Mathematical Models for New Types of Cyberattack and Associated Defence Strategies
Stability Analysis of a Dynamical Model for Malware Propagation with Generic Nonlinear Countermeasure and Infection Probabilities
The dissemination of countermeasures is widely recognized as one of the most effective strategies for inhibiting malware propagation, and the study of general countermeasure and infection has important practical significance. To this end, a dynamical model incorporating generic nonlinear countermeasure and infection probabilities is proposed. Theoretical analysis shows that the model has a unique equilibrium which is globally asymptotically stable. Accordingly, a real network based on the model assumptions is constructed, and some numerical simulations are conducted on it. The simulations not only illustrate the theoretical results but also demonstrate the reasonableness of general countermeasure and infection.
1. Introduction and Model Formulation
Human society has suffered great financial losses as malware has continually emerged (e.g., [1, 2]). The modeling and understanding of malware spreading has attracted a lot of attention over the past three decades or so, and a multitude of propagation models capturing the behaviors of malware have been proposed. These include SIS (susceptible-infected-susceptible) models (e.g., [3, 4]), SIRS (susceptible-infected-recovered-susceptible) models (e.g., [5, 6]), SLBS (susceptible-latent-breaking-susceptible) models (e.g., [7, 8]), SICS (susceptible-infected-countermeasured-susceptible) models (e.g., [9–11]), and the SDIRS (susceptible-delitescent-infected-recovered-susceptible) model (e.g., ).
In the field of malware, countermeasures such as software patches or warnings offer a valid approach to helping individuals and organizations avert malware infection (e.g., [13, 14]). In 2004, the CMC (Countermeasure Competing) strategy was proposed by Chen and Carley. Their results on empirical malware data reveal that the CMC strategy is more effective than previous strategies.
Inspired by this work and in order to macroscopically describe the mixed transmission of malware and countermeasures, Zhu et al. presented a compartment model. The dynamics of the model were analyzed. Later, Yang and Yang simply extended this model by incorporating the impacts of infected removable storage media and external nodes (e.g., computers). However, both models neglect two important facts. On the one hand, they ignore the fact that a linear infection probability is a good fit for real-world situations only when the infected nodes are few. On the other hand, they overlook the fact that countermeasures may propagate through networks at different rates. Thus, the assumptions of linear infection and countermeasure probabilities are unreasonable.
To remedy these flaws and considering the impacts of general countermeasure and infection on the spread of malware, this paper studies a new dynamical model (see Figure 1), which incorporates generic countermeasure and infection probabilities. Here, , , and (, , and , for short) denote the average numbers of susceptible, infected, and countermeasured internal nodes (i.e., nodes on the network) at time , respectively. Their entering rates are , , and , respectively. Besides, the following basic hypotheses of the model are made:
(H1) Each internal node leaves the network with probability .
(H2) At time , each susceptible internal node gets infected by infected internal nodes with probability , where is twice continuously differentiable, , and . The concavity hypothesis fits well with the saturation property of the infection probability.
(H3) At time , each infected or susceptible internal node obtains the newest countermeasure with probability , where is twice continuously differentiable, , and .
(H4) By reinstalling the operating system, each infected (or countermeasured) internal node becomes susceptible with probability (or ).
Combining the above hypotheses, the new proposed model can be represented by the following system:with initial condition .
The global asymptotic stability of the unique (viral) equilibrium of model (1) is proved and illustrated. Additionally, a new network is constructed based on the above assumptions, and some numerical simulations are carried out on it.
The paper is organized as follows. Section 2 determines the (viral) equilibrium and investigates its local and global stability. Experimental analysis is presented in Section 3. Finally, some conclusions and outlooks are given in Section 4.
2. Model Analysis
Let , and . Adding up the three equations of system (1), one can easily obtain that . It follows by the asymptotically autonomous system theory  that system (1) is equivalent to the following reduced limiting system:with initial condition , whereand is positively invariant for system (2).
In the following sections, we just need to investigate the dynamical behavior of system (2).
Theorem 1. System (2) has a unique (viral) equilibrium , where is the unique positive solution to the following system:with the initial condition .
Proof. Let us assume that is an equilibrium of system (2). Clearly, satisfies system (4).
Firstly, let us prove that the second equation of system (4) has a unique positive root. LetAs and , it follows that has a zero located in the interval . Furthermore, note thatWe shall proceed by distinguishing two possibilities depending on whether is positive or negative. Case 1: . LetThus, is strictly increasing and decreasing in and , respectively, which implies that has a single zero in . Case 2: . Hence, is strictly decreasing and has a single zero.Collecting the above discussions, it can be concluded that does have a unique zero. Then, , and .
Next, let us prove that the first equation of system (4) has a unique positive root. LetAs and , does have a (positive) zero located in the interval . Besides, notice thatWe shall also proceed by distinguishing two possibilities depending on whether is positive or negative. Case 1: . LetThus, is strictly increasing and decreasing in and , respectively, implying that has a single zero in . Case 2: . Thus, is strictly decreasing and has a single zero. Then, always has a unique zero . Besides, .In conclusion, the claimed result is proved.
2.2. Local Stability
Theorem 2. is locally asymptotically stable with respect to .
2.3. Global Stability
Lemma 1. System (2) admits no periodic orbit.
Proof. LetIn the interior of , it is easily obtained thatLetAs and for all , .
LetAs and for all , . Thus, we have .
Hence, it follows from the Bendixson–Dulac criterion that system (2) admits no periodic orbit in the interior of .
On the boundary of , let denote an arbitrary point. Thus, three possibilities can be considered. Case 1: , . Then, . Case 2: , . Then, . Case 3: , , . Thus,Hence, system (2) has no periodic orbit across . In conclusion, the claimed result is proved.
By Theorems 1 and 2, Lemma 1, and the generalized Poincaré–Bendixson theorem, we can easily obtain the main result of this paper as follows.
Theorem 3. is globally asymptotically stable with respect to .
In Figures 2 and 3, six orbits of system (1) are examined with different system parameters and different initial conditions, respectively. The illustrated results are in accordance with the main theoretical result (i.e., Theorem 3).
3. Model Simulation
In Section 2, some orbits of system (1) have been examined in Figures 2 and 3. In order to further illustrate the main result and the impacts of nonlinear countermeasure and infection probabilities, some simulations are run on a constructed network, which is based on the model assumptions. For brevity, a computer is called a node.
As was treated in the work , let denote the state of node i at time , where is a nonnegative integer. Let , , and denote, at time , the numbers of susceptible, infected, and countermeasured nodes, respectively. Now, let us introduce the network iterative rules.
Rule 1. Each internal node at time would be disconnected from the network with probability at time .
Rule 2. external nodes, including susceptible nodes, infected nodes, and countermeasured nodes, would be connected to the network at the next time.
Rule 3. The state of each susceptible internal node at time is determined by the following rule:
Rule 4. The state of each infected internal node at time is determined by the following rule:
Rule 5. The state of each countermeasured internal node at time is determined by the following rule:
Example 1. Consider system (1) with , , , , , , , and . Three initial conditions are , , and , respectively. Figure 4 shows that the results of theoretical prediction quite agree with the experimental ones.
Example 2. Consider three sets of parameters for system (1): (a) , , , , , , , and ; (b) , , , , , , , and ; (c) , , , , , , , and . The common initial condition is . Figure 5 reveals that the results of experiment and theoretical predictions are almost identical.
Example 3. Consider two systems induced by system (1) with , , , , , and , where one system is with and and the other with and . The common initial condition is . Figure 6 demonstrates that the new model with nonlinear infection and countermeasure probabilities is more reasonable than the original model because malware would always be there and would not go extinct.
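The kind of comparison between theoretical prediction and experiment described in this section, as an added example that is not the authors' code: it integrates the compartment equations implied by hypotheses (H1)-(H4) and runs Rules 1-5 as a node-level simulation. The symbol names, the parameter values, the saturating forms chosen for the two probabilities, and the order in which competing transitions are resolved are all assumptions, since the page does not give them.

```python
import random

# Constructed parameters and assumed names (not the paper's): MU entering rates,
# DELTA leave probability, G1/G2 reinstall probabilities (infected/countermeasured).
MU, DELTA, G1, G2 = (40, 10, 10), 0.05, 0.02, 0.02

def f(i):  # assumed infection probability: f(0)=0, increasing, concave
    return 0.0002 * i / (1 + 0.001 * i)

def g(c):  # assumed countermeasure probability, same saturating shape
    return 0.0001 * c / (1 + 0.001 * c)

def mean_field(s, i, c, t_end=500.0, h=0.05):
    """Euler-integrate the compartment ODE implied by (H1)-(H4)."""
    for _ in range(int(t_end / h)):
        ds = MU[0] - (f(i) + g(c) + DELTA) * s + G1 * i + G2 * c
        di = MU[1] + f(i) * s - (g(c) + G1 + DELTA) * i
        dc = MU[2] + g(c) * (s + i) - (G2 + DELTA) * c
        s, i, c = s + h * ds, i + h * di, c + h * dc
    return s, i, c

def step(s, i, c, rng):
    """One pass of Rules 1-5 over every node (transition order is assumed)."""
    pf, pg = f(i), g(c)
    new = list(MU)                                   # Rule 2: nodes that connect
    for state, count in enumerate((s, i, c)):        # 0=S, 1=I, 2=C
        for _ in range(count):
            if rng.random() < DELTA:                 # Rule 1: node disconnects
                continue
            u = rng.random()
            if state == 0:                           # Rule 3: S -> C, I or S
                nxt = 2 if u < pg else 1 if u < pg + pf else 0
            elif state == 1:                         # Rule 4: I -> C, S or I
                nxt = 2 if u < pg else 0 if u < pg + G1 else 1
            else:                                    # Rule 5: C -> S or C
                nxt = 0 if u < G2 else 2
            new[nxt] += 1
    return tuple(new)

def experiment(s, i, c, steps=500, burn=200, seed=1):
    """Time-averaged node counts after a burn-in, with a fixed seed."""
    rng, total = random.Random(seed), [0, 0, 0]
    for t in range(steps):
        s, i, c = step(s, i, c, rng)
        if t >= burn:
            total = [a + b for a, b in zip(total, (s, i, c))]
    return tuple(x / (steps - burn) for x in total)
```

Calling `mean_field` from different initial conditions returns the same point, which is the behaviour Theorem 3 states, and `experiment` gives averages close to it; the infected count stays well above zero because infected nodes keep entering the network.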
4. Summary and Outlook
In order to investigate the impacts of general countermeasure and infection on the diffusion of malware, a new propagation model, which incorporates nonlinear generic infection and countermeasure probabilities, has been presented and analyzed. The global stability of the unique (viral) equilibrium has been proved. Additionally, some simulations have been run on a constructed network whose iterative rules are consistent with the model assumptions. The simulation results illustrate the main result and the effects of general countermeasure and infection.
Follow-up work is planned as follows. Firstly, time delays (e.g., [19, 20]), pulses (e.g., [21, 22]), random fluctuations (e.g., [23, 24]), and optimal control strategies (e.g., [25–27]) can be considered in the new model. Secondly, the new model may be extended to wireless sensor networks (e.g., [28–30]) and social networks (e.g., ). Finally, the new proposed model can be formulated for cloud computing security (e.g., ).
Data sharing is not applicable to this article as no datasets were generated.
Conflicts of Interest
All authors declare no conflicts of interest.
The authors claim that the research was realized in collaboration with the same responsibility. All authors read and approved the last version of the manuscript.
This work was supported by the Natural Science Foundation of Shanxi Province of China under Grants 201901D111311 and 201801D121117.
P. J. Denning, Computers under Attack: Intruders, Worms and Viruses, Addison-Wesley, Boston, MA, USA, 1990.
P. Szor, The Art of Computer Virus Research and Defense, Addison-Wesley Professional, Boston, MA, USA, 2005.
R. C. Robinson, An Introduction to Dynamical System: Continuous and Discrete, Prentice-Hall, Englewood Cliffs, NJ, USA, 2004.