Modeling the propagation of mobile malware on complex networks

Modeling the propagation of mobile malware on complex networks

Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264 Contents lists available at ScienceDirect Commun Nonlinear Sci Numer Simulat journal homepage: ...
Download PDF
1MB Sizes 2 Downloads 148 Views
Report

Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

Contents lists available at ScienceDirect

Commun Nonlinear Sci Numer Simulat journal homepage: www.elsevier.com/locate/cnsns

Modeling the propagation of mobile malware on complex networks Wanping Liu a,∗, Chao Liu a, Zheng Yang a, Xiaoyang Liu a, Yihao Zhang a, Zuxue Wei b a b

College of Computer Science and Engineering, Chongqing University of Technology, Chongqing 400054, China College of Electronic and Information Engineering, Chongqing Three Gorges University, Chongqing 404100, China

a r t i c l e

i n f o

Article history: Received 2 November 2015 Revised 31 December 2015 Accepted 24 January 2016 Available online 3 February 2016 Keywords: Malware propagation Mobile network Complex network Network topology

a b s t r a c t In this paper, the spreading behavior of malware across mobile devices is addressed. By introducing complex networks to model mobile networks, which follows the power-law degree distribution, a novel epidemic model for mobile malware propagation is proposed. The spreading threshold that guarantees the dynamics of the model is calculated. Theoretically, the asymptotic stability of the malware-free equilibrium is confirmed when the threshold is below the unity, and the global stability is further proved under some sufficient conditions. The influences of different model parameters as well as the network topology on malware propagation are also analyzed. Our theoretical studies and numerical simulations show that networks with higher heterogeneity conduce to the diffusion of malware, and complex networks with lower power-law exponents benefit malware spreading. © 2016 Elsevier B.V. All rights reserved.

1. Introduction With the rapid worldwide adoption and innovation of mobile devices, the massive growth of mobile applications makes a significant influence on our economic and social life. Owing to the mobility of wireless devices, people are more convenient to handle business affairs, e.g., shopping online and immediately completing the payment via their smartphones. Unfortunately, the secure ecosystem of mobile devices is becoming a challenging problem. A large amount of vulnerabilities within mobile devices are usually exploited by cyber-criminals to compromise the integrity, confidentiality or availability of the system. In recent years attacks and threats occurred on mobile devices are frequently reported. Mobile malware refers to a new kind of malicious software programmed specifically to target mobile devices, such as smartphones or tablets. Cyber attacks by this type of malware present one of the most dangerous threats to the security and integrity of mobile telecommunications networks. Most of mobile malware is designed for malicious attackers to remotely control the device or to unknowingly steal valuable information stored in the device [1]. The Cabir and Commwarrior, for example, infected hundreds of thousands of smartphones at alarming speeds and the resulting malware epidemics cost both the public and the private sector a great amount of money. Attacks through Internet have become the subject of extensive empirical, theoretical and simulation studies. These investigations have greatly contributed to our understanding of the properties of malicious objects and have inspired the design ∗

Corresponding author. Tel.: +86 2362563072. E-mail address: [email protected] (W. Liu).

http://dx.doi.org/10.1016/j.cnsns.2016.01.019 1007-5704/© 2016 Elsevier B.V. All rights reserved.

250

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

of more effective immunization strategies to prevent and combat malware epidemics [2–4]. As mobile malware proliferates both in their volume and complexity, new models and strategies are necessary to prevent intrusions and to cope with their impact [5–7]. Motivated by the strong similarities between malicious codes and biological epidemics [8–11], some models and strategies implemented against infectious diseases are modified to study and fight malicious software [12–16]. However, all susceptible nodes in these models are considered to be homogeneous and are categorized into a single compartment called susceptible (S). This is not consistent with the real situation that the susceptible mobile devices are actually heterogeneous in terms of varying levels of security protection. Motivated by this fact, Liu et al. [17] made a more practical assumption that the immunization of different susceptible nodes against malware can be variable, and developed a new model, known as WSIS model, in which the whole susceptible nodes are further divided into two groups: strongly-protected and weakly-protected, depending on whether they have up-to-date real-time protection of security products or not. But, the effect of network topology on malware propagation is ignored in the above models. Complex networks, or scale-free networks, are confirmed to be ubiquitous in nature and society, such as biological networks, technological networks, social networks, and computer networks [18]. Specifically, they are a kind of networks that feature patterns of connection between their vertices that are neither purely regular nor purely random. That is, the nodeconnectivity of these networks follows a power law distribution [19]. Despite their relevance to many real-life phenomena the properties of these networks are much less studied than abstract graphs. By now, investigation of malware spreading in general mobile networks is in its infancy, and there have been very limited studies which address this problem. Like traditional malicious software, mobile malware can proliferate through dozens of different ways, such as Email networks, social networks, and communication networks. However, the difference is that mobile malicious objects can also spread using short-range radio transmissions (Bluetooth network and WiFi-based wireless ad hoc networks), because of the novel feature that Internet connectivity is not necessarily required for their spread. The transmission of malware comes through a contact or interaction between a susceptible and an infected node. It is confirmed that the topological characteristics of networks significantly affect malware propagation. The study of malware spread on complex networks is important as their topology provides a clear-cut example of the above mobile propagation networks [20]. In this work we introduce static complex networks to model the propagation networks and develop a novel mathematical model for the spread of mobile malware over mobile networks. The properties of malware epidemics in these networks are investigated via the theory of complex networks. Theoretical results and numerical simulations show that epidemic spreading in complex networks is significantly different from the previously studied epidemics in regular networks. The initial growth of the epidemic is significantly slower than the exponential growth observed for malware spreading in the fully-connected networks, and the epidemic prevalence exhibits a density-dependent critical threshold which is higher than the value predicted by the mean-field theory. We show that these differences are due to the network topology which characterizes these networks. 2. Model description We are devoted in this section to developing a new compartmental model for the spread of mobile malware. Before proceeding with the mathematical formulation, we briefly discuss the basic assumptions that guide the structural side of the proposed model. The practical networks over which mobile malware propagates are abstracted and described by graphs, where the nodes and links represent terminal devices connected to mobile/communication networks and communication links between them, respectively. In the sequel, the propagation networks are considered to be characterized by static complex networks whose node degrees are supposed to asymptotically follow a power law distribution, i.e., P (k ) ∼ k−r (r is a constant index) which means the probability of nodes with exact k neighbors. In our model, we neglect the details of malware infection. The total size of the network is considered to be fixed, and all the hosts are generally categorized as three groups: weakly-protected susceptible nodes (W-nodes), strongly-protected susceptible nodes (S-nodes), and infected nodes (I-nodes). From the perspective of complex network theory, our new model is intended to focus on the impact of network topology on the spread of malware. Thus, in order to deeply describe the evolutions of malware spread, each compartment is further divided into several sub-compartments corresponding to the node degree. For convenience, some notations and quantities are introduced as follows: (1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11)

