A Novel Computer Virus Propagation Model under Security Classification

In reality, some computers have a specific security classification. For the sake of safety and cost, the security level of computers will be upgraded as threats in the network increase. Here we assume that there exists a threshold value which determines when countermeasures should be taken to level up the security of a fraction of computers with low security level. In some specific realistic environments, the propagation network can be regarded as fully interconnected. Inspired by these facts, this paper presents a novel computer virus dynamics model that considers the impact of security classification in a fully interconnected network. By using the theory of dynamic stability, the existence of equilibria and their stability conditions are analysed and proved, and the optimal threshold value is given analytically. Then, some numerical experiments are made to justify the model. Finally, some discussions and antivirus measures are given.


Introduction
With the rapid development of the Internet, the spread of computer viruses has brought a lot of potential safety problems, which have not only wasted network resources on a huge scale but also harmed the interests of individuals and the masses. The traditional way of antivirus is constantly updating the virus library of antivirus software. But it is a passive mechanism to prevent viruses. In this context, the macroscopic study of computer virus propagation is regarded as a very important approach to antivirus and has received more and more attention from scholars.
In 1991, Kephart and White first used the model of biological infectious virus to study the spread of computer viruses [1]. Since then, a lot of dynamical models of computer viruses have been presented. These models can be simply divided into two broad categories, homogeneous models and heterogeneous models, according to whether the network is fully connected or not.
In recent years, more and more scholars have begun to study heterogeneous models. Kjaergaard and his partners followed the time evolution of information propagation through communication networks by using the susceptible-infected (SI) model with empirical data on contact sequences [2]. Castellano and Pastor-Satorras studied the threshold of epidemic models in quenched networks with degree distribution given by a power-law for the susceptible-infected-susceptible (SIS) model [3]. Zhu et al. investigated a new epidemic SIS model with nonlinear infectivity, as well as birth and death of nodes and edges [4]. Taking into account the power-law degree distribution of the Internet, Yang et al. proposed a novel epidemic model of computer viruses and presented the spreading threshold for the model [5]. L.-X. Yang and X. Yang proposed an epidemic model of computer viruses over a reduced scale-free network [6]. Yang and his partners proposed a node-based susceptible-latent-breaking-susceptible (SLBS) model which addresses the impact of the structure of the viral propagation network on the viral prevalence [7]. To understand the impact of available information in the control of malicious network epidemics, Mishra and three others proposed a 1---1 type differential epidemic model, where the differentiability allows a symptom based classification [8]. All these models assume that viruses can spread only through topological neighbors.
In fact, a lot of viruses can propagate without dependence on the topology, such as Code Red (2001), Slammer (2003), Blaster (2003), Witty (2004), and Conficker (2009). By probing the entire IPv4 space or localized IP addresses, these viruses can infect an arbitrary vulnerable computer. In this condition, the propagation network can be regarded as fully connected. Besides, there are still some fully interconnected networks, such as virtual clusters in the cloud [9][10][11][12]. So the study of homogeneous models is also an important branch of computer virus dynamical models. Based on the two facts that a portion of infected external computers could enter the Internet and that removable storage media could carry viruses, Gan et al. established a series of dynamical models [13][14][15][16]. Amador and Artalejo investigated the dynamics of computer virus spreading by considering a stochastic SIRS model where immune computers send warning signals to reduce the propagation of the virus among the rest of the computers in the network [17]. Liu and Zhong presented and analyzed an SDIRS model describing the propagation of web malware based on the assumption of homogeneity [18]. Yuan and three others presented a nonlinear force of infection function for an e-SEIR model to study the crowding and psychological effects in network virus prevalence [19].
In order to protect the security and stability of information systems, the concept of information security classified protection has been proposed and has become a basic strategy of construction of national information. But to our knowledge, nearly all previous models describing the spread of computer viruses ignore the impacts of security classifications. In order to study how these factors affect the spread of computer viruses on the Internet, this paper proposes a novel computer virus propagation model. A thorough analysis of this model shows that some equilibria exist and are globally asymptotically stable in a specific situation. Besides, some simulation experiments are performed to examine the conclusions obtained from this model. In the end, some effective strategies for controlling virus spreading are recommended.
The subsequent materials are organized in this fashion: The idea of modeling is introduced in Section 2. The new model is established in Section 3. The analysis of four equilibria is addressed in Section 4. The local and global stabilities of these equilibria are investigated in Sections 5 and 6, respectively. Simulation experiments and some discussions are presented in Section 7. Finally, this work is outlined in Section 8.

Idea of Modeling
In a security classification network, blindly increasing the security level of computers will result in both waste of resources and increase of cost. Therefore, reinforcing the security level of computers must be targeted. For the security classification of computers, the influential criteria are the "Trusted Computer System Evaluation Criteria (TCSEC)" issued by the United States Department of Defense [20]. By using these criteria, computers in the network can be divided into four divisions. From high to low, they are Levels A, B, C, and D, respectively.
Low Security Level: Divisions D and C. In this level, it is reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class.
Classes in this level provide for discretionary (need-to-know) protection and it can only provide a review of protection.
High Security Level: Divisions B and A. The security-relevant sections of a system are mentioned throughout this document as the Trusted Computing Base (TCB) [21]. Computers in this level must carry the sensitivity labels with most data structures in the system and the system developer should provide the security policy model based on TCB. By using formal security verification methods, this level requires that each operation in the system must have a formal documentation and can only be made by the administrator. Obviously, computers with low security level are more likely to be infected by a virus. This is the first breakthrough point for modeling.
In a network with security classification, for the sake of cost, administrators usually do not take any measures to upgrade the computers with low security level if there are only a few threats. As the number of infected computers in the network increases, the administrators will ultimately upgrade the security level of computers. Here we assume that there exists a threshold value. If the number of infected computers is above the threshold value, some countermeasures will be taken to level up the security of a fraction of computers with low security level. Further, assume that the probability of taking upgrading measures for one uninfected computer is proportional to the number of infected computers. The flow diagram in Figure 1 can briefly express these operations. How the threshold value and the fraction of upgraded computers affect the propagation of computer viruses is the concern of this paper.

Model Formulation
According to the situation of computer virus infection and the level of computer security, all computers in the network are divided into three compartments. For the modeling purpose, a series of parameters are introduced and some assumptions are made.
(1) One can assume that the average probabilities per unit time of   and  ℎ computers connecting to the network are   and  ℎ , respectively.
(2) Every computer in the system is removed for some reason with the average probability per unit time , where  is a positive constant.
(3) Due to possible contact with infected computers in the network, every   and  ℎ computer is infected with the average probabilities   and  ℎ per unit time, respectively, where   and  ℎ are positive constants and   >  ℎ .
(4) Assume that one  computer becomes an   computer (or an  ℎ computer) with the average probability per unit time   (or  ℎ ), where   ,  ℎ are positive constants.
(5) As mentioned in Section 2, the upgrading probability of an   computer is denoted by a piecewise function (). The expression of () is as follows: max denotes the threshold value and  denotes the fraction of upgrading computers.
Let   (),  ℎ (), and () denote, at time , the average numbers of   -,  ℎ -, and -compartment computers, respectively. Let () denote the total number of all computers in the system at time . Unless otherwise stated in the following content, they will be abbreviated as ,   ,  ℎ , and , respectively. Then,   +  ℎ +  = . The collection of the above parameters and assumptions can be schematically depicted in Figure 2, from which the dynamical model is formulated as the following differential system: Considering that   +  ℎ +  = , system (2) can be reduced to the following system: Solving the first equations of system (3), it is easy to obtain lim →∞  =  * = (  +  ℎ )/. Therefore, system (3) can be reduced to the following limiting system [22,23]: The feasible region for system (4) is which is positively invariant.
Proof. Like the proof of Theorem 1, it does not need to be stated.

The Local Stability Analysis
To examine the local stability of the equilibria of system (4), its Jacobian matrices should be got as follows:
Theorem 4.  * 0 is locally asymptotically stable if  0 < 1.
Proof. The associated characteristic equation of  * 0 can be got from  1 as follows: Then Based on the Lyapunov theorem [24], only if  0 < 1 are all eigenvalues of (17) negative. At this situation,  * 0 is locally asymptotically stable.
Theorem 5.  * 1 (or  * 3 ) is locally asymptotically stable if system (4) follows Theorem 1 or 2 or 3.

The Global Stability Analysis
This section will discuss the global stability of the equilibrium of system (4). To get global stability, let us investigate the following lemmas.
Lemma 6. For system (4), there is no periodic solution in the interior of Ω.

𝐺 (𝑆
and then Thus, the claimed result follows from the Bendixson-Dulac criterion [24].
Lemma 7. For system (4), there is no periodic solution that passes through a point on Ω, the boundary of Ω.
Proof. Consider an arbitrary point ( ℎ , ), on the boundary of Ω. From (5), Ω consists of the following three possibilities:  In view of the orbit smoothness, combining the above discussions can get the claimed result.
In view of Lemmas 6 and 7 and Theorems 3-5, the main result of this section can be got as follows.

Numerical Examples and Discussions
In this section, some numerical examples are used to verify the results obtained in the previous section.
Because real-world data are unavailable, a series of simulation runs that introduce random factors and model adaptive behavior are used to approximate actual worm propagation more closely. Hosts (used IP addresses) here appear as abstractions in the simulations. Instead of modeling various operating systems and services, each host is simply considered to be one of the following: susceptible nodes with    proposed in this paper can be applied to curbing the spread of virus effectively. Moreover, a large number of simulations are conducted to study how the combination of  max and  affects the propagation scale (see Figure 9). Obviously, the earlier (the lower  max ) and stronger (the higher ) the intervention is introduced, the fewer the nodes finally get infected. We divide the parameter subspace {(,  max ):  > 0,  max > 0} into two parts, numbered as A and B (as shown in Figure 9). Simulation results lead to the following conclusions.
(1) If (,  max ) ∈ , the value of  final (defined in Figure 9) only depends on the value of . So in Figure 8 the number of infected nodes in scenarios with  max = 500 is the same as the one with  max = 1000, where  = 0.2, and it is higher than the one with  max = 500 and  = 0.6. More precisely, the value of  final decreases as  increases.
(2) If (,  max ) ∈ , the value of  final only depends on the value of  max (4). So in Figure 8 the number of infected nodes in scenarios with  = 0.2 is the same as the one with  = 0.6, where  max = 2000, and it is higher than the one with  max = 1000 and  = 0.6. Note that  final does not always decrease with the increase of  max , because the intervention is never involved for large  max (see the dark black part for  max > 0.3 in Figure 9).
Remark 6. The simulations here do not take into account latency issues, hop-count, bandwidth limitations, and transfer times or connectivity issues. Since the scale of the simulated network is quite small compared with the real Internet, all parameters are assumed on that scale. But the scale factor can also make the real world more complex. Table 2 suggests that, to eradicate viruses from the Internet, one should take necessary actions to control the system parameters so that  * 0 is well below 1 and not let the system meet the lines 3-5 of Table 2 Thus,  0 is increasing with   ,  ℎ ,   ,  ℎ and is decreasing with ,   ,  ℎ .
Based on the above discussions, an incomplete list of effective measures for users to contain the virus prevalence is presented below:
(1) Timely acquire the updated versions of the antivirus software, so that the two infecting probabilities,   and  ℎ , are both reduced and the curing probabilities,   and  ℎ , are enhanced.
(2) Do not connect computers to the Internet when unnecessary, so that the recruitment rate, , is lowered.
(3) For both cost and security, let the threshold value of computer virus lead administrator to take measures to upgrade the security level approaching the value of stable infections in the stage of taking measures.
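The threshold behaviour discussed in this section, and the model assumptions (1)-(5) of the Model Formulation section, can be explored numerically. The following is an added example, not the paper's code or its system (2): the equations are rebuilt from the verbal assumptions with an assumed mass-action infection term, and every symbol name (`mu_l`, `beta_l`, `gamma_l`, `theta`, `i_max`, ...) and parameter value is constructed for illustration rather than taken from Figure 8.

```python
# Added illustration: compartment model rebuilt from assumptions (1)-(5).
# All names and numbers are constructed; they are not the paper's values.
PARAMS = dict(mu_l=8.0, mu_h=2.0, delta=0.01, beta_l=5e-4, beta_h=1e-4,
              gamma_l=0.05, gamma_h=0.05)   # N* = (mu_l + mu_h)/delta = 1000

def upgrade_rate(i, i_max, theta):
    # Assumption (5): nothing below the threshold; above it, the per-host
    # upgrade rate is proportional to the number of infected hosts.
    return theta * i if i > i_max else 0.0

def deriv(state, p, i_max, theta):
    s_l, s_h, i = state
    f = upgrade_rate(i, i_max, theta)
    inf_l = p["beta_l"] * s_l * i           # mass-action form is an assumption
    inf_h = p["beta_h"] * s_h * i
    ds_l = p["mu_l"] - inf_l + p["gamma_l"] * i - f * s_l - p["delta"] * s_l
    ds_h = p["mu_h"] - inf_h + p["gamma_h"] * i + f * s_l - p["delta"] * s_h
    di = inf_l + inf_h - (p["gamma_l"] + p["gamma_h"] + p["delta"]) * i
    return (ds_l, ds_h, di)

def rk4_step(state, dt, *args):
    def shift(k, h):
        return tuple(x + h * d for x, d in zip(state, k))
    k1 = deriv(state, *args)
    k2 = deriv(shift(k1, dt / 2), *args)
    k3 = deriv(shift(k2, dt / 2), *args)
    k4 = deriv(shift(k3, dt), *args)
    return tuple(x + dt / 6 * (a + 2 * b + 2 * c + d)
                 for x, a, b, c, d in zip(state, k1, k2, k3, k4))

def simulate(i_max, theta, p=PARAMS, t_end=2000.0, dt=0.1):
    """Return (I_final, N_final): infected hosts averaged over the last 20%
    of the run, and the total population at the end."""
    state = (790.0, 200.0, 10.0)            # (S_l, S_h, I), sums to N*
    steps = round(t_end / dt)
    tail = []
    for n in range(steps):
        state = rk4_step(state, dt, p, i_max, theta)
        if n >= steps * 4 // 5:
            tail.append(state[2])
    return sum(tail) / len(tail), sum(state)

if __name__ == "__main__":
    for i_max, theta in [(1000, 0.001), (50, 0.001), (100, 0.001),
                         (50, 0.003), (300, 0.001), (300, 0.003)]:
        i_final, _ = simulate(i_max, theta)
        print(f"I_max={i_max:5d} theta={theta:.3f} -> I_final={i_final:7.1f}")
```

With these constructed values, a threshold that is never reached leaves about 425.7 hosts infected, thresholds of 50 and 100 give the same level for a fixed `theta` (about 157.7, falling to about 74.0 for the larger `theta`), and a threshold of 300 pins the level near 300 for either `theta`. These are the same two regimes, one governed by the upgrade fraction and one by the threshold, that conclusions (1) and (2) above describe.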

Conclusions
In this paper, we presented a novel intervention mechanism to restrain the virus spreading under the framework of security classification. The model reflects a realistic scenario of how the intervention is applied when the number of infected nodes reaches the intervention threshold. Theoretical analysis and numerical evaluation are used to study how  max ,  affect the propagation behaviors. The main results are listed as follows:
(1) The dynamic behaviors of computer virus under security classification are different from those under common circumstances. Obviously, much higher security computers will lead to fewer infections.
(2) The earlier and the stronger the intervention is introduced, the fewer the nodes finally get infected.
(3) According to the brief parameter analysis, some other effective measures in reality are presented.
Viewed from a real-world perspective, in order to make better use of this intervention mechanism, one of the most important things is how to detect the exact number of infected nodes. Although an in-depth discussion of this is outside this paper's scope, we are forced to point out that the measured value is below the actual one. In this case, the actual value of intervention threshold must be set below the theoretical one.
Our future work will be focused on studying such intervention mechanism in heterogeneous networks, such as small-world network and scale-free network.
(a)   -compartment: the set of uninfected or susceptible computers in low security level
(b)  ℎ -compartment: the set of uninfected or susceptible computers in high security level
(c) -compartment: the set of infected computers

Figure 2: Transition diagram of the new model.

Figure 3: Trajectory figure and time plots of Example 1.

Figure 4: Trajectory figure and time plots of Example 2.

Figure 8: Time evolution of the infected nodes in different scenarios.

Figure 9: Influence of  max and  on  final .  max and  final are the proportions of infected nodes in all nodes. Moreover,  final is the average of 100 values for  > 10000. Here all other parameters are the same as Figure 8.
. After simple calculations, the following can be got: