## Mathematical Models for New Types of Cyberattack and Associated Defence Strategies

View this Special IssueResearch Article | Open Access

Xulong Zhang, Xiaoxia Song, "Stability Analysis of a Dynamical Model for Malware Propagation with Generic Nonlinear Countermeasure and Infection Probabilities", *Security and Communication Networks*, vol. 2020, Article ID 8859883, 7 pages, 2020. https://doi.org/10.1155/2020/8859883

# Stability Analysis of a Dynamical Model for Malware Propagation with Generic Nonlinear Countermeasure and Infection Probabilities

**Academic Editor:**Qingyi Zhu

#### Abstract

The dissemination of countermeasures is widely recognized as one of the most effective strategies of inhibiting malware propagation, and the study of general countermeasure and infection has an important and practical significance. On this point, a dynamical model incorporating generic nonlinear countermeasure and infection probabilities is proposed. Theoretical analysis shows that the model has a unique equilibrium which is globally asymptotically stable. Accordingly, a real network based on the model assumptions is constructed, and some numerical simulations are conducted on it. Simulations not only illustrate theoretical results but also demonstrate the reasonability of general countermeasure and infection.

#### 1. Introduction and Model Formulation

Human society has been subjected to great financial losses since malware constantly emerged (e.g., [1, 2]). The study of modeling and understanding malware spreading has attracted a lot of attention in the past three decades or so, and a multitude of propagation models capturing the behaviors of malware have been proposed. Specifically, SIS (susceptible-infected-susceptible) models (e.g., [3, 4]), SIRS (susceptible-infected-recovered-susceptible) models (e.g., [5, 6]), SLBS (susceptible-latent-breaking-susceptible) models (e.g., [7, 8]), SICS (susceptible-infected-countermeasured-susceptible) models (e.g., [9–11]), and SDIRS (susceptible-delitescent-infected-recovered-susceptible) model (e.g., [12]).

In the field of malware, countermeasures such as software patches or warnings can supply a valid approach to helping individuals and organizations avert malware infection problems (e.g., [13, 14]). In 2004, the CMC (Countermeasure Competing) strategy is proposed by Chen and Carley [15]. Their results reveal that the CMC strategy is more effective than previous strategies by the empirical malware data.

Inspired by this work and in order to macroscopically describe the mixing transmission of malware and countermeasures, Zhu et al. [9] presented a compartment model. The dynamics of the model was performed. Later, Yang and Yang [10] simply extended this model by incorporating the impacts of infected removable storage media and external nodes (e.g., computers). However, these two models both neglect two important facts. On the one hand, they ignore the fact that the linear infection probability is a well fit for the real-world situations only when the infected nodes are few. On the other hand, they overlook the fact that countermeasures may propagate through networks at different rates. Thus, the assumptions of linear infection and countermeasure probabilities are unreasonable.

To remedy these flaws and considering the impacts of general countermeasure and infection on the spread of malware, this paper studies a new dynamical model (see Figure 1), which incorporates generic countermeasure and infection probabilities. Here, , , and (, , and , for short) denote the average numbers of susceptible, infected, and countermeasured internal nodes (i.e., nodes on the network) at time , respectively. Their entering rates are , , and , respectively. Besides, the following basic hypotheses of the model are made: (H1) Each internal node leaves the network with probability . (H2) At time , each susceptible internal node gets infected by infected internal nodes with probability , where is twice continuously differentiable, , and . The concavity hypothesis fits well with the saturation property of the infection probability. (H3) At time , each infected or susceptible internal node obtains the newest countermeasure with probability , where is twice continuously differentiable, , and . (H4) By reinstalling the operating system, each infected (or countermeasured) internal node becomes susceptible with probability (or ).

Combining the above hypotheses, the new proposed model can be represented by the following system:with initial condition .

The globally asymptotic stability of the unique (viral) equilibrium of model (1) is proved and illustrated completely. Additionally, a new network is constructed based on the above assumptions, on which some numerical simulations are examined.

The paper is organized in this fashion. Section 2 determines the (viral) equilibrium and investigates its local and global stabilities. Experimental analysis is presented in Section 3. Finally, some conclusions and outlooks are given in Section 4.

#### 2. Model Analysis

Let , and . Adding up the three equations of system (1), one can easily obtain that . It follows by the asymptotically autonomous system theory [16] that system (1) is equivalent to the following reduced limiting system:with initial condition , whereand is positively invariant for system (2).

In the following sections, we just need to investigate the dynamical behavior of system (2).