: the maximum node degree of a static complex network, indicating that P (k ) = 0 for all k > . Wk (t): the number of W-nodes with degree k at time t. Sk (t): the number of S-nodes with degree k at time t. Ik (t): the number of I-nodes with degree k at time t. Nk (t): the number of nodes over the network with degree k at time t. That is, Nk (t ) := Wk (t ) + Sk (t ) + Ik (t ).  W(t): the number of W-nodes at time t, i.e., W (t ) = k Wk (t ).  S(t): the number of S-nodes at time t, i.e., S(t ) = k Sk (t ).  I(t): the number of I-nodes at time t, i.e., I (t ) = k Ik (t ). N(t): the total number of nodes at time t. That is, N (t ) := W (t ) + S(t ) + I (t ). wk (t ): the relative density of W-nodes with degree k at time t, i.e., wk (t ) = Wk (t )/Nk (t ). sk (t): the relative density of S-nodes with degree k at time t, i.e., sk (t ) = Sk (t )/Nk (t ).

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

251

Fig. 1. Transition diagram for the new complex-network model. The yellow circle represents weakly-protected susceptible nodes (marked by W), the green circle represents strongly-protected nodes (marked by S) and the red circle represents infected nodes (marked by I). (For interpretation of the references to color in this figure legend, the reader is referred to the web version of this article.)

(12) (13) (14) (15) (16) (17) (18)

ik (t): the relative density of I-nodes with degree k at time t, i.e., ik (t ) = Ik (t )/Nk (t ). w(t ): the density of W-nodes at time t, i.e., w(t ) = W (t )/N (t ). s(t): the density of S-nodes at time t, i.e., s(t ) = S(t )/N (t ). i(t): the density of I-nodes at time t, i.e., i(t ) = I (t )/N (t ). w(t ) = (w1 (t ), w2 (t ), . . . , w (t )). s(t ) = (s1 (t ), s2 (t ), . . . , s (t )). i(t ) = (i1 (t ), i2 (t ), . . . , i (t )).

Next, some parameters are introduced and several assumptions are also imposed, see also [17]. (A1) The parameter ε represents the probability that a weakly-protected susceptible node turns to be an S-node per unit time. (A2) The parameter α is the probability that a strongly-protected susceptible node turns back to be a W-node per unit time. (A3) The parameter βw represents the infection rate with which a W-node is successfully infected by an adjacent I-node per unit time. (A4) The parameter β s is the infection rate that an S-node is infected by an attached I-node per unit time, and βs < βw . (A5) Vigilant users are possible to find their mobile devices infected by malware through certain signs. Thus users with higher awareness are assumed to take measures to clear the malware of infected nodes, and install real-time updated security programs to protect their devices, making these I-nodes turn back into the S-compartment. Based on this, a parameter γ is introduced to depict the probability that an I-node enters the S-compartment per unit time. In our new model, we also assume that the probability that a communication link has an I-node as one endpoint does not depend on the degree of the other endpoint of the link and, thus, it is just a function of i(t ). Let (i(t )) denote this  probability and let k stand for the average node degree, i.e., k =  k=1 kP (k ). Through direct probabilistic calculations, we immediately obtain

(i(t )) =

 1  kP (k )ik (t ). k

(1)

k=1

Then, a W-node with degree k will be infected (per unit time) by a probability of 1 − [1 − βw (i(t ))]k ≈ kβw (i(t )), and thus the number of k−degree W-nodes being infected with a unit time is approximated by kβwWk (i(t )). Likewise, a S-node with degree k will be infected (per unit time) by a probability of 1 − [1 − βs (i(t ))]k ≈ kβs (i(t )), and thus the number of k−degree S-nodes being infected with a unit time is approximated by kβs Sk (i(t )). Based on the above basic assumptions, the dynamical transfer of the states of the nodes among the compartments is schematically shown in Fig. 1. Besides, all the parameters are considered to be constant. By applying the mean-field technique to the above assumptions, we get the following complex-network epidemic model of malware propagation

⎧ dWk (t ) ⎪ = −εWk (t ) + α Sk (t ) − βw kWk (t )(i(t )), ⎪ ⎪ ⎨ dt dSk (t ) = εWk (t ) − α Sk (t ) − βs kSk (t )(i(t )) + γ Ik (t ), ⎪ dt ⎪ ⎪ dI ( t ) ⎩ k = βw kWk (t )(i(t )) + βs kSk (t )(i(t )) − γ Ik (t ),

(2)

dt

where the initial states Wk (0), Sk (0), Ik (0) ≥ 0, k = 1, 2, . . . , . Remark 2.1. Compared with the WSIS model proposed in [17] which can only roughly depict the evolutions of three basic states, this new model is able to describe the evolutions of the number of each sub-compartment with a specific node degree.

