An Epidemic Model of Computer Worms with Time Delay and Variable Infection Rate

With rapid development of Internet, network security issues become increasingly serious. Temporary patches have been put on the infectious hosts, whichmay lose efficacy on occasions.This leads to a time delay when vaccinated hosts change to susceptible hosts. On the other hand, the worm infection is usually a nonlinear process. Considering the actual situation, a variable infection rate is introduced to describe the spread process of worms. According to above aspects, we propose a time-delayed worm propagation model with variable infection rate. Then the existence condition and the stability of the positive equilibrium are derived. Due to the existence of time delay, the worm propagation system may be unstable and out of control. Moreover, the threshold τ 0 of Hopf bifurcation is obtained.Thewormpropagation system is stable if time delay is less than τ0.When time delay is over τ0, the systemwill be unstable. In addition, numerical experiments have been performed, which canmatch the conclusions we deduce.The numerical experiments also show that there exists a threshold in the parameter a, which implies that we should choose appropriate infection rate β(t) to constrain worm prevalence. Finally, simulation experiments are carried out to prove the validity of our conclusions.


Introduction
With the deep application of the Internet, network security plays a more and more important role in recent years.Among the security events, the consequences of large-scale network attacks (such as worm attacks and DOS attacks) are especially serious.Meanwhile, the characteristics of worm attacks are wide infection scale, fast spread speed, and serious harm.Consequently, many experts focus on the spread of Internet worms.Some traditional epidemic models of infectious diseases were used to describe the propagation of Internet worms [1] when the Red Code worms broke out.In order to study the spread of malware among mobile phones, the SIS model [2] is proposed by some researchers.Qing and Wen introduced the Kermack-McKendrick model, which is also called SIR model [3].Then many mathematical models [4][5][6][7][8][9] inspired by the SIR model have been employed to constrain the propagation of Internet worms.Some research achievements [10][11][12] showed that the spread dynamic system of malware would be unstable and bifurcation and chaos would appear.Considering the fact that the intrusion detection system (IDS) may lead to time delay, Yao et al. [13][14][15] obtained the threshold of time delay when Hopf bifurcation occurred.Pulse quarantine strategy [16] also has been taken to constrain the propagation of worms in network.Due to the effect of different topologies, some experts presented different models [9,17] to analyse the results.
Although most of previous works can offer useful insight into the Internet worm propagations, some of them fail to grasp the detail that has important impact on the worm propagation.Namely, some of the previous models ignore the variation of the infection rate.They usually regard it as a constant that cannot describe the characteristics and dynamics of worm propagation accurately, such as SIS model [18], SIR models [12,19], SIRS model [20], and SIES model [21].Moreover, some unconventional models such as delayed models [6,22] and impulsive models [23,24] have been proposed.Analogously, these models regard infection rate as a constant as well.In the early stages of worm invasion, the number of infected nodes is small and the linear assumption is still more reasonable.However, as the number of infected nodes increases, the true infection rate will tend to be saturated, and it can be significantly nonlinear.In this case, the linear assumption will overestimate the harmfulness of the worms and lead to great waste of resources.
In this paper, a variable infection rate is introduced into the worm propagation.Some experts have suggested that worm infection is a nonlinear process.The majority of previous models mentioned above are based on the bilinear incidence rate assumption, which is a good approximation of the general incidence rate in the case where the proportion of infected computers is small.However, in reality, the density of infected computers may be large [25].To understand the spreading behaviour of worm propagation better, it is necessary to study epidemic models with general incidence rate.The nonlinear infection rate is used to capture the dynamics of overcrowded infectious networks and high viral loads [26].Gan et al. [25] show that some nonlinear incidence rates may be conducive to the containment of computer viruses.Feng et al. [27] have proposed the SIRS model with a variable infection rate which plays an important role in the spread of the Internet worm.We consider that the vaccinated hosts (the immunizing hosts) may turn to susceptible hosts (the hosts liable to infection by worms) if the worm variants appear or the patches lose efficacy, and this process may take a period of time.Due to the existence of time delay, vaccinated hosts go through a temporary state (delayed state) after the failure of vaccination before becoming susceptible.In this paper, we try to establish a realistic worm propagation model, motivated by the works [7,27].This model can give deep insight into predicting worm spread in networks.
The subsequent materials of this work are organized as follows.In Section 2, we present the SIQVD model.Section 3 analyses the stability of equilibrium and the threshold of Hopf bifurcation.In Section 4, we carry out the numerical analysis and simulation of our model.Section 5 gives the conclusion and proposes useful strategies.

Model Formulation
We propose a model of worm propagation to describe the spreading behaviour of Internet worms more realistically in this paper.Susceptible hosts can turn to the infectious state by many factors.Many classical models employ bilinear infection rate described by , where  is determined by the probability of transmission contact between S (susceptible hosts) and I (infectious hosts).Previous models usually regard  as a constant.In fact, the worm infection is a nonlinear process so that  should be adjusted to ().Infectious hosts can change to vaccinated hosts if there are countermeasures applying to them.The countermeasures include antivirus software, firewall, and patching.Meanwhile, we consider zero-day attacks in this paper.Zero-day attacks spread Internet worms through vulnerabilities of the system or software.Usually, the time of the whole process is not over 24 hours.There are no effective and safe patches when the zero-day attacks appear.So quarantine strategy is proposed to control the worm propagation for the hosts without useful patches.The application of the quarantine strategy relies on We assume that all the hosts change over time among five states: susceptible (S), infectious (I), quarantined (Q), vaccinated (V), and delay (D).Let (), (), (), (), and () denote the number of susceptible, infectious, quarantined, vaccinated, and delay hosts, respectively, at time .We assume that the total number of all the hosts throughout Internet is N.The transition diagram is given in Figure 1.
In order to show the parameters clearly, we list some frequent notations of the model in Notations.
After above description, we can express the model with the following equations: where () changes with time .We regard the infection rate as () =  0  1 (()), where  1 is a nonlinear function of  [27].
For being nonlinear, the function  1 is assumed to satisfy the following assumptions [28]: (1)  1 (0) = 0. ( In other words,  1 is an increasing function that is bounded (by the constant ).
From the above discussion, we can express the model by the following differential equations: where (()) =  1 (())().

Stability of Equilibrium and Bifurcation Analysis
Let Theorem 1. System (2) has a unique positive equilibrium point  * = ( * ,  * ,  * ,  * ,  * ) when  0 ≥ 1, where Proof.When system ( 2) is stable, it satisfies the following equations: We make () > 0; then we have Since the total number of hosts in system ( 5) is , we can get the following equation of : Then we calculate the sign of its derivative as follows: Since   1 () < 0, we can get () −   () > 0. As a result,   () > 0. If there exists a positive root of () = 0, () must satisfy (0) < 0. So we can get From ( 9), we can conclude that (0) < 0 when  0 > 1.Hence, there exists a positive equilibrium point if  0 > 1.The proof is completed.
According to previous lemmas, it can be known that ( 22) has at least a positive root  0 , which also means that the characteristic equation ( 12) has a pair of purely imaginary roots ± 0 .
Since the pair of purely imaginary roots ± 0 is the roots of ( 12), we can get the corresponding   > 0 by uniting (17) and (18).
Let () = V() + () be the root of (12).It is satisfied that V(  ) = 0, (  ) =  0 .Lemma 4. Suppose that ℎ  ( 0 ) ̸ = 0.If  =  0 , then ± 0 is a pair of purely imaginary roots of (12).Moreover, if the conditions in Lemma 3.4 (1) in [14] are satisfied, then This means that there exists at least one eigenvalue with positive real part when  >   .Differentiating on both sides of ( 12) with respect to , we can obtain According to (17) and (18), we obtain the following: where Γ = ( 0  0 −  2  3 0 ) 2 + ( 1  2 0 ) 2 .Then it follows hypothesis ( 3 ) and ℎ  ( 2 0 ) ̸ = 0. Therefore According to Routh's theorem, the root of characteristic equation (12) crosses from left to right on the imaginary axis as  continuously varies from a value less than   to one greater than   .Hence, according to Hopf bifurcation theorem for functional differential equations, the transverse Security and Communication Networks condition holds and the conditions for Hopf bifurcation are satisfied at  =   .Theorem 5. Supposing that the conditions ( 1 ) and ( 2 ) are satisfied, (1) when  <  0 , the positive equilibrium  * = ( * ,  * ,  * ,  * ,  * ) of system ( 2) is locally asymptotically stable and it is unstable when  ≥  0 , (2) when system ( 2) satisfies ( 3 ), the system undergoes a Hopf bifurcation at the positive equilibrium  * = ( * ,  * ,  * ,  * ,  * ) when  =  0 .This implies that when the time delay  <  0 , the system will stabilize at its equilibrium point, which is beneficial for us to implement a containment strategy; when the delay  ≥  0 , the system will be unstable and worms cannot be effectively controlled.

Numerical Simulations and Simulations Experiments
In order to verify the theorems proposed in this paper, we have made the numerical experiments in this section.We select the Slammer worm for experiments.The total number of hosts  is assumed as 400000.Based on the actual situation, the worm's average scan rate is  = 4000 per second.We can calculate the infection rate  = /2 32 = 0.00000093.The susceptible hosts change to vaccinated hosts at rate  = 0.001.The recovered rate of infectious hosts is set as  = 0.002.The quarantine rate  of infectious hosts is 0.2 and the immunity rate  of quarantined hosts is 0.05.The vaccinated hosts lose immunity at rate  = 0.08.We choose the nonlinear function  1 (()) = 1/(1 + ()); then we have (()) = ()/(1 + ()), where  is the parameter that represents the infection rate sensitivity to the number of infected hosts () [27].When  is zero, it means that the infection rate is a constant.Then we can get  0 = 1.819 > 1.
At first, the number of infectious hosts is five and the others' states are susceptible.
When  = 10 <  0 , we can see the changes of the numbers of four kinds of hosts in Figure 2. From Figure 2, we can find that every kind of hosts will be stable when  = 400, which implies that  * is locally asymptotically stable.Figure 3 shows the numbers of susceptible, infectious, quarantined, vaccinated, and delayed hosts when  = 60 >  0 .In this figure, it can be clearly found that the curves of hosts are fluctuant and it is hard for us to predict the propagation of worms.
In order to see the influence of time delay, Figure 4 shows the number of infectious hosts in the same coordinate with different time delays  = 5,  = 15,  = 45, and  = 65.Initially, time delay has little effect in the initial stage of worm propagation, which can be obtained by the overlap of the four curves.With the increase of time delay, the curve begins to oscillate.The infecting process gets unstable with time delay passing through the threshold  0 , which meets our conclusions.Figures 5 and 6 show the number of infected hosts in the same condition with  = 0.0000001,  = 0.000001, and  = 0.00001 when  <  0 and  >  0 .From these two figures, we can get the conclusion that the larger  is, the lower peak of the number of infectious hosts is.Therefore, we can choose appropriate  to get proper () to constrain the spread of Internet worms.
Figure 7 shows the phase portrait of susceptible hosts () and infectious hosts () of system (2) when  = 30 <  0 .Moreover, Figure 8 shows the condition when  = 60 >  0 .From the figures, we can find that the curve converges to  a fixed point, which implies that the system is stable when  = 30 <  0 and the curve radiates to a limit cycle, which implies that the system is unstable when  = 60 >  0 .Figures 9 and 10 are the projection of the phase portrait of system (2) in (, , )-space at  = 30 and  = 60.The same conclusion can be obtained by the figures.Figure 11 gives the bifurcation diagram of system (2) with the parameter  = 0.0000001.It can be easily obtained that the Hopf bifurcation occurs at  =  0 = 37, which is similar to results of theoretical derivation.Figure 12 gives the bifurcation diagram of system (2) with the parameter  = 0.00001.The Hopf bifurcation occurs at  =  0 = 76.Comparing the two figures, it is shown that the parameter  has effect on the time of Hopf bifurcation occurrence.As the parameter  increases, the Hopf bifurcation occurs at a later time.
In order to simulate the actual behaviour of worm propagation and verify the correctness of the theoretical analysis and numerical simulation, we carry out the discretetime simulation, which is an expanded version of Zou et al. 's [7] program.The simulation experiment is used to simulate the worm propagation in the real network.There are 400000 hosts in our simulation experiments.At first, we randomly choose five hosts in the network to be infectious hosts and the others' states are set to be susceptible.In the simulation experiments, the implementation of transition rates of the worm propagation model depends on probability.Figure 13 shows the comparisons between numerical and simulation curves of susceptible, infectious, quarantined, and vaccinated hosts when  = 10 <  0 , which implies that the simulation curves match the numerical curves very well.
When the value of  increases and passes over the threshold value of  0 , namely,  = 60 >  0 , numerical and simulation curves of susceptible, infectious, quarantined, and vaccinated hosts can also match very well as Figure 14 shows.We can find that there exists a difference between numerical and simulation curves because of the high precision of numerical and simulation curves because of the high precision of numerical experiment.However, the small difference does not affect the validity of our conclusions.

Conclusions
In this paper, we propose a SIQVD model with the variable infection rate based on the consideration of a quarantine strategy.Then we analyse the stability of the positive equilibrium and Hopf bifurcation.The critical time delay  0 in which Hopf bifurcation appears is obtained.Through the theoretical (1) The worm propagation system is stable when time delay  <  0 .In this condition, we can predict the spread of worms correctly, and the worms can be reduced to a low extent at last.
(2) The worm propagation system is unstable when time delay  ≥  0 , and the system is out of control.Therefore, time delay should be controlled in a proper range:  <  0 .
(3) When parameter  increases an order of magnitude, the infection rate reduces and the peak of the number of infected hosts will decrease very obviously.Meanwhile,  0 will be reduced by the decrease of   (0).Hence, there exists a threshold for , and we can choose proper infection rate by adjusting the value of  to control the prevalence of worms.
The worm propagation model can be used for Internet worms, such as Code Red worms, Slammer worms, and Witty worms.It can predict the spreading behaviour of Internet worms more realistically.In our future work, we will focus more on the network structure and study it further.The immune rate of susceptible hosts :

Notations
The recovered rate of infectious hosts : The quarantine rate of infectious hosts : The immunity rate of quarantined hosts : The rate at which the vaccinated hosts lose immunity.

Figure 2 :Figure 3 :
Figure 2: The worm propagation of the four kinds of hosts' results with  <  0 .

Figure 4 :
Figure 4: The number of infected hosts () with the change of .

Figure 5 :
Figure 5: Relationship between  and the number of () when  = 5.
(): The number of susceptible hosts at time  (): The number of infectious hosts at time  (): The number of quarantined hosts at time  (): The number of vaccinated hosts at time  (): The number of delay hosts at time  : The total number of hosts throughout Internet (): The infection rate at time   0 : The initial infection rate :