##### 2.1. Equilibrium

Theorem 1. *System (2) has a unique (viral) equilibrium , where is the unique positive solution to the following system:with the initial condition .*

*Proof. *Let us assume that is an equilibrium of system (2). Clearly, satisfies system (4).

Firstly, let us prove that the second equation of system (4) has a unique positive root. LetAs and , it follows that has a zero located in the interval . Furthermore, note thatWe shall proceed by distinguishing two possibilities depending on whether is positive or negative. Case 1: . LetThus, is strictly increasing and decreasing in and , respectively, which implies that has a single zero in . Case 2: . Hence, is strictly decreasing and has a single zero.Collecting the above discussions, it can be concluded that does have a unique zero. Then, , and .

Next, let us prove that the first equation of system (4) has a unique positive root. LetAs and , does have a (positive) zero located in the interval . Besides, notice thatWe shall also proceed by distinguishing two possibilities depending on whether is positive or negative. Case 1: . LetThus, is strictly increasing and decreasing in and , respectively, implying that has a single zero in . Case 2: . Thus, is strictly decreasing and has a single zero. Then, always has a unique zero . Besides, .In conclusion, the claimed result is proved.

##### 2.2. Local Stability

Theorem 2. * is locally asymptotically stable with respect to .*

*Proof. *Let . The corresponding Jacobian matrix of system (2) at is given as follows:and its two eigenvalues areThus, the claimed result follows from the Lyapunov stability theorem [17].

##### 2.3. Global Stability

Lemma 1. *System (2) admits no periodic orbit.*

*Proof. *LetIn the interior of , it is easily obtained thatLetAs and for all , .

LetAs and for all , . Thus, we have .

Hence, it follows from the Bendixson–Dulac criterion [17] that system (2) admits no periodic orbit in the interior of .

On the boundary of , let denote an arbitrary point. Thus, three possibilities can be considered. Case 1: , . Then, . Case 2: , . Then, . Case 3: , , . Thus,Hence, system (2) has no periodic orbit across . In conclusion, the claimed result is proved.

By Theorems 1 and 2, Lemma 1, and the generalized Poincare–Bendixson theorem [17], we can easily obtain the main result of this paper as follows.

Theorem 3. * is globally asymptotically stable with respect to .*

In Figures 2 and 3, six orbits of system (1) are examined with different system parameters and different initial conditions, respectively. The illustrated results are in accordance with the main theoretical result (i.e., Theorem 3).

#### 3. Model Simulation

In Section 2, some orbits for system (1) have been examined in Figures 2 and 3. In order to further show the main result and the impacts of nonlinear countermeasure and infection probabilities, some simulations will be made on a constructed network, which is based on the model assumptions. For brevity, a computer is called as a *node*.

As was treated in the work [18], let denote the state of node *i* at time , where is a nonnegative integer. Let , , and denote, at time , the numbers of susceptible, infected, and countermeasured nodes, respectively. Now, let us introduce the network iterative rules.

*Rule 1. *Each internal node at time would be disconnected from the network with probability at time .

*Rule 2. * external nodes, including susceptible nodes, infected nodes, and countermeasured nodes, would be connected to the network at the next time.

*Rule 3. *The state of each susceptible internal node at time is determined by the following rule:

*Rule 4. *The state of each infected internal node at time is determined by the following rule:

*Rule 5. *The state of each countermeasured internal node at time is determined by the following rule:

*Example 1. *Consider system (1) with , , , , , , , and . Three initial conditions are , , and , respectively. Figure 4 shows that the results of theoretical prediction quite agree with the experimental ones.

*Example 2. *Consider three sets of parameters for system (1): (a) , , , , , , , and ; (b) , , , , , , , and ; (c) , , , , , , , and . The common initial condition is . Figure 5 reveals that the results of experiment and theoretical predictions are almost identical.

*Example 3. *Consider two systems induced by system (1) with , , , , , and , where one system is with and and the other with and . The common initial condition is . Figure 6 demonstrates that the new model with nonlinear infection and countermeasured probabilities is more reasonable than the original model [9] because malware would be always there and would not go extinct.

#### 4. Summary and Outlook

In order to investigate the impacts of general countermeasure and infection on the diffusion of malware, a new propagation model, which incorporates nonlinear generic infection and countermeasure probabilities, has been presented and analyzed. The global stability of the unique (viral) equilibrium has been proved. Additionally, some simulations have been examined on a constructed network, whose iterative rules are consistent with the model assumptions. The simulation results show the main result and the effects of general countermeasure and infection.