252

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

In view of the assumption that, for every k, Nk (t ) = Wk (t ) + Sk (t ) + Ik (t ) is a constant, the second set of equations in system (2) can be ignored. For each k, dividing by Nk (t) the other two corresponding equations of the above system would yield an equivalent version of system (2) as

⎧ dw (t ) k ⎪ = α − (ε + α )wk (t ) − α ik (t ) ⎪ ⎪ ⎨ dt −βw kwk (t )(i(t )), 1 ≤ k ≤ , dik (t ) ⎪ ⎪ = k(βw − βs )wk (t )(i(t )) − γ ik (t ) ⎪ ⎩ dt +βs k(1 − ik (t ))(i(t )), 1 ≤ k ≤ ,

(3)

with initial conditions wk (0 ), ik (0 ) ≥ 0 and wk (0 ) + ik (0 ) ≤ 1, k = 1, 2, . . . , . The meaningful domain for system (3) is ∗ = {z = (z1 , z2 , . . . , z2 ) ∈ R2+ |z j + z j+ ≤ 1 for all 1 ≤ j ≤ }. 3. Epidemic threshold and equilibria A malware-free equilibrium point of system (3) refers to an equilibrium with all infection components being zero, i.e., ik (t ) = 0 for all k = 1, 2, . . . , . System (3) staying at such an equilibrium admits no infected nodes. Obviously, system (3) 0 always has a unique malware-free equilibrium E0 = (w0 , i )T = (w01 , . . . , w0 , i01 , . . . , i0 )T , where w0k = α /(ε + α ), i0k = 0, for k = 1, . . . , . In addition, a malware equilibrium of system (3) is defined as an equilibrium with at least one nonzero infection component. Specifically, system (3) staying at such an equilibrium admits at least one infected node. van den Driessche and Watmough [21] gave a method to compute the epidemic thresholds (sometimes also called the basic reproduction numbers) for a general class of compartmental dynamic models. Following this method, the epidemic threshold of system (3) is calculated as

R0 :=

k2  αβw + εβs , k γ (α + ε )

(4)

 2 where k2  =  k=1 k P (k ) which represents the second origin moment of the node degree. Next, we discuss the existence of the malware equilibrium of system (3). Lemma 3.1. Consider system (3). The following statements hold: (1) There exists no malware equilibrium if R0 ≤ 1. ∗ (2) There exists a unique malware equilibrium E∗ = (w∗ , i )T = (w∗1 , . . . , w∗ , i∗1 , . . . , i∗ )T , if R0 > 1, where

γ , 1 ≤ k ≤ , α k(βw − βs )∗ γ + βs k∗ + α + ε + βw k∗ ∗ α (1 − ik ) w∗k = , 1 ≤ k ≤ , ε + α + βw k∗ i∗k = 1 −

∗ is the unique positive root of the following equation: f (x ) =

 1  k k=1

γ

kP (k )γ + x − 1 = 0. α k(βw − βs )x + βs kx + α + ε + βw kx

(5)



Proof. Let E∗ = (w∗ , i ) = (w∗1 , . . . , w∗ , i∗1 , . . . , i∗ ) be a malware equilibrium of system (3). Then, there exists at leat one ∗ j ∈ {1, 2, . . . , } such that i∗j > 0, and so we have (i ) > 0, where the function  is defined by Eq. (1). By solving the system ∗

0 = −ε w∗k + α (1 − w∗k − i∗k ) − βw kw∗k (i ), k = 1, . . . , , ∗



0 = k(βw − βs )w∗k (i ) + βs k(1 − i∗k )(i ) − γ i∗k , k = 1, . . . , ,

we obtain

γ ∗ , α k(βw − βs )(i ) γ + βs k(i∗ ) + ∗ α + ε + βw k(i ) ∗ α ( 1 − i ) k w∗k = , ε + α + βw k(i∗ ) i∗k = 1 −

(6)

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

253



where k = 1, . . . , . Substituting (6) into the expression of (i ) yields

(i∗ ) =

 1  kP (k )i∗k k k=1

= 1−

 1  k k=1

γ

kP (k )γ . α k(βw − βs )(i∗ ) ∗ + βs k(i ) + ∗ α + ε + βw k(i )



Thus, (i ) is a positive root of Eq. (5). Through calculations, we can get the derivative of the function f(x) as



f (x ) = 1 −

α (βw − βs )(α + ε ) (α + ε + βw kx )2  2 . α k(βw − βs )x γ + βs kx α + ε + βw kx

2  k P (k ) 

