Internet worms exploiting zero-day vulnerabilities have drawn significant attention owing to the enormous threat they pose to the Internet in the real world. To begin with, a worm propagation model with time delay in vaccination is formulated. Through theoretical analysis, it is proved that the worm propagation system is stable when the time delay is less than the threshold

With the rapid growth of information technologies and network applications, the need for a suitable defense system that keeps valuable information safe, both stored on systems and in transit, has become a severe challenge. For example, worms that exploit zero-day vulnerabilities have brought severe threats to Internet security in the real world. To date, no patch can effectively and reliably immunize hosts against attack by those worms. It may take a period of time for users to immunize their computers if they are in the infected state. In addition, the failure of some vaccination measures, or the appearance of worm variants, may lead to a high risk that immunized hosts will be infected again. On the other hand, the propagation of worms in a system of interacting computers can be compared to contagious diseases in a human population. In computer science, computers are like individuals in an ecological system, and thus the same mechanism of birth and death should be considered. Once infected by network worms or quarantined by an IDS (intrusion detection system), hosts become dangerous and their owners have to reinstall the system. Another factor to consider is that new computers are bought, most of them with preinstalled operating systems but without the newest security patches, while old computers are discarded and recycled. Consequently, in order to imitate the real world, birth and death rates should be introduced into worm propagation models.

Considering all the above, we firstly construct a worm propagation model with time delay in vaccination based on the classical epidemic Kermack-Mckendrick model [

Consequently, this paper proposes a worm propagation model with an impulsive quarantine strategy based on a hybrid intrusion detection system that combines misuse and anomaly intrusion detection to make up for the gaps existing in the two systems. After adopting the impulsive quarantine strategy, it is clearly proved that Hopf bifurcation is eliminated thoroughly so that the system is stable.

The rest of the paper is organized as follows. In the next section, related work on time delay and quarantine strategy is introduced. Section

With the similarity between Internet worms and biological diseases, epidemiological models have been widely used in modeling the propagation of worms [

However, previous studies have failed to consider the appropriate quarantine strategy to eliminate the negative effect of time delay. For instance, the pulse quarantine strategy that Yao has proposed [

With regard to worms exploiting zero-day vulnerabilities, no patch can effectively and reliably immunize the hosts. After hosts are infected, measures such as cutting off the network connection, running antivirus manually, or setting up a firewall are taken to remove the worms. Once these measures are carried out, the hosts can no longer infect other susceptible hosts, but they are not yet completely vaccinated: detecting and cleaning worms takes a period of time. Therefore, time delay should be considered in actual conditions. Since time delay exists, infected hosts go through a temporary state (delayed) after vaccination. Consequently, on the basis of the KM model, we give a worm propagation model with time delay in vaccination. We assume all hosts are in one of four states: susceptible state (

State transition diagram of delayed model.

Let

In order to show it clearly, we list in Notations section some frequently used notations in this paper.

From the above definitions in the paper, we write down the complete differential equations of the delayed model:

The system has a unique positive equilibrium

For system (

Obviously, if

According to (

The positive equilibrium

If

According to Routh-Hurwitz criterion, all the roots of (

Obviously,

Let

Suppose that

If one of the following holds: (a)

If the conditions (a) and (b) are not satisfied, then all roots of (

When

By the Routh-Hurwitz criterion, all roots of (

Considering (

Assume that

Assume that the coefficients in

According to lemma, it is proved that (

In view of the fact that (

Suppose

This signifies that there exists at least one eigenvalue with positive real part for

Hence,

The root of characteristic equation (

Suppose that the conditions

The equilibrium

If condition

This implies that when time delay

Inspired by methods of disease control, quarantine is selected as an effective way to reduce the speed of worm propagation. The current quarantine strategy generally depends on the intrusion detection system, which can be classified into two categories: misuse and anomaly intrusion detection [

A misuse intrusion detection system builds a database of the features of known attack behaviors. The system recognizes invaders once their behavior matches an entry in the database and accurately detects known worms [

State transition diagram of constant quarantine model.

According to the definitions above in the paper, the differential equations of constant quarantine model are given as follows:

The system has a unique positive equilibrium

For system (

Substituting the value of each variable in (

Obviously, if

According to (

The positive equilibrium

If

According to Routh-Hurwitz criterion, all the roots of (

Obviously,

Let

Suppose that

If one of the following holds: (a)

If the conditions (a) and (b) are not satisfied, then all roots of (

when

By the Routh-Hurwitz criterion, all roots of (

Considering (

Assume that

Assume that the coefficients in

According to lemma, it is proved that (

In view of the fact that (

Suppose

This signifies that there exists at least one eigenvalue with positive real part for

Hence,

The root of characteristic equation (

Suppose that the conditions

Equilibrium

If condition

This implies that when time delay

Although the constant quarantine strategy based on misuse intrusion detection does improve the vaccination effect, the system is still out of control and bifurcation is not eliminated. In addition, the system fails to detect unknown worms and worm variants. An anomaly intrusion detection system helps in detecting these kinds of worms. However, it is accompanied by a high false-positive rate. To solve the problems of the constant quarantine strategy and of anomaly intrusion detection, we propose a novel quarantine strategy called impulsive quarantine, based on a hybrid intrusion detection system that makes up for the gaps existing in the two systems. Impulsive quarantine is implemented as follows: constant quarantine of infected hosts found by the misuse detection is performed, while susceptible and infected hosts detected by anomaly detection are quarantined in an impulsive way every

The state transition diagram of impulsive quarantine model is given in Figure

State transition diagram of impulsive quarantine model.

The complete differential equations of the impulsive quarantine model are shown as follows:

We have

We may see that the first four equations in (

Let

Let

System (

The solution of system (

Suppose

Denote

Consider the following equation:

We have

if

if

We first demonstrate the existence of the infection-free periodic solution, in which infected individuals are entirely absent from the population permanently, that is,

First we show below that the susceptible population

From the second and fifth equations of system (

Therefore

The infection-free periodic solution

Since

Let

Let

For the third equation of system (

It is easy to obtain that there is a

In order to simulate the worm propagation in the real world, the parameters in the experiments are practical values. The Slammer worm is selected for experiments [

According to the above parameters, as shown in Figure

Worm propagation trend of model with time delay when

However, when time delay

Worm propagation trend of model with time delay when

In order to see the influence of time delay,

Number of infected hosts when

In Figure

The projection of the phase portrait of system (

The phase portrait of susceptible hosts

Bifurcation diagram of system (

In order to show the impact of constant quarantine strategy, we analyze the numerical results after adopting the constant quarantine strategy. Further, we compare them with the worm propagation model with time delay.

Figure

Worm propagation trend of model with constant quarantine strategy when

When time delay

Worm propagation trend of model with constant quarantine strategy when

In Figure

Comparison of infected hosts before and after adopting constant quarantine strategy if

Figure

The projection of the phase portrait of system (

The phase portrait of susceptible hosts

Bifurcation diagram of system (

The paper performs numerical experiments with the impulsive quarantine strategy and compares the results with those of the constant quarantine model. The interval time of impulsive quarantine is set

Figure

Worm propagation trend of model with impulsive quarantine strategy when

Worm propagation trend of model with impulsive quarantine strategy when

Comparison of infected hosts without quarantine, adopting constant quarantine strategy and impulsive quarantine strategy, respectively, when

The discrete-time simulation is an expanded version of Zou’s program [

Comparison of numerical and simulation curve of the infected hosts of constant quarantine model.

Comparison of numerical and simulation curve of the infected hosts of impulsive quarantine model.
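The comparison of no quarantine, constant quarantine and impulsive quarantine described above can be reproduced qualitatively with a small discrete-time simulation. This is an added example, not the authors' program or Zou's: the transition rates, the FIFO handling of the delayed state and every parameter value are assumptions chosen for illustration, not the paper's equations or its Slammer parameters.

```python
from collections import deque

def simulate(theta=0.0, T=None, theta1=0.0, theta2=0.0, N=100_000, I0=10,
             beta=0.8, gamma=0.1, omega=0.01, mu=0.001, p=0.9, phi=0.05,
             tau=5.0, t_end=200.0, dt=0.1):
    """Euler run of an assumed S/I/D/Q/V model; returns (peak infected, final state).

    theta: constant quarantine rate of infected hosts (misuse detection).
    T, theta1, theta2: impulse interval and the fractions of susceptible and
    infected hosts quarantined at each impulse (anomaly detection).
    All default values are constructed for illustration.
    """
    S, I, Q, V = float(N - I0), float(I0), 0.0, 0.0
    delayed = deque()                       # cohorts being cleaned, oldest first
    delay_steps = round(tau / dt)
    pulse_steps = round(T / dt) if T else 0
    peak = I
    for step in range(1, round(t_end / dt) + 1):
        infect = beta * S * I / N * dt      # new infections
        clean = gamma * I * dt              # infected hosts taken offline for cleaning
        quar = theta * I * dt               # constant quarantine of infected hosts
        release = phi * Q * dt              # quarantined hosts patched and released
        wane = omega * V * dt               # vaccinated hosts becoming susceptible again
        births = mu * (S + I + Q + V) * dt  # new hosts replacing discarded ones
        # Assumption: hosts in the delayed state are not discarded while being cleaned.
        delayed.append(clean)
        # A cohort is vaccinated only after spending tau in the delayed state.
        cleaned = delayed.popleft() if len(delayed) > delay_steps else 0.0
        S += p * births + wane - infect - mu * S * dt
        I += infect - clean - quar - mu * I * dt
        Q += quar - release - mu * Q * dt
        V += (1 - p) * births + release + cleaned - wane - mu * V * dt
        peak = max(peak, I)
        if pulse_steps and step % pulse_steps == 0:
            # Impulsive quarantine: move fixed fractions of S and I into Q at once.
            moved_s, moved_i = theta1 * S, theta2 * I
            S, I, Q = S - moved_s, I - moved_i, Q + moved_s + moved_i
    return peak, {"S": S, "I": I, "D": sum(delayed), "Q": Q, "V": V}

def compare():
    """Run the three strategies with the same constructed parameters."""
    return {
        "none": simulate(),
        "constant": simulate(theta=0.2),
        "impulsive": simulate(theta=0.2, T=10.0, theta1=0.3, theta2=0.5),
    }

if __name__ == "__main__":
    for name, (peak, state) in compare().items():
        print(f"{name:10s} peak infected = {peak:9.0f}  final infected = {state['I']:9.1f}")
```
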

Because time delay leads to Hopf bifurcation, which puts the worm propagation system out of control, this paper proposes two quarantine strategies, constant quarantine and impulsive quarantine, to control the stability of worm propagation. Through theoretical analysis and simulation experiments, the following conclusions can be derived.

In order to accord with actual facts in the real world, a worm propagation model with time delay in vaccination is constructed. The critical time delay

The constant quarantine strategy based on misuse IDS has only some inhibiting effect. Through theoretical analysis, the threshold

The impulsive quarantine strategy is proposed, which can both make up for the gaps existing in the misuse and anomaly IDS and eliminate bifurcation. Through theoretical analysis and numerical experiments, the numerical results match the theoretical ones well, which fully supports our analysis.

Furthermore, various factors can affect worm propagation. The paper focuses on analyzing the influence of time delay. Other factors that affect worm propagation will be a major emphasis of our future research.

Total number of hosts in the network

Number of susceptible hosts at time

Number of infected hosts at time

Number of delayed hosts at time

Number of quarantined hosts at time

Number of vaccinated hosts at time

Infection rate

Removal rate of infected hosts

Rate from vaccinated to susceptible hosts

Birth and death rates

Birth ratio of susceptible hosts

Quarantine rate

Removal rate of quarantined hosts

The interval time of impulsive quarantine

Quarantine rate of susceptible hosts using impulsive quarantine

Quarantine rate of infected hosts using impulsive quarantine

Time delay of detecting and removing worms.

The authors declare that there is no conflict of interests regarding the publication of this paper.

This paper is supported by Program for New Century Excellent Talents in University (NCET-13-0113); Natural Science Foundation of Liaoning Province of China under Grant no. 201202059; Program for Liaoning Excellent Talents in University under LR2013011; Fundamental Research Funds of the Central Universities under Grants no. N120504006 and N100704001; and MOE-Intel Special Fund of Information Technology (MOE-INTEL-2012-06).