Additionally, the follow-up work arrangement is as follows. Firstly, time delays (e.g., [19, 20]), pulses (e.g., [21, 22]), random fluctuations (e.g., [23, 24]), and optimal control strategies (e.g., [25–27]) can be considered in the new model. Secondly, the new model may be extended on wireless sensor networks (e.g., [28–30]) and social networks (e.g., [31]). Finally, the new proposed model can be formulated for cloud computing security (e.g., [32]).

#### Data Availability

Data sharing is not applicable to this article as no datasets were generated.

#### Conflicts of Interest

All authors declare no conflicts of interest.

#### Authors’ Contributions

The authors claim that the research was realized in collaboration with the same responsibility. All authors read and approved the last version of the manuscript.

#### Acknowledgments

This work was supported by the Natural Science Foundation of Shanxi Province of China under Grants 201901D111311 and 201801D121117.

#### References

- P. J. Denning,
*Computers under Attack: Intruders, Worms and Viruses*, Addison-Wesley, Boston, MA, USA, 1990. - P. Szor,
*The Art of Computer Virus Research and Defense*, Addison-Wesley Professional, Boston, MA, USA, 2005. - J. C. Wierman and D. J. Marchette, “Modeling computer virus prevalence with a susceptible-infected-susceptible model with reintroduction,”
*Computational Statistics & Data Analysis*, vol. 45, no. 1, pp. 3–23, 2004. View at: Publisher Site | Google Scholar - A. d’Onofrio, “A note on the global behaviour of the network-based SIS epidemic model,”
*Nonlinear Analysis Real World Applications*, vol. 9, no. 4, pp. 1567–1572, 2008. View at: Publisher Site | Google Scholar - B. K. Mishra and N. Jha, “Fixed period of temporary immunity after run of anti-malicious software on computer nodes,”
*Applied Mathematics and Computation*, vol. 190, no. 2, pp. 1207–1212, 2007. View at: Publisher Site | Google Scholar - C. Gan, Q. Feng, Q. Zhu, Z. Zhang, Y. Zhang, and Y. Xiang, “Analysis of computer virus propagation behaviors over complex networks: a case study of oregon routing network,”
*Nonlinear Dynamics*, vol. 100, no. 2, pp. 1725–1740, 2020. View at: Publisher Site | Google Scholar - L.-X. Yang, X. Yang, L. Wen, and J. Liu, “A novel computer virus propagation model and its dynamics,”
*International Journal of Computer Mathematics*, vol. 89, no. 17, pp. 2307–2314, 2012. View at: Publisher Site | Google Scholar - C. Zhang, W. Liu, J. Xiao, and Y. Zhao, “Hopf bifurcation of an improved SLBS model under the influence of latent period,”
*Mathematical Problems in Engineering*, vol. 2013, Article ID 196214, 10 pages, 2013. View at: Publisher Site | Google Scholar - Q. Zhu, X. Yang, L. Yang, and X. Zhang, “A mixing propagation model of computer viruses and countermeasures,”
*Nonlinear Dynamics*, vol. 73, no. 7, pp. 1433–1441, 2013. View at: Publisher Site | Google Scholar - L.-X. Yang and X. Yang, “The effect of infected external computers on the spread of viruses: a compartment modeling study,”
*Physica A: Statistical Mechanics and Its Applications*, vol. 392, no. 24, pp. 6523–6535, 2013. View at: Publisher Site | Google Scholar - X. Zhang and C. Gan, “Global attractivity and optimal dynamic countermeasure of a virus propagation model in complex networks,”
*Physica A: Statistical Mechanics and Its Applications*, vol. 490, pp. 1004–1018, 2018. View at: Publisher Site | Google Scholar - W. Liu and S. Zhong, “A novel dynamic model for web malware spreading over scale-free networks,”
*Physica A: Statistical Mechanics and Its Applications*, vol. 505, pp. 848–863, 2018. View at: Publisher Site | Google Scholar - J. O. Kephart and S. R. White, “Directed-graph epidemiological models of computer viruses,” in
*Proceedings of the IEEE Computer Security Symposium on Research in Security and Privacy*, Oakland, CA, USA, May 1991. View at: Publisher Site | Google Scholar - J. O. Kephart and S. R. White, “Measuring and modeling computer virus pervalence,” in
*Proceedings of the IEEE Computer Security Symposium on Research in Security and Privacy*, Oakland, CA, USA, May 1993. View at: Publisher Site | Google Scholar - L.-C. Chen and K. M. Carley, “The impact of countermeasure propagation on the prevalence of computer viruses,”