γ k k=1

βs +

It can be seen that f (x) is strictly increasing for x > 0 and f (0 ) = 1 − R0 . Thus, if R0 ≤ 1, then f (0) ≥ 0 and f (x) > 0 for x > 0. Since f (0 ) = 0, Eq. (5) admits no positive root in the interval (0, 1). Hence, assertion (1) holds. Next, assume that R0 > 1. Then we have f (0) < 0, which indicates that there exists a sufficiently small δ > 0 such that f (x) < 0 for x ∈ [0, δ ). Because f (0 ) = 0, we have f(δ ) < 0. Then, it follows by f(1) > 0 that Eq. (5) has a unique positive root, denoted by ∗ , which falls in the interval (δ , 1). Hence, assertion (2) also holds. The proof is complete.  It follows by Lemma 3.1 that

i∗1 < i∗2 < · · · < i∗k < · · · < i∗ , and

lim i∗k = 1,

k→∞

which imply that the infection density increases with the degree of nodes, and the density would tend to a constant while the node degree goes to infinity. Moreover, this also indicates that devices of higher node degrees are more susceptible to infection than those of lower node degrees. To some extent, this coincides with the reality and motivates us to strengthen efforts to the protection of mobile devices of higher degrees.

4. Theoretical analysis of the model and numerical simulations In this section, we intend to study model (3) theoretically. The stability of the equilibria is examined.

4.1. Local stability of the malware-free equilibrium First, the following lemma is necessary for proving the local stability of the malware-free equilibrium E0 . Lemma 4.1. Denote a  ×  matrix



( 1 × 1 )P ( 1 ) ⎢ ( 2 × 1 )P ( 1 ) M = ⎢ .. ⎣ .

( × 1 )P (1 )

( 1 × 2 )P ( 2 ) ( 2 × 2 )P ( 2 )

.. . ( × 2 )P (2 )

... ... ...

⎤ (1 × )P () (2 × )P () ⎥ ⎥, .. ⎦ .

( × )P ()

 −r where  is the maximum node degree of the static complex network considered in this paper, P (k ) = k−r /  k=1 k , k = 1, . . . , . Then, we get that det(M − xE ) = (−x )−1 (k2  − x ), where E represents the  ×  identity matrix. The proof of Lemma 4.1 is simple. Certain algebraic calculations yield the recursive relationship, and the claimed result follows by induction on . By denoting z(t ) = (w(t ), i(t ))T , system (3) can be rewritten in matrix-vector notation as

dz(t ) = b + Bz(t ) + G(z(t )), dt

(7)

254

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

with the initial vector z(0 ) ∈ ∗ , and b = α (e , 0 )T ,e and 0 represent the -order unit vector and zero vector, respectively, and



− (α + ε ) ⎢ 0

⎢ ⎢ ⎢ ⎢ ⎢ ⎢ B=⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎣

0 − (α + ε )

··· ···

0 0

−α 0

0 −α

. . .

. . .

. . .

. . .

. . .

0 0

0 0

··· ···

− (α + ε ) 0

0

0

···

0

.. .

.. .

0

0

0

···

(1 × 2 )P (2 ) βks (2 × 2 )P (2 ) βks − γ

( × 1 )P (1 ) βks

( × 2 )P (2 ) βks

.. .

.. .

0

(1 × 1 )P (1 ) βks − γ (2 × 1 )P (1 ) βks

0

··· ···

0 0

. . . ··· ... ...

−α (1 × )P () βks (2 × )P () βks

.. .

.. .

...

( × )P () βks − γ



⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥, ⎥ ⎥ ⎥ ⎥ ⎥ ⎦

G(z(t )) = (i(t ))(g1 , g2 , . . . , g , g∗1 , g∗2 , . . . , g∗ )T ,

where g j = −βw jw j (t ), g∗j = j ((βw − βs )w j (t ) − βs i j (t )), j = 1, 2, . . . , , and E stands for the -order unit matrix. By denoting B11 = −(α + ε )E , B12 = −α E , B22 = βks M − γ E , then the matrix B can be written as



B=

B11 0



B12 . B22

Next, we will show that the meaningful domain ∗ of system (3) is invariant, and the following lemma is necessary, also see [22,23]. Lemma 4.2. Consider a system dx/dt = f(x ) which is defined at least in a compact set C. Then, C is invariant if, for every point y on ∂ C (the boundary of C), the vector f(y ) is tangent to or pointing into C. Then we have the following lemma which concerns the set ∗ . Lemma 4.3. The set ∗ is positively invariant for system (3). Proof. It suffices to show that z(0 ) ∈ ∗ implies z(t ) ∈ ∗ for all t ≥ 0. Note that ∂ ∗ (the boundary of ∗ ) consists of the following 3 hyperplanes:

V j = {z ∈ ∗ |z j = 0}, j = 1, 2, . . . , , H j = {z ∈ ∗ |z j+ = 0}, j = 1, 2, . . . , ,

Q j = {z ∈ ∗ |z j + z j+ = 1}, j = 1, 2, . . . , ,

which have j

φ j = {0, . . . , 0, −1, 0, . . . , 0}, j = 1, 2, . . . , , j+

ϕ j = {0, . . . , 0, −1, 0, . . . , 0}, j = 1, 2, . . . , , j

j+

ψ j = {0, . . . , 0, 1, 0, . . . , 0, 1 , 0, . . . , 0}, j = 1, 2, . . . , , as their outer normal vectors, respectively. Next, consider system (3), for j = 1, . . . , , calculations yield



 

dz |z∈V j , φ j dt dz |z∈H j , ϕ j dt

dz |z∈Q j , ψ j dt



= −α (1 − z j+ ) ≤ 0,

 = − j ((βw − βs )z j + βs )

1  kP (k )zk+ ≤ 0, k k = j

 = −ε z j − γ z j+ ≤ 0.

