A delayed worm propagation model with birth and death rates is formulated. The stability of the positive equilibrium is studied. Through theoretical analysis, a critical value
In recent years, the Internet has undoubtedly been one of the fastest-growing technologies, bringing convenience to people’s daily work and changing people’s lives in a variety of aspects. With the rapid development of network applications and the increase in network complexity, security problems have emerged progressively. Among them, Internet worms have become the focus because of their wide infection range, fast spread, and tremendous destructiveness. Inspired by research in epidemiology, many models have been constructed to predict the spread of worms, and some containment strategies have been taken into consideration. In addition, birth and death rates are widely applied in epidemiology because individuals in the ecological system may die during the spread of diseases. Meanwhile, new individuals are born every day and join the ecological system [
Quarantine strategies have been exploited and applied in the control of disease. In the computer field, the implementation of a quarantine strategy relies on the IDS [
A time-window mechanism was introduced into IDS in order to balance the false negative rate and the false positive rate [
The rest of the paper is organized as follows. In the next section, related work on time delay and birth and death rates is introduced. Section
Due to the high similarity between the spread of infectious biological viruses and computer worms, some scholars have used epidemic model to simulate and analyze the worm propagation [
Furthermore, some scholars have done some researches on time delay [
Given the similarities between Internet worms and biological viruses in propagation characteristics, classical epidemic models have been applied to the research of worm propagation models. Initially, we introduce a simple propagation model, the Kermack-McKendrick model (KM model) [
The KM model assumes that all Internet hosts are in one of three states: susceptible state (
State transition diagram of the KM model.
Although the KM model includes a recovery feature and does have some braking effect on worm propagation, it only describes the initial stage of worm propagation and does not control the outbreaks of worms. More suppression strategies should be taken to further control the worm propagation.
The quarantine strategy, which relies on the intrusion detection system, is an effective way to diminish the speed of worm propagation. On the basis of the KM model, the quarantine strategy should be taken into consideration. Firstly, infectious hosts are detected by the systems and then get quarantined and patched. Moreover, considering that hosts could get patched in whatever state they are, we add a new path from the susceptible state to the vaccinated state to accord with the actual situation. The state transition diagram of the worm propagation model with quarantine strategy is given in Figure
State transition diagram of the quarantine model.
In this model, the vaccinated state is equivalent to the removed state in the KM model, and
The differential equations of this model are given as
The total number of this model is set to
The first, second, and third equations in system (
Because the system ends in the infection-free state, the number of infectious hosts is equal to 0. Obviously, the number of susceptible hosts and the number of quarantined hosts are both equal to 0, because all of the hosts in the network will get patched at last, no matter which way the hosts take. Thus the infection-free equilibrium point
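The quarantine model described above, integrated numerically as an added example (not the paper's code), shows the state converging to the infection-free equilibrium and the lower infection peak when quarantine is active. The mass-action equations, the parameter names `beta`, `omega`, `theta`, `gamma`, `phi` and all rate values are assumptions, since the paper's equations are not reproduced on this page; the population of 500,000 hosts with 50 initially infectious is taken from the paper's experiments.

```python
# Added example: quarantine model with states S, I, Q, V.
# The equation form and all rate values below are illustrative assumptions.

N = 500_000   # population size used in the paper's experiments
I0 = 50       # initially infectious hosts (paper's simulation setup)

def derivs(state, beta, omega, theta, gamma, phi):
    """Right-hand side of the assumed quarantine model."""
    s, i, q, v = state
    new_inf = beta * s * i                  # S -> I by worm infection
    ds = -new_inf - omega * s               # S -> V by direct patching
    di = new_inf - (theta + gamma) * i      # I -> Q (IDS) and I -> V
    dq = theta * i - phi * q                # Q -> V once patched
    dv = omega * s + gamma * i + phi * q    # every path ends in V
    return (ds, di, dq, dv)

def rk4_step(state, dt, params):
    """One classical fourth-order Runge-Kutta step."""
    def shift(base, k, h):
        return tuple(b + h * x for b, x in zip(base, k))
    k1 = derivs(state, **params)
    k2 = derivs(shift(state, k1, dt / 2), **params)
    k3 = derivs(shift(state, k2, dt / 2), **params)
    k4 = derivs(shift(state, k3, dt), **params)
    return tuple(s + dt / 6 * (a + 2 * b + 2 * c + d)
                 for s, a, b, c, d in zip(state, k1, k2, k3, k4))

def simulate(theta, t_end=5000.0, dt=0.1):
    """Integrate from (N - I0, I0, 0, 0); return (final state, peak I)."""
    params = dict(beta=1e-6, omega=0.002, theta=theta, gamma=0.01, phi=0.05)
    state = (float(N - I0), float(I0), 0.0, 0.0)
    peak_i = state[1]
    for _ in range(round(t_end / dt)):
        state = rk4_step(state, dt, params)
        peak_i = max(peak_i, state[1])
    return state, peak_i

if __name__ == "__main__":
    for theta in (0.0, 0.05):   # without and with IDS-driven quarantine
        (s, i, q, v), peak = simulate(theta)
        print(f"theta={theta}: S={s:.3f} I={i:.3f} Q={q:.3f} "
              f"V={v:.1f} peak I={peak:.0f}")
```
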
Although all infectious hosts in the quarantine model convert to vaccinated hosts, in other words, worms have been eliminated, this is hardly appropriate for the real-world situation. Actually, not all the hosts will convert to vaccinated hosts, and no-patch hosts still exist in the network and suffer a high risk of worm attack. In addition, considering that hosts are consumer electronic products, the recycling of old hosts happens frequently every day. In order to imitate the facts in the real world, birth and death rates must be taken into consideration.
Additionally, due to the time windows of intrusion detection system, which decreases the number of false positives, time delay should be considered to accord with actual situation. Therefore, in the next section, the new model is proposed.
By adding time delay, along with birth and death rates, the delayed worm propagation model with birth and death rates is presented. Figure
State transition diagram of the delayed model.
In this model, the total number of hosts denoted by
The hosts in delayed state are not likely to leave the network, accounting for the activeness of these hosts. The newborn hosts enter the system with the same rate
Other notations are identical to those in the previous model. To understand them more clearly, the notations in this model are shown in Table
Notations in this paper.
Notation  Definition 


Total number of hosts in the network 

Number of susceptible hosts at time 

Number of infectious hosts at time 

Number of delayed hosts at time 

Number of quarantined hosts at time 

Number of vaccinated hosts at time 

Infection rate 

Vaccine rate of susceptible hosts 

Quarantine rate 

Removal rate of quarantined hosts 

Removal rate of infectious hosts 

Birth and death rates 

Birth ratio of susceptible hosts 

Length of the time window in IDS 
As mentioned in Table
The system has a unique positive equilibrium
From system (
According to (
The positive equilibrium
If
According to the Routh-Hurwitz criterion, all the roots of (
Obviously,
From the two equations of (
Suppose that
If one of the following holds: (a)
If the conditions (a) and (b) are not satisfied, then all roots of (
When
By the Routh-Hurwitz criterion, all roots of (
Considering (
Assume that
It is assumed that the coefficients in
Then, according to lemma in [
In view of the fact that (
Let
Suppose that
This signifies that there exists at least one eigenvalue with positive real part for
It follows the hypothesis
Suppose that the conditions
For system (
When condition
Theorem
The parameters of the delayed model will be chosen properly, according to the stability of the positive equilibrium, bifurcation analysis, and the practical environment. 500,000 hosts are picked as the population size, and the worm’s average scan rate is
Figure
Worm propagation trend of the model when
Worm propagation trend of the model when
In order to see the influence of time delay,
The number of
Figure
The number of
Figure
The phase portrait when
The projection of the phase portrait in
The projection of the phase portrait in
The phase portrait of susceptible
The phase portrait of susceptible
The discrete-time simulation is an expanded version of Zou’s program simulating Code Red worm propagation and has been modified to run on a Linux server. The system in our simulation experiment consists of 500,000 hosts that can reach each other directly, which is consistent with the numerical experiments, and there is no topology issue in our simulation. At the beginning of the simulation, 50 hosts are randomly chosen to be infectious and the others are all susceptible.
Identical with the results of numerical experiments, Figure
Simulation result of the five kinds of hosts when
When time delay increases but is less than the threshold derived from theoretical analysis, the number of infectious hosts and other hosts present a damped oscillation and finally reach an approximately stable state. Figure
Simulation result of the five kinds of hosts when
The phase portrait of susceptible
When time delay passes the threshold, a bifurcation appears. Figure
Simulation result of the three kinds of hosts when
The comparison of numerical and simulation experiments.
The comparison of the number of susceptible hosts
The comparison of the number of infectious hosts
In order to accord with the real world, the time delay generated by the time window in IDS is introduced to construct the worm propagation model. Dynamic birth and death rates are considered in this paper, accounting for the reinstallation of the OS, which users are more likely to perform after hosts suffer a worm’s destruction or are quarantined from the Internet. In addition, combined with birth and death rates, time delay may lead to bifurcation and make the worm propagation system unstable.
In this paper, a delayed worm propagation model with birth and death rates is studied. Next, the stability of the positive equilibrium is analyzed. Through theoretical analysis and numerical and simulation experiments, the following conclusions can be derived.
The introduction of time window in IDS may lead to time delay in worm propagation model, which results in bifurcation. The critical time delay
The worm propagation system is stable when time delay
A bifurcation emerges when time delay
Consequently, time delay
In this paper, we have only discussed the cases which satisfy conditions
The authors are very grateful to the anonymous referee for many valuable comments and suggestions which led to a significant improvement of the original paper. This paper is supported by the National Natural Science Foundation of China under Grant no. 60803132; the Natural Science Foundation of Liaoning Province of China under Grant no. 201202059; Program for Liaoning Excellent Talents in University under LR2013011; the Fundamental Research Funds of the Central Universities under Grant nos. N120504006 and N100704001; and MOE-Intel Special Fund of Information Technology (MOEINTEL201206).