Adaptive Human Behavior in a Two-Worm Interaction Model

The complex interactions among internet worms have great impact on the dynamics of worms. To contain the propagation of worms, it is necessary to characterize these interactions. Therefore, a two-worm interaction model is presented in this paper. Different from previous researches, we have considered the influence of adaptive human reaction stirred by one cooperative worm on the other worm in the model. The model’s equilibria and their stability conditions are obtained mathematically and verified by simulations. Results indicate that considering adaptive human behavior significantly changes the prospective propagation course of worms and that this consideration has implications for designing counterworm methods.


Introduction
Nowadays, malware including worms, viruses, botnets et al. is prevalent on the internet, which has led to serious problems to the security of internet.For example, more than one hundred million web-based infections are detected by Kaspersky Lab in February 2012 1 .According to Crandall et al. 2 , the fight against malware, which is often viewed as an "arms race," is quickly becoming unsustainable as so many malware samples are collected each day.However, malware has also created a complex environment for itself.Understanding the effects of interactions of malware with other malware and with its environment may suggest new defense methods that give fundamental advantages to the defender.
Mathematical models have been proposed to characterize the spreading of malware.Han and Tan 3 analyzed the influence of time delay on computer virus by using a susceptible-infected-recovered-susceptible model.They obtained the critical value of time delay which determined whether the model had periodic solution or not.Song et al. 4 presented a model focusing on the worms spreading via both Web-based scanning and removable devices.They found that the existence of infected removable devices was in favor of the outbreak of worms, and limiting the number of removable devices would prevent the worms' outbreak.In 5 , Mishra and Pandey focused on the vertical transmission of worms in computer network.Ren et al. 6 presented a novel model and analyzed the effect of antivirus ability.Different from other models, the ability of anti-virus software in their model was dependent on the number of infected computers.Some other models 7-10 have also been given in recent year.However, all of these studies have focused on one type of malware.
Tanachaiwiwat and Helmy 11 proposed the first model focusing on the interactions between two types of competitive worms, to our knowledge.In 12 , Song et al. presented an interaction model between two different types of botnets and analyzed the influences of the strategies selected by interacting botnet owners on the propagation of both botnets.
In this paper, we present a two-worm model to analyze the influence of one cooperative worm on the other worm.Different from previous models 11, 12 , the influence of adaptive human behavior stirred by the cooperative worm has been included in the model.Our work is motivated by the phenomenon that many worms cooperative worms, e.g., Email-Worm.Win32.Bagle.p,Email-Worm.Win32.Roron.12,and so on can block the antivirus software and the firewall, which will be beneficial to the spreading of other worms 13 but may lead to people's reaction to the infection state.
The remainder of this paper is organized as follows.In Section 2, we present the model and interpret the actual meanings of the model's parameters.Then, we give the analytical results in Section 3 and validate the analytical results using various simulations in Section 4. After that, we summarize our results in Section 5.

Model Description
The basic model used in this paper is the susceptible-infected-susceptible SIS model 14 .
To depict the interactions between one cooperative worm and the other worm, here named as noncooperative worm, we enhance the model by dividing the infected compartment into three parts.
Thus, the model, presented here, includes four compartments: susceptible computers S , computers infected by worm1 cooperative worm I 1 -computers that are currently infected by the cooperative worm and are susceptible to the noncooperative worm; computers infected by worm2 noncooperative worm I 2 -computers that are currently infected by some noncooperative worm and are susceptible to the cooperative worm, and computers infected by both worms I 12 .
Here, we assume that the anti-virus software and the firewall will be blocked whenever computers are infected with the cooperative worm.We also assume that a computer's anti-virus software and firewall are always open unless stopped by the cooperative worm.
Let β 1 and β 2 denote the susceptible computer's infection rates due to the successful scanning of a computer infected with the cooperative worm and the successful scanning of a computer infected with the noncooperative worm, respectively.To model the influence of anti-virus software and firewall, an increasing factor in infection rate is given by μ μ > 1 while trying to infect a computer with its anti-virus software and firewall closed.
As in 12, 15 , when the operating system was reinstalled, infected computers would return to the susceptible state.Here, we denote the random reinstallation rate as δ.We also assume an increasing in the reinstallation rate whenever a computer is infected with the cooperative worm.It is reasonable since the cooperative worm will block the anti-virus software and firewall, and this may stimulate user's reaction to the invasion of malware.For simplicity, let δ 1 δ 1 > δ be the rate which combines the random reinstallation rate and the reinstallation rate caused by user's adaptive behavior.
The probability of successfully finding a susceptible computer in one scan is S/N, where N is the total number of computers considered.Then, β 1 S/N and β 2 S/N are the susceptible computer's infection numbers per time step caused by a computer infected with the cooperative worm and the noncooperative worm, respectively.
Thus, the model is given below:

2.1
where Note that the model is conservative for total computers N since we do not include both new computers and obsolete computers in 2.1 .Then, the model can be rewritten as

2.2
The initial state of the system 2.2 is set to I 1 0 I 0 1 , I 2 0 I 0 2 , and I 12 0 The values of S 0 , I 0 1 , I 0 2 , and I 0 12 are given in the simulation section.

Equilibria
The equilibria of system 2.2 are given by

3.1c
Let R 1 0 be the basic reproduction number, the number of secondary infections deriving from a single primary infection, of the cooperative worm, and R 2 0 , R 12 0 be the basic reproduction numbers of the noncooperative worm when the cooperative worm dies out or exists, respectively.Then, we have where As the derivations of R 1 0 and R 2 0 are very simple, we only give the derivation of R 12 0 here.Adding 3.1a to 3.1c leads to or R 12 0 means that the cooperative worm exists.Thus, we only consider the condition when I 1 I 12 N − δ 1 /β 1 .Using this condition in 3.1b and 3.1c , we get

3.7
This yields According to the right hand side of 3.8 , we can get the term of R 12 0 .Furthermore, 3.4 can be obtained by substituting I 2 in 3.8 into 3.1a .For the simplified system 2.2 , there always exists a disease-free equilibrium 0, 0, 0 for I 1 , I 2 , I 12 .If R 1 0 > 1 and R 12 0 < 1, there exists an equilibrium N − δ 1 /β 1 N, 0, 0 , corresponding to the cooperative worm endemic equilibrium.If R 1 0 < 1 and R 2 0 > 1, the noncooperative worm endemic equilibrium 0, N − δ/β 2 N, 0 will exist.The coexistence endemic equilibrium I * 1 , I * 2 , I * 12 occurs if R 1 0 > 1 and R 12 0 > 1, where I * 1 is the same as in 3.4 , 3.9 Thus, 3.3a and 3.3b give the noncooperative worm's existence thresholds when the cooperative worm dies out or exists, respectively, that is, to ensure the existence of noncooperative worm, β 2 must be greater than the threshold value δ predicted by R 2 0 1 cooperative worm dies out or the threshold value 1 cooperative worm exists .

3.11
By means of similarity transformation upon the matrix 3.11 , we have

3.12
The characteristic equation of 3.12 is given by

3.15
Thus, H 1 > 0 and H 2 > 0 provided that a 22 < 0. Consider According to the root extracting formula, the equation, 0 > 1 and β 1 > β st 1 can guarantee a 22 < 0, according to the text mentioned above, a 22 < 0 can guarantee that both H 1 and H 2 are greater than zero, which means that both eigenvalues in the square brackets of 3.13 have negative real parts.Thus, if R 1 0 > 1, R 12 0 > 1 and β 1 > β st 1 , there exists a coexistence endemic equilibrium, and it is asymptotically stable.The proof is completed.