Hence, the claimed result follows by Lemma 4.2.  Next, the theorem below is devoted to prove the stability of the malware-free equilibrium E0 . Theorem 4.1. Consider system (3). The malware-free equilibrium E0 is locally asymptotically stable if R0 < 1.

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

255

Proof. The Jacobian matrix of system (3) evaluated at the malware-free equilibrium E0 is



B11 J= 0



B12 + T1 , B22 + T2

where

T1 = −

βw α (βw − βs )α M ,T = M . k(ε + α )  2 k(ε + α ) 

Note that B22 + T2 = ζ M − γ E , where

ζ=

αβw + εβs . k(ε + α )

Then, it follows by Lemma 4.1 that the characteristic equation of the above Jacobian matrix is



det(J − λE2 ) = det

B11 − λE 0

B12 + T1 B22 + T2 − λE



= det(B11 − λE ) det(B22 + T2 − λE )

= (−(α + ε ) − λ ) det(ζ M − (γ + λ )E ) = (−(α + ε ) − λ ) [−(γ + λ )]−1 ×(ζ k2  − γ − λ ) = 0. Obviously, this equation possesses a negative root λ1 = −(α + ε ) with multiplicity  and a negative root λ2 = −γ with multiplicity  − 1. Besides, there exists another root λ3 = ζ k2  − γ = γ (R0 − 1 ), which is obviously negative while R0 < 1. Thus, all roots of the characteristic equation have negative real parts, implying that E0 is locally asymptotically stable. The proof is complete.  4.2. Global stability of the malware-free equilibrium By letting y(t ) = (w(t ), i(t ))T − E0 , system (3) can be equivalently rewritten in matrix-vector notation as

dy(t ) = Ay(t ) + H(y(t )), dt

(8)

with the initial vector y(0 ) ∈  := {z − E0 |z ∈ ∗ }, and



A=

B11 0



B12 + T1 , ζ M − γ E

H(y(t )) = (y(t )) × (h1 , h2 , . . . , h , h∗1 , h∗2 , . . . , h∗ )T , where h j = −βw jy j (t ), h∗j = j ((βw − βs )y j (t ) − βs y j+ (t )), j = 1, 2, . . . , , and

(y(t )) =

 1  kP (k )yk+ (t ). k k=1

Note that y = 0 is an equilibrium point of system (8) which corresponds to the malware-free equilibrium E0 of system (3). Theorem 4.2. Consider system (3). The malware-free equilibrium E0 is globally asymptotically stable with respect to ∗ if

4 (βw − βs )(ε + α ) ≤ Ra := min { j2 P ( j )}, βs βw k 1≤ j≤

(9)

and

R0 ≤ Rb :=

2k2  . ( + 1 ) max1≤ j≤ { jP ( j )}

(10)

Proof. To confirm the global stability of the malware-free equilibrium E0 , it suffices to prove that the equilibrium point y = 0 of system (8) is globally asymptotically stable with respect to the region . Next, we denote y = (Y1T , Y2T )T , where Y1 = (y1 , . . . , y )T , Y2 = (y+1 , . . . , y2 )T . Consider the candidate function

L (y ) =

1 T Y Y1 + ηT Y2 . 2 1

where η = (η1 , . . . , η )T is a positive constant vector to be determined, and η j > 0, j = 1, 2, . . . , .

256

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

Note that y j+ (t ) = i j (t ) for each j = 1, . . . , . Thus, it follows clearly by y j+ (t ) ≥ 0 that L ≥ 0 and L = 0 if and only if y = 0 with respect to . That is, L is positive definite. The time derivative of L along an orbit of system (8) is

L |( 8 ) = Y1T

dY1 dY2 dy + ηT = (Y1T , ηT ) = (Y1T , ηT )(Ay + H(y )) dt dt dt



= (Y1T , ηT )



B11 B12 + T1 0ζ M − γ E



Y1 Y2

+ (Y1T , ηT )H(y )

= Y1T B11Y1 + Y1T (B12 + T1 )Y2 + ηT (ζ M − γ E )Y2 + (Y1T , ηT )H(y )

= −(α + ε )Y1T Y1 − αY1T Y2 + Y1T T1Y2 + ζ ηT MY2 − γ ηT Y2 + (Y1T , ηT )H(y ). It is easy to get that

−αY1T Y1 − αY1T Y2 −

 α

4

y2+ j = −α

j=1

 

(y2j + y j y+ j ) −

j=1

= −α

  

yj +

j=1

y + j 2

2

 α

4

y2+ j

j=1

≤ 0.

