Dynamical analysis of a malware propagation model considering the impacts of mobile devices and software diversification


Accepted Manuscript

Soodeh Hosseini, Mohammad Abdollahi Azgomi

PII: S0378-4371(19)30551-5
DOI: https://doi.org/10.1016/j.physa.2019.04.161
Reference: PHYSA 20925

To appear in: Physica A

Received date: 2 June 2018

Please cite this article as: S. Hosseini and M.A. Azgomi, Dynamical analysis of a malware propagation model considering the impacts of mobile devices and software diversification, Physica A (2019), https://doi.org/10.1016/j.physa.2019.04.161

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.


Dynamical Analysis of a Malware Propagation Model Considering the Impacts of Mobile Devices and Software Diversification

Soodeh Hosseini¹ and Mohammad Abdollahi Azgomi²*

¹ Department of Computer Science, Faculty of Mathematics and Computer, Shahid Bahonar University of Kerman, Kerman, Iran.
² School of Computer Engineering, Iran University of Science and Technology, Tehran, Iran.
E-mail: [email protected] and [email protected]

Abstract

The aim has been to model the dynamics of malware propagation in scale-free networks (SFNs) with birth and death rates. The proposed model is a variant of susceptible-exposed-infectious-recovered-susceptible with a vaccination (SEIRS-V). This model is extended for modeling malware propagation between computer nodes and mobile devices (MDs), which is called MD-SEIRS-V. Unlike other existing models, MD-SEIRS-V principally considers the impacts of diversification as a defense mechanism to reduce epidemic spreading in SFNs. The dynamical behavior of the model is determined by the basic reproductive ratio. Furthermore, we calculate the critical number of diverse software packages installed on computer nodes, which can be used as a parameter to prevent epidemic spreading. The dynamics of malware propagation are analyzed, and it is shown that the local and global stability of the malware-free equilibrium are equivalent. We have also carried out a series of numerical simulations to evaluate the dynamical behaviors of malware propagation in SFNs.

Keywords: Malware propagation modeling, epidemic model, scale-free networks (SFNs), mobile device, software diversification.

1. Introduction

With the widespread use of the Internet, Web and online social networks, the number of security vulnerabilities and threats has increased significantly. Different kinds of malware (i.e., worms and viruses) have become a major threat to the security of systems and networks [1]. Thus, data owners and network administrators have to pay more to prevent malware from spreading and to halt it in real networks. Research has shown that these networks have a power-law degree distribution and a heterogeneous network topology [2]. These real networks are often referred to as scale-free networks (SFNs).

* Address for correspondence: School of Computer Engineering, Iran University of Science and Technology, Hengam St., Resalat Sq., Tehran, Iran, Postal Code: 16846-13114, Fax: +98-21-73021480, E-mail: [email protected].

Malware is growing in number and complexity. On the other hand, systems often run the same or similar software packages, which is referred to as monoculture [3]. One reason for weakened security is that similar software systems ease the spread of malware in networks that share common vulnerabilities [4]. Due to security concerns about common vulnerabilities in identical systems, and thus the spread of malware, diversification has received much attention as a cyber-defense mechanism in large-scale networks. Diversity generates different variants of software that have different structures but identical semantics (or behaviors) and are functionally equivalent [3]. Diversification reduces common vulnerabilities and mitigates the impacts of monoculture; it also makes it very difficult for an attacker to design a single attack that exploits common vulnerabilities in the system components [3].

The majority of previous studies have focused on modeling malware propagation in monoculture networks, without considering diversification as a protection mechanism in SFNs. Some studies aimed at reducing the spread of epidemics in SFNs by specifying defensive points [5] and by using immunization strategies [6]. Most research on modeling malware propagation in the Internet, peer-to-peer (P2P) networks and SFNs is based on classical epidemic models [7, 8]. In this paper, we propose a susceptible-exposed-infectious-recovered-susceptible with a vaccination (SEIRS-V) epidemic model for computer nodes and a susceptible-exposed-infectious (SEI) epidemic model for mobile devices (MDs) to model the impacts of diversification in reducing malware propagation in SFNs. Because the network topology varies dynamically during malware propagation, the model is developed considering topology dynamics by taking into account leaving and joining nodes and MDs. The new model, abbreviated as MD-SEIRS-V, is proposed to study the dynamical behavior of malware propagation in SFNs.

The proposed model is somewhat similar to the mathematical model for the spread of malaria in human and mosquito populations [9]. The proposed model considers MD-malware spreading between computers and MDs (such as mobile hard disks, memory cards, flash disks, etc.) by determining the MD state and new parameters. Modeling the malware propagation process allows us to get a better understanding of the dynamics of malware propagation. Applying the defense mechanisms of diversification and vaccination helps to prevent malware propagation on SFNs. From the epidemiological point of view, global stability analysis of the proposed model is of considerable importance. The stability analysis of the model is an important activity in the epidemiological area. We investigate the impact of the basic reproductive ratio on the global dynamics of the model and calculate the critical number of diverse software packages needed to break up monoculture.

The contributions of this paper are as follows. First, we propose a new dynamic model of malware propagation by considering the effect of diversification. The proposed MD-SEIRS-V model is an extension of the SEIRS epidemic model by adding the vaccination state and the MD state. Second, we analyze the malware-free equilibrium point and obtain the important parameters, such as the basic reproductive ratio and the critical value of diverse software packages, to quantify the guideline for defense against malware threats in SFNs. Third, we analyze the local and global stability of the malware-free equilibrium of the MD-SEIRS-V model and study the dynamical behaviors of the model.

The rest of the paper is organized as follows. In Section 2, we briefly review the background of the work in the fields of epidemiological models, scale-free networks and software diversity. We survey the related work in Section 3. We introduce a new dynamic model of malware propagation in Section 4. In Section 5, we analyze the dynamical behaviors of the proposed model. A series of numerical simulations supporting the theoretical results are presented in Section 6. Finally, Section 7 concludes the paper and indicates future research directions.

2. Background

In this section, we briefly introduce the concepts of epidemiological models, software diversity, and scale-free networks.

2.1. Epidemiological Models

Recent research indicates that the risk of infection propagation between computers in a network is similar to that of disease outbreaks in societies. Thus, epidemiological mathematical models can be used and adapted for modeling infection propagation. In the field of epidemiology, both stochastic models and deterministic models are effective for modeling the propagation of diseases [10]. Stochastic models are suitable for small-scale networks with trouble-free virus dynamics, while deterministic models are appropriate for large-scale networks and express the malware propagation under the hypothesis of mass action [10]. A stochastic model is formulated in terms of a stochastic process with a collection of random variables based on probability theory. Malware propagation in networks is a stochastic process. In malware propagation modeling in large-scale networks, deterministic models will lead to better solutions. The reason why random events have so little impact on malware propagation in a large-scale network is that the population is huge [10].

During the epidemic outbreak process, the nodes are categorized as follows: susceptible (S), infected (I), or recovered (R). In the susceptible state, the nodes are vulnerable to infection. In the infected state, the nodes are already infectious and can attack other vulnerable nodes, and in the recovered state, the nodes have recovered from infection. In the following, we review the most commonly used epidemic models.

In the classical simple epidemic model, each node remains in one of the following two states: susceptible or infectious. This model assumes that once a node is infected by malware, it will persistently remain in the infectious state. Thus the state transition of any node in this model will be: susceptible → infectious [11]. In epidemiology, the Kermack-McKendrick (KM) model is referred to as the susceptible-infectious-removed (SIR) epidemic model [11]. This model accounts for the removal process of infectious nodes. It assumes that throughout an epidemic spreading of a transmittable disease, some infectious nodes can recover from the disease, either due to immunization or due to death. The recovered nodes cannot be infected again. In the SIS model, each node remains in either the susceptible or the infectious state. In this model, susceptible nodes become infected after being attacked by their infected neighbors and then become susceptible again after recovering from the infection [12].

In mathematical epidemiology, models can be formulated by differential equations (DEs), which are classified as ordinary or partial DEs. ODE epidemic models involve a single independent variable with derivatives relative to that variable [11, 12]. On the other hand, PDE epidemic models include two or more independent variables with at least one partial derivative [13, 14].

2.2. Software Diversity

The principle of diversity comprises the creation of components that are deliberately different in substantive ways [15]. These differences can consist of the vendor source, operating system, software version, network connectivity, programming language, targeted standards, and so on [15]. In the presence of diversity, detecting and exploiting a common vulnerability to perform attacks that can be propagated automatically through the network becomes quite difficult for an adversary.

Nowadays, cyber-attacks are increasing in number and complexity, and the security of software systems is a serious concern [3]. Software systems run identical software, which is known as monoculture. Monoculture raises crucial security concerns because identical components share common vulnerabilities and propagate malware [3]. In general, there are two kinds of software diversity: true diversity and artificial diversity. True diversity is obtained when different working teams use different programming languages and algorithms to generate diverse variants of the same software with the same functionality without common vulnerabilities. The cost of true diversity is high while the number of diverse software packages is low. In artificial diversity, diverse software packages are generated by automatic program transformations. The cost of artificial diversity is reasonable and the number of diverse software packages is high, because users automatically download software with different binaries instead of downloading software packages with an identical binary. In principle, either true diversity or artificial diversity can mitigate epidemic spreading on the network.

2.3. Scale-Free Networks

Many large real networks, such as the Internet, online social networks, biological networks and economic networks, have a scale-free degree distribution [16]. In these networks, the degree distribution is power-law with , where the power-law exponent γ is often in the range from 2 to 3.

There are two issues in SFNs, which are real-world networks [16]: the first is how real-world networks acquire scale-free degree distributions, and the second is what structural features SFNs possess. For the first issue, two key characteristics of real networks are growth and preferential attachment, which give rise to the scale-free degree distribution. When a new node appears, it tends to connect to nodes of high degree [17]. As to the second issue, real SFNs are usually heterogeneous networks, which have a few nodes of very high degree (i.e., hubs) and many nodes of low degree. SFNs with heterogeneous degree distribution and high connectivity fluctuations are very vulnerable to the propagation and persistence of infections [18]. SFNs are classified in the literature as follows [19]: SFNs with no local clustering based on the Barabási-Albert (BA) model [17] and SFNs with high clustering properties based on the Klemm and Eguiluz model [20].

3. Related Work

The study of malware spreading in complex networks is an attractive field among computer science researchers. Since infection spreading between computers is similar to disease outbreaks between individuals, epidemiological models have been introduced to formulate the spread of infections mathematically. Many researchers have investigated malware propagation in the epidemiology field with susceptible-infected-susceptible (SIS), susceptible-infected-recovered (SIR), susceptible-infected-recovered-susceptible (SIRS), or susceptible-exposed-infected-recovered (SEIR) epidemic models. Pastor-Satorras et al. [21] focused on paradigmatic models in infectious disease modeling to understand the dynamics of contagion processes in complex networks. The complex characteristics of real-world networks have an important impact on the behavior of equilibrium and non-equilibrium phenomena [21]. Massaro et al. [22] studied the interplay between the epidemic outbreak and risk perception in multiplex networks. They developed the model considering that in real life people can be infected by physical contacts, but often get information from an information network that may be completely different from the physical one [22]. Anderson et al. [23] combined mathematical models with the use of epidemiological concepts. They demonstrated how disease trends should be interpreted and how the effective factors can be used to control or eradicate infections [23]. Grassly et al. [24] provided an introduction to the disease transmission process, how this stochastic process can be represented mathematically and how this mathematical representation can be applied to analyze the dynamics of epidemic spreading. Hazarika et al. [9] proposed an SIRS model for humans and an SI model for mosquitoes. They performed stability analysis of the malaria model. The models in the above papers were ODE epidemic models with one or more functions of a single variable. Friedman et al. [13] introduced the partial differential equation (PDE) SI epidemic model with diffusion-linked continuum sets of compartments. Posny et al. [14] studied the dynamics of the cholera epidemic with a new reaction–diffusion model and calculated its basic reproductive ratio.

In mathematical epidemiology, the majority of studies have focused on the computation of the basic reproduction number; the existence of the equilibria; the local stability and global stability of the disease-free equilibrium and endemic equilibrium; and the extinction, permanence and persistence of the disease [25-34]. In this area, global stability is of the utmost importance. Diaz et al. [25] presented a differential equation-based model for the control of malaria epidemics that considers both the population dynamics of the vectors and the malaria epidemic dynamics. They analyzed the equilibrium point and the Lyapunov stability of the equilibria [25]. Equilibrium points are stationary solutions, where the populations stay constant in time [25, 27]. The analysis of the equilibrium points of the system can be restricted to their stability in the Lyapunov sense [25, 26]. An equilibrium point is stable if a small deviation from the equilibrium does not lead to a solution that diverges from the point [25]. Enatsu et al. [26] used key properties of Lyapunov functional techniques and established the global stability of a delayed SIRS epidemic model. They offered a unified construction of Lyapunov functions for both cases, in which the basic reproductive ratio is less than or equal to one and larger than one [26]. Li et al. [29] studied infection spreading in complex heterogeneous networks based on an SIRS epidemic model with birth and death rates. The dynamics of the network-based SIRS model are determined by a threshold value; they also studied the global stability of the disease-free and endemic equilibria by constructing a Lyapunov function with LaSalle's invariance principle [29]. Enatsu et al. [30] considered the global dynamics of the SIRS epidemic model with nonlinear incidence rates and distributed delays by constructing a suitable Lyapunov function. Huang et al. [31] studied the global stability of the disease-free equilibrium and the endemic equilibrium of SIR and SEIR epidemic models with nonlinear incidence rates by constructing a Lyapunov function and using the Lyapunov-LaSalle invariance principle. Mishra et al. [32] presented a mathematical epidemic model of the transmission of worms in wireless sensor networks. They investigated the dynamics of worm spreading with respect to time. They also found the basic reproduction number, the equilibrium points, and the stability of the worm-free equilibrium. Zhu et al. [33] investigated the global stability of a generalized epidemic model on complex heterogeneous networks and studied the impact of heterogeneity on disease spreading. Kondakci et al. [34] proposed a recurrent epidemic model (REM) to explore the dynamics of Internet epidemiology through the phases of susceptibility to recovery.

To the best of our knowledge, in the field of epidemiology and malware propagation modeling in heterogeneous networks (e.g., SFNs), the effect of software diversity as an efficient protection mechanism has not been investigated yet. Software diversity increases the costs for an attacker and breaks up monoculture networks that run the same software. Because of the importance of software security and of reducing malware spreading, we surveyed a set of semantics-preserving program transformation techniques [35]. These diversity techniques have been introduced to raise the complexity of exploiting vulnerabilities [36, 43]. Diversification through automatic program transformations provides an achievable defense against unknown threats. Some of these techniques are: instruction set randomization (ISR) [37], address space randomization (ASR) [4], data space randomization (DSR) [4], stack base randomization, heap layout randomization, reverse stack, system call number randomization, library entry point randomization [35], adding dummy buffers and variables, and changing the order of heap-memory requests [38]. Rodes et al. [39] described a new method to defend against stack-based attacks (including intra-frame overflows and non-control data attacks) using stack layout transformation. They used a combination of diversifications, including variable reordering, random-sized padding between variables, and placement of canaries [39]. Diversification can occur at each phase in the software life-cycle, which includes the following stages [40]: development, compilation, linking, deployment, loading and running.

In [41], many coloring algorithms (such as the randomized coloring algorithm, color swapping algorithm, color flipping algorithm, or hybrid algorithms) are presented to assign various software packages to the nodes of a network, represented as a graph, in order to decrease attacks. Each color in the graph corresponds to a distinct software package. These algorithms increase the network heterogeneity by reducing the number of monochromatic edges. Liu et al. [42] proposed a role-based graph coloring algorithm, which uses a software diversity method to defend against sensor worm attacks. Using these algorithms, two goals are achieved [41]. The first goal is minimizing the number of defective edges (i.e., the edges connected to similar packages or monochromatic nodes). The second goal is increasing the number of disconnected components running similar software packages. These goals prevent the outbreak of infection from the infected nodes to other nodes.

It is noteworthy that the dynamics of systems are modeled by continuous-time or discrete-time models. Discrete-time models are based on discrete time points and intervals and are represented by difference equations, while continuous-time models are based on infinitesimal mathematics; the changes occur in a moment of time and require no discrete intervals. Continuous-time models are represented by differential equations [44].
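The two coloring goals described in this section (fewer defective edges, more disconnected same-package components) can be measured directly on a BA scale-free graph. The Python sketch below is an added example, not code from the paper or from [41], [42] or [51]; the graph size, the BA parameter m, the number of packages c and the greedy recoloring rule are assumptions chosen for illustration.

```python
import random
from collections import Counter

def ba_graph(n, m, rng):
    """Barabasi-Albert growth: every new node attaches to m distinct existing
    nodes picked with probability proportional to their current degree."""
    adj = {i: set() for i in range(n)}
    ends = []                          # each node appears once per incident edge
    for i in range(m + 1):             # seed graph: clique on m+1 nodes
        for j in range(i + 1, m + 1):
            adj[i].add(j); adj[j].add(i)
            ends += [i, j]
    for new in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(ends))
        for t in sorted(chosen):
            adj[new].add(t); adj[t].add(new)
            ends += [new, t]
    return adj

def defective_edges(adj, color):
    """Edges whose two endpoints run the same package (monochromatic edges)."""
    return sum(1 for u in adj for v in adj[u] if u < v and color[u] == color[v])

def greedy_recolor(adj, color, c, max_passes=50):
    """Illustrative local search (an assumption, not the algorithm of [41] or
    [51]): move a node to the package least used among its neighbors whenever
    that strictly lowers its number of same-package neighbors."""
    color = dict(color)
    for _ in range(max_passes):
        moved = False
        for v in sorted(adj, key=lambda x: (-len(adj[x]), x)):   # hubs first
            used = Counter(color[u] for u in adj[v])
            best = min(range(c), key=lambda k: (used[k], k))
            if used[best] < used[color[v]]:
                color[v] = best
                moved = True
        if not moved:
            break
    return color

def same_package_components(adj, color):
    """Sizes of the connected components left when only same-package edges are
    kept. A component's size bounds how far one package-specific exploit can
    travel node-to-node (the mobile-device channel is not represented here)."""
    seen, sizes = set(), []
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        stack, size = [start], 0
        while stack:
            v = stack.pop()
            size += 1
            for u in adj[v]:
                if u not in seen and color[u] == color[v]:
                    seen.add(u)
                    stack.append(u)
        sizes.append(size)
    return sizes

def compare(n=2000, m=3, c=4, seed=1):
    # n, m, c and seed are assumed illustration values, not taken from the paper.
    rng = random.Random(seed)
    adj = ba_graph(n, m, rng)
    random_col = {v: rng.randrange(c) for v in adj}
    colorings = {
        "monoculture": {v: 0 for v in adj},          # one package everywhere
        "random": random_col,                        # uniform random packages
        "greedy": greedy_recolor(adj, random_col, c),
    }
    out = {}
    for name, col in colorings.items():
        sizes = same_package_components(adj, col)
        out[name] = {"defective_edges": defective_edges(adj, col),
                     "components": len(sizes),
                     "largest_component": max(sizes)}
    return out

if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:12s} {stats}")
```

With uniform random assignment about 1/c of the edges stay monochromatic, which matches the k/c same-type neighbors the model assumes for a node of degree k; the greedy pass shows how a coloring algorithm pushes below that baseline.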

4. The Proposed Model

In this section, we propose an epidemic model of susceptible-exposed-infectious-recovered-susceptible with a vaccination (SEIRS-V), which is extended by the epidemic model of mobile device (MD) malware propagation between computer nodes and MDs in SFN. MDs related to computer nodes include USB flash disks, hard drives, portable USB storage devices and so on. Furthermore, we consider software diversity on computer nodes to reduce malware spreading and prevent common exploitable vulnerabilities in the network. MD-malware is more stubborn than network malware, because the vast majority of users do not apply security mechanisms when using MDs. Moreover, the residual faults constitute dormant vulnerabilities, which would eventually be exploited by malware.

4.1. Model Description

We describe a new dynamic model of malware propagation in SFNs, which is abbreviated as MD-SEIRS-V. In the epidemic model of MD-malware propagation we have new states and new parameters. New states ( ) in the MD epidemic model will correspond to node states in the computer network ( in SEIRS-V epidemic model), where (subscript) presents the state of a MD, (subscript) indicates the state of a computer node in the network, (subscript) shows the degree of each node, and (subscript) denotes the assignment diverse software packages or colors for each node in SFN. In this model, different software packages are assigned to the network's nodes according to the proposed coloring algorithm presented in [51]. The coloring algorithm decreases the number of neighbors of the same type that run the same software component and share common vulnerabilities. Using software diversity, the software packages have different binaries instead of an identical binary; thus, an attacker cannot exploit a common vulnerability. Each diverse software package is equal to a different color ( ), denotes the network size, in , we have no diversity, which is called monoculture. The assumptions utilized in the MD-SEIRS-V model are as follows:

1. We assume that diverse software packages are generated by artificial diversity.
2. Network topology is based on the BA SFN, considering clustering.
3. All MDs interact with computer nodes in SFNs and can transfer files or information from MDs to computer nodes, or vice versa.
4. Initially, all nodes in SFN are susceptible apart from a number of infected nodes (i.e., ), and all MDs are susceptible except a number of infected MDs (i.e., ).
5. To increase the accuracy of the simulations, every experiment is performed 30 times and the results are averaged.

During the epidemic outbreak process, the computer nodes in the MD-SEIRS-V epidemic model are categorized as susceptible ( ), exposed ( ), infected ( ), recovered ( ) or vaccinated (V):

- : The density of susceptible nodes of degree and type at the time .
- : The density of exposed nodes of degree and type at the time .
- : The density of infected nodes of degree and type at the time .
- : The density of recovered nodes of degree and type at the time .
- : The density of vaccinated nodes of degree and type at the time .

The MD states in the MD-SEIRS-V epidemic model are categorized as susceptible ( ), exposed ( ), infected ( ):

- : The density of susceptible MDs at the time .
- : The density of exposed MDs at the time .
- : The density of infected MDs at the time .

Modeling malware propagation helps us study defense mechanisms to avoid malware propagation and thereby reduce the effects of attacks. Figure 1 shows the state transition diagram of the MD-SEIRS-V model. As shown in Figure 1, the susceptible nodes of the type are not immediately infected after being attacked by their infected neighbors of the same type or by the infected MDs that are inserted into the USB drive at each time step, but are exposed to infection for a while with the infection rate or , where is the infection propagation rate from their infected neighbors and is the propagation rate from the MDs to the computer nodes. After the latent period has elapsed, the computer nodes become infectious with the rate . When the MDs are connected to the infected nodes in the SFN, they can become infected with the infection rate ; the infected MDs are not immediately infected; there is latency time before infection. The infected nodes of the type and the infected MDs become recovered with the recovery rate and at time t. The recovered nodes of the type and the recovered MDs can become susceptible again with the recovery loss rate and . Also, the vaccinated nodes of the type become susceptible to the same type with the vaccinating loss rate , and the susceptible nodes in the network can directly vaccinate with rate before getting infected by the infected MDs or the infected neighbor. The recovered nodes and the vaccinated nodes do not have a permanent immunization period in the network and can still be infected by malware. Table 1 shows the parameters or variables used in the proposed model.

4.2. Model Formulation

Here, we introduce the analytical MD-SEIRS-V model for modeling malware propagation using continuous-time differential equations. The analytical MD-SEIRS-V model is an extension of the SEIRS-V epidemic model by inserting the MD epidemic model. Also, in the analytical model, we consider software diversity as a protection strategy to limit malware propagation. We introduce a formulation of the proposed model to study the dynamical behaviors of malware spreading in SFNs with the birth and death rates, where the deaths are balanced by the births.

We model malware propagation in the BA model of SFN. The BA model grows SFN with integer parameter ≥ 1 [21, 28]. We consider degree between to ( ), where is the minimum degree and is the maximum degree of nodes. The infectivity of each node is equivalent to its degree (k) and diverse software packages in the network. On average, a node of degree k has k/c neighbors of the same type, with denoting the probability that a connection from a node exists to an infected node of the same type, where is the degree distribution and is the mean degree. The mean degree of each subgraph, considering diversity, will be . At time t, newly infected computer nodes of type c will be able to infect their susceptible neighbors of the same type because of a common vulnerability; thus we have , where is the infection related to the node degree and software diversity among computer nodes. The infected MDs can infect computer nodes by means of a USB drive; hence the infection propagation from MDs to computer nodes, considering the average number of USB drives (d), is . Consequently, infection propagation between computer nodes is as follows:

(1)

In the following, we describe the computer nodes of the degree and type in the MD-SEIRS-V model:

- Susceptible ( ): All nodes have the software vulnerability that the malware can exploit [43]. The infected computer nodes turn into the exposed state ( ) and leave the susceptible state. Considering the reduction of the density of the susceptible nodes moving to the exposed state at the time t using Eq. (1), and the increase of the density of the susceptible nodes arriving from the recovered and vaccinated states of the same type ( ), we obtain the following equation for the susceptible state with birth and death rates:

(2)

- Exposed ( ): Computer nodes are not immediately infected after being attacked by their infected neighbors of the same type or by the infected MDs; the malware in this state is not activated. As stated earlier, the density of susceptible nodes that have been attacked is added to the density of exposed nodes using Eq. (1). The exposed nodes of type c become infected after the latency time has elapsed and then start to infect their susceptible neighbors of the same type ( ). Considering the death rate, we obtain the following equation for the exposed state:

(3)

- Infected ( ): The malware in this state is activated. The density of infected nodes is increased by the density of exposed nodes of the same type at the time t. Moreover, it is decreased by the removal processes (death, recovery). When the infected nodes come into contact with the MDs, the infection transfers to the MDs. The equation for the infected state is as follows:

(4)

- Recovered ( ): The infected nodes of the type c and the infected MDs will be recovered with antivirus countermeasures; thus the density of recovered nodes of the same type is increased. Furthermore, it is decreased when the recovered nodes of the type become susceptible to the same type due to updates of virus bases, loss of immunization, reinstalling the operating system, et cetera [45]. Also, the recovered nodes can become the susceptible MDs. Considering the death rate or the replacement rate, which may occur in the recovered state, we obtain the following equation for the recovered state:

(5)

- Vaccinated ( ): The nodes in the "susceptible" state change to the "vaccinated" state before getting infected by the MDs or the infected neighbors by taking countermeasures, e.g., patching, an intrusion-detection system (IDS), or antivirus software [45]. Thus the density of the vaccinated nodes of the same type is increased. Also, the vaccinated nodes of the type c become susceptible again after the vaccinated period has elapsed, and their density is decreased. Considering the death rate or replacement rate, we have the following equation for the vaccinated state:

(6)

In summary, the differential equations of the SEIRS-V epidemic model for computer nodes are as follows:

(7)

In the following, we describe an SEI epidemic model for the mobile devices (MDs):

- Susceptible (Su): Susceptible MDs transit into the exposed state when they have been infected by infectious computer nodes with the infection rate . Hence, their density decreases. Furthermore, the density of the susceptible MDs increases through transitions from the recovered nodes. By also considering the death and birth rates of the MDs, we obtain the following equation for the susceptible state: . (8)

- Exposed (Eu): The density of the susceptible states that have been infected by infected computer nodes through USB drives, with the infection rate , is added to the density of exposed states in the MDs. The exposed states become infected after the latency time elapses and then start to infect other states. By considering the death or replacement rate, we obtain the following equation for the exposed state: . (9)

- Infected (Iu): The density of infected MDs is increased by the density of exposed states. Moreover, it is decreased by the removal processes (death, recovery). When the infected MDs come into contact with the computer nodes, the infection transfers to the computer nodes. The equation for the infected MDs is as follows: . (10)

In summary, the differential equations of the SEI epidemic model for the mobile devices (MDs) are as follows: . (11)

. .

Consequently, the differential equations of the analytical MD-SEIRS-V model are as follows:

.

(12)

. . . .


. . .

With initial conditions . for any and . For each , adding the five equations of Eq. (7) gives , . Thus . And for , inserting the three equations of Eq. (11) gives , Hence . Therefore, limit sets of the model of Eq. (12) are included in the following bounded region in the nonnegative . The feasible region for the model of Eq. (12) is }, State space of the model of Eq. (12) is non-negative cone, = }, is the maximum number of connectivity each computer node, we have five computer nodes ( ) and three MDs states ( ). is a positive invariant set for the model of Eq. (12), and it is sufficient to study the dynamics of the model of Eq. (12) in since it is dissipative and the global attractor is contained in [28]. Solutions of the initial value problem beginning in and defined by Eq. (12) exist and are unique on a maximal interval [32]. It is important to show that all state variables in the model of Eq. (12) are nonnegative and not larger than 1. Thus, the following lemma and its proof are presented, which are based on [29]:

Lemma 1: Suppose that ( ) be the solution of MD-SEIRS-V model of Eq. (12) satisfying the initial conditions. Then and and for all .

Proof: Note that . Using the first equation of the model of Eq. (12) and continuity of , we can find a small such that for all . Now, we prove for . Without loss of generality, we can assume that there exists such that and for . From the second equation of the model of Eq. (12), we obtain for , which implies for . Considering the third equation of the model of Eq. (12), we have for . Similarly, and the continuity of , and yield and for , respectively. Thus, we obtain for . Now, . Hence, the first equation of the model of Eq. (12) indicates that . This points, for some , which is seemingly a contradiction. Hence, for all . Considering the second equation of the model of Eq. (12), we obtain for all and all . Finally, we reach that for all . Similarly, we prove that , , and for .

Taking the sum of equations of the MD-SEIRS-V model (12), we obtain for all , which imply and are constant. (We assume that = and ). Since for all and , thus for all . Also, we reach that and for all .

Therefore, we complete the proof of Lemma 1.

5. Dynamical Analysis of the Proposed Model

In this section, we discuss the existence of equilibria and the stability analysis of the model. We consider an algebraic solution for the malware-free equilibrium and carry out a stability analysis of the malware-free equilibrium. Moreover, we derive the reproductive ratio to analyze the dynamical behavior of the model. We also obtain the number of diverse software packages required to limit the outbreak of malware. For finding equilibrium points, the steady states of the model of Eq. (12) are as follows: . By the following calculation, we show that the model of Eq. (12) has a malware-free equilibrium: . (13)

Where , , .

Clearly, the model of Eq. (12) admits a unique malware-free equilibrium on the boundary of the positively invariant set . A positive equilibrium of the model of Eq. (12) in the interior , if one exists, is called an endemic equilibrium [28], and denoted by .

5.1. Basic Reproductive Ratio and the Number of Diverse Software Packages

In mathematical epidemiology, one of the most fundamental concepts is the threshold that determines whether or not an infectious state can persist in the network. This threshold is called the basic reproductive ratio ( ). The global dynamics of the model is investigated by the basic reproductive ratio.

Definition 1. Basic reproductive ratio: For the MD-SEIRS-V model of Eq. (12), the basic reproductive ratio ( ) is equal to the average number of secondary infectious cases that are generated when one infectious case (infectious MD or computer) is introduced into a given network during the life cycle of malware infection. Hence, if < 1, the malware infection will be eradicated from the network, and if > 1, then the malware infection persists at the endemic level in the network [48]. The following proposition is based on the related work on the analysis of equilibria and stability, such as [27].

Proposition 1. If , then the model of Eq. (12) has the malware-free equilibrium , and if , then the model of Eq. (12) has the endemic equilibrium .

Now, to find , we apply the next-generation matrix method. In this method, the basic reproductive ratio is defined by the spectral radius of the next-generation operator [47]. Based on the concept of the next-generation matrix, the basic reproductive ratio of the model is , where denotes the spectral radius of the matrix G. Here, determines the new infections and determines transfers of infections between two states. is the malware-free equilibrium point, where . (14)

For computing , we consider only the compartments of the model of Eq. (12), . We rewrite differential equations of the compartments : . . (15) . . where: (16) .

In the matrix F; A, B and C are , and . Finally, we obtain A, B, and C at .

Now, we find the inverse of : . where, and . Then, the next-generation matrix is as follows: . (17)

We acquire the largest eigenvalue of the matrix, which is proportionate to the basic reproductive ratio, . The eigenvalues of are }. Hence: .

Now, we identify the critical number of distinct software packages that guarantees that an epidemic does not occur in the network when malware propagates. Hence, the critical number of diverse software packages that results in the absence of an epidemic is as follows: , (18) .

5.2. Stability of the Malware-Free Equilibrium

Stability is one of the most noticeable concepts in dynamic systems. The condition of stability determines whether a small perturbation away from equilibrium will increase or whether the model returns to the equilibrium point [48]. In this section, we show that the proposed model is locally as well as globally asymptotically stable at the malware-free equilibrium , when . And the local and global stability of the malware-free equilibrium are equivalent.

The following lemma and its proof are based on [32]:

Lemma 2: If , then the malware-free equilibrium is locally asymptotically stable.

Proof: For the linearization of the model of Eq. (12) at the malware-free equilibrium , the corresponding Jacobian matrix is , where and . The eigenfunction of is , where the matrix is identity matrix and is eigenvalue. Now, the local stability of is determined by the eigenvalues of the matrix . The equilibrium is locally asymptotically stable if all eigenvalues have negative real parts [32]. Since all eigenvalues are negative ( , , , , , , , ); thus the model of Eq. (12) is locally asymptotically stable at the malware-free equilibrium .

Now, let us examine the global stability of the malware-free equilibrium of the proposed model, and show that the local and global stability of malware-free equilibrium of the model are equivalent. The following lemma and its proof are based on [31, 28]:

Lemma 3: If , then the malware-free equilibrium of the proposed model is globally asymptotically stable.

Proof: Since at the first equation of the model of Eq. (12) becomes , it is impossible at any equilibrium to have . Similarly, at the sixth equation of the model of Eq. (12) becomes , this is also impossible to have at any equilibrium. If or , then it follows from the third or eighth equation of the model of Eq. (12) that and . Denote for any , , and , we have : . (19) . . .

Which can be rewritten as, . Let be the left eigenvector of the matrix associated with the eigenvalue , in other words, . With a Lyapunov candidate: . and derivative of L along solution of the model of Eq. (12), we have: , if

Moreover, the Lyapunov–Lasalle invariance principle [49] indicates that all paths in approach the largest positively invariant subset of the set B where [28]. If , then indicates , also, or , thus or for some , they are in the set B. If for some . Also, if , then from the eighth equation of the model of Eq. (12) and the initial conditions, we have as . Hence, from the fourth and first equation of the model of Eq. (12), as as , implies that . Similarly, we have for all j, also for some . If , then it follows from the second and sixth equation of the model of Eq. (12) that and as . Since the network is connected and each state in , then it comes from the second equation of the model of Eq. (12) that for all j, where is nonnegative. Then . Alternatively, it is sufficient to present that for all j. Also, if for some , then from the third equation of the model of Eq. (12) and the initial conditions, we get so . and and . Therefore . With the same arguments for the cases , and , we present that all solution paths in approach the malware-free equilibrium if , which means B is singleton { [28]. Thus, is globally asymptotically stable in .

As a result, the local and global stability of malware-free equilibrium of the proposed model are equivalent.

6. Numerical Simulations

In this section, we give a set of simulations to present the dynamical behaviors of the proposed model. Using numerical simulations, the solution of the model is illustrated and the analytic results are validated. In order to study the effects of the parameters on the malware spreading process, we use the epidemic model introduced in Section 4. The SFN model is created using the growth and preferential attachment features of the Barabási-Albert (BA) algorithm [50]. Here, the network size is 1000 nodes; the minimum degree is 3 and the maximum degree is 169. The total MDs number is ( ) and the average number of USB drives is ( ). The numerical simulations are done in MATLAB.

Figure 2 shows the power-law degree distribution for the BA model in SFNs. As shown in Figure 2, the node degree distribution in SFNs is heterogeneous. These networks are referred to as heterogeneous networks, which have few nodes of very high degree and many nodes of low degree.

Figure 3 shows the densities of susceptible ( ), exposed ( ), infected ( ), recovered ( ) and vaccinated ( ) nodes with the densities of susceptible MDs ( ), exposed MDs ( ) and infected MDs ( ). The values of parameters are given in Figure 3. Using the theoretical analysis, we calculate ( ) and determine the critical number of diverse software packages to prevent malware propagation. The assignment of diverse software packages is performed based on the coloring algorithm presented in [51]. Substituting the value of parameters into Eq. (18), we can obtain that the basic reproductive ratio is 0.9626 and the critical number of software packages is 1. As shown in Figure 3, when , then the model of Eq. (12) has the malware-free equilibrium point, and the malware-free equilibrium is globally asymptotically stable. For reaching the malware-free equilibrium without software diversity ( ), we set low values for the effective parameters in malware spreading, such as εh=0.01, εu=0.01, λuh=0.05, λhu=0.05, β=0.1, and high values for the recovery and vaccination rates ( , , , ). In this figure, the red line shows the status of the Ih-state at time t and the black dotted line indicates the status of MDs in the Iu-state. In the malware-free equilibrium, they tend to zero.

Figure 4 shows the dynamical behavior of the MD-SEIRS-V model when . In the malware-free equilibrium, the epidemic does not occur in the network and the infection is halted after a few time steps. The final results are shown after 100 time steps and the initial values of parameters are the same as in Figure 3. From Figure 4, we can see some numerical simulations at the malware-free stage. The simulation results show that the epidemic spreading is eradicated in the network after a few time steps; also, the and the are tending to 0. Figure 4(a), (b) and (c) represent the recovery of the and states from malware attack by anti-virus software. The effect of treatment (anti-virus) on the and the is detected in Figure 4(a), (b) and (c). Figure 4(d) shows the impact of vaccination on the , vaccination as a defense mechanism has a powerful impact in eradication of infection in the network.

Figure 5 shows the densities of computer nodes and MDs with respect to time. Here we increase the , , , and values to observe the dynamical behavior of the model. Other parameter values are the same as in Figure 3. Substituting the value of parameters into Eq. (18), will be obtained more than one. In other words, the malware infection will be persistent in the network. As shown in Figure 5, with increasing the , , , and values, the malware epidemic occurs in the network. Here, we need software diversity to achieve malware-free status. Using theoretical analysis and substituting the values of parameters into Eq. (18), we can obtain that the critical number of diverse software packages is 6 to ensure that malware propagation does not become an epidemic in the network. We assign six diverse software packages to the network’s nodes. By applying software diversity ( ), the value of will be less than one. Also, the malware will gradually disappear in the network. The results are shown in Figure 6.

Figure 6 shows the densities of computer nodes and MDs when software diversity is considered ( ). The final simulation results are shown after 100 time steps. As shown in Figure 6, the assignment of diverse software packages ( ) reduces malware propagation because the infected nodes are able to infect only susceptible nodes of the same type (with the same software packages), since the malware exploits a common vulnerability; these nodes can also infect the susceptible MDs. With assigning six diverse software packages to the network nodes , we obtain , which means the malware infection in the computer nodes and the MDs is eradicated and the malware-free equilibrium is obtained. The validation of the analytical model in Figure 5, with respect to is evidenced by numerical simulation in Figure 6.

Figure 7 shows the effects of the state transition parameters in the computer network nodes and the MDs to determine the dynamics of the model. These parameters change the values of and , and they are function of Ih and Iu with respect to time. The values of and are calculated using theoretical analysis and by substituting the value of parameters into Eq. (18); these values give us an indication for comprehending the malware propagation process in the model. From Figure 7, we can observe different spreading results by adjusting the parameters µu, µh, εh, εu, λuh, λhu, and β, which are introduced in Table 1. Furthermore, we can see the effects of the parameters on the density of infected nodes (Ih) and infected MDs (Iu) in the model of Eq. (12). Figure 7 (a) and (b) have the same parameter values. As shown in Figure 7 (a)(1) and (b)(1), when , we have the malware-free stage, because we decrease the effective parameters in malware spreading such as εh, εu, λuh, λhu, and β; thus the infection is removed faster. In this situation, the parameter values are the same as in Figure 3; with these parameter values, we obtain the malware-free equilibrium without software diversity ( ). The malware spreading disappears faster in (a)(1) than in (b)(1), because λuh and β are effective in terms of decreasing the density of infected nodes (Ih) and reducing the malware propagation speed. As seen in Figure 7 (a)(2) and (b)(2), when , the epidemic occurs in the network and we get the endemic equilibrium point because we increase the values of the effective parameters in malware propagation. In this situation, the peak value of Iu in (b)(2) is smaller than that of Ih in (a)(2), because the infectivity of a computer node is proportional to its degree, so malware propagates rapidly in Ih. Here, the parameter values are the same as in Figure 5; with these parameter values, we need six diverse software packages ( ) to get the malware-free equilibrium. In Figure 7 (a)(3) and (b)(3), we increase the death rate of nodes and MDs ( ); other parameter values are the same as in Figure 7 (a)(2) and (b)(2). With increasing the µu and µh values, the malware propagation process is smaller than in Figure 7 (a)(2) and (b)(2), and the value of is lower. But the malware epidemic is still in the network. For reaching the malware-free equilibrium stage, we should assign four distinct software packages ( ) to the network nodes.

Figure 8 shows the impact of diverse software packages ( ) on the malware propagation process in our model. The following results are obtained under the same parameter values with various numbers of software packages; the parameter values are the same as in Figure 5. We can see the impacts on the density of infected computer nodes and MDs. As shown in Figure 8, the results of the experiments indicate that increasing the number of diverse software packages ( ) reduces the density of infected nodes and MDs. In , we do not have software diversity; hence, epidemic spreading occurs in the network. As mentioned earlier, since the infectivity of each computer node is proportional to its degree, the peak value of Ih in (a) is longer than Iu in (b). With these parameter values, we calculate thus, we need to obtain the malware-free stage. In , the epidemic spreading is reduced, but not removed. In , the malware propagation is eradicated in the network after a few time steps. The density of infected MDs in (b) disappears faster than in (a). Generally, the decline speed in Figure 8 (a) is slower and the spread peak time in (a) is longer in comparison with Figure 8 (b).
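The diversity assignment used in these simulations (a BA network of 1000 nodes with minimum degree 3, packages assigned by a coloring algorithm, infection between computer nodes only along same-package links) can be inspected at the topology level. The following Python code is an added example, not the authors' MATLAB code or the algorithm of [51]: the greedy assignment rule, the random seed and all function names are assumptions, and it measures only how many links still join same-package nodes, not the basic reproductive ratio or the critical number from Eq. (18).

```python
import random
from collections import Counter


def ba_graph(n, m, seed):
    """Barabasi-Albert growth: a seed clique of m+1 nodes, then every new node
    links to m distinct existing nodes chosen with probability ~ degree."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    stubs = []  # node i appears once per incident link (preferential attachment)

    def link(u, v):
        adj[u].add(v)
        adj[v].add(u)
        stubs.extend((u, v))

    for u in range(m + 1):
        for v in range(u + 1, m + 1):
            link(u, v)
    for new in range(m + 1, n):
        targets = set()
        while len(targets) < m:
            targets.add(rng.choice(stubs))
        for t in sorted(targets):
            link(new, t)
    return adj


def assign_packages(adj, c):
    """Assumed greedy rule (not the algorithm of [51]): in node-arrival order,
    give each node the package least used among its already-assigned
    neighbours; ties go to the package least used overall."""
    package, usage = {}, [0] * c
    for node in sorted(adj):
        clash = Counter(package[nb] for nb in adj[node] if nb in package)
        best = min(range(c), key=lambda p: (clash[p], usage[p], p))
        package[node] = best
        usage[best] += 1
    return package


def monoculture_stats(adj, package):
    """Return (share of links joining same-package nodes,
    size of the largest connected same-package cluster)."""
    total = same = 0
    for u in adj:
        for v in adj[u]:
            if u < v:
                total += 1
                same += package[u] == package[v]
    seen, largest = set(), 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        stack, size = [start], 0
        while stack:  # depth-first walk restricted to same-package links
            u = stack.pop()
            size += 1
            for v in adj[u]:
                if v not in seen and package[v] == package[u]:
                    seen.add(v)
                    stack.append(v)
        largest = max(largest, size)
    return same / total, largest


def diversity_sweep(n=1000, m=3, max_c=6, seed=1):
    """Same network, c = 1..max_c packages: {c: (link share, largest cluster)}."""
    adj = ba_graph(n, m, seed)
    return {c: monoculture_stats(adj, assign_packages(adj, c))
            for c in range(1, max_c + 1)}


if __name__ == "__main__":
    for c, (share, cluster) in diversity_sweep().items():
        print(f"c={c}: same-package links {share:.3f}, largest cluster {cluster}")
```

Because every node in this construction has at most three earlier neighbours, the arrival-order rule leaves no same-package link once four packages are available. The paper's critical number comes from its mean-field basic reproductive ratio instead and is not reproduced by this measurement.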

7. Conclusions

In this paper, we introduced an SEIRS-V epidemic model of malware propagation that considers the mobile device (MD) malware propagation between computer nodes in scale-free networks (SFNs) and MDs. Almost all existing models of malware propagation do not consider the impact of mobile devices on epidemic spreading. Therefore, we proposed a new dynamic malware propagation model for MDs, which is named MD-SEIRS-V. We have also used diversification as an effective protection strategy on the computer nodes in the SFN to reduce malware propagation. With the aim of halting malware propagation and breaking up software monoculture, we have assigned diverse software packages to the network nodes using a coloring algorithm. During the malware propagation process, the network topology varies as nodes and MDs leave and join. The network topology is created based on the Barabási-Albert (BA) model with power-law degree distribution and it has an important role in malware spreading.

We have adapted the techniques of mathematical epidemiology (such as basic reproductive ratio, stability theory) to study the dynamical behavior of the model. Based on the basic reproductive ratio ( ), we derived the critical value of diverse software packages (i.e., ) to guarantee that a malware infection does not become an epidemic in SFNs. Furthermore, the dynamic behavior of the MD-SEIRS-V model is analyzed. As a result, the malware-free equilibrium is locally and globally asymptotically stable when ; otherwise, it is unstable when .

We have also conducted a series of numerical simulations to confirm the correctness of the analytical results. Moreover, we have studied the impacts of different parameters on the model. The simulation results showed that the dynamics of the model is completely governed by the basic reproductive ratio and the number of diverse software packages (i.e., ). As increases gradually, the basic reproductive ratio goes on decreasing and the permanency condition will become less. By assigning the , we obtained the malware-free equilibrium in the model. As the results indicated, the diversification and vaccination mechanisms reduce the malware propagation speed and the density of infected nodes in the network. In future, we intend to extend the study of diversification through automatic program transformation techniques for the assignment of diverse software packages. Also, we would like to acquire local stability and global stability of the endemic equilibrium in the proposed model.

References

[1] Nikolopoulos SD, Polenakis I. Preventing Malware Pandemics in Mobile Devices by Establishing Response-time Bounds. Journal of Information Security and Applications 2017; 37: 1–14.
[2] Friesz TL. Complex Networks and Dynamic Systems: Springer; 2013.
[3] Gherbi, A, Charpentier, R. Diversity-based approaches to software systems security. Communications in Computer and Information Science 2011; 259: 228-37.
[4] Yang Y, Zhu S, Cao G. Improving sensor network immunity under worm attacks: A software diversity approach. Ad Hoc Networks. 2016; 47: 26-40.
[5] Wen, S, Zhou, W, Wang, Y, Zhou, W, Xiang, Y. Locating defense positions for thwarting the propagation of topological worms. Communications Letters 2012; 16: 560-3.
[6] Dezső, Z, Barabási, A-L. Halting viruses in scale-free networks. Physical Review E 2002; 65:1-4.
[7] Li, J-q, Lou, J, Lou, M-z. Some discrete SI and SIS epidemic models. Applied Mathematics and Mechanics 2008; 29: 113-9.
[8] Chen T, Zhang X-s, Li H, Wu Y. Fast quarantining of proactive worms in unstructured P2P networks. Journal of Network and Computer Applications. 2011; 34(5):1648-59.
[9] Hazarika, GC, Bhattacharjee, A. Analysis of a malaria model with mosquito-dependent transmission coefficient for humans, Proceedings-Mathematical Sciences 2011; 121: 93-109.
[10] Zou, CC, Gong, W, Towsley, D. Code red worm propagation modeling and analysis. Proceedings of the 9th ACM Conference on Computer and Communications Security; 2009, p. 138-47.
[11] Kermack W. O, Mckendrick A. G. Contributions to the mathematical theory of epidemics. Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences 1927; 115:700-21.
[12] Zhang F, Li J, Li J. Epidemic characteristics of two classic SIS models with disease-induced death. Journal of Theoretical Biology. 2017; 424:73-83.
[13] Ren J, Xu Y. A compartmental model for computer virus propagation with kill signals. Physica A: Statistical Mechanics and its Applications. 2017; 486: 446-454.
[14] Posny D, Wang J. Computing the basic reproductive numbers for epidemiological models in nonhomogeneous environments. Applied Mathematics and Computation 2014, 242:473-490.
[15] Amoroso E. G. Cyber-attacks: protecting national infrastructure. Burlington, Massachusetts: Butterworth-Heinemann; 2012.
[16] Ou, R, Yang, J. On structural properties of scale-free networks with finite size. Physica A: Statistical Mechanics and its Applications 2012; 391: 887-94.
[17] Choromański, K, Matuszak, M, Miȩkisz, J. Scale-free graph with preferential attachment and evolving internal vertex structure. Journal of Statistical Physics 2013; 151: 1175-83.
[18] Pastor‐Satorras, R, Vespignani, A. Epidemics and immunization in scale‐free networks. Handbook of graphs and networks: from the genome to the internet 2005; 111-30.
[19] Crucitti, P, Latora, V, Marchiori, M, Rapisarda, A. Efficiency of scale-free networks: error and attack tolerance. Physica A: Statistical Mechanics and its Applications 2003; 320: 622-42.
[20] Klemm K, Eguiluz V. M. Growing scale-free networks with small-world behavior. Phys Rev E 2002; 65:57-102.
[21] Pastor-Satorras R, Castellano C, Van Mieghem P, Vespignani A. Epidemic processes in complex networks, Rev. Mod. Phys. 87, 2015; 925: 1-61.
[22] Massaro E, Bagnoli, F. Epidemic spreading and risk perception in multiplex networks a self-organized percolation method. Physical Review E. 90, 2014; 5: 1-8.
[23] Anderson R. M, May R. M. Infectious diseases of humans: dynamics and control. Oxford University Press; 1991.
[24] Grassly N, Fraser C. Mathematical models of infectious disease transmission. Nature Reviews Microbiology 2008; 6:477–487.
[25] Diaz H, Ramirez A, Olarte A, Clavijo C. A model for the control of malaria using genetically modified vectors. Journal of theoretical biology 2011, 276:57-66.
[26] Enatsu Y, Nakata Y, Muroya Y. Lyapunov functional techniques for the global stability analysis of a delayed SIRS epidemic model. Nonlinear Analysis: Real World Applications 2012, 13:21202133.
[27] Guillén JH, del Rey AM, Encinas LH. Study of the stability of a SEIRS model for computer worm propagation. Physica A: Statistical Mechanics and its Applications. 2017;479:411-21.
[28] Wang, Y, Cao, J. Global dynamics of a network epidemic model for waterborne diseases spread. Applied Mathematics and Computation 2014; 237: 474-88.
[29] Li, C-H, Tsai, C-C, Yang, S-Y. Analysis of epidemic spreading of an SIRS model in complex heterogeneous networks. Communications in Nonlinear Science and Numerical Simulation 2014; 19: 1042-54.
[30] Enatsu, Y, Messina, E, Nakata, Y, Muroya, Y, Russo, E, Vecchio, A. Global dynamics of a delayed SIRS epidemic model with a wide class of nonlinear incidence rates. Journal of Applied Mathematics and Computing 2012; 39: 15-34.
[31] Huang, G, Takeuchi, Y, Ma, W, Wei, D. Global stability for delay SIR and SEIR epidemic models with nonlinear incidence rate. Bulletin of mathematical biology 2010; 72: 1192-207.
[32] Mishra, BK, Keshri, N. Mathematical model on the transmission of worms in wireless sensor network. Applied mathematical modelling 2013; 37: 4103-11.
[33] Zhu G, Fu X, Chen G. Spreading dynamics and global stability of a generalized epidemic model on complex heterogeneous networks. Applied Mathematical Modeling 2012, 36:5808-5817.
[34] Kondakci, S, Dincer, C. Internet epidemiology: healthy, susceptible, infected, quarantined, and recovered. Security and Communication Networks 2011; 4: 216-38.
[35] Jackson, T, Salamat, B, Wagner, G, Wimmer, C, Franz, M. On the effectiveness of multi-variant program execution for vulnerability detection and prevention. Proceedings of the 6th International Workshop on Security Measurements and Metrics; 2010, p. 1-7.
[36] Nguyen-Tuong, A, Evans, D, Knight, JC, Cox, B, Davidson, JW. Security through redundant data diversity. Proceedings of the 38th IEEE/IFPF International Conference on Dependable Systems and Networks, Dependable Computing and Communications Symposium; 2008, p. 187-96.
[37] Portokalidis, G, Keromytis, AD. Fast and practical instruction-set randomization for commodity systems. Proceedings of the 26th Annual Computer Security Applications Conference; 2010, p. 41-8.
[38] Korel, B, Ren, S, Kwiat, K, Auguste, A, Vignaux, A. Improving operation time bounded mission critical systems' attack-survivability through controlled source-code transformation. Proceedings of the 4th international conference on Security of information and networks; 2011, p. 183-90.
[39] Rodes, BD, Nguyen-Tuong, A, Hiser, JD, Knight, JC, Davidson, JW. Defense against Stack-Based Attacks Using Speculative Stack Layout Transformation. Runtime Verification; 2013, p. 308-13.
[40] Jackson, T, Homescu, A, Crane, S, Larsen, P, Brunthaler, S, Franz, M. Diversifying the software stack using randomized NOP insertion. Moving Target Defense II;2013, p. 151-73.
[41] O'Donnell, AJ, Sethu, H. On achieving software diversity for improved network security using distributed coloring algorithms. Proceedings of the 11th ACM conference on Computer and communications security; 2004, p. 121-31.
[42] Liu, Y, Zhang, W, Bai, S, Wang, C. Defending sensor worm attack using software diversity approach. Proceedings of the 2rd International Conference on Communications (ICC); 2011, p. 15.
[43] Gherbi, A, Charpentier, R, Couture, M. Software diversity for future systems security. Journal of Defense Software Engineering 2011; 25: 10-3.
[44] Ossimitz, G, Mrotzek, M. The basics of system dynamics: discrete vs. continuous modelling of time. Proceedings of the 26th International Conference of the System Dynamics Society; 2008.
[45] Feng, L, Liao, X, Han, Q, Li, H. Dynamical analysis and control strategies on malware propagation model. Applied Mathematical Modelling 2013; 37: 8225-36.
[46] Blanchard P, Devaney R. L, Hall G. R. Differential Equations. Thomson Brooks/Cole Publishing Co, Belmont, CA, fourth ed.; 2006.
[47] Diekmann O, Heesterbeek J, Metz JA. On the definition and the computation of the basic reproduction ratio R 0 in models for infectious diseases in heterogeneous populations. Journal of mathematical biology 1990; 28: 365-82.
[48] Van den Driessche P. Reproduction numbers of infectious disease models. Infectious Disease Modelling. 2017; 2(3):288-303.
[49] LaSalle P. The stability of dynamical systems. CBMS-NSF Regional Conference Series in Applied Mathematics, SIAM, Philadelphia; 1976.
[50] Barabási, A-L, Albert, R, Jeong, H. Scale-free characteristics of random networks: the topology of the world-wide web. Physica A: Statistical Mechanics and its Applications 2000; 281: 69-77.
[51] Hosseini S, Azgomi MA, Rahmani AT. Malware propagation modeling considering software diversity and immunization. Journal of Computational Science. 2016;13:49-67.

Figures and Tables:

Iu

µu

µu

µu

Eh

Sh µh

Figure 1.

Su

Eu

R

Ih µh

µh

V

µh

µh

State transition diagram of the MD-SEIRS-V model

7

6

log(P(k))

5

4

3

2

1

0 0

Figure 2.

0.5

1

1.5

2

2.5 log(k)

Power-law degree distribution in BA model.

29

3

3.5

4

4.5

5

1.4 Sh Eh Ih R v Su Eu Iu

1.2

the densities of nodes

1

0.8

0.6

0.4

0.2

0

Figure 3.

0

10

20

30

40

50 time t

60

70

80

90

100

Dynamical behavior of the MD-SEIRS-V model without considering software diversity. Parameters: and

then

.

0.4 0.4 0.3

0.3 0.2

R

R

0.2 0.1

0.1

0

0 2

2 1

-4

x 10

Iu

1

-4

x 10 0

3.6

3.4

3.8

4.2

4 Su

4.4

4.6

4.8

5 -4 x 10

5.2

0

Iu

0.7

0.6

0.5

0.4

0.8

0.9

1

1.1

Sh

0.4

R

0.3 0.8

0.2

0.6 V

0.1

0.4 0

0 0.2

0.2 0 1.1

0.1 0 Ih

0.4

0.5

0.7

0.6

0.8

0.9

1

1.1

Sh

0.05 0.1 1

0.9

0.8

0.15 0.7

0.6

0.5

0.4

0.2

Ih

Sh

Figure 4. Dynamical behavior of the model in the malware-free equilibrium. (a) Dynamical behavior of SuIuRplane. (b) Dynamical behavior of ShIuR-plane. (c) Dynamical behavior of ShIhR-plane. (d) Dynamical behavior of IhShV-plane. Parameters: and then .

30

1.4 Sh Eh Ih R v Su Eu Iu

1.2

the densities of nodes

1

0.8

0.6

0.4

0.2

0

Figure 5.

0

10

20

30

40

50 time t

60

70

80

90

100

Dynamical behavior of the MD-SEIRS-V model. Parameters: and

then

.

Figure 6. Dynamical behavior of the MD-SEIRS-V model considering software diversity ( ). Parameters: and . [Plot not reproduced. Axes: the number of diverse software packages (horizontal), the densities of nodes (vertical). Curves: Sh, Eh, Ih, R, V, Su, Iu, Eu.]

Figure 7. The influence of the parameter values and the value of on the density of infected nodes (Ih) and infected MDs (Iu). (a) Dynamical behavior of the density of infected computer nodes (Ih), (1) when then and ; (2) when then and ; and (3) when then and . (b) Dynamical behavior of the density of infected MDs (Iu) with the same parameter values in (a). [Plots not reproduced. Axes: time t (horizontal), Ih in panel (a) and Iu in panel (b) (vertical). Legend: R0 = 0.8851, R0 = 5.6182, R0 = 3.5391; curves labelled (1), (2), (3).]

Figure 8. The influence of the diverse software packages on malware propagation. Parameters: and . (a) The density of infected computer nodes (Ih) with respect to time. (b) The density of infected MDs (Iu) with respect to time. [Plots not reproduced. Axes: time t (horizontal), infected computer nodes (Ih) in panel (a) and infected MDs (Iu) in panel (b) (vertical). Legend: c=1, c=3, c=6.]

Table 1. Parameters of the proposed model

Parameter | Description
C | Diverse software packages
 | The infection propagation rate of each infected node of the type c
 | The MD-malware propagation rate from MD to node
 | The MD-malware propagation rate from node to MD
 | The rate of latency-loss of latent or exposed nodes of the type c
 | The rate of latency-loss of latent or exposed MD
 | The rate of recovery of each infected node of the type c
 | The rate of recovery of each infected MD
 | The recovery loss rate for each node of the type c
 | The recovery loss rate for MD
 | The loss rate of immunity of the vaccinated nodes of the type c
 | The rate of vaccinating each susceptible node of the type c
 | The constant rate of logging into the system (birth rate)
 | The birth rate of MDs by adding into the USB
µh | The death rate, which may occur in S, E, I, R and V states by crashing of nodes or the replacement rate of the nodes
µu | The death rate of MDs by removing from the USB or the replacement rate of states
 | The average number of USB drives
N | Total number of nodes in the network
n | Total number of MDs