*IEEE Transactions on Systems, Man and Cybernetics, Part B (Cybernetics)*, vol. 34, no. 2, pp. 823–833, 2004. View at: Publisher Site | Google Scholar - H. R. Thieme, “Convergence results and a Poincare-Bendixson trichotomy for asymptotically autonomous differential equations,”
*Journal of Mathematical Biology*, vol. 30, no. 7, pp. 755–763, 1992. View at: Publisher Site | Google Scholar - R. C. Robinson,
*An Introduction to Dynamical System: Continuous and Discrete*, Prentice-Hall, Englewood Cliffs, NJ, USA, 2004. - C. Gan, X. Yang, W. Liu, Q. Zhu, and X. Zhang, “An epidemic model of computer viruses with vaccination and generalized nonlinear incidence rate,”
*Applied Mathematics and Computation*, vol. 222, pp. 265–274, 2013. View at: Publisher Site | Google Scholar - Y. Yao, X. Xie, H. Guo, G. Yu, F. Gao, and X. Tong, “Hopf bifurcation in an Internet worm propagation model with time delay in qurantine,”
*Mathematical and Computer Modelling*, vol. 57, no. 11-12, pp. 2635–2646, 2013. View at: Publisher Site | Google Scholar - J. Ren and Y. Xu, “Stability and bifurcation of a computer virus propagation model with delay and incomplete antivirus ability,”
*Mathematical Problems in Engineering*, vol. 2014, Article ID 475934, 9 pages, 2014. View at: Publisher Site | Google Scholar - L.-X. Yang and X. Yang, “The pulse treatment of computer viruses: a modeling study,”
*Nonlinear Dynamics*, vol. 76, no. 2, pp. 1379–1393, 2014. View at: Publisher Site | Google Scholar - Y. Yao, X. D. Feng, W. Yang, W. L. Xiang, and F. X. Gao, “Analysis of a delayed Internet worm propagation model with impulsive quarantine strategy,”
*Mathematical Problems in Engineering*, vol. 2014, Article ID 369360, 18 pages, 2014. View at: Publisher Site | Google Scholar - C. Zhang, Y. Zhao, Y. Wu, and S. Deng, “A stochastic dynamic model of computer viruses,”
*Discrete Dynamics in Nature and Society*, vol. 2012, Article ID 264874, 16 pages, 2012. View at: Publisher Site | Google Scholar - J. Amador, “The stochastic SIRA model for computer viruses,”
*Applied Mathematics and Computation*, vol. 232, pp. 1112–1124, 2014. View at: Publisher Site | Google Scholar - L. Chen, K. Hattaf, and J. Sun, “Optimal control of a delayed SLBS computer virus model,”
*Physica A: Statistical Mechanics and Its Applications*, vol. 427, pp. 244–250, 2015. View at: Publisher Site | Google Scholar - P. Li, X. Yang, Q. Xiong, J. Wen, and Y. Y. Tang, “Defending against the advanced persistent threat: an optimal control approach,”
*Security and Communication Networks*, vol. 2018, Article ID 2975376, 2018. View at: Publisher Site | Google Scholar - J. Bi, X. Yang, W. Liu, and D.-W. Huang, “A cost-effective algorithm for selecting optimal bandwidth to clear malicious codes,”
*IEEE Access*, vol. 8, pp. 19900–19910, 2020. View at: Publisher Site | Google Scholar - L. Feng, L. Song, Q. Zhao, and H. Wang, “Modeling and stability analysis of worm propagation in wireless sensor network,”
*Mathematical Problems in Engineering*, vol. 2015, Article ID 129598, 8 pages, 2015. View at: Publisher Site | Google Scholar - A. Singh, A. K. Awasthi, K. Singh, and P. K. Srivastava, “Modeling and analysis of worm propagation in wireless sensor networks,”
*Wireless Personal Communications*, vol. 98, no. 3, pp. 2535–2551, 2018. View at: Publisher Site | Google Scholar - Z. Zhang, S. Kundu, and R. Wei, “A delayed epidemic model for propagation of malicious codes in wireless sensor network,”
*Mathematics*, vol. 7, no. 5, Article ID 396, 2019. View at: Publisher Site | Google Scholar - Y. Yi, Z. Zhang, L. T. Yang, C. Gan, X. Deng, and L. Yi, “Reemergence modeling of intelligent information diffusion in heterogeneous social networks: the dynamics perspective,”
*IEEE Transactions on Network Science and Engineering*, vol. 2020, 2020. View at: Publisher Site | Google Scholar - C. Gan, Q. Feng, X. Zhang, Z. Zhang, and Q. Zhu, “Dynamical propagation model of malware for cloud computing security,”
*IEEE Access*, vol. 8, pp. 20325–20333, 2020. View at: Publisher Site | Google Scholar

#### Copyright

Copyright © 2020 Xulong Zhang and Xiaoxia Song. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.