By certain calculations, we derive

Y1T T1Y2 + (Y1T , ηT )H(y )

βw α Y T M Y + (Y1T , ηT )H(y ) k(ε + α ) 1  2           βw α =− (y ) jy j + (y ) −βw jy2j + jη j (βw − βs )y j − βs y+ j ε+α j=1 j=1 j=1        βw α 2 = −(y ) βw jy j + (y ) jy j η j (βw − βs ) − − (y ) jη j βs y+ j . ε+α j=1 j=1 j=1 =−

By setting η j (βw − βs ) − βw α /(ε + α ) = 0, i.e.,

ηj =

βw α , (βw − βs )(ε + α )

(11)

we have

Y1T T1Y2 + (Y1T , ηT )H(y ) + (y )

 

jη j βs y+ j = −(y )

j=1

 

βw jy2j ≤ 0.

j=1

Following (11), we denote η j = τ , j = 1, . . . , . It follows by (9) that for each j = 1, . . . , , we have

4 4 2 α (βw − βs )(ε + α ) = ≤ min { j2 P ( j )} ≤ j P( j) τ βs βs βw k 1≤ j≤ k α τ βs τ βs 2 ≤ ⇒ min { j2 P ( j )} ≤ j P ( j ). 4 k 1≤ j≤ k Therefore, we get  α

4

j=1

y2+ j − (y )

 

jη j βs y+ j =

j=1

 α

4

y2+ j −

j=1

 τ βs  j2 P ( j )y2+ j 4 k j=1 j=1    α τ βs 2 − = j P ( j ) y2+ j ≤ 0. 4 k j=1



 α

   τ βs  jP ( j )y+ j jy+ j k j=1 j=1

y2+ j −

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

257

Fig. 2. Ra and Rb as functions of the maximum node degree  and the complex network index r.

Note that

Ru : = =

 2 2k2  2 j=1 j P ( j ) = ( + 1 ) max1≤ j≤ { jP ( j )} ( + 1 ) max1≤ j≤ { jP ( j )}     2 jP ( j ) 2 j ≤ j = 1. ( + 1 ) max{ jP ( j )} ( + 1 ) j=1

j=1

It follows by (4) and (10) that for every j = 1, . . . , , we have

2k2  k2  αβw + εβs = R0 ≤ k γ (α + ε ) ( + 1 ) max1≤ j≤ { jP ( j )} ζ ( + 1 ) ζ ( + 1 ) max { jP ( j )} ≥ jP ( j ). ⇒ γ ≥ 2

2

1≤ j≤

Thus, it follows by y j+ ≥ 0 for each j = 1, . . . ,  that

ζ ηT MY2 − γ ηT Y2 = ζ k(y )

 

jη j − γ

j=1

=

=

2  



jP ( j )y+ j − γ τ

j=1

ζ ( + 1 ) 2

j=1

η j y + j

j=1

 τ ζ ( + 1 ) 

τ

 



 

y + j

j=1

jP ( j ) − γ y+ j ≤ 0.

It follows by the above inequalities that

L |( 8 ) = −(α + ε )Y1T Y1 − αY1T Y2 + Y1T T1Y2 + ζ ηT MY2 − γ ηT Y2 + (Y1T , ηT )H(y )



= −εY1T Y1 −

αY1T Y1 + αY1T Y2 +

 +

Y1T T1Y2

 +

+(

Y1T ,

 α

4

y2+ j

+ (ζ ηT MY2 − γ ηT Y2 )

j=1

η )H(y ) + (y ) T



 

 jη j βs y+ j

j=1

 α

4

j=1

y2+ j − (y )

 



jη j βs y+ j

≤ 0.

j=1

Thus, we can derive that L ≤ 0 for all y ∈ . It is easily confirmed that L = 0 if and only if y = 0 with respect to . That is, L is negative definite. Therefore, y = 0 is globally asymptotically stable with respect to . The proof is complete.  Note that both Ra and Rb , defined in (9) and (4.2), respectively, are determined by the maximum node degree  and the network index r, which characterize a specific complex network. Next, the values of Ra and Rb as functions of  and r are shown in Fig. 2. It can be seen that both Ra and Rb are considerably affected by r. In Fig. 2(a), it is shown that for a given  the value of Ra reaches the peak when r is around 2, whereas it is shown in Fig. 2(b) that the value of Rb decreases with the increase of r.

258

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

Fig. 3. Time evolutions of the fractions of W-nodes and I-nodes of degree k, i.e., wk (t ) and ik (t), are shown for complex networks characterized by the parameters in Example 4.1.

4.3. Numerical simulations First, we present the formulae of w(t ), s(t ) and i(t) which are expressed by wk (t ), sk (t ) and ik (t), respectively. Note that

wk (t ) = then we get

Wk (t ) S (t ) I (t ) , s (t ) = k , i (t ) = k , Nk (t ) k Nk (t ) k Nk (t ) 

w(t ) =

k Wk

N 

s(t ) =

k

 i(t ) =

(t )



Sk (t ) = N

k Ik

N

(t )

k

= 

k

k sk

(t )Nk (t ) N

 =

wk (t )Nk (t )  = wk (t )P (k ), N

k ik

(t )Nk (t ) N

=



sk (t )P (k ),

k

=



ik (t )P (k ).

