Analysis of a Delayed Internet Worm Propagation Model with Impulsive Quarantine Strategy

Internet worms exploiting zero-day vulnerabilities have drawn significant attention owing to their enormous threats to the Internet in the real world. To begin with, a worm propagation model with time delay in vaccination is formulated. Through theoretical analysis, it is proved that the worm propagation system is stable when the time delay is less than the threshold τ₀ and Hopf bifurcation appears when time delay is equal to or greater than τ₀. Then, a worm propagation model with constant quarantine strategy is proposed. Through quantitative analysis, it is found that constant quarantine strategy has some inhibition effect but does not eliminate bifurcation. Considering all the above, we put forward impulsive quarantine strategy to eliminate worms. Theoretical results imply that the novel proposed strategy can eliminate bifurcation and control the stability of worm propagation. Finally, simulation results match numerical experiments well, which fully supports our analysis.


Introduction
With the rapid growth of information technologies and network applications, severe challenges, in the form of a requirement for a suitable defense system, have been posed to ensure the safety of the valuable information stored on systems and in transit. For example, worms that exploit zero-day vulnerabilities have brought severe threats to Internet security in the real world. To date, none of the patches could effectively and reliably immunize the hosts thoroughly against being attacked by those worms. It may take a period of time for users to immunize their computers if they are in infected state. In addition, the failure of some vaccination measures or worm-variants may also lead to high risks that the hosts being immunized would be infected again. On the other hand, the propagation of worms in a system of interacting computers could be compared to contagious diseases in human population. In the computer science field, computers are like individuals in an ecological system and thus the same mechanism of birth and death should be considered. Being infected by network worms or quarantined by IDS (intrusion detection systems), hosts will become dangerous and their owners will have to reinstall the system. Another factor to consider is that when new computers are brought, most of them have preinstalled operating systems but without newest safety patches while old computers are discarded and recycled. Consequently, in order to imitate the real world, birth and death rates should be introduced to the worm propagation model. Considering all the above, we firstly construct a worm propagation model with time delay in vaccination based on the classical epidemic Kermack-Mckendrick model [1] to describe the current situation. Through theoretical analysis, it is proved that Hopf bifurcation appears when time delay is equal to or greater than the threshold τ₀, which leads the number of infected hosts to be unpredictable and the propagation of worms to be out of control. In order to make up the deficiency of vaccination strategy and eliminate the negative impact of time delay, quarantine strategies are proposed to improve vaccination effect and eliminate bifurcation. The current quarantine strategy generally depends on the intrusion detection system, which can be classified into two categories: misuse and anomaly intrusion detection. Misuse intrusion detection system can accurately detect known worms. Based on misuse intrusion detection system, we propose constant quarantine strategy. Although it does improve vaccination effect, the system is still out of control and Hopf bifurcation is not eliminated either. Furthermore, the system fails to detect unknown worms and worm-variants. Anomaly intrusion detection system is of help in detecting these kinds of worm. However, it is always accompanied by high false-positive rate. Consequently, this paper proposes a worm propagation model with impulsive quarantine strategy based on a hybrid intrusion detection system that combines both misuse and anomaly intrusion detection to make up for the gaps existing in the two systems. After adopting impulsive quarantine strategy, it is clearly proved that Hopf bifurcation is eliminated thoroughly so that the system is stable.
The rest of the paper is organized as follows. In the next section, related work on time delay and quarantine strategy is introduced. Section 3 provides a worm propagation model with time delay in vaccination. In Section 4, we construct a delayed worm propagation model with constant quarantine and analyze it in detail. Then, in Section 5, a delayed worm propagation model using impulsive quarantine strategy is proposed, and its analysis is performed. Section 6 presents numerical analyses and simulation experiments based on Slammer worm. Simulation results match well with numerical ones. Finally, Section 7 gives the conclusions.

Related Work
With the similarity between Internet worms and biological diseases, epidemiological models have been widely used in modeling the propagation of worms [2][3][4][5][6]. To make the worm transmission in computer network work as in the real world, research within the data-driven framework has been done [7][8][9]. Although some human factors are included, these models cannot restrain worms effectively. Thus, a variety of containment strategies have been applied to worm propagation models. As far as we know, the use of quarantine strategies has produced a great effect on controlling disease. Enlightened by this, people use quarantine strategies widely in worm containment [10][11][12][13][14][15][16]. In addition, some scholars have done research on time delay [17][18][19].
However, previous studies have failed to consider the appropriate quarantine strategy to eliminate the negative effect of time delay. For instance, the pulse quarantine strategy that Yao has proposed [12] does lead to worm elimination with a relatively low value, but time delay is not considered, which leads to Hopf bifurcation so that the worm propagation system will be unstable and out of control. In this paper, constant quarantine and impulsive quarantine strategies are proposed to constrain the worms spreading and even eliminate Hopf bifurcation.

Worm Propagation Model with Time Delay in Vaccination
With regard to worms exploiting zero-day vulnerabilities, none of the patches could effectively and reliably immunize the hosts. After the hosts are infected, some measures, such as cutting off the network connection, running manual antivirus, or setting firewall, are taken to remove the worms. With these measures being carried out, the hosts cannot further infect other susceptible hosts, but they are in fact not vaccinated completely. Namely, detecting and cleaning worms take a period of time. Therefore, time delay should be considered in actual conditions. Since time delay exists, infected hosts go through a temporary state (delayed) after vaccination. Consequently, on the basis of KM model, we give a worm propagation model with time delay in vaccination.
We assume all hosts are in one of four states: susceptible state (S), infected state (I), delayed state (D), and vaccinated state (V). The state transition diagram of the delayed model is given in Figure 1.
Let () denote the number of susceptible hosts at time , () denote the number of infected hosts at time , () denote the number of delayed hosts at time , and () denote the number of vaccinated hosts at time . is the infection rate at which susceptible hosts are infected by infected hosts and  is the rate of removal of infected from circulation.As worms and worm-variants exist,  is the rate that vaccinated hosts back to susceptible hosts.The newborn hosts enter the system with the same rate ], of which a portion 1 −  is recovered by installing patches at birth.Time delay is denoted by .
In order to show it clearly, we list in Notations section some frequently used notations in this paper.( Mathematical Problems in Engineering 3 As mentioned above, the population size is set , which is set to unity:  () +  () +  () +  () = . (2)

Stability of the Positive Equilibrium and Bifurcation Analysis
Theorem 1.The system has a unique positive equilibrium  * ( * ,  * ,  * ,  * ) when it satisfies the following condition: Proof.For system (1), if all the derivatives on the left of equal sign of the system are set to 0, which implies that the system becomes stable, we can derive Substituting the value of each variable in (3) for each of (2), then we can derive Obviously, if ( 1 ) is satisfied, (4) has one unique positive root  * and there is one unique positive equilibrium  * ( * ,  * ,  * ,  * ) of system (1).The proof is completed.
Theorem 2. The positive equilibrium  * is locally asymptotically stable without time delay, if the following holds: Proof.If  = 0, (7) reduces to According to Routh-Hurwitz criterion, all the roots of (9) have negative real parts.Therefore, it can be deduced that the positive equilibrium  * is locally asymptotically stable without time delay.The proof is completed.
(2) If the conditions (a) and (b) are not satisfied, then all roots of (7) have negative real parts for all  ≥ 0.
According to lemma, it is proved that (14) has at least a positive root  0 , namely, the characteristic equation (7) has a pair of purely imaginary roots ± 0 .
Lemma 5. Suppose ℎ  ( 0 ) ̸ = 0.If  =  0 , then ± 0 is a pair of purely imaginary roots of (7).In addition, if the conditions in Lemma 3 are satisfied, then This signifies that there exists at least one eigenvalue with positive real part for  >   .Differentiating both sides of (7) with respect to , it can be written as Therefore, where Λ =  0  2 0 ; then it follows the hypothesis The root of characteristic equation (7) crosses from left to right on the imaginary axis as  continuously varies from a value less than   to one greater than   according to Routh's theorem.Therefore, according to the Hopf bifurcation theorem [20] for functional differential equations, the transverse condition holds and the conditions for Hopf bifurcation are satisfied at  =   .Then the following result can be obtained.Theorem 6. Suppose that the conditions ( 1 ) and ( 2 ) are satisfied.
This implies that when time delay τ < τ₀, the system will stabilize at its infection equilibrium point, which is beneficial to implement a containment strategy; when τ ≥ τ₀, the system will be unstable and worms cannot be effectively controlled.

A Delayed Worm Propagation Model with Constant Quarantine
Enlightened by the methods in disease control, quarantine is selected as an effective way to diminish the speed of worm propagation. The current quarantine strategy generally depends on the intrusion detection system, which can be classified into two categories: misuse and anomaly intrusion detection [12]. As the delayed model cannot ensure that the system is stable and controlled, quarantine strategies should be taken into consideration to further control the worm propagation.

Using Constant Quarantine Strategy to Model a Delayed Worm Propagation

Misuse intrusion detection system builds a database with the feature of known attack behaviors. The system can recognize the invaders once their behaviors agree with one of the databases and accurately detect known worms [12]. By applying misuse intrusion detection system for its relatively high accuracy, we add a new state called quarantine state () [9], but only infected hosts will be quarantined. () denote the number of quarantined hosts at time . Unlike the quarantine strategy against epidemics, the implementation of constant quarantine strategy depends on the misuse intrusion detection system. Infected hosts will be quarantined at rate  which depends on the performance of intrusion detection system and network devices. When infected hosts are quarantined, they will get rid of worms and get patched at rate . The state transition diagram of constant quarantine model is given in Figure 2.

Description of Constant Quarantine Model.
According to the definitions above in the paper, the differential equations of constant quarantine model are given as follows: Similarly,

Stability of the Positive Equilibrium and Bifurcation Analysis
Theorem 7. The system has a unique positive equilibrium  * ( * ,  * ,  * ,  * ,  * ) when it satisfies the following condition: Proof.For system (22), if all the derivatives on the left of equal sign of the system are set to 0, which implies that the system becomes stable, we can get Substituting the value of each variable in (24) for each of ( 23), then we can get Obviously, if ( 1 ) is satisfied, (25) has one unique positive root  * , and there is one unique positive equilibrium  * ( * ,  * ,  * ,  * ,  * ) of system (22).The proof is completed.
According to (23) The Jacobi matrix of (26) about  * ( * ,  * ,  * ,  * ) is given by The characteristic equation of that matrix can be obtained by Let where then Theorem 8.The positive equilibrium  * is locally asymptotically stable without time delay, if the following holds: where Proof.If  = 0, (28) reduces to According to Routh-Hurwitz criterion, all the roots of (33) have negative real parts.Therefore, it can be deduced that the positive equilibrium  * is locally asymptotically stable without time delay.The proof is completed.
Assume that the coefficients in ℎ() satisfy the condition as follows: According to lemma, it is proved that (37) has at least a positive root  0 , namely, the characteristic equation (28) has a pair of purely imaginary roots ± 0 .
In view of the fact that (28) has a pair of purely imaginary roots ± 0 , the corresponding   > 0 is given by eliminating sin() in (34): Let () = V() + () be the root of (28), so that V(  ) = 0 and (  ) =  0 are satisfied when  =   .
Lemma 11.Suppose ℎ  ( 0 ) ̸ = 0.If  =  0 , then ± 0 is a pair of purely imaginary roots of (28).In addition, if the conditions in Lemma 9 are satisfied, then This signifies that there exists at least one eigenvalue with positive real part for  >   .Differentiating both sides of (28) with respect to , it can be written as Therefore where Γ =  1 2  0 4 +  0  0 2 ; then it follows the hypothesis ( 3 ) The root of characteristic equation (28) crosses from left to right on the imaginary axis as  continuously varies from a value less than   to one greater than   according to Routh's theorem.Therefore, according to the Hopf bifurcation theorem for functional differential equations, the transverse condition holds and the conditions for Hopf bifurcation are satisfied at  =   .Then the following result can be obtained.
This implies that when time delay τ < τ₀, the system will be stable at its infection equilibrium point so that it is easy to control and eliminate worms; when τ ≥ τ₀, the system will be unstable but the threshold τ₀ is greater than the delayed model's, which illustrates that the model with constant quarantine strategy gets stable easier and the users have more time to remove worms.

A Delayed Worm Propagation Model with Impulsive Quarantine

Using Impulsive Quarantine Strategy to Model a Delayed Worm Propagation

Although constant quarantine strategy based on misuse intrusion detection does improve vaccination effect, the system is out of control and bifurcation is still not eliminated. In addition, the system fails to detect unknown worms and worm-variants. Anomaly intrusion detection system is of help in detecting these kinds of worm. However, the system is accompanied by high false-positive rate. To solve the problem of constant quarantine strategy and anomaly intrusion detection system, we proposed a novel quarantine strategy called impulsive quarantine based on a hybrid intrusion detection system, which can make up for the gaps existing in the two systems. Impulsive quarantine is implemented as follows: constant quarantine of infected hosts found by the misuse detection is performed, while susceptible and infected hosts detected by anomaly detection are quarantined in an impulsive way every  units of time. The advantages of this strategy lie in both avoiding a high false-positive rate caused by anomaly detection and making up for the insufficiency of the misuse detection in detecting unknown worms [12]. Impulsive quarantine strategy adds two transitions as a result of the influence of the anomaly detection method. The susceptible and infected hosts detected by anomaly detection method are quarantined at rate  1 and  2 , respectively. Other settings are identical to those of constant quarantine model. The state transition diagram of impulsive quarantine model is given in Figure 3.

𝐷 (𝑛𝑇
where  = 0, 1, 2, . .., the impulsive strategy is applied at a discrete time  = , and  is the interval time of impulsive quarantine. + is the moment at which we apply the th impulsive quarantine measure, whereas  − is the time just before the th impulsive quarantine measure is applied.

Global Attractivity of Infection-Free Periodic
We may see that the first four equations in (47) are independent of the fourth equation.Therefore, the fourth equation can be omitted without loss of generality [21].Hence, model (47) can be rewritten as In the following, we introduce some notations and definitions in subsequent sections.Let Denote  = ( 1 ,  2 ,  3 ,  4 )  , the map defined by the right hand of the four equations of system (48).
Let  be the space of continuous functions on [−, 0] with uniform norm.The initial conditions for (48) are Definition 13.System (48) is said to be permanent if there exists a compact region Ω 0 ∈ int Ω such that every solution of system (48) with initial conditions (50) will eventually enter and remain in region Ω 0 .
We have The proofs of case (i) and case (ii) are given in Theorems 2.1 [24] and 2.2 [25], respectively.We first demonstrate the existence of the infection-free periodic solution, in which infected individuals are entirely absent from the population permanently, that is, () = 0 for all  ≥ 0. Under this condition, the , , and  must satisfy ( First we show below that the susceptible population  oscillates with period , in synchronization with the periodic pulse vaccination.From the first and fourth equations of system (53), we have that S () =  + ( * − )  −](−) ,  <  ≤ ( + 1)  (54) is globally asymptotically stable, where From the second and fifth equations of system (53), we have lim  → ∞ () = 0. Further, it follows from the third and sixth equations of system (53 Therefore ( S(), 0, 0, ([(1−)]+]− S())/(+]+)) is the infection-free periodic solution of system (48).In the rest of this section, we establish the global attractivity condition for the infection-free periodic solution.
For the third equation of system (48), we have Consider comparison differential equation, for  >  2 , It is easy to see that () =  1 /].According to the comparison theorem, there is a  3 >  2 such that, for all  >  3 , Therefore, in view of the positivity of () and sufficiently small  1 , it follows from (69) that lim Moreover, for the first equation of system (48), we have Consider the following equations, for  >  and  >  3 : According to [27], we know that the periodic solution of system ( 72) is globally asymptotically stable, where According to the comparison theorem in impulsive differential equations, there exists an integer  4 >  3 such that Since that  1 is arbitrarily small, consider (63) and (75); we have that is globally attractive, that is, lim For the fourth equation of system (48), we have for  >  4 .

Numerical and Simulation Experiments
In order to simulate the worm propagation in the real world, the parameters in the experiments are practical values. The Slammer worm is selected for experiments [10]. 750,000 hosts are picked as the population size, and the worm's average scan rate is 3300 per second. The worm infection rate can be calculated as  = /2^32 = 0.5763, which means that average 0.5763 hosts of all the hosts can be scanned by one host. The infection rate is  = 3300/2^32 = 0.00000077, the recovery rate of infectious hosts is  = 0.19, the quarantine rate is  = 0.15, and the removal rate of quarantined hosts is  = 0.04. The rest of the parameters are  = 0.9,  = 0.031, and ] = 0.026. At the beginning, there are 50 infected hosts, while others are susceptible. The following numerical analyses are supplement for the above results.

Numerical Experiments of Worm Propagation Model with Time Delay in Vaccination

According to the above parameters, as shown in Figure 4, the curves of three kinds of host in system (1) are presented when τ = 5 < τ₀. All of the three kinds of host get stable quickly, which illustrates that  * is asymptotically stable. It implies that the number of infected hosts stays very low and can be predicted. Further strategies can be developed and utilized to eliminate worms. However, when time delay τ increases and reaches the threshold τ₀,  * will lose its stability and a bifurcation will occur. Figure 5 shows the susceptible, infected, and vaccinated hosts in system (1) when τ = 100 > τ₀. In this figure, we can clearly see that the number of infected hosts will outburst after a short period of peace and repeat again and again but not in the same period, which means that it is hard to predict the number of infected hosts and to develop further strategies to eliminate worms.
In order to see the influence of time delay, τ is set to a different value each time with other parameters remaining the same. Figure 6 shows the number of infected hosts in the same coordinate with time delays τ = 5, τ = 15, τ = 45, and τ = 90. Initially, the four curves are overlapped, which means that time delay has little effect in the initial stage of worm propagation. With time delay increasing, the curve begins to oscillate. When time delay passes through the threshold τ₀, the infecting process gets unstable. Meanwhile, it can be discovered that the amplitude and period of the number of infected hosts get increased.
In Figure 7, the projection of the phase portrait of system (1) in (, , )-space is presented when τ = 35 and τ = 45. In Figure 8, when τ = 35, it is clear that the curve converges to a fixed point which suggests that the system is stable. When τ = 45, the curve converges to a limit cycle which implies that the system is unstable. Figure 9 shows bifurcation diagram with τ from 1 to 100; Hopf bifurcation will occur when τ = τ₀ = 38.

Numerical Experiments of Worm Propagation Model with Constant Quarantine Strategy

In order to show the impact of constant quarantine strategy, we analyze the numerical results after adopting the constant quarantine strategy. Further, we compare them with the worm propagation model with time delay.
Figure 10 shows the curves of three kinds of host in system (22) when τ = 5 < τ₀. All of the three kinds of host get stable quickly, which illustrates that  * is asymptotically stable. When time delay τ increases and reaches the threshold τ₀,  * will lose its stability and a bifurcation will occur. Figure 11 shows the susceptible, infected, and vaccinated hosts in system (22) when τ = 100 > τ₀. In this figure, we can clearly see that the number of infected hosts will outburst after a short period of peace and repeat again and again but the range is much less than the delayed model's. It implies that the constant quarantine strategy can't eliminate the Hopf bifurcation, but it can reduce the max number of infected hosts.
In Figure 12, when τ = 100 > τ₀, it is clear that the maximum of infected hosts is diminished sharply from 220,000 to 38,000, which illustrates that constant quarantine strategy has much better inhibition impact than single vaccination. However, constant quarantine strategy cannot eliminate the Hopf bifurcation; the system is still unstable and out of control.
Figure 13 shows the projection of the phase portrait of system (22) in (, , )-space when τ = 40 and τ = 55. In Figure 14, when τ = 40, it is clear that the curve converges to a fixed point which suggests that the system is stable. When τ = 55, the curve converges to a limit cycle which implies that the system is unstable. Figure 15 shows bifurcation diagram with τ from 1 to 90; we find that Hopf bifurcation will occur when τ = τ₀ = 46. The threshold is greater than the delayed model's, which illustrates that the model gets stable easier and the users have more time to remove worms.

Numerical Experiments of Worm Propagation Model with Impulsive Quarantine Strategy

The paper performs the numerical experiments and compares the results with constant quarantine model after using impulsive quarantine strategy. The interval time of impulsive quarantine is set  = 10. The susceptible and infected hosts detected by the anomaly intrusion detection method are quarantined at rate  1 = 0.00002315 and  2 = 0.6, respectively. Other parameters are the same as constant quarantine model. Figure 16 shows the curves of four kinds of host when τ = 5 < τ₀. All of the four kinds of host get stable more quickly, which illustrates that  * is asymptotically stable. After using impulsive quarantine strategy, Figure 17 shows the curves of three kinds of hosts when τ = 100 > τ₀. All kinds of hosts get stable within 4 hours, which implies that Hopf bifurcation has been eliminated thoroughly. In Figure 18, the number of infected hosts has been shown without quarantine, adopting quarantine strategy, and impulsive quarantine strategy, respectively. It is clear that the number of infected hosts is almost 0 after using the impulsive quarantine strategy, which is even much less than model using constant quarantine strategy. The result means that the impulsive quarantine strategy works well. Thus, the system will be stable and controlled so that the worm will not break out again.

[8] simulating Code Red worm propagation. The system in our simulation experiment consists of 750,000 hosts that can reach each other directly, which is consistent with the numerical experiments, and there is no topology issue in our simulation. At the beginning of simulation, 50 hosts are randomly chosen to be infected and the others are all susceptible. In the simulation experiments, the implementation of transition rates of the model is based on probability. Under the propagation parameters of the Slammer worm, some simulation experiments are performed. Figure 19 shows that numerical and simulation curve of infected hosts match well when using the constant quarantine strategy and Figure 20 shows that numerical and simulation curve of infected hosts match well after using the impulsive quarantine strategy, whatever the value of  is.
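
The comparison of the three strategies in these experiments, as an added example that is not the paper's own code: a forward-Euler integration using the Slammer parameter values quoted above. The equation forms are assumptions drawn from the prose description of the transitions (mass-action infection, removed hosts held in the delayed state for the delay, quarantined hosts patched into the vaccinated state, no infected hosts before t = 0), and the assignment of 0.9, 0.031 and 0.026 to the unpatched newborn share, the re-susceptibility rate and the birth/death rate is also an assumption, so the output is not expected to reproduce the paper's figures exactly.

```python
"""Added example: Euler integration of an assumed S/I/D/V/Q worm model."""
from dataclasses import dataclass

N = 750_000            # population size used in the experiments
BETA = 3300 / 2**32    # infection rate: Slammer scan rate over the IPv4 address space


@dataclass(frozen=True)
class Strategy:
    alpha: float = 0.0   # constant quarantine rate of infected hosts (misuse IDS)
    T: float = 0.0       # interval between quarantine impulses; 0 disables them
    theta1: float = 0.0  # share of susceptible hosts quarantined at each impulse
    theta2: float = 0.0  # share of infected hosts quarantined at each impulse


NO_QUARANTINE = Strategy()
CONSTANT = Strategy(alpha=0.15)
IMPULSIVE = Strategy(alpha=0.15, T=10.0, theta1=0.00002315, theta2=0.6)


def simulate(strategy, tau, t_end=300.0, dt=0.05, gamma=0.19, delta=0.04,
             p=0.9, omega=0.031, mu=0.026, infected0=50.0):
    """Return per-step lists keyed 't', 'S', 'I', 'D', 'V', 'Q'.

    Parameter names are this example's own: gamma = removal rate of infected
    hosts, delta = removal rate of quarantined hosts, mu = birth/death rate,
    p = share of newborn hosts that are unpatched, omega = rate at which
    vaccinated hosts become susceptible again, tau = vaccination delay.
    """
    lag = round(tau / dt)
    pulse = round(strategy.T / dt) if strategy.T > 0 else 0
    S, I, D, V, Q = N - infected0, infected0, 0.0, 0.0, 0.0
    out = {name: [] for name in "tSIDVQ"}
    for k in range(round(t_end / dt) + 1):
        if pulse and k % pulse == 0:       # impulse at t = nT, n = 0, 1, 2, ...
            moved_s, moved_i = strategy.theta1 * S, strategy.theta2 * I
            S, I, Q = S - moved_s, I - moved_i, Q + moved_s + moved_i
        for name, value in zip("tSIDVQ", (k * dt, S, I, D, V, Q)):
            out[name].append(value)
        # Hosts removed tau ago leave the delayed state now (none before t = 0).
        i_lag = out["I"][k - lag] if k >= lag else 0.0
        new_inf = BETA * S * I
        dS = p * mu * N - new_inf - mu * S + omega * V
        dI = new_inf - (gamma + mu + strategy.alpha) * I
        dD = gamma * I - gamma * i_lag - mu * D
        dV = (1 - p) * mu * N + gamma * i_lag + delta * Q - (omega + mu) * V
        dQ = strategy.alpha * I - (delta + mu) * Q
        S, I, D, V, Q = (S + dt * dS, I + dt * dI, D + dt * dD,
                         V + dt * dV, Q + dt * dQ)
    return out


def peak_infected(run):
    """Largest number of infected hosts seen during the run."""
    return max(run["I"])


def max_drift(run):
    """Largest deviation of S+I+D+V+Q from N; a bookkeeping check on the flows."""
    return max(abs(s + i + d + v + q - N) for s, i, d, v, q in
               zip(run["S"], run["I"], run["D"], run["V"], run["Q"]))


if __name__ == "__main__":
    cases = (("none", NO_QUARANTINE), ("constant", CONSTANT), ("impulsive", IMPULSIVE))
    for tau in (5, 100):
        for name, strategy in cases:
            run = simulate(strategy, tau, t_end=1000.0)
            print(f"tau={tau:>3} {name:<9} peak I={peak_infected(run):>9.0f} "
                  f"final I={run['I'][-1]:>9.0f} drift={max_drift(run):.1e}")
```
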

Conclusions
By considering that time delay leads to Hopf bifurcation so that the worm propagation system will be out of control, this paper proposes two quarantine strategies: constant quarantine and impulsive quarantine strategy to control the stability of worm propagation. Through theoretical analysis and simulation experiments, the following conclusions can be derived.
(1) In order to accord with actual facts in the real world, a worm propagation model with time delay in vaccination is constructed. The critical time delay τ₀ where Hopf bifurcation appears is obtained. When time delay τ < τ₀, the worm propagation system will stabilize at its infection equilibrium point, which is beneficial to implement a containment strategy to eliminate the worm completely. When time delay τ ≥ τ₀, Hopf bifurcation appears, implying that the system will be unstable and the worm cannot be effectively controlled.
(2) Constant quarantine strategy based on misuse IDS has only some inhibition impact. Through theoretical analysis, the threshold τ₀ is greater than the delayed model's so that the users have more time to clean worms. Nevertheless, constant quarantine strategy cannot eliminate bifurcation.
(3) Impulsive quarantine strategy is proposed, which can both make up for the gaps existing in the misuse and anomaly IDS and eliminate bifurcation.Through theoretical analysis and numerical experiments, the numerical results match theoretical ones well, which fully support our analysis.
Furthermore, various factors can affect worm propagation.The paper focuses on analyzing the influence of time delay.Other impact factors to worm propagation will be a major emphasis of our future research.

Figure 1: State transition diagram of delayed model.

Figure 2: State transition diagram of constant quarantine model.

Figure 3: State transition diagram of impulsive quarantine model.

Figure 4: Worm propagation trend of model with time delay when τ < τ₀.

Figure 6: Number of infected hosts when τ is changed.

Figure 17: Worm propagation trend of model with impulsive quarantine strategy when τ > τ₀.

Figure 18: Comparison of infected hosts without quarantine, adopting constant quarantine strategy and impulsive quarantine strategy, respectively, when τ > τ₀.

Figure 19: Comparison of numerical and simulation curve of the infected hosts of constant quarantine model.

Figure 20: Comparison of numerical and simulation curve of the infected hosts of impulsive quarantine model.