Simulation
In this paper, we use the improved Euler method to simulate the system 2.2 .In the simulation, the total number of computers N is set to 1000000.The initially infected computers with cooperative worm I 0 1 , the initially infected computers with noncooperative worm I 0 2 , and the initially infected computers with both worms I 0 12 are set to 100, 100, and 0, respectively, for all simulations.Thus, the initially susceptible computers S 0 are 999800.
Here, we first give the convergence proof of the numerical method used in the simulation.Let I I 1 , I 2 , I 12 , a three-dimensional vector.Then, the system 2.2 can be rewritten as , where f is a three-dimensional vector function in R 4 .It is obvious that f is a continuous and differential function in R 4 .Thus, f satisfies the Lipschitz condition, and we have f t, The Euler iteration equation is where k 0, 1, 2, . .., I 0 n 1 I n hf t n , I n , and n 0, 1, 2, . ... h t n 1 − t n , representing the step value in the Euler iteration algorithm.Then, Thus, the Euler iteration algorithm used in this paper is convergent as we can ensure that hL/2 < 1 by selecting the step value h .
Note that in i β 2 0.0264 is less than the existence threshold 0.0285 predicted by 3.3b .Thus, the noncooperative worm will die out although β 2 is greater than the existence threshold 0.025 predicted by 3.3a .Similar results can also be reached with the other three sets of variables.
Figure 1 shows the simulation results of the noncooperative worm using the first two sets of variables.Figure 2 shows the simulation results using another two sets of variables.
As shown in Figure 1, when the cooperative worm exists and R 12 0 < 1, the noncooperative worm dies out; when the cooperative worm terminates and R 2 0 > 1, the noncooperative worm survives.In Figure 2, when the cooperative worm exists and R 12 0 > 1, the noncooperative worm survives; when the cooperative worm terminates and R 2 0 < 1, the noncooperative worm dies out.Thus, both Figures 1 and 2 demonstrate that the simulation results are consistent with the theoretical prediction.
Figures 1 and 2 also show that the cooperative worm has dual influences on the noncooperative worm, which is different from our intuition.In Figure 1, the existence of cooperative worm i contains the propagation of noncooperative worm.However, the existence of cooperative worm iii favors the propagation of noncooperative worm in Figure 2.
To get the effective noncooperative worm containment strategy, we further explore the influence of adaptive human behavior δ 1 on the noncooperative worm.We simulated with various δ 1 and calculated the thresholds of β 2 predicted by R 2 0 1 and R 12 0 1.Figures 3 a ,  3 b , and 3 c plot the results with μ 1.2, 1.5 and 2, respectively.
According to Figures 3 a , 3 b , and 3 c , adaptive human behavior reflected by δ 1 has great influence on the propagation of noncooperative worm.The threshold dash line increases rapidly with the increase of δ 1 no matter what value μ is.Moreover, when δ 1 ≥ 0.014, the thresholds dash line in all figures are much higher than the corresponding values solid line when no human behavior is considered the cooperative worm dies out , which also means a promising worm-counter-worm method.
We also verified the accuracy of coexistence endemic equilibrium's stability thresholds given by Theorem 3.4 .Here, the simulation parameters are set to i β 1 0.  Note that the cooperative worm I 1 I 12 N − δ 1 /β 1 N is a constant with any given β 1 and δ 1 .Thus, we only plot the noncooperative worm's propagation process in Figures 4 a and

Conclusion
Recently, the researches concerning network security and malware have focused on the fight between antimalware system and malware 3-10 .In this paper, we have explored the interactions between one cooperative worm and the other noncooperative worm; especially we focus on the influence of adaptive human behavior, to find an inherent advantage in the fight against attackers.Different from our intuition, the results presented in this paper have shown that the cooperative worm has dual effects on the propagation of the noncooperative worm due to the existence of adaptive human behavior, which is a valuable information for defenders in designing counter-worm methods 17, 18 .In the future, we plan to use real trace data to test our model and get the most effective policy to motivate people.

Figure 1 :Figure 2 :Figure 3 :
Figure 1: Fraction of computers infected with noncooperative worm: i green: the cooperative worm exists and R 12 0 < 1 and ii blue: the cooperative worm dies out and R 2 0 > 1.
4 b .As shown in Figure 4 a , when β 1 > β st1 , the noncooperative worm approaches a stable state.However, in Figure4b , when β 1 < β st 1 , we can see a clearly oscillatory epidemic phenomenon, which validates the conclusion of Theorem 3.4 .
a 22 a 33 λ a 22 a 33 − a 23 a