propagation, some of them fail to grasp a detail that has an important impact on it. Namely, some of the previous models ignore the variation of the infection rate. They usually regard it as a constant, which cannot describe the characteristics and dynamics of worm propagation accurately, as in the SIS model , SIR models [12, 19], SIRS model , and SIES model . Moreover, some unconventional models such as delayed models [6, 22] and impulsive models [23, 24] have been proposed. These models likewise regard the infection rate as a constant. In the early stages of worm invasion, the number of infected nodes is small and the linear assumption is still reasonable. However, as the number of infected nodes increases, the true infection rate will tend to saturate, and it can be significantly nonlinear. In this case, the linear assumption will overestimate the harmfulness of the worms and lead to a great waste of resources.
In this paper, a variable infection rate is introduced into the worm propagation. Some experts have suggested that worm infection is a nonlinear process. The majority of previous models mentioned above are based on the bilinear incidence rate assumption, which is a good approximation of the general incidence rate in the case where the proportion of infected computers is small. However, in reality, the density of infected computers may be large . To understand the spreading behaviour of worm propagation better, it is necessary to study epidemic models with general incidence rate. The nonlinear infection rate is used to capture the dynamics of overcrowded infectious networks and high viral loads . Gan et al.  show that some nonlinear incidence rates may be conducive to the containment of computer viruses. Feng et al.  have proposed the SIRS model with a variable infection rate which plays an important role in the spread of the Internet worm. We consider that the vaccinated hosts (the immunizing hosts) may turn to susceptible hosts (the hosts liable to infection by worms) if the worm variants appear or the patches lose efficacy, and this process may take a period of time. Due to the existence of time delay, vaccinated hosts go through a temporary state (delayed state) after the failure of vaccination before becoming susceptible. In this paper, we try to establish a realistic worm propagation model, motivated by the works [7, 27]. This model can give deep insight into predicting worm spread in networks.
The subsequent materials of this work are organized as follows. In Section 2, we present the SIQVD model. Section 3 analyses the stability of equilibrium and the threshold of Hopf bifurcation. In Section 4, we carry out the numerical analysis and simulation of our model. Section 5 gives the conclusion and proposes useful strategies.
2. Model Formulation
In this paper, we propose a model of worm propagation that describes the spreading behaviour of Internet worms more realistically. Susceptible hosts can turn to the infectious state through many factors. Many classical models employ a bilinear infection rate described by , where is determined by the probability of transmission contact between S (susceptible hosts) and I (infectious hosts). Previous models usually regard as a constant. In fact, worm infection is a nonlinear process, so should be adjusted to . Infectious hosts can change to vaccinated hosts if countermeasures are applied to them. The countermeasures include antivirus software, firewalls, and patching. Meanwhile, we consider zero-day attacks in this paper. Zero-day attacks spread Internet worms through vulnerabilities of the system or software. Usually, the whole process takes no more than 24 hours. There are no effective and safe patches when zero-day attacks appear, so a quarantine strategy is proposed to control worm propagation for the hosts without useful patches. The application of the quarantine strategy relies on a hybrid intrusion detection system (IDS). The hybrid IDS can detect unknown worms, making up for the shortcomings of a misuse detection system, and can also avoid the high rate of false positives generated by an anomaly detection system. Thus, some hosts are in the quarantined state, and the quarantined hosts can turn to vaccinated hosts by installing patches. Usually some patches are temporary, and the temporary patches may lose efficacy if we install operating systems. When worm variants and unknown worms appear, vaccinated hosts may change to the susceptible state. This process generates a time delay, which we call the delay state.
We assume that all the hosts change over time among five states: susceptible (S), infectious (I), quarantined (Q), vaccinated (V), and delay (D). Let , , , , and denote the number of susceptible, infectious, quarantined, vaccinated, and delay hosts, respectively, at time . We assume that the total number of all the hosts throughout Internet is N. The transition diagram is given in Figure 1.
In order to show the parameters clearly, we list some frequent notations of the model in Notations.
After above description, we can express the model with the following equations: where changes with time . We regard the infection rate as , where is a nonlinear function of . For being nonlinear, the function is assumed to satisfy the following assumptions :(1).(2).(3).(4).
In other words, is an increasing function that is bounded (by the constant ).
From the above discussion, we can express the model by the following differential equations: where .
3. Stability of Equilibrium and Bifurcation Analysis
Theorem 1. System (2) has a unique positive equilibrium point when , where
Proof. When system (2) is stable, it satisfies the following equations: We make ; then we have Since the total number of hosts in system (5) is , we can get the following equation of : Then we calculate the sign of its derivative as follows: Since , we can get . As a result, . If there exists a positive root of , must satisfy . So we can get From (9), we can conclude that when . Hence, there exists a positive equilibrium point if . The proof is completed.
Since , we can simplify system (2) as follows:
The Jacobi matrix of system (10) about is given by
The characteristic equation of the matrix (11) can be obtained by
The expressions of are where
Theorem 2. If the condition is satisfied as , the positive equilibrium is locally asymptotically stable without time delay.
Proof. When , (12) simplifies to According to the Routh-Hurwitz criterion, all the roots of (16) have negative real parts. Hence, we can deduce that the positive equilibrium is locally asymptotically stable without time delay. The proof is completed.
It can be written as where
Let ; then (20) can be turned into
Theorem 3. Assume that is satisfied; , , , or ; , , and there is no such that and . Then the positive equilibrium of system (1) is absolutely stable. Namely, is asymptotically stable for any time delay .
Assume that the coefficients in satisfy the following condition: (a) , or ; (b) , and there is no such that and .
Let be the root of (12). It is satisfied that .
This means that there exists at least one eigenvalue with positive real part when . Differentiating on both sides of (12) with respect to , we can obtain
Then it follows hypothesis and . Therefore
According to Routh’s theorem, the root of characteristic equation (12) crosses from left to right on the imaginary axis as continuously varies from a value less than to one greater than . Hence, according to Hopf bifurcation theorem for functional differential equations, the transverse condition holds and the conditions for Hopf bifurcation are satisfied at .
Theorem 5. Supposing that the conditions and are satisfied,
(1) when , the positive equilibrium of system (2) is locally asymptotically stable and it is unstable when ,
(2) when system (2) satisfies , the system undergoes a Hopf bifurcation at the positive equilibrium when .
This implies that when the time delay , the system will stabilize at its equilibrium point, which is beneficial for us to implement a containment strategy; when the delay , the system will be unstable and worms cannot be effectively controlled.
4. Numerical Simulations and Simulation Experiments
In order to verify the theorems proposed in this paper, we have made the numerical experiments in this section. We select the Slammer worm for experiments. The total number of hosts is assumed as 400000. Based on the actual situation, the worm’s average scan rate is per second. We can calculate the infection rate . The susceptible hosts change to vaccinated hosts at rate . The recovered rate of infectious hosts is set as . The quarantine rate of infectious hosts is 0.2 and the immunity rate of quarantined hosts is 0.05. The vaccinated hosts lose immunity at rate . We choose the nonlinear function ; then we have , where is the parameter that represents the infection rate sensitivity to the number of infected hosts . When is zero, it means that the infection rate is a constant. Then we can get . At first, the number of infectious hosts is five and the others’ states are susceptible.
When , we can see the changes of the numbers of four kinds of hosts in Figure 2. From Figure 2, we can find that every kind of host becomes stable when , which implies that is locally asymptotically stable. Figure 3 shows the numbers of susceptible, infectious, quarantined, vaccinated, and delayed hosts when . In this figure, the host curves clearly fluctuate, and it is hard for us to predict the propagation of worms.
In order to see the influence of time delay, Figure 4 shows the number of infectious hosts in the same coordinate with different time delays , , , and . Time delay has little effect in the initial stage of worm propagation, as shown by the overlap of the four curves. With the increase of time delay, the curve begins to oscillate. The infecting process becomes unstable when the time delay passes through the threshold , which agrees with our conclusions.
Figures 5 and 6 show the number of infected hosts in the same condition with , , and when and . From these two figures, we can conclude that the larger is, the lower the peak of the number of infectious hosts is. Therefore, we can choose appropriate to get proper to constrain the spread of Internet worms.
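An added example, not code from the paper: a forward-Euler integration of the five-state flow described in Section 2, showing how the sensitivity parameter lowers the peak number of infectious hosts. Assumptions: the flow equations are reconstructed from the transition descriptions in the text, the saturating form `BETA0 / (1 + alpha * I)` and the names `alpha` and `tau` are hypothetical, and every rate marked constructed in the code is illustrative rather than the paper's value.

```python
from collections import deque

# Values stated on the page
N = 400_000      # total number of hosts
I0 = 5           # initially infectious hosts
THETA = 0.2      # quarantine rate of infectious hosts
PHI = 0.05       # immunity rate of quarantined hosts
# Constructed values (the paper's own numbers are missing from this page)
BETA0 = 1e-6     # initial infection rate
MU = 0.001       # immune rate of susceptible hosts
GAMMA = 0.01     # recovered rate of infectious hosts
OMEGA = 0.005    # rate at which vaccinated hosts lose immunity


def infection_rate(i, alpha):
    """Assumed saturating rate BETA0 / (1 + alpha * I); constant if alpha == 0."""
    return BETA0 / (1.0 + alpha * i)


def simulate(alpha, tau, t_end=1000.0, dt=0.1):
    """Forward-Euler run of the assumed flows; rows are (t, S, I, Q, V, D)."""
    s, i, q, v, d = float(N - I0), float(I0), 0.0, 0.0, 0.0
    # Hosts entering D wait tau before rejoining S; nobody is in D before t = 0.
    waiting = deque([0.0] * int(round(tau / dt)))
    rows = [(0.0, s, i, q, v, d)]
    for k in range(1, int(round(t_end / dt)) + 1):
        lost = OMEGA * v * dt                              # V -> D
        waiting.append(lost)
        back = waiting.popleft()                           # D -> S after the delay
        infected = infection_rate(i, alpha) * s * i * dt   # S -> I
        vaccinated = MU * s * dt                           # S -> V
        recovered = GAMMA * i * dt                         # I -> V
        quarantined = THETA * i * dt                       # I -> Q
        patched = PHI * q * dt                             # Q -> V
        s += back - infected - vaccinated
        i += infected - recovered - quarantined
        q += quarantined - patched
        v += vaccinated + recovered + patched - lost
        d += lost - back
        rows.append((k * dt, s, i, q, v, d))
    return rows


def peak_infectious(alpha, tau=50.0):
    """Largest number of infectious hosts seen during the run."""
    return max(row[2] for row in simulate(alpha, tau))


if __name__ == "__main__":
    for alpha in (0.0, 1e-5, 1e-4):
        print(f"alpha={alpha:g}  peak I = {peak_infectious(alpha):.0f}")
```

With these constructed rates, infectious hosts can only increase while `BETA0 * S / (1 + alpha * I)` exceeds `GAMMA + THETA`, which is why a larger `alpha` caps the outbreak at a lower level.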
Figure 7 shows the phase portrait of susceptible hosts and infectious hosts of system (2) when . Moreover, Figure 8 shows the condition when . From the figures, we can find that the curve converges to a fixed point, which implies that the system is stable when and the curve radiates to a limit cycle, which implies that the system is unstable when . Figures 9 and 10 are the projection of the phase portrait of system (2) in -space at and . The same conclusion can be obtained by the figures.
Figure 11 gives the bifurcation diagram of system (2) with the parameter . It can be easily obtained that the Hopf bifurcation occurs at , which is similar to results of theoretical derivation. Figure 12 gives the bifurcation diagram of system (2) with the parameter . The Hopf bifurcation occurs at . Comparing the two figures, it is shown that the parameter has effect on the time of Hopf bifurcation occurrence. As the parameter increases, the Hopf bifurcation occurs at a later time.
In order to simulate the actual behaviour of worm propagation and verify the correctness of the theoretical analysis and numerical simulation, we carry out the discrete-time simulation, which is an expanded version of Zou et al.’s  program. The simulation experiment is used to simulate the worm propagation in the real network. There are 400000 hosts in our simulation experiments. At first, we randomly choose five hosts in the network to be infectious hosts and the others’ states are set to be susceptible. In the simulation experiments, the implementation of transition rates of the worm propagation model depends on probability.
Figure 13 shows the comparisons between numerical and simulation curves of susceptible, infectious, quarantined, and vaccinated hosts when , which implies that the simulation curves match the numerical curves very well.
When the value of increases and passes over the threshold value of , namely, , numerical and simulation curves of susceptible, infectious, quarantined, and vaccinated hosts can also match very well as Figure 14 shows. We can find that there exists a difference between numerical and simulation curves because of the high precision of numerical experiment. However, the small difference does not affect the validity of our conclusions.
5. Conclusions
In this paper, we propose a SIQVD model with the variable infection rate based on the consideration of a quarantine strategy. Then we analyse the stability of the positive equilibrium and Hopf bifurcation. The critical time delay in which Hopf bifurcation appears is obtained. Through the theoretical analysis, the useful conclusions are obtained, which can be verified by the numerical experiments and simulations. The following conclusions can be derived by the current research:
(1) The worm propagation system is stable when time delay . In this condition, we can predict the spread of worms correctly, and the worms can be reduced to a low extent at last.
(2) The worm propagation system is unstable when time delay , and the system is out of control. Therefore, time delay should be controlled in a proper range: .
(3) When parameter increases an order of magnitude, the infection rate reduces and the peak of the number of infected hosts will decrease very obviously. Meanwhile, will be reduced by the decrease of . Hence, there exists a threshold for , and we can choose proper infection rate by adjusting the value of to control the prevalence of worms.
The worm propagation model can be used for Internet worms, such as Code Red worms, Slammer worms, and Witty worms. It can predict the spreading behaviour of Internet worms more realistically. In our future work, we will focus more on the network structure and study it further.
Notations
| Symbol | Description |
|---|---|
| | The number of susceptible hosts at time |
| | The number of infectious hosts at time |
| | The number of quarantined hosts at time |
| | The number of vaccinated hosts at time |
| | The number of delay hosts at time |
| | The total number of hosts throughout Internet |
| | The infection rate at time |
| | The initial infection rate |
| | The immune rate of susceptible hosts |
| | The recovered rate of infectious hosts |
| | The quarantine rate of infectious hosts |
| | The immunity rate of quarantined hosts |
| | The rate at which the vaccinated hosts lose immunity |
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
This paper is supported by Program for Fundamental Research Funds of the Central Universities (Grants nos. N150402006 and N161704005) and the Doctoral Scientific Research Foundation of Liaoning Province (20170520122).
S. Staniford, V. Paxson, and N. Weaver, “How to Own the Internet in Your Spare Time,” pp. 149–169, 2002.
C. C. Zou, W. B. Gong, and D. Towsley, “Worm propagation modeling and analysis under dynamic quarantine defense,” in Proceedings of the ACM Workshop on Rapid Malcode (WORM '03), pp. 51–60, Washington, DC, USA, October 2003.
Y. Yao, X. Feng, W. Yang, W. Xiang, and F. Gao, “Analysis of a delayed internet worm propagation model with impulsive quarantine strategy,” Mathematical Problems in Engineering, vol. 5, p. 2014, 2014.
Y. Yao, L. Guo, and H. Guo, “Pulse quarantine strategy of internet worm propagation: Modelling and analysis,” Computers Electrical Engineering, vol. 38, no. 5, pp. 1047–1061, 2012.
C. Gan, X. Yang, W. Liu, Q. Zhu, and X. Zhang, “Propagation of Computer Virus under Human Intervention: A Dynamical Model,” in Discrete Dynamics in Nature and Society, pp. 203–222, 2012.