Modeling and Analyzing the Spread of Flash Disk Worms via Multiple Subnets

The Flash Disk worms, spreading via both Web-based scanning and removable devices between multiple subnets, have become a serious threat to the Internet, especially to physically isolated subnets. In this paper, we present a model which incorporates specific features of these worms. Then, we analyze the dynamic behaviors of the model when one subnet is considered. The analytical result shows that the Flash Disk worm can self-perpetuate when $R_{0i} > 1$ and will die out otherwise. When multiple subnets are considered, we find that once a computer is infected by the Flash Disk worms, other computers in that subnet will be infected in a short time. Thus, for any subnet, the most effective way to contain the Flash Disk worms is to prevent the first infection by improving the users’ security awareness of using removable devices. Our results are illustrated by numerical simulation.


Introduction
The Flash Disk worms, which spread via both Web-based scanning on the Internet and removable devices, mainly attack SIMATIC and WinCC software. Those worms appear to be aimed directly at controlling physical machinery and attempt to take control of critical physical infrastructure. Stuxnet, which is a kind of Flash Disk worm, has infected about 500,000-1000,000 computers, mainly in Iran, India, Indonesia, and Pakistan [1]. Research on the Flash Disk worms has therefore become a major question.
Because of the many similarities between computer worms and biological viruses [2], some biological epidemic models have been modified to describe the spreading of Internet worms. For example, the susceptible-infected-susceptible (SIS) model was modified to include a reintroduction parameter by Wierman and Marchette [3]. In [4], the susceptible-infected-recovered (SIR) model and a discrete Markov model were presented to capture the short term and long term dynamics of viral propagation. The susceptible-antidotal-infected-contaminated (SAIC) model, which introduced two new compartments, was proposed in [5]. Besides, the susceptible-infected-recovered-susceptible (SIRS), the susceptible-infected-detected-recovered (SIDR), and the susceptible-asymptomatic-symptomatic-recovered (SAIR) models were adopted [6][7][8][9]. However, these models cannot be applied to worms which spread via both Web-based scanning on the Internet and removable devices.
Jin and Wang describe the FD-SEIR model to analyze and control the Flash Disk worms [10]. Besides, Song et al. present a worm model about the cross infection of computers and removable devices [11]. However, the two models were analyzed under the condition that computers and removable devices are mixed evenly. This is not suitable for the spread of Stuxnet because Stuxnet spreads at different speeds in different subnets. Inspired by these models, we will build a model focusing on Stuxnet, which spreads via Web-based scanning on the Internet and removable devices in multiple subnets.
The organization of this paper is as follows. In Section 2, we present a model in multiple subnets. In Section 3, we analyze its dynamical behavior in one and more subnets and give some results by numerical simulation in multiple subnets. The paper concludes with a brief discussion in Section 4.

The Model Formulation in Multiple Subnets
The Flash Disk worms spread by Web-based scanning on the Internet and by using removable devices between subnets. In different subnets, the Flash Disk worms may have different spreading speeds. Thus, the propagation of worms can be considered to be a fast system. If they spread slowly, these subnets will be seen as a slow system. For simplicity, we suppose that the removable devices represent all mobile devices related to computers, including flash disks, mobile hard disks, and memory cards. Assume that computer hosts are classified in three compartments: susceptible (   ), infected (   ), and recovered (   ) and the removable devices in two compartments: susceptible    and infected    . To consider the spread relationship between computers and removable devices, the model is as follows: where    +    +    =   ,    +    =   , and the meaning of the parameters and state variables is shown in the Notations and Definitions section.

Model Analysis
In this section, two parts will be analyzed. In the first part, we will not consider the worms spreading among different subnets. In the second part, we will consider worms spreading among different subnets.

Model Analysis in the 𝑖th
Then we will consider the existence and stability of equilibria for system (2). It is obvious that there is a disease-free equilibrium  0  = (  , 0, 0,   , 0) in system (2). To analyze the existence of the positive equilibria, we first give the basic reproduction number: Here  0  is the number of newly infected individuals at the disease-free equilibrium in the th subnet during the infectious period.
By calculating, we obtain that    satisfies the following equation: According to Descartes sign rule, if  0  > 1, there exists a unique positive equilibrium Furthermore, we consider the stability of equilibria. We have the following theorems. 2) is locally asymptotically stable.
Proof. The Jacobian matrix of (2) at  0  is Then the characteristic equation is It is easily seen that all eigenvalues of  have negative real parts if  0  < 1. Thus, the theorem is proven by the Routh-Hurwitz criterion.
Theorem 2. When  0  < 1, the disease-free equilibrium  0  of system (2) is globally asymptotically stable.
Proof. Take Lyapunov function, which is always positive in  2 + where Then, Then, when  0  < 1, the disease-free equilibrium  0  of system (2) is globally asymptotically stable. The theorem is proven. 2) is locally asymptotically stable.
Proof. The matrix of the linearization of system (2) at the unique positive equilibrium  *  is Then the characteristic equation is where Then, The positive equilibrium is The positive equilibrium  *  of system (14), as well as the positive equilibrium  *  of system (2), is globally asymptotically stable when  0  > 1. The theorem is proven.

Model Analysis between Subnets.
In this subsection, we will analyze the existence of positive equilibrium for system (1). For convenience, assume that the fast system is stable in one subnet. Then the slow system is where    +    =   and    +    =   . From system (20), we can obtain    () and    (). If  → 0, where From (21), we know that one can prevent the worm spreading by controlling parameters. If infected computers and removable devices by the worms is less than one, that is,    () < 1 and    () < 1, the worms will die out. Otherwise, they will be epidemic. We should improve the security awareness of using removable devices. For model (20), it is difficult to analyze the dynamic behaviors. In the following part, we will simulate the dynamic behaviors of system (1). Take the determined parameters and the average value of about 100 experimental results. Firstly, let  = 1000,  = 500,  in = 0.5,  out = 0.8,  = 0.006,  = 0.75,  1 = 0.0059,  2 = 0.002,  1 = 0.00057,  2 = 0.00057, and time step Δ = 1. Then we plot figures of dynamical behaviors for different initial values. (i)   0 = 100 if  0  < 1 and   0 = 1 if  0  > 1 when  = 0.
From Figure 1, we can see that if  0  < 1, the number of infected computers will gradually reduce and finally disappear. On the contrary, if  0  > 1, the number of infected computers will increase and then tend to a stable status. (ii) Let the initial value   0 = 0 when  = 0 and the other values do not change. We draw change figures for the proportion of infected computers    () with time  in the th subnet (see Figure 2) and multiple subnets (see Figure 3). From Figure 2, we can obtain that if a computer is infected by Stuxnet, other computers will be infected in a short time. From Figure 3, it is found that once a computer is infected by the Flash Disk worms, other computers will be infected among the different subnets after a longer time. Furthermore, comparing Figure 2 with Figure 3, we can find that if a computer is infected by the Flash Disk worms, other computers will be infected in a short time in one subnet. To prevent computers from being infected by the worms, we should take some effective measures. We can improve the safety awareness of using removable devices to prevent the first computer from being infected by the worms.
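The threshold behaviour described for one subnet can be reproduced with a small simulation. This is an added example, not the paper's system (2): it is a constructed model with SIR computers and susceptible/infected removable devices, and every parameter name and value in it (`beta`, `alpha`, `sigma`, `delta`, `gamma`, `mu`) is an assumption chosen for illustration.

```python
import math

# Constructed single-subnet model (assumed, not the paper's system (2)):
# computers S, I, R (total N); removable devices with D infected (total M).
# beta: scanning rate, alpha: device->computer, sigma: computer->device,
# delta: device cleaning, gamma: computer recovery, mu: computer turnover.
BASE = dict(N=1000, M=500, mu=0.01, gamma=0.05, beta=0.03, delta=0.1)
CARELESS = dict(BASE, alpha=0.06, sigma=0.08)  # devices plugged in freely
AWARE = dict(BASE, alpha=0.01, sigma=0.02)     # same network, cautious device use

def r0(p):
    """Spectral radius of the next-generation matrix at the disease-free state."""
    a = p["beta"] / (p["gamma"] + p["mu"])  # computer -> computer by scanning
    bc = p["alpha"] * p["sigma"] / (p["delta"] * (p["gamma"] + p["mu"]))  # via a device
    return (a + math.sqrt(a * a + 4 * bc)) / 2

def simulate(p, i0, days=3000, dt=0.05):
    """Forward-Euler integration; returns final infected fractions
    (computers, devices)."""
    n, m = p["N"], p["M"]
    s, i, r, d = n - i0, float(i0), 0.0, 0.0
    for _ in range(int(days / dt)):
        force = p["beta"] * i / n + p["alpha"] * d / m  # per-susceptible rate
        ds = p["mu"] * (n - s) - force * s
        di = force * s - (p["gamma"] + p["mu"]) * i
        dr = p["gamma"] * i - p["mu"] * r
        dd = p["sigma"] * (m - d) * i / n - p["delta"] * d
        s, i, r, d = s + dt * ds, i + dt * di, r + dt * dr, d + dt * dd
    return i / n, d / m

if __name__ == "__main__":
    # Initial infected counts follow the text: 1 above threshold, 100 below.
    for name, p, i0 in (("careless", CARELESS, 1), ("aware", AWARE, 100)):
        frac_i, frac_d = simulate(p, i0)
        print(f"{name}: R0={r0(p):.3f} infected computers={frac_i:.4f} "
              f"infected devices={frac_d:.4f}")
```

In both parameter sets scanning alone is subcritical (`beta / (gamma + mu)` is 0.5); only the removable-device path lifts the reproduction number above 1, which is why reducing careless device use is enough to make the infection die out.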

Conclusion
In this paper, we proposed a new model focusing on the Flash Disk worms spreading via both Web-based scanning and removable devices in multiple subnets. In the th subnet, we deduced the basic reproduction number  0  , a disease-free equilibrium, and a unique equilibrium. If  0  < 1, the disease-free equilibrium is globally asymptotically stable; otherwise the Flash Disk worms can self-perpetuate. In the different subnets, we analyzed controlling the number of infected computers by the determined simulation and stochastic simulation. If a computer is infected by the Flash Disk worms, other computers will be infected in a short time in one subnet. We should improve the safety awareness of using removable devices to prevent the first computer from being infected by the worms. The future work will focus on using real trace data to test the model and these strategies.
We will also study some countermeasures against the Flash Disk worms.

Figure 1: The change figure of proportion of infected computers with time  when  0  < 1 and  0  > 1, respectively.