Both vaccination and quarantine strategy are adopted to control the Internet worm propagation. By considering the interaction infection between computers and external removable devices, a worm propagation dynamical system with time delay under quarantine strategy is constructed based on anomaly intrusion detection system (IDS). By regarding the time delay caused by time window of anomaly IDS as the bifurcation parameter, local asymptotic stability at the positive equilibrium and local Hopf bifurcation are discussed. Through theoretical analysis, a threshold τ0 is derived. When time delay is less than τ0, the worm propagation is stable and easy to predict; otherwise, Hopf bifurcation occurs so that the system is out of control and the containment strategy does not work effectively. Numerical analysis and discrete-time simulation experiments are given to illustrate the correctness of theoretical analysis.
1. Introduction
Internet worms, a great threat to the network security, can spread quickly among hosts via wired or wireless networks. In real network environment, many intelligent worms, such as Conficker, Stuxnet, and Flamer, can also spread themselves via external removable devices (USB drives, CD/DVD drives, external hard drives, etc.), which have become one of the main means of infection transmission as well as networks. Conficker can copy itself as the autorun.inf to removable media drives in the system, thereby forcing the executable to be launched every time a removable drive is inserted into a system [1, 2]. Discovered in the summer of 2010, Stuxnet is a threat targeting a specific industrial control system (ICS) likely in Iran, such as a gas pipeline or power plant. Removable device is one of the main pathways for Stuxnet to migrate from the outside world to supposedly isolated and secure ICS [3–5]. Discovered in May 2012, Flamer can spread via removable drives using a special folder that hides the files and can result in automatic execution on viewing the removable drive when combined with the Microsoft Windows Shortcut “LNK/PIF” File Automatic File Execution Vulnerability (CVE-2010-2568) [6, 7]. Therefore, it is time to analyze the dynamic behavior and containment strategy of such worms.
Worm propagation dynamical systems play an important role in predicting the spread of worms. They aid in identifying the weakness in the worm spreading chain and provide accurate prediction for the purpose of damage assessment for a new worm threat. Over the past decades, much research on worms' dynamical behavior has been done. Kermack and Mckendrick [8] proposed the classical SIR model to explain the rapid rise and fall in the number of infected patients observed in epidemics, which also suits the worm spread. Based on the classical SIR model, Zou et al. derived an Internet worm model called the two-factor model [9]. Quarantine strategy, which borrows from the method of epidemic disease control, has been widely used in worm containment and produced a tremendous effect on controlling worm propagation [10–14]. Zou et al. proposed a worm propagation model under dynamic quarantine defense based on the principle “assume [sic] guilty before proven innocent” [10]. Wang et al. proposed a novel epidemic model named SEIQV model which combines both vaccinations and dynamic quarantine methods [11]. However, there is time delay in actual network environment, which may lead to bifurcation phenomenon. Much research has been done on time delay and bifurcation [15–25]. Han and Tan studied the dynamic spread behavior of worms by incorporating the delay factor [19]. Dong et al. proposed a computer virus model with time delay based on SEIR model and regarded time delay as bifurcating parameter to study the dynamical behaviors including local asymptotical stability and local Hopf bifurcation [20]. Yao et al. constructed a model with time delay under quarantine strategy [21]. Wu et al. investigated the problem of sliding mode control of Markovian jump singular time-delay systems [23]. Li and Zhang established a delay-dependent bounded real lemma for singular linear parameter-varying systems with time-variant delay [24]. The problems of D-stability and nonfragile control for a class of discrete-time descriptor Takagi-Sugeno fuzzy systems with multiple state delays are discussed in [25].
However, the above works consider less of the effect of removable devices on worm propagation. As mentioned above, removable devices have become a main pathway for some worms to intrude those hosts not connected to the Internet. Song et al. presented a worm model incorporating specific features to worms spreading via both web-based scanning and removable devices [26]. Zhu et al. studied the dynamics of interaction infection between computers and removable devices in [27]. However, time delay and bifurcation research are not considered in their work. In this paper, by considering the interaction infection between hosts and removable devices, we model a delayed worm propagation dynamical system which combines both vaccination and quarantine strategy. Local asymptotic stability of the positive equilibrium and local Hopf bifurcation are discussed to analyze the influence of time delay on worm propagation dynamical system.
The main contributions of this paper can be summarized as follows.
Considering the influence of removable devices on Internet worm propagation and the time delay caused by anomaly IDS, we propose a novel worm propagation dynamical system with time delay.
We analyze the system stability at positive equilibrium and derive the time delay threshold at which Hopf bifurcation occurs.
By numerical analysis, we illustrate the correctness of theoretical analysis.
The discrete-time simulation is adopted to simulate the worm propagation in real network environment. The results demonstrate the reasonableness of the worm propagation model.
The rest of the paper is organized as follows. In Section 2, considering the influence of removable devices, a worm propagation dynamical system with time delay under quarantine strategy is constructed. In Section 3, local stability of the positive equilibrium and local Hopf bifurcation are investigated. In Section 4, several numerical analyses supporting the theoretical analysis are given. Section 5 makes a comparison between simulation experiments and numerical ones. Finally, we give our conclusions in Section 6.
2. Model Formulation
The system contains both hosts and removable devices. In this model, all hosts are in one of the following five states: susceptible (S), infectious (I), delayed (D), quarantined (Q), and removed (R). All removable devices are divided into two groups: susceptible (RS) and infectious (RI). N and RN denote the total number of hosts and removable devices, respectively. That is, S+I+D+Q+R=N; RS+RI=RN. Susceptible (S) hosts, which are vulnerable to the attack from worms, will be infected by infectious hosts or removable devices; then they will infect other hosts connected to them or removable devices plugged into them. Infectious (I) hosts will be immunized by antivirus software at the rate of γ1. Removed (R) hosts, which have been immunized by antivirus software, will become susceptible at reassembly rate ω. Hosts whose behavior looks anomalous will be quarantined by the IDS and enter the quarantined (Q) state. A susceptible removable device (RS) will be infected when inserted into an infectious host. The worm in an infectious removable device (RI) will be eliminated when the device is connected to a removed host; the device then returns to the susceptible state.
The quarantine strategy is an effective measure to defend against worms’ attack and make up the deficiency of vaccination strategy. In this paper, an anomaly intrusion detection system is chosen for applying the quarantine strategy. Compared with misuse IDS, anomaly IDS has a great advantage in detecting unknown intrusions or variants of known intrusions. However, anomaly IDS judges whether a detected behavior is an attack or not by comparing the detected behavior with the normal or expected behavior of the system and user. If a deviation occurs, the detected behavior is treated as an intrusion immediately. Because of the difficulty in collecting and building the normal behavior database, a high false-alarm rate is considered the main drawback of anomaly IDS. In order to reduce the false alarms of anomaly IDS, the mechanism of a time window is adopted. A suspicious behavior will not trigger an alarm immediately. Instead, the anomaly IDS has a period of time to analyze the accumulated behavior. Therefore, an intermediate state, the delayed (D) state, is added into the propagation model. The larger the time window, the fewer false alarms the anomaly IDS raises, because there is enough time for the anomaly IDS to recognize whether a behavior is an intrusion or not. However, an overly large time window may make the worm propagation dynamical system unstable and out of control. The main notations and definitions are listed in Table 1. The state transition diagram is given by Figure 1.
Table 1: Notations and definitions of the model.

| Notation | Definition |
|---|---|
| N | Total number of hosts in the network |
| RN | Total number of removable devices in the network |
| S(t) | Number of susceptible hosts at time t |
| I(t) | Number of infectious hosts at time t |
| D(t) | Number of delayed hosts at time t |
| Q(t) | Number of quarantined hosts at time t-τ |
| R(t) | Number of removed hosts at time t |
| RS(t) | Number of susceptible removable devices at time t |
| RI(t) | Number of infectious removable devices at time t |
| β1 | Infection ratio of infectious hosts |
| β2 | Contact infection rate between computers and removable devices |
| γ1 | Recovery rate of infectious hosts |
| γ2 | Recovery rate of infectious removable devices |
| ω | Reassembly rate of immunized hosts |
| θ1 | Quarantine rate of susceptible hosts |
| θ2 | Quarantine rate of infectious hosts |
| δ | Immunization rate of quarantined hosts |
| τ | Time delay of detection by anomaly intrusion detection system |
Figure 1: The state transition diagram.
On the basis of current research, we present a delayed worm propagation model which combines both vaccination and quarantine strategy. Several appropriate assumptions are given as follows.
β1 denotes the infection ratio of infectious hosts. Therefore, at time t, the infection force of infectious computers to susceptible computers is given by β1S(t)I(t).
Infectious removable devices have the same infectious ability as the infectious hosts. β2 is the contact infection rate between computers and removable devices, that is, the interactive infection rate when a removable device links to a host. The probability of connecting removable devices for every host is RN/N, and the probability of removable device exactly being in the infectious state is RI(t)/RN. Therefore, the infection force of infectious removable devices to susceptible hosts is β2(RN/N)(RI(t)/RN)S(t).
Susceptible removable devices will be infected when connecting to an infectious host, and then they will infect any other hosts to which they are connected. Meanwhile, worms of infectious removable devices will be eliminated when connecting to one immunized host. That is, the infection force of infectious hosts to susceptible removable devices is β2(I(t)/N)RS(t), and the recovery force of removed hosts to infectious removable devices is γ2(R(t)/N)RI(t).
Owing to the influence of time delay τ, the increment of the number of quarantined hosts is the ones quarantined at time t-τ. Therefore, the increment is θ1S(t-τ)+θ2I(t-τ).
The time window mechanism leads to an intermediate state, delayed state (D). The increment of the number of delayed hosts at time t is given by θ1S(t)+θ2I(t); the decrement of delayed hosts is the number of those being quarantined, that is, θ1S(t-τ)+θ2I(t-τ).
Based on the analyses and assumptions above, the delayed differential equations of the model are formulated as (1). The differential on the left of equations means the change rate of related states at time t. Consider
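$$
\begin{aligned}
\frac{dS(t)}{dt} &= -\beta_1 S(t)I(t) - \beta_2\frac{R_I(t)}{N}S(t) + \omega R(t) - \theta_1 S(t),\\
\frac{dI(t)}{dt} &= \beta_1 S(t)I(t) + \beta_2\frac{R_I(t)}{N}S(t) - \gamma_1 I(t) - \theta_2 I(t),\\
\frac{dR(t)}{dt} &= \gamma_1 I(t) - \omega R(t) + \delta Q(t),\\
\frac{dD(t)}{dt} &= \theta_1 S(t) - \theta_1 S(t-\tau) + \theta_2 I(t) - \theta_2 I(t-\tau),\\
\frac{dQ(t)}{dt} &= \theta_1 S(t-\tau) + \theta_2 I(t-\tau) - \delta Q(t),\\
\frac{dR_S(t)}{dt} &= -\beta_2\frac{I(t)}{N}R_S(t) + \gamma_2\frac{R(t)}{N}R_I(t),\\
\frac{dR_I(t)}{dt} &= \beta_2\frac{I(t)}{N}R_S(t) - \gamma_2\frac{R(t)}{N}R_I(t).
\end{aligned}
\tag{1}
$$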
3. Stability at the Positive Equilibrium and Bifurcation Analysis
Theorem 1.
The system (1) has a unique positive equilibrium E*=(S*,I*,D*,Q*,R*,RS*,RI*), where
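$$
I^* = \frac{b_2 S^{*2} + b_3 S^*}{b_4 - b_1 S^*},\quad
D^* = \theta_1 S^*\tau + \theta_2 I^*\tau,\quad
Q^* = \frac{\theta_1 S^* + \theta_2 I^*}{\delta},\quad
R^* = \frac{\gamma_1 I^* + \theta_1 S^* + \theta_2 I^*}{\omega},\quad
R_I^* = \frac{\beta_2 R_N I^*}{\beta_2 I^* + \gamma_2 R^*}.
\tag{2}
$$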
Proof.
For system (1), according to [28], if all the derivatives on the left of equal sign of the system are set to 0, which implies that the system becomes stable, we can derive
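$$
I = \frac{b_2 S^{*2} + b_3 S^*}{b_4 - b_1 S^*},\quad
Q = \frac{\theta_1 S^* + \theta_2 I^*}{\delta},\quad
R = \frac{\gamma_1 I^* + \theta_1 S^* + \theta_2 I^*}{\omega},\quad
R_I = \frac{\beta_2 R_N I^*}{\beta_2 I^* + \gamma_2 R^*},
\tag{3}
$$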
where
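$$
\begin{aligned}
b_1 &= \omega\beta_1\beta_2 + \gamma_1\gamma_2\beta_1 + \beta_1\gamma_2\theta_2, &
b_2 &= \beta_1\gamma_2\theta_1,\\
b_3 &= \frac{\beta_2^2\,\omega R_N}{N} - \theta_1\gamma_2(\gamma_1+\theta_2), &
b_4 &= (\gamma_1+\theta_2)(\omega\beta_2 + \gamma_1\gamma_2 + \gamma_2\theta_2).
\end{aligned}
\tag{4}
$$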
Assume that system (1) becomes stable at time T. By integrating the fourth equation of system (1) with time t from 0 to T+τ, we can get
$$
D = \theta_1 S^*\tau + \theta_2 I^*\tau.
\tag{5}
$$
Since S+I+D+Q+R=N,
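$$
S^* + \frac{b_2 S^{*2} + b_3 S^*}{b_4 - b_1 S^*} + \theta_1 S^*\tau + \theta_2 I^*\tau + \frac{\theta_1 S^* + \theta_2 I^*}{\delta} + \frac{\gamma_1 I^* + \theta_1 S^* + \theta_2 I^*}{\omega} = N.
\tag{6}
$$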
Obviously, (6) has one unique positive root I*. So there is one unique positive equilibrium E*=(S*,I*,D*,Q*,R*,RS*,RI*) of system (1). The proof is completed.
Since S+I+D+Q+R=N, RS+RI=RN, Q=N-S-I-D-R, RS=RN-RI. System (1) can be simplified to
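$$
\begin{aligned}
\frac{dS(t)}{dt} &= -\beta_1 S(t)I(t) - \beta_2\frac{R_I(t)}{N}S(t) + \omega R(t) - \theta_1 S(t),\\
\frac{dI(t)}{dt} &= \beta_1 S(t)I(t) + \beta_2\frac{R_I(t)}{N}S(t) - \gamma_1 I(t) - \theta_2 I(t),\\
\frac{dR(t)}{dt} &= \gamma_1 I(t) - \omega R(t) + \delta\bigl(N - S(t) - I(t) - D(t) - R(t)\bigr),\\
\frac{dD(t)}{dt} &= \theta_1 S(t) - \theta_1 S(t-\tau) + \theta_2 I(t) - \theta_2 I(t-\tau),\\
\frac{dR_I(t)}{dt} &= \beta_2\frac{I(t)}{N}\bigl(R_N - R_I(t)\bigr) - \gamma_2\frac{R(t)}{N}R_I(t).
\end{aligned}
\tag{7}
$$
The Jacobian matrix of (7) about E*=(S*,I*,D*,R*,RI*) is given by
$$
J(E^*) =
\begin{pmatrix}
-\beta_1 I^* - \beta_2\dfrac{R_I^*}{N} - \theta_1 & -\beta_1 S^* & \omega & 0 & -\beta_2\dfrac{S^*}{N}\\
\beta_1 I^* + \beta_2\dfrac{R_I^*}{N} & \beta_1 S^* - \gamma_1 - \theta_2 & 0 & 0 & \beta_2\dfrac{S^*}{N}\\
-\delta & \gamma_1 - \delta & -\omega - \delta & -\delta & 0\\
\theta_1 - \theta_1 e^{-\lambda\tau} & \theta_2 - \theta_2 e^{-\lambda\tau} & 0 & 0 & 0\\
0 & \dfrac{\beta_2(R_N - R_I^*)}{N} & -\dfrac{\gamma_2 R_I^*}{N} & 0 & -\dfrac{\beta_2 I^* + \gamma_2 R^*}{N}
\end{pmatrix}.
\tag{8}
$$
Let
$$
\begin{aligned}
c_1 &= \beta_1 I^* + \beta_2\frac{R_I^*}{N},\quad
c_2 = \beta_1 S^*,\quad
c_3 = \beta_2\frac{S^*}{N},\quad
c_4 = \frac{\beta_2(R_N - R_I^*)}{N},\quad
c_5 = \frac{\gamma_2 R_I^*}{N},\quad
c_6 = \frac{\beta_2 I^* + \gamma_2 R^*}{N},\\
p_4 &= c_6 - c_2 + \gamma_1 + \theta_2 + \omega + \delta + c_1 + \theta_1,\\
p_3 &= c_6(-c_2+\gamma_1+\theta_2) + (\omega+\delta+c_1+\theta_1)(c_6-c_2+\gamma_1+\theta_2) + (c_1+\theta_1)(\omega+\delta) - c_3c_4 + c_1c_2 + \delta\omega,\\
p_2 &= c_6(\omega+\delta+c_1+\theta_1)(-c_2+\gamma_1+\theta_2) + \bigl((c_1+\theta_1)(\omega+\delta)+\delta\omega\bigr)(c_6-c_2+\gamma_1+\theta_2)\\
&\quad - c_3c_4(\theta_1+\omega+\delta) + c_1c_2(c_6+\omega+\delta) + (c_1\omega - c_3c_5)(\delta-\gamma_1) + \delta(c_3+\omega\theta_1),\\
p_1 &= \bigl(c_6(c_1+\theta_1)(\omega+\delta) + c_6\delta\omega + \delta c_3\bigr)(-c_2+\gamma_1+\theta_2) + (c_1c_2c_6 - \theta_1c_3c_4)(\omega+\delta)\\
&\quad + (c_1c_6\omega - \theta_1c_3c_5)(\delta-\gamma_1) - \delta\omega\bigl(c_3c_4 + \theta_2 + \theta_1(c_6-c_2+\gamma_1+\theta_2)\bigr) + \delta c_5(c_2c_3 + c_3\theta_1 - \theta_2\theta_3),\\
p_0 &= \delta\omega\bigl(\theta_2c_6 - \theta_1c_3c_4 + \theta_1c_6(-c_2+\gamma_1+\theta_2)\bigr)\\
&\quad + \delta c_5\bigl(\theta_1c_2c_3 + \theta_2c_1c_3 + c_3\theta_1(-c_2+\gamma_1+\theta_2) - c_3\theta_2(c_1+\theta_1)\bigr),\\
q_2 &= -\delta\theta_1\omega,\\
q_1 &= -\delta\omega\bigl(\theta_2 + \theta_1(c_6-c_2+\gamma_1+\theta_2)\bigr) - \delta c_5(c_3\theta_1 - c_3\theta_2),\\
q_0 &= \delta\omega\bigl(\theta_2c_6 - \theta_1c_3c_4 + c_6\theta_1(-c_2+\gamma_1+\theta_2)\bigr)\\
&\quad + \delta c_5\bigl(\theta_1c_2c_3 + \theta_2c_1c_3 + \theta_1c_3(-c_2+\gamma_1+\theta_2) - c_3\theta_2(c_1+\theta_1)\bigr).
\end{aligned}
\tag{9}
$$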
The characteristic equation of system (8) can be obtained by
$$
P(\lambda) + Q(\lambda)e^{-\lambda\tau} = 0,
\tag{10}
$$
where
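$$
P(\lambda) = \lambda^5 + p_4\lambda^4 + p_3\lambda^3 + p_2\lambda^2 + p_1\lambda + p_0,\qquad
Q(\lambda) = q_2\lambda^2 + q_1\lambda + q_0.
\tag{11}
$$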
Theorem 2.
The positive equilibrium E* is locally asymptotically stable without time delay, if condition (H1) is satisfied:
$$
(H_1):\quad p_4 > 0,\quad d_1 > 0,\quad d_2 > 0,\quad (p_2+q_2)d_1 - p_4^2 d_2 > 0,
\tag{12}
$$
where
$$
d_1 = p_3p_4 - (p_2+q_2),\qquad d_2 = p_1 + q_1.
\tag{13}
$$
Proof.
When τ=0, (10) reduces to
$$
\lambda^5 + p_4\lambda^4 + p_3\lambda^3 + (p_2+q_2)\lambda^2 + (p_1+q_1)\lambda + (p_0+q_0) = 0.
\tag{14}
$$
According to Routh-Hurwitz criterion, all roots of (14) have negative real parts. Therefore, it can be concluded that the positive equilibrium E*=(S*,I*,D*,R*,RI*) is locally asymptotically stable without time delay. The proof is completed.
If λ=iω(ω>0) is the root of (10), separating the real and imaginary parts, the following two equations can be obtained:
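$$
\begin{aligned}
p_4\omega^4 - p_2\omega^2 + p_0 + q_1\omega\sin(\omega\tau) - q_2\omega^2\cos(\omega\tau) + q_0\cos(\omega\tau) &= 0,\\
\omega^5 - p_3\omega^3 + p_1\omega + q_1\omega\cos(\omega\tau) + q_2\omega^2\sin(\omega\tau) - q_0\sin(\omega\tau) &= 0.
\end{aligned}
\tag{15}
$$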
From (15), the following equation can be obtained:
$$
q_1^2\omega^2 + (q_0 - q_2\omega^2)^2 = (p_4\omega^4 - p_2\omega^2 + p_0)^2 + (\omega^5 - p_3\omega^3 + p_1\omega)^2.
\tag{16}
$$
That is,
$$
\omega^8 + D_3\omega^6 + D_2\omega^4 + D_1\omega^2 + D_0 = 0,
\tag{17}
$$
where
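$$
\begin{aligned}
D_3 &= p_4^2 - 2p_3, &
D_2 &= p_3^2 + 2p_1 - 2p_2p_4,\\
D_1 &= p_2^2 - q_2^2 + 2p_0p_4 - 2p_1p_3, &
D_0 &= p_1^2 - q_1^2 + 2q_0q_2 - 2p_0p_2.
\end{aligned}
\tag{18}
$$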
Letting z=ω2, (17) can be written as
$$
h(z) = z^4 + D_3z^3 + D_2z^2 + D_1z + D_0.
\tag{19}
$$
Zhang et al. [18] obtained the following results on the distribution of roots of (19). Denote
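$$
\begin{aligned}
m &= \frac{1}{2}D_2 - \frac{3}{16}D_3^2,\qquad
n = \frac{1}{32}D_3^3 - \frac{1}{8}D_3D_2 + D_1,\qquad
\Delta = \left(\frac{n}{2}\right)^2 + \left(\frac{m}{3}\right)^3,\qquad
\sigma = \frac{-1+\sqrt{3}\,i}{2},\\
y_1 &= \sqrt[3]{-\frac{n}{2}+\sqrt{\Delta}} + \sqrt[3]{-\frac{n}{2}-\sqrt{\Delta}},\\
y_2 &= \sqrt[3]{-\frac{n}{2}+\sqrt{\Delta}}\,\sigma + \sqrt[3]{-\frac{n}{2}-\sqrt{\Delta}}\,\sigma^2,\\
y_3 &= \sqrt[3]{-\frac{n}{2}+\sqrt{\Delta}}\,\sigma^2 + \sqrt[3]{-\frac{n}{2}-\sqrt{\Delta}}\,\sigma,\\
z_i &= y_i - \frac{3D_3}{4}\quad (i=1,2,3).
\end{aligned}
\tag{20}
$$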
Lemma 3.
For the polynomial equation (19),
if D0<0, then (19) has at least one positive root;
if D0≥0 and Δ≥0, then (19) has positive root if and only if z1>0 and h(z1)<0;
if D0≥0 and Δ<0, then (19) has positive root if and only if there exists at least one z*∈(z1,z2,z3), such that z*>0 and h(z*)≤0.
Lemma 4.
Suppose that condition (H1): p4>0, d1>0, d2>0, (p2+q2)d1-p4^2 d2>0 is satisfied.
If one of the following holds, (a) D0<0; (b) D0≥0, Δ≥0, z1>0, and h(z1)<0; (c) D0≥0 and Δ<0, and there exists at least one z*∈(z1,z2,z3) such that z*>0 and h(z*)≤0, then all roots of (10) have negative real parts when τ∈[0,τ0); here, τ0 is a certain positive constant.
If conditions (a)–(c) of (1) are not satisfied, then all roots of (10) have negative real parts for all τ≥0.
Proof.
When τ=0, (10) can be reduced to
$$
\lambda^4 + p_4\lambda^3 + p_3\lambda^2 + (p_2+q_2)\lambda + (p_1+q_1) = 0.
\tag{21}
$$
According to the Routh-Hurwitz criterion, all roots of (21) have negative real parts if and only if p4>0, d1>0, d2>0, and (p2+q2)d1-p4^2 d2>0.
From Lemma 3, it can be known that if (a)–(c) are not satisfied, then (10) has no roots with zero real part for all τ≥0; if one of (a)–(c) holds, when τ≠τk(j), k=1,2,3,4, j>1, (10) has no roots with zero real part and τ0 is the minimum value of τ, so (10) has purely imaginary roots. According to [18], one obtains the conclusion of the lemma.
Let λ(τ)=v(τ)+iω(τ) be the root of (10), v(τ0)=0 and ω(τ0)=ω0.
From Lemmas 3 and 4, the following are obtained.
When conditions (a)–(c) of Lemma 4(1) are not satisfied, h(z) always has no positive root. Therefore, under these conditions, (10) has no purely imaginary roots for any τ>0, which implies that the positive equilibrium E*=(S*,I*,D*,R*,RI*) of system (7) is absolutely stable. Therefore, the following theorem on the stability of positive equilibrium E*=(S*,I*,D*,R*,RI*) can be easily obtained.
Theorem 5.
Supposing that condition (H1) is satisfied, (a) D0≥0, Δ≥0, z1<0, and h(z1)>0; (b) D0≥0 and Δ<0, and there is no z*∈(z1,z2,z3) such that z*>0 and h(z*)≤0, then the positive equilibrium E*=(S*,I*,D*,R*,RI*) of system (7) is absolutely stable.
In what follows, it is assumed that the coefficients in h(z) satisfy the condition
(H2) (a) D0≥0, Δ≥0, z1<0, and h(z1)>0; (b) D0≥0,Δ<0, and there is no z*∈(z1,z2,z3) such that z*>0 and h(z*)≤0.
According to [29], it is known that (19) has at least a positive root ω0, which implies that characteristic equation (10) has a pair of purely imaginary roots ±iω0.
Since (10) has a pair of purely imaginary roots ±iω0, the corresponding τk>0 is given by (15). Consider
$$
\tau_k = \frac{1}{\omega_0}\arccos\left[\frac{(q_0 - q_2\omega^2)(p_2\omega_0^2 - p_4\omega_0^4 - p_0) + q_1\omega_0(p_3\omega_0^3 - \omega_0^5 - p_1\omega_0)}{(q_0 - q_2\omega^2)^2 + q_1^2\omega_0^2}\right] + \frac{2k\pi}{\omega_0},\qquad k = 0,1,2,3,\ldots
\tag{22}
$$
Let λ(τ)=v(τ)+iω(τ) be the root of (10). v(τk)=0 and ω(τk)=ω0 are satisfied when τ=τk.
Lemma 6.
Suppose that h′(z0)≠0. If τ=τ0, then ±iω0 is a pair of purely imaginary roots of (10). In addition, if the conditions of Lemma 4(1) are satisfied, then dReλ(τ0)/dτ>0.
It is claimed that
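$$
\operatorname{sgn}\left[\frac{d\operatorname{Re}\lambda}{d\tau}\right]_{\tau=\tau_k} = \operatorname{sgn}\{h'(\omega_0^2)\}.
\tag{23}
$$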
This signifies that there is at least one eigenvalue with positive real part for τ>τk.
Differentiating two sides of (10) with respect to τ, it can be written as
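$$
\begin{aligned}
\left(\frac{d\lambda}{d\tau}\right)^{-1}
&= \Bigl((5\lambda^4 + 4p_4\lambda^3 + 3p_3\lambda^2 + 2p_2\lambda + p_1) + (2q_2\lambda + q_1)e^{-\lambda\tau} - (q_2\lambda^2 + q_1\lambda + q_0)\tau e^{-\lambda\tau}\Bigr)\\
&\quad\times\Bigl((q_2\lambda^2 + q_1\lambda + q_0)\lambda e^{-\lambda\tau}\Bigr)^{-1}\\
&= \frac{(5\lambda^4 + 4p_4\lambda^3 + 3p_3\lambda^2 + 2p_2\lambda + p_1)e^{\lambda\tau}}{(q_2\lambda^2 + q_1\lambda + q_0)\lambda} + \frac{2q_2\lambda + q_1}{(q_2\lambda^2 + q_1\lambda + q_0)\lambda} - \frac{\tau}{\lambda}.
\end{aligned}
\tag{24}
$$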
Therefore
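$$
\begin{aligned}
\operatorname{sgn}\left[\frac{d\operatorname{Re}\lambda}{d\tau}\right]_{\tau=\tau_k}
&= \operatorname{sgn}\left[\operatorname{Re}\left(\frac{d\lambda}{d\tau}\right)^{-1}\right]_{\lambda=i\omega_0}\\
&= \operatorname{sgn}\left[\operatorname{Re}\left(\frac{(5\lambda^4 + 4p_4\lambda^3 + 3p_3\lambda^2 + 2p_2\lambda + p_1)e^{\lambda\tau}}{(q_2\lambda^2 + q_1\lambda + q_0)\lambda} + \frac{2q_2\lambda + q_1}{(q_2\lambda^2 + q_1\lambda + q_0)\lambda} - \frac{\tau}{\lambda}\right)\right]_{\lambda=i\omega_0}\\
&= \operatorname{sgn}\operatorname{Re}\left\{\frac{(5\omega_0^4 - 4p_4\omega_0^3 i - 3p_3\omega_0^2 + 2p_2\omega_0 i + p_1)\,[\cos(\omega_0\tau_k) + i\sin(\omega_0\tau_k)]}{(q_1\omega_0 i + q_0 - q_2\omega^2)\,\omega_0 i} + \frac{2q_2\omega_0 i + q_1}{(q_1\omega_0 i + q_0 - q_2\omega^2)\,\omega_0 i}\right\}\\
&= \operatorname{sgn}\frac{\omega_0^2}{K}\Bigl[4\omega_0^6 + (3p_4^2 - 6p_3)\omega_0^4 + (2p_3^2 + 4p_1 - 4p_2p_4)\omega_0^2 + (p_2^2 + 2p_0p_4 - 2p_1p_3)\Bigr]\\
&= \operatorname{sgn}\frac{\omega_0^2}{\Gamma}\{h'(\omega_0^2)\} = \operatorname{sgn}\{h'(\omega_0^2)\},
\end{aligned}
\tag{25}
$$
where $K = q_1^2\omega_0^4 + (q_0\omega_0 - q_2\omega_0^3)^2$. It follows from the hypothesis (H2) that $h'(\omega_0^2) \neq 0$ and therefore the transversality condition holds. It can be obtained that
$$
\left.\frac{d(\operatorname{Re}\lambda)}{d\tau}\right|_{\tau=\tau_k} > 0.
\tag{26}
$$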
The root of characteristic equation (10) crosses from the left to the right on the imaginary axis as τ continuously varies from a value less than τk to one greater than τk according to Rouche’s theorem [15]. Therefore, according to the Hopf bifurcation theorem [30] for functional differential equations, the transversality condition holds and the conditions for Hopf bifurcation are satisfied at τ=τk. Then the following result can be obtained.
Theorem 7.
Supposing that condition (H1) is satisfied,
if τ∈[0,τ0), then the positive equilibrium E*=(S*,I*,D*,R*,RI*) of system (7) is asymptotically stable and unstable when τ>τ0;
if condition (H2) is satisfied, system (7) will undergo a Hopf bifurcation at the positive equilibrium E*=(S*,I*,D*,R*,RI*) when τ=τk (k=0,1,2,…), where τk is defined by (22).
This implies that when the time delay τ<τ0, the system will stabilize at its infection equilibrium point, which is beneficial for us to implement a containment strategy; when time delay τ>τ0, the system will be unstable and worms cannot be effectively controlled.
4. Numerical Analysis
In this section, several numerical results are presented to prove the correctness of theoretical analysis above. 750,000 hosts and 50,000 removable devices are selected as the population size; the worm’s average scan rate is η=4000 per second. The worm infection rate can be calculated as α=ηN/2^32=0.698, which means that on average 0.698 hosts of all the hosts can be scanned by one infectious host. The infection ratio is β1=η/2^32=0.00000093. The contact infection rate between hosts and removable devices is β2=0.0045. The recovery rates of infectious hosts and removable devices are γ1=0.02 and γ2=0.005, respectively. The immunization rate of quarantined hosts is δ=0.05 and the reassembly rate of immunized hosts is ω=0.08. At the beginning, there are 50 infectious hosts and 20 infectious removable devices, while the rest of hosts and removable devices are susceptible.
In anomaly intrusion detection system, the rate at which infected hosts are detected and quarantined is θ2=0.2 per second. It means that an infected host can be detected and quarantined in about 5 s. The rate at which susceptible hosts are detected and quarantined is θ1=0.00002315 per second; that is, about two false alarms are generated by the anomaly intrusion detection system per day.
When τ=5<τ0, Figure 2 presents the changes of the number of five kinds of hosts and Figure 3 shows the curves of two kinds of removable devices. According to Theorem 5, the positive equilibrium E*=(S*,I*,D*,R*,RI*) is asymptotically stable when τ∈[0,τ0), which is illustrated by the numerical simulations in Figures 2 and 3. Finally, the number of every kind of host and removable device keeps stable.
Figure 2: Propagation trend of the five kinds of hosts when τ<τ0.
Figure 3: Propagation trend of the two kinds of removable devices when τ<τ0.
When τ increases and passes through the threshold τ0, the positive equilibrium E*=(S*,I*,D*,R*,RI*) loses its stability and a Hopf bifurcation occurs. A family of periodic solutions bifurcates from the positive equilibrium E*. When τ=45>τ0, Figure 4 shows the curves of susceptible, infectious, quarantined, and removed hosts, and the numerical simulation results for the two kinds of removable devices are depicted in Figure 5. From Figures 4 and 5, we can clearly see that every state of hosts and removable devices is unstable. Figure 4 shows that the number of infectious hosts bursts out after a short quiet period, and this pattern repeats again and again.
Figure 4: Propagation trend of the four kinds of hosts when τ>τ0.
Figure 5: Propagation trend of the two kinds of removable devices when τ>τ0.
In order to state the influence of time delay, the delay τ is set to a different value each time with other parameters remaining unchanged. Figure 6 shows four curves of the number of infectious hosts in the same coordinate with four delays: τ=5, τ=15, τ=45, and τ=90, respectively. Figures 7(a)–7(c) show four curves of the number of infectious hosts in four coordinates. Initially, the four curves are overlapped which means that the time delay has little effect on the initial state of worm spread. With the increase of the time T, the time delay affects the number of infectious hosts. With the increase of time delay, the curve begins to oscillate. The system becomes unstable as time delay passes through the critical value τ0. At the same time, it can be discovered that the amplitude and period of the number of infectious hosts gradually increase.
Figure 6: The number of infectious hosts when τ is changed in one coordinate.
Figure 7: The number of infectious hosts when τ is changed in four coordinates.
Figures 8(a) and 8(b) show the phase portraits of susceptible hosts S(t) and infectious hosts I(t) with τ=30<τ0 and τ=60>τ0, respectively. Figures 9(a) and 9(b) show the projection of the phase portrait of system (1) in (S,I,R)-space when τ=30<τ0 and τ=60>τ0, respectively. It is clear that the curve converges to a fixed point when τ<τ0, which means that the system is stable. When τ>τ0, the curve converges to a limit cycle, which implies that the system is unstable and the worm propagation is out of control.
Figure 8: The phase portrait of susceptible hosts S(t) and infectious hosts I(t).
Figure 9: The projection of the phase portrait of system (1) in (S,I,R)-space.
Figure 10 shows the bifurcation diagram with τ from 1 to 90. It is clear that Hopf bifurcation will occur when τ=τ0=35.
Figure 10: Bifurcation diagram of system (1) with τ ranging from 1 to 90.
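The following Python sketch is an added example, not code from the paper or its authors. It solves equation (6) for S* by bisection to obtain the equilibrium of Theorem 1, and integrates system (1) by forward Euler with the Section 4 parameters so the effect of the IDS time window τ on I(t) can be inspected. The step size, the choice of a zero delayed term before t=0, and all function names are assumptions made here.

```python
from collections import deque

# Parameters quoted in Section 4 (all rates per second).
N, RN = 750_000.0, 50_000.0      # hosts, removable devices
B1 = 4000.0 / 2**32              # beta1 = eta / 2^32
B2 = 0.0045                      # beta2
G1, G2 = 0.02, 0.005             # gamma1, gamma2
OM, DE = 0.08, 0.05              # omega, delta
TH1, TH2 = 0.00002315, 0.2       # theta1, theta2
I0, RI0 = 50.0, 20.0             # initially infectious hosts / devices


def rhs(S, I, D, Q, R, RS, RI, flagged_delayed):
    """Right-hand side of system (1), in state order (S, I, D, Q, R, RS, RI).
    flagged_delayed stands for theta1*S(t-tau) + theta2*I(t-tau)."""
    infect = B1 * S * I + B2 * RI / N * S
    flagged = TH1 * S + TH2 * I
    d_ri = B2 * I / N * RS - G2 * R / N * RI
    return (-infect + OM * R - TH1 * S,
            infect - G1 * I - TH2 * I,
            flagged - flagged_delayed,
            flagged_delayed - DE * Q,
            G1 * I - OM * R + DE * Q,
            -d_ri, d_ri)


def equilibrium(tau):
    """Positive equilibrium E* from eqs. (2)-(6), by bisection on S*."""
    common = OM * B2 + G1 * G2 + G2 * TH2
    b1, b2 = B1 * common, B1 * G2 * TH1          # b1 of eq. (4), factored
    b3 = B2**2 * OM * RN / N - TH1 * G2 * (G1 + TH2)
    b4 = (G1 + TH2) * common

    def closed_forms(S):
        den = b4 - b1 * S
        if den <= 0:                              # at or past the pole of I*(S*)
            return None
        I = (b2 * S * S + b3 * S) / den
        flagged = TH1 * S + TH2 * I
        R = (G1 * I + flagged) / OM
        RI = B2 * RN * I / (B2 * I + G2 * R)
        return (S, I, flagged * tau, flagged / DE, R, RN - RI, RI)

    def excess(S):                                # left side of (6) minus N
        e = closed_forms(S)
        return float("inf") if e is None else sum(e[:5]) - N

    # The left side of (6) grows from 0 to +inf on (0, b4/b1): one root.
    lo, hi = 0.0, b4 / b1
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if excess(mid) < 0 else (lo, mid)
    return closed_forms(lo)


def simulate(tau, t_end, dt=0.05):
    """Forward-Euler integration of system (1); returns one state per step."""
    state = (N - I0, I0, 0.0, 0.0, 0.0, RN - RI0, RI0)
    # Assumption: no host was flagged before t = 0, so the delayed
    # term is zero until t reaches tau.
    history = deque([0.0] * round(tau / dt))
    out = [state]
    for _ in range(round(t_end / dt)):
        history.append(TH1 * state[0] + TH2 * state[1])
        deriv = rhs(*state, history.popleft())
        state = tuple(x + dt * dx for x, dx in zip(state, deriv))
        out.append(state)
    return out


def late_swing(tau, t_end=3000.0, dt=0.05):
    """Peak-to-trough range of I(t) over the last third of the run."""
    infectious = [s[1] for s in simulate(tau, t_end, dt)]
    tail = infectious[-(len(infectious) // 3):]
    return max(tail) - min(tail)


if __name__ == "__main__":
    for tau in (5, 45):                           # the two delays plotted above
        S, I = equilibrium(tau)[:2]
        print(f"tau={tau}: S*={S:.0f}  I*={I:.0f}  "
              f"late swing of I = {late_swing(tau):.1f}")
```

Run as a script, it prints E* and the late peak-to-trough range of I(t) for τ=5 and τ=45, the two delays used in Figures 2 to 5.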
5. Simulation Experiments
In our simulation experiments, the discrete-time simulation is adopted because it is accurate and less time-consuming. The discrete-time simulation is an expanded version of Zou’s program simulating Code Red worm propagation. All of the parameters are consistent with the numerical experiments.
Figures 11(a)–11(d) show the comparisons between numerical and simulation curves of susceptible, infectious, quarantined, and removed hosts when τ=5<τ0, respectively. It is clearly seen that the simulation curves match the numerical ones very well. Figures 12(a)–12(d) show the comparisons between numerical and simulation results of four kinds of hosts when τ=90>τ0. In this figure, two curves are still matched well. It fully illustrates the correctness of our theoretical analysis.
Figure 11: Comparisons between numerical curves and simulation curves when τ<τ0.
Figure 12: Comparisons between numerical curves and simulation curves when τ>τ0.
6. Conclusions
In this paper, considering the influence of removable devices, a delayed worm propagation dynamical system based on anomaly IDS has been constructed. By regarding the time delay caused by time window of anomaly IDS as the bifurcation parameter, the local asymptotic stability at the positive equilibrium and local Hopf bifurcation were discussed. Through theoretical analysis and related experiments, the main conclusions can be summarized as follows.
The critical time delay τ0 where Hopf bifurcation appears is derived:
$$
\tau_0 = \frac{1}{\omega_0}\arccos\left[\frac{(q_0 - q_2\omega^2)(p_2\omega_0^2 - p_4\omega_0^4 - p_0) + q_1\omega_0(p_3\omega_0^3 - \omega_0^5 - p_1\omega_0)}{(q_0 - q_2\omega^2)^2 + q_1^2\omega_0^2}\right].
\tag{27}
$$
When the time delay τ<τ0, worm propagation system is stable and worms’ behavior is easy to predict, which is beneficial for us to implement containment strategy to control and eliminate the worm.
When time delay τ≥τ0, Hopf bifurcation occurs, which implies that the system will be unstable and containment strategy does not work effectively.
Thus, in order to control and even eliminate the worm, the size of time window of anomaly IDS must be less than τ0. In real network environment, various factors can affect worm propagation. This paper concentrates on analyzing the influence of time delay caused by anomaly IDS; other factors having an impact on worm propagation will be the center of our future study.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This paper is supported by the Program for New Century Excellent Talents in University (NCET-13-0113); Natural Science Foundation of Liaoning Province of China under Grant no. 201202059; Program for Liaoning Excellent Talents in University under LR2013011; Fundamental Research Funds of the Central Universities under Grant nos. N120504006 and N100704001; and MOE-Intel Special Fund of Information Technology (MOE-INTEL-2012-06).
References
[1] Porras P., Saidi H., Yegneswaran V.
[2] Unruly USB Devices Expose Networks to Malware, http://www.aspirantinfotech.com/sgdownload/lumension/brochure/Unruly-USB-Devices-Expose-Networks-to-Malware.pdf
[3] Byres E., Ginter A., Langill J. How stuxnet spreads—a study of infection paths in best practice systems.
[4] Falliere N., Murchu L. O., Chien E. W32.Stuxnet Dossier. Symantec Security Response, 2011.
[5] Win32.Stuxnet, http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
[6] Flamer: Highly Sophisticated and Discreet Threat Targets the Middle East, http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east
[7] W32.Flamer, http://www.symantec.com/security_response/writeup.jsp?docid=2012-052811-0308-99
[8] Kermack W. O., Mckendrick A. G. A contribution to the mathematical theory of epidemics.
[9] Zou C. C., Gong W., Towsley D. Code red worm propagation modeling and analysis. Proceedings of the 9th ACM Conference on Computer and Communications Security, November 2002, Washington, DC, USA, 138–147.
[10] Zou C. C., Gong W. B., Towsley D. Worm propagation modeling and analysis under dynamic quarantine defense. Proceedings of the ACM Workshop on Rapid Malcode (WORM '03), October 2003, Washington, DC, USA, 51–60.
[11] Wang F., Zhang Y., Wang C., Ma J., Moon S. Stability analysis of a SEIQV epidemic model for rapid spreading worms.
[12] Yao Y., Xiang W., Qu A., Yu G., Gao F. Hopf bifurcation in an SEIDQV worm propagation model with quarantine strategy.
[13] Yao Y., Guo L., Guo H., Yu G., Gao F., Tong X. Pulse quarantine strategy of internet worm propagation: modeling and analysis.
[14] Mishra B. K., Jha N. SEIQRS model for the transmission of malicious objects in computer network.
[15] Hassard B. D., Kazarinoff N. D., Wan Y. H.
[16] Yao Y., Zhang N., Xiang W., Yu G., Gao F. Modeling and analysis of bifurcation in a delayed worm propagation model.
[17] Yu W., Cao J. Hopf bifurcation and stability of periodic solutions for van der Pol equation with time delay.
[18] Zhang J., Li W., Yan X. Hopf bifurcation and stability of periodic solutions in a delayed eco-epidemiological system.
[19] Han X., Tan Q. Dynamical behavior of computer virus on Internet.
[20] Dong T., Liao X., Li H. Stability and Hopf bifurcation in a computer virus model with multistate antivirus.
[21] Yao Y., Xie X., Guo H., Yu G., Gao F., Tong X. Hopf bifurcation in an Internet worm propagation model with time delay in quarantine.
[22] Ren J., Yang X., Zhu Q., Yang L., Zhang C. A novel computer virus model and its dynamics.
[23] Wu L., Su X., Shi P. Sliding mode control with bounded l2 gain performance of Markovian jump singular time-delay systems.
[24] Li F., Zhang X. A delay-dependent bounded real lemma for singular LPV systems with time-variant delay.
[25] Li F., Shi P., Wu L., Zhang X. Fuzzy-model-based D-stability and non-fragile control for discrete-time descriptor systems with multiple delays.
[26] Song L., Zhen J., Sun G., Zhang J., Han X. Influence of removable devices on computer worms: dynamic analysis and control strategies.
[27] Zhu Q., Yang X., Ren J. Modeling and analysis of the spread of computer virus.
[28] Wang S., Liu Q., Yu X., Ma Y. Bifurcation analysis of a model for network worm propagation with time delay.
[29] Wang L., Fan Y., Li W. Multiple bifurcations in a predator-prey system with monotonic functional response.
[30] Hale J. K., Verduyn Lunel S. M.