k

It has been proved in Theorem 4.1 that the malware-free equilibrium E0 of system (3) is locally stable. Besides, the global stability of E0 with respect to the meaningful region ∗ is also addressed in Theorem 4.2 under certain sufficient parameter conditions. Here, however, we will show that a lot of numerical experiments, such as the following Example 4.1, imply that the malware-free equilibrium E0 is globally asymptotically stable with respect to ∗ if R0 < 1. Example 4.1. Consider a complex network with  = 50, r = 1.5, and consider system (3) with parameters α = 0.04, ε = 0.02, βw = 5βs = 4 × 10−4 , γ = 0.03. In this case, it follows by (4) that R0 = 0.1833, which is less than unity. Thus, it follows by Theorem 4.1 that the malwarefree equilibrium E0 of system (3) is locally stable. Further calculations show that Rb = 0.1875 > R0 , i.e., condition (10) holds for this case, whereas condition (9) is not satisfied since Ra = 0.3137 < (1/βs − 1/βw )(ε + α ) = 600. Therefore, Theorem 4.2 is unable to theoretically guarantee the global stability of the malware-free equilibrium for this case. However, Fig. 3 below shows information about evolutions of the components of system (3) with parameters given in Example 4.1, where the initial values are randomly given. It can be seen that wk (t ), k = 1, . . . , 50 converge to the constant 0.6667, and ik (t ), k = 1, . . . , 50 finally tend to zero. In Fig. 4, the phase diagram of w(t ) and i(t) is shown for 30 different sets of randomly given initial values of system (3). It is clearly observed that all trajectories converge to the green point (0.6667, 0). Based on a large number of numerical simulations, such as Fig. 4, as well as Theorem 4.2, we present the following conjecture. Conjecture 4.1. Consider system (3). Then the malware-free equilibrium E0 is globally asymptotically stable with respect to ∗ if R0 < 1. In Fig. 5, we compare the evolutions of the new model (3) and the previous WSIS model proposed in [17]. The initial values are both randomly given by w(0 ) = 0.4, i(0 ) = 0.42. It can be seen that the number of infective nodes in the new

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

259

Fig. 4. Phase diagram of w(t ) and i(t) with 30 different sets of random initial values for system (3) with parameters given in Example 4.1.

Fig. 5. Comparison of the evolutions of W-nodes and I-nodes between the new model and the WSIS model with parameters in Example 4.1.

model decreases more quickly than that of the previous WSIS model, which is consistent to the fact that the propagation of malware is more rapid over fully-connected networks than complex networks. The following numerical example is designed to show the dynamics of the malware equilibrium E∗ . Example 4.2. Consider a complex network of  = 50, r = 1.5 and consider system (3) with parameters α = 0.04, ε = 0.02, βw = 5βs = 4 × 10−3 , γ = 0.01. In this case, it follows by (4) that R0 = 5.4984 (greater than unity). The initial values are randomly given. Fig. 6 and Fig. 7 show the evolutions of wk (t ), k = 1, . . . , 50 and ik (t ), k = 1, . . . , 50, respectively. It can be seen from Fig. 6 that all of wk (t )(k = 1, . . . , 50 ) finally tend to corresponding constants w∗k shown in Lemma 3.1, respectively. Likewise, Fig. 7 shows the evolutions of ik (t )(k = 1, . . . , 50 ) which also converge to corresponding constants i∗k given in Lemma 3.1, respectively. In the following Fig. 8, we also compare the new model (3) and the previous WSIS model proposed in [17]. The initial values for model (3) are randomly given, and w(0 ) = 0.4, i(0 ) = 0.42, which are same to those of the WSIS model. It can be seen that these two models have different malware equilibria. The number of infective nodes in the new model finally tends

260

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

Fig. 6. Time evolutions of wk (t ) of system (3) with parameters given in Example 4.2. The yellow dotted line illustrates the evolution of w(t ). (For interpretation of the references to color in this figure legend, the reader is referred to the web version of this article.)

Fig. 7. Time evolutions of ik (t) of system (3) with parameters given in Example 4.2. The red dotted line illustrates the evolution of i(t). (For interpretation of the references to color in this figure legend, the reader is referred to the web version of this article.)

Fig. 8. Comparison of the evolutions of W-nodes and I-nodes between our new model and the precious WSIS model about the malware equilibrium.

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

261

Fig. 9. Phase diagram of w(t ) and i(t) with 30 different sets of random initial values for system (3) with parameters given in Experiment 4.2.

to a smaller constant than the previous WSIS model, which implies the impact of network topology on the propagation of malware, i.e., malware spreads more rapidly over fully-connected networks than complex networks. Based on a large number of similar experimental results (e.g., Fig. 9) as well as Example 4.2, we present the following conjecture. Conjecture 4.2. Consider system (3). Then the malware equilibrium E∗ is globally asymptotically stable with respect to ∗ if R0 > 1. 5. Parameter analysis and numerical simulations This section is devoted to examining the effect of model parameters as well as the network topology on malware prevalence. To a certain degree, the practical meaning of the basic reproduction numbers of epidemic compartmental models reflects the spread of malware. Thus, analysis of the epidemic threshold may provide some insights to make appropriate measures to effectively inhibit or even control malware diffusion on networks. Next, we view the parameters γ , βw , βs , α , ε in (4) as variables, respectively. Then, it is easily observed by (4) that R0 is strictly decreasing with respect to γ , and R0 is strictly increasing with respect to βw or β s . For the parameters α and ε , straightforward calculations yield

∂ R0 k2  ε (βw − βs ) = > 0, ∂α k γ (α + ε )2 ∂ R0 k2  α (βs − βw ) = < 0. ∂ε k γ (α + ε )2 Thus, the threshold R0 is monotonically increasing with respect to the parameter α , while it is strictly decreasing with respect to the parameter ε . From the above analysis, we can infer the following conclusions: (1) Reducing the transition rate α , to some extent, could inhibit the spread of mobile malware. (2) Raising the transition rate ε is conducive to the inhibition of mobile malware. By viewing the parameters α and ε of (4) as variables, it follows by (4) that

R0 =

k2  αβw + εβs k2  βw + βs (ε /α ) k2  βw (α /ε ) + βs = = , k γ (α + ε ) k γ (1 + ε /α ) k γ (α /ε + 1 )

which implies

lim R0 =

α /ε→0

k2  βs k2  βw ≤ R0 ≤ lim R0 = . ε/α →0 k γ k γ

Next, some numerical experiments are designed to illustrate the above results.

262

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

Fig. 10. Evolutions of i(t) based on system (3) with varying γ and parameters given in Experiment 5.1.

Fig. 11. Evolutions of i(t) of system (3) with varying β s and parameters given in Experiment 5.2.

Experiment 5.1. Consider a complex network of  = 50, r = 1.5 and consider system (3) with parameters α = 0.04, ε = 0.02, βw = 5βs = 2 × 10−3 . Fig. 10 shows the evolutions of i(t) of system (3) with several different values of γ . As shown in Fig. 10, the values of i(t) finally converge to the corresponding equilibrium points at higher speeds as the parameter γ grows. Experiment 5.2. Consider a complex network of  = 50, r = 1.5 and consider system (3) with parameters α = 0.04, ε = 0.02, γ = 0.005. Fig. 11 shows the evolutions of i(t) of system (3) with several different values of βw and β s satisfying βw = 5βs . It can be seen from Fig. 11 that the values of i(t) converge to the corresponding equilibrium points at lower speed as the parameter β s decreases. The following experiment is devoted to showing the influence of network topology on malware propagation. Experiment 5.3. Consider system (3) with parameters α = 0.04, ε = 0.02, βw = 5βs = 2 × 10−3 , γ = 0.01, and consider a complex network of  = 50. The following Table 1 gives the values of R0 and other related quantities corresponding to some values of r, showing that they decrease with increasing of the index parameter r. To be more specific, Fig. 12 shows

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

263

Table 1 Several values of the threshold R0 and corresponding indicator values. r

R0

k

k2 

k2 /k

1.1 1.2 1.3 1.4 1.5

3.5646 3.3772 3.1780 2.9681 2.7492

9.7431 8.4832 7.3477 6.3436 5.4709

236.8002 195.3362 159.2116 128.3756 102.5491

24.3043 23.0262 21.6682 20.2371 18.7444

Fig. 12. Plot of i(t) of system (3) with parameters given in Experiment 5.3.

the evolutions of i(t) of system (3) with several different values of r shown in Table 1. It is manifest from Fig. 12 that the values of i(t) eventually converge to the corresponding equilibrium point at slower rates as the parameter r increases. It is also shown that a scale-free network with lower power-law exponent would benefit the spread of malware. 6. Conclusions In this paper, a new model is established for the propagation of a new class of malicious codes which specifically target mobile devices. Using the mean-field theory we investigated the epidemic spreading of such mobile malware over complex networks. We incorporated the network topology of these networks via a compartmental model proposed in [17], and also took into account the impact of user awareness on malware spread in these networks. Our studies show that malware epidemics over complex networks are greatly different from the previously studied epidemics in fully-connected networks. The epidemic threshold was found to be density dependent and for all densities considered significantly higher than the value predicted by the previous model. It is highly recommended that the antivirus software should be installed and updated regularly even if the mobile device systems are not noticeably infected. Furthermore, other measures, such as filtering and blocking suspicious messages with fire-wall should also be taken. An understanding of the propagation characteristics of malware attacks on complex networks is of great importance for the design of effective detection and prevention strategies for these networks. The work presented in this paper is a first step in this direction and, we hope, will inspire future empirical and theoretical investigations. From the perspective of complex network theory, our work presents an extensive study of epidemic spreading in the WSIS model, and highlights the important role that network topology and user security awareness play in dynamic processes of malware propagation over networks. Acknowledgments This research was funded by National Natural Science Foundation of China (grant nos. 11547148, 61503052), Research Project of Humanities and Social Sciences of Ministry of Education of China (grant no. 15YJC790061), and Project Supported

264

W. Liu et al. / Commun Nonlinear Sci Numer Simulat 37 (2016) 249–264

by Scientific and Technological Research Program of Chongqing Municipal Education Commission (grant nos. KJ1500904, KJ1500918, KJ1500920, KJ1500926). References [1] Lloyd A, May R. How viruses spread among computers and people. Science 2001;292(5520):1316–17. [2] Goldenberg J, Shavitt Y, Shir E, Solomon S. Distributive immunization of networks against viruses using the ‘honey-pot’ architecture. Nat Phys 2005;1(3):184–8. [3] Pastor-Satorras R, Vespignani A. Immunization of complex networks. Phys Rev E 2002;65(3), Article ID: 036104. [4] Song L, Jin Z, Sun G, Zhang J, Han X. Influence of removable devices on computer worms: dynamic analysis and control strategies. Comput Math Appl 2011;61:1823–9. [5] Gil S, Kott A, Barabási AL. A genetic epidemiology approach to cyber-security. Sci Rep 2014;4, Article ID: 5659. [6] Funka S, Gilad E, Watkins C, Jansen V. The spread of awareness and its impact on epidemic outbreaks. Proc Natl Acad Sci U S A 2009;106(16):6872–7. [7] Zhang C, Zhou S, Miller JC, Cox IJ, Chain BM. Optimizing hybrid spreading in metapopulations. Sci Rep 2015;5, Article ID: 9924. [8] Vespignani A. Complex networks: beyond enemy lines. Nat Phys 2005;1:135–6. [9] Wang X, Liu X, Xu W, Zhang K. Stochastic dynamics of HIV models with switching parameters and pulse control. J Frankl Inst 2015;352:2765–82. [10] Xu W, Wang X, Liu X. Effects of two types of noise and switching on the asymptotic dynamics of an epidemic model. Chin Phys B 2015;24, Article ID: 050204. [11] Wang X, