A Malware Propagation Model with Dual Delay in the Industrial Control Network

The malware attacks targeting the industrial control network are gradually increasing, and the nonlinear phenomenon makes it difficult to predict the propagation behavior of malware. Once the dynamic system becomes unstable, the propagation of malware will be out of control, which will seriously threaten the security of the industrial control network. So, it is necessary to model and study the propagation of malware in the industrial control network. In this paper, a SIDQR model with dual delay is proposed by fully considering the characteristics of the industrial control network. By analyzing the nonlinear dynamics of the model, the Hopf bifurcation is discussed in detail when the value of dual delay is greater than zero, and the expression for the threshold is also provided. The results of the experiments indicate that the system may have multiple bifurcation points. By comparing different immune and quarantine rates, it is found that the immune rate can be appropriately increased and the isolation rate can be appropriately reduced in the industrial control network, which can suppress the spread of malware without interrupting the industrial production.


Introduction
The industrial control network is the key foundation for realizing digital transformation. It is an emerging business form and application model formed by the deep integration of new information technology and the industrial economy. ICS (industrial control system) has become an important component of many national infrastructures. With the continuous upgrading of the ICS, the connection between the industrial control network and the Internet is increasingly close, which leads to the further increase of security risks.
The number of industrial control network security accidents is increasing year by year. In 2010, the Bushehr nuclear power plant in Iran was attacked by the Stuxnet worm [1]. Since then, many pieces of malware targeting the industrial control network have been discovered, such as Night Dragon [2], Flame [3], Duqu/Duqu2.0 [4], Blaster [5], and BlackEnergy [6]. The typical PLC (programmable logic controller) worm Blaster spread through the control system of Siemens SIMATIC S7-1200 without any PCs. PLC Blaster can scan the ICS networks to find new targets and then attack the PLC and complete self-replication in the infected PLC. Some new types of malware can spread not only in PC networks but also in PLCs in the industrial control network. In 2012, Russian security experts discovered the Flame virus spreading widely in the energy industry in the Middle East [7]. In December 2015, Ukraine was attacked by hackers, which led to a large-scale power outage [8]. The malware Industroyer [9], which was found in 2017, is aimed at key ICS and can lead to power outages. In December 2017, due to the zero-day vulnerability of Schneider's Triconex SIS, a power plant in the Middle East was attacked and ultimately had to shut down [10]. In the same year, the ransomware WannaCry spread rapidly across the globe and attacked critical infrastructure [11]. In 2018, a chlorine gas station in Ukraine was attacked by the VPNFilter virus [12]. In 2019, the power grid of Venezuela was attacked, and it led to large-scale power outages across the country [13]. The industrial control network has its own characteristics; for example, industrial control protocols lack built-in security mechanisms. Also, the processing capacity of ICS is weak, and the system update is lagging behind. Based on the above situation, in order to address the security issues faced by the industrial control network, it is necessary to understand the propagation patterns of malware in the industrial control network and propose appropriate containment strategies. Therefore, it is particularly necessary to model and analyze the propagation behavior of malicious software in industrial control networks.
Researchers have proposed some important epidemic models to explore the dynamic behavior of malware propagation. For example, the early studies based on the SIS model [14][15][16][17] and the SIR model [18][19][20][21][22] were focused on ordinary networks. On the basis of these traditional models, researchers have proposed new models to study the propagation of different types of malware. Chen et al. analyzed the propagation behavior of malware in Bluetooth and mobile applications and proposed a malicious software propagation model in mobile networks [23]. Inspired by the SEIR model [24], Xiao et al. introduced a new state (i.e., quarantined state) in the epidemic model, which is a malware propagation model in WiFi environments [25]. Wang et al. proposed a microscopic mathematical model to describe the propagation behavior of malware in a sensor network and designed a LDS (local defense strategy) using mobile "patches" (mobile components that can distribute patches) [26]. In the malware propagation model, if time delay (such as patch release and quarantine) is not considered, the model is an ordinary differential dynamical system, and the above models all belong to this category. If such delay factors are considered, the resulting model is a delay differential dynamic system. Yao et al. considered the delay caused by IDS (intrusion detection systems), analyzed nonlinear phenomena, and proposed a threshold for bifurcation [27]. Ren et al. considered the delay factor on the basis of the SIR model and analyzed the stability conditions of the dynamic system [28]. Subsequently, they proposed an epidemic model with time-varying latency and analyzed the bifurcation phenomenon [29]. On this basis, Wang et al. analyzed and discussed the chaos phenomenon of time-delay models [30]. Feng et al. considered the situation of dual delay and antimalware measures and studied the Hopf bifurcation phenomenon in malware propagation [31]. Wang et al. studied the threshold problem of stability in dynamic systems when the propagation rate varies linearly [32]. Khan et al. investigated a discretized two-dimensional model and determined the results for the existence and uniqueness, and the conditions for local stability with topological classifications, of the equilibrium solutions [33]. Wang et al. investigated the selection mechanism of the minimal wave speed for traveling waves to an epidemic model, and a threshold is defined by the eigenvalue problem of the linearized system [34].
Currently, there is limited research on the spread of malware in the industrial control network. The network of real industrial control systems is relatively complex, and the nonlinear phenomena (such as bifurcation and chaos) in the propagation process of malware also make it difficult to predict its propagation behavior, which can also lead to the failure of containment strategies, and then, it will lead to system instability and hinder the normal operation of industrial production. So we will propose a malware propagation model for the industrial control network. The industrial control network is different from the Internet: industrial control equipment generally does not have powerful processors like computers, and the bandwidth requirements of the industrial control networks are much lower than those of the Internet. At the same time, the quarantine of industrial control equipment also needs to take into account production activities. Therefore, when dealing with infected industrial control equipment, it is difficult to repair them as quickly as computers. So we introduce immune delay and quarantine delay into the model, and it can describe the influence of malware containment strategies on the propagation in the industrial control network more accurately. Currently, some researchers have conducted some research on the problem of dual delay. Zhang et al. proposed the conditions for the asymptotic stability of Hopf bifurcation with dual delay [35]. Fan et al. introduced the stability and bifurcation of a coupled HR model with dual delay [36]. He et al. proposed a neural network model with unidirectional coupling delay and discovered double Hopf bifurcations in this model [37].
Based on the above works, we consider the dual delay in the industrial control network and propose a new malware propagation model; the propagation behavior of malware and the bifurcation phenomena are analyzed under different cases. The innovation of this model lies in the inclusion of two different delays, which makes it more suitable for the actual situation of the industrial control network. This model can provide a security defense strategy against the spread of malware for the industrial control networks without affecting industrial production as much as possible. In addition, in the industrial control networks, our research results demonstrate how to suppress the spread of malware while maintaining the stability of industrial control systems. The organization of the paper is as follows: Section 2 explains how the model is established in the industrial control network, Section 3 analyzes the stability of the equilibrium of the dynamic system, Section 4 presents the experimental results, and Section 5 is a conclusion.

Model Formulation
In actual industrial control networks, the propagation delay of malware objectively exists and can take various forms, for example, the delay caused by malware latency and the delay caused by upgrading and patching the software and hardware of susceptible equipment. During the detection process, the time window mechanism is used for quarantine, and it will cause quarantine delay. Based on these characteristics, we propose a malware propagation model with dual delay. Namely, one delay is caused by upgrading and patching the software and hardware of susceptible equipment, and it is called immune delay. The other delay is caused by using the time window mechanism to quarantine infected equipment, which is referred to as quarantine delay. The time window mechanism can improve the accuracy of detection, so as not to affect the normal production of the factory due to false alarms. That is to say, when abnormal behavior is detected, an alarm will not be triggered immediately. Only when this abnormal behavior reaches a preset threshold will it be considered an intrusion behavior, and an alarm will be issued. The time window mechanism will cause a delay before quarantine, and it will bring complex dynamic changes to the spread of malware. We will use the stability switching principle [38] to study the stability of the dynamic system with dual delay in the next section, and the assumptions for model formulation are listed as follows:
(a) In our model, the industrial control network is assumed to be a homogeneous network
(b) It is assumed that the total number of all equipment remains unchanged, and the number is $N$
(c) The equipment in the industrial control network has functions such as software upgrade and patching, and a time window mechanism is adopted
In our proposed SIDQR dual-delay model, each industrial control equipment may have six states: susceptible ($S$) state, infected ($I$) state, immune delay ($D_1$) state, quarantine delay ($D_2$) state, quarantine ($Q$) state, and recovery ($R$) state. The recovery rate of the susceptible equipment is $\theta_1$, the quarantine rate of the infected equipment is $\theta_2$, the infection rate of the susceptible equipment is $\beta$, and the recovered rate of the quarantined equipment is $c$. When facing new malware, there is a probability $\varphi$ that recovered equipment will return to susceptible equipment. The transition diagram among the different states is shown in Figure 1. In summary, assuming the total number of all equipment is $N$, the differential equation system (1) of the SIDQR model with dual delay can be obtained, where the immune delay is $\tau_1$ and the quarantine delay is $\tau_2$.
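The time window mechanism described above can be sketched as a per-device sliding-window detector that alarms only after a preset number of anomalous observations and reports the resulting delay before quarantine. This is an added example, not code from the paper; the window length, threshold, device names, and event list are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: (timestamp in seconds, device id) for each anomalous
# observation reported by a monitor. Device names are hypothetical.
SAMPLE_EVENTS = [
    (0, "plc-03"), (5, "hmi-02"), (10, "plc-01"), (25, "plc-01"),
    (40, "plc-01"), (50, "plc-03"), (100, "plc-03"), (130, "plc-03"),
    (150, "plc-03"), (200, "hmi-02"),
]


def detect(events, window_s=60.0, threshold=3):
    """Raise one alarm per device once `threshold` anomalies fall inside a
    sliding window of `window_s` seconds (both values are assumptions).

    Returns {device: (alarm_time, delay)}, where delay is the time between
    the oldest anomaly still inside the window and the alarm, i.e. how long
    the device kept running after the triggering burst began.
    """
    recent = defaultdict(deque)      # device -> anomaly timestamps in window
    alarms = {}
    for ts, dev in sorted(events):
        if dev in alarms:            # already handed over to quarantine
            continue
        q = recent[dev]
        q.append(ts)
        while ts - q[0] > window_s:  # expire observations outside the window
            q.popleft()
        if len(q) >= threshold:
            alarms[dev] = (ts, ts - q[0])
    return alarms


def sweep(events, thresholds, window_s=60.0):
    """Trade-off table: rows of (threshold, alarmed devices, worst delay)."""
    rows = []
    for k in thresholds:
        alarms = detect(events, window_s, k)
        worst = max((delay for _, delay in alarms.values()), default=0)
        rows.append((k, sorted(alarms), worst))
    return rows


if __name__ == "__main__":
    for row in sweep(SAMPLE_EVENTS, [1, 2, 3, 4]):
        print(row)
```

With a threshold of 1 the isolated glitches on `hmi-02` would stop a healthy device, while higher thresholds suppress that false alarm at the cost of a longer delay before the infected devices are quarantined.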

Stability of Equilibrium
The stability of the equilibrium of system (1) is studied in this section. We focus on discussing the situation of $\tau_1 > 0$, $\tau_2 > 0$, and we provide an expression for the threshold. For system (1), the following theorem can be obtained.

Theorem 1. System (1) has a unique positive equilibrium point $E$, where $R_0$ is the basic reproduction number, and it means that the basic reproduction number is positive as an initial condition.
Proof. When system (1) is stable, that is, the left side of the differential equation system is equal to zero, and thus, the equilibrium point can be obtained:
Since the total number of all equipment is $N$, the equation with $I^*$ as the root can be obtained as
Obviously, equation (3) has a unique positive real root $I^*$ and a unique positive equilibrium point, and system (1) can be simplified into the following form:

Complexity
The Jacobi matrix of the equilibrium point is
Then, the following equation can be obtained:
where $a_1 = I^*$, $a_2 = S^*$. Due to the existence of two delays in this model, in the process of solving characteristic equations, it is necessary to reduce the order and obtain the algebraic cofactors. The first algebraic cofactor is
the second algebraic cofactor is
and the third algebraic cofactor is
Then, we calculate the three cofactors separately and add them together to obtain the characteristic equation of the system:
where
For system (1), the stability of the equilibrium point needs to be discussed in different cases. The cases $\tau_1 = \tau_2 = \tau$; $\tau_1 = 0$, $\tau_2 > 0$; and $\tau_1 > 0$, $\tau_2 = 0$ are essentially the same as the single delay model discussed in papers [27][28][29][32], and we will not repeat the proof here. Our main analysis here is the stability of the equilibrium in the case of $\tau_1 > 0$, $\tau_2 > 0$. In this case, the stability analysis of the system requires fixing the value range of one delay within the threshold, that is, $\tau_1 > 0$, $\tau_2 < \tau_k$ or $\tau_1 < \tau_k$, $\tau_2 > 0$; at this point, the variable can be considered as one of the delays ($\tau_1$ or $\tau_2$). Let us take the case of $\tau_1 > 0$, $\tau_2 < \tau_k$ as an example to discuss here. The root of the system characteristic equation is $\lambda = i\omega_1$. By substituting it into equation (10) and separating the real and imaginary parts, we can obtain
By combining equations (12) and (13), it can be obtained that
where
Assuming that equation (15) has finite positive roots $\omega_{11}, \omega_{12}, \omega_{13}, \ldots, \omega_{1k}$, using the Routh-Hurwitz criterion, for each value of $k$, the corresponding threshold of delay is
where $k$ and $j$ are both positive real numbers. Let $\tau_1^* = \min\{\tau_{1k}^{0}\}$, $\omega_1^* = \omega_{1k}$, and let the transversality condition hold; the following conclusion can then be obtained based on Rouché's theorem:
(2) When system (1) of the system will undergo a Hopf bifurcation at $\tau_1 = \tau_1^*$, and the system will lose stability.
(3) In equation (16), $k$ and $j$ are both positive real numbers, and the value of $\tau_{1k}$ is also affected by $\tau_2$.

Experiments
In order to demonstrate the impact of dual delay on the propagation of malware, numerical experiments are conducted in this section. The infection rate is assumed to be $\beta = 0.5$, the recovered rate of the susceptible equipment is assumed to be $\theta_1 = 0.01$, the quarantine rate of the infected equipment is assumed to be $\theta_2 = 0.04$, the recovered rate of the quarantined equipment is assumed to be $c = 0.02$, and the probability of the recovered equipment becoming susceptible to infection is $\varphi = 0.05$. At the initial stage, the total number of equipment is 10000, assuming that the number of infected equipment ($I$) is 50 and the other equipment is susceptible ($S$). Due to the existence of a double delay, this section first presents the overall nonlinear phenomenon of the model through the bifurcation diagram.
The dynamic system in this case is equivalent to a single delay situation, where Hopf bifurcation occurs when the delay value exceeds the threshold. That is to say, in this situation, it is necessary to control the quarantine delay in the ICS to ensure that the malware will not get out of control. The quarantine delay needs to be less than the threshold, so that the dynamic system will eventually reach equilibrium after oscillation. Also, the curves of the equipment in different states are shown in Figure 3 ($\tau_1 = 0$, $\tau_2 = 300$) and Figure 4 ($\tau_1 = 0$, $\tau_2 = 550$), which also validate Theorem 5 of the single delay model in paper [27].
4.2. Case 2 with $\tau_2 = 0$.
What needs to be discussed next is the bifurcation phenomenon of the system when $\tau_2 = 0$. As shown in Figure 5, the Hopf bifurcation diagram in this case is different from the ordinary single delay bifurcation. When the value of delay exceeds the threshold, a curve is in a fluctuating state, but it has no effect on the system bifurcation, and the entire dynamic system is still in a bifurcation state. This can indicate that in this dual-delay model, $\tau_1$ has a greater impact on the dynamic system, which means that immune delay will make the nonlinear phenomena of the system more complex. Figures 6 and 7 show the curves of the number of equipment at $\tau_2 = 0$, $\tau_1 = 900$ and $\tau_2 = 0$, $\tau_1 = 1200$, respectively. The propagation process shown in Figures 6 and 7 can verify the results of Figure 5. When $\tau_2 = 0$, that is, the quarantine delay is zero, the dynamic system may be in a bifurcation state. When the immune delay is less than the threshold value ($\tau_1 < 1100$), the system will be stable, and the curves finally reach equilibrium and no longer fluctuate, as shown in Figure 6. In Figure 7, the number of equipment in different states fluctuates continuously over time, indicating that the system cannot be controlled. In this situation, the number of infected equipment and the spread trend of malware become difficult to predict. This will pose a serious threat to the equipment in the ICS.
4.3. Case 3 with $\tau_1 > 0$, $\tau_2 > 0$.
When $\tau_1 > 0$, $\tau_2 > 0$, it can be seen from the two situations mentioned above that immune delay has a significant impact on the stability of the system. Therefore, let us take $\tau_1 > 0$, $\tau_2 < \tau_{2k}$ to further discuss the impact on the system. Figure 8 shows the Hopf bifurcation diagram of the system in this case. It can be seen that when neither delay is zero and the value of $\tau_2$ is fixed, then the system will have multiple bifurcation points. This indicates that the system will experience bifurcation and then return to a stable state, and then, as the value of $\tau_1$ increases, the system will experience bifurcation again, which is consistent with the content of Theorem 2 in Section 3. To verify the result, the value of $\tau_1$ will be taken within the red circle range in Figure 8, and the curves of different state equipment are also shown in Figures 9-11.
In Figures 9-11, the quarantine delay of the system is fixed at $\tau_2 = 500$, and the value of $\tau_1$ is 255, 300, and 400, respectively. It can be seen that as the value of $\tau_1$ increases, the system undergoes a process of stability, bifurcation, and then stability. This is completely consistent with the results in the red circle in Figure 8. It indicates that in a dual-delay system, it is necessary to clarify the impact of different delays on system stability. For example, in Case 3, we cannot simply demand that the immune delay be as small as possible, because it may also lead to the bifurcation. It requires us to specifically analyze the impact of immune delay on the dynamic system, accurately control it to ensure system stability, and suppress the spread of malware.
The experiments above demonstrate how to maintain the stability of the dynamic system by controlling the value of immune delay and quarantine delay. In addition, from equation (16), it can be seen that the stability of the dynamic system can also be maintained by adjusting the immune rate $\theta_1$ and quarantine rate $\theta_2$, that is, by changing the parameters so that the delay is less than the threshold. Figure 12 shows the curve of infected equipment under different immune rates with $\tau_1 = 300$, $\tau_2 = 500$. It can be seen that as the immune rate $\theta_1$ increases, the system changes from a bifurcation state to a stable state, and the number and peak value of infected equipment also decrease. It indicates that increasing the immune rate can maintain system stability and control the spread of malware.
Figure 13 shows the curve of infected equipment under different quarantine rates with $\tau_1 = 300$, $\tau_2 = 500$. From Figure 13, it can be observed that when the quarantine rate $\theta_2 = 0.04$, the curve of infected equipment continues to fluctuate, and the system is in a bifurcation state. As the value of the quarantine rate $\theta_2$ decreases, the number of infected equipment will gradually reach a stable state.
From the results, it can be seen that the spread of malware cannot be controlled solely through a large number of quarantine equipment, which may lead to instability and also have a significant impact on industrial production. In summary, in the protection of the ICS, the value of the immune rate can be appropriately increased and the value of the isolation rate can be appropriately reduced, which can ensure the stability of the system and suppress the spread of malware.

Conclusion
We fully consider the characteristics of the ICS and equipment in the industrial control network and propose a malware propagation model with dual delay. On this basis, we study the propagation of malware in the industrial control network and the stability and Hopf bifurcation of the dynamic system. Moreover, the containment strategy for malware in the industrial control network is proposed. In particular, the following conclusions can be obtained:
(1) In the industrial control network, the characteristics of immunity and quarantine in actual industrial production are considered, and the SIDQR model with dual delay is established. The model includes six states of industrial equipment: susceptible ($S$) state, infected ($I$) state, immune delay ($D_1$) state, quarantine delay ($D_2$) state, quarantine ($Q$) state, and recovery ($R$) state.
(2) The positive equilibrium point of the system is proven with Jacobian matrix and reduced order, the stability of the dynamic system at $\tau_1 > 0$, $\tau_2 > 0$ is discussed in detail, and an expression for the threshold is provided. When the delay exceeds the threshold, the system becomes unstable and Hopf bifurcation occurs. Also, the system may have multiple bifurcation points at $\tau_1 > 0$, $\tau_2 > 0$.
(3) Under different cases, the experiments demonstrate the propagation of malware in the industrial control networks, and the possible bifurcation points of the system in different cases are shown. In addition, after comparing different immune and quarantine rates, the experimental results show that the immune rate can be appropriately increased and the quarantine rate can be appropriately reduced, which can ensure the stability of the ICS and suppress the spread of malware.
However, when the industrial control network encounters cross-network attacks, the model is not applicable. In addition, the importance of different equipment in the industrial control system also varies, and the key equipment such as SCADA servers is likely to play the role of key nodes. If malware prioritizes attacking these critical nodes, the propagation trend will undergo significant changes. How will the effectiveness of the containment strategy change when prioritizing the control of these key nodes during the defense process? These works need to be improved in subsequent research.

Figure 1: The transition diagram among different states in the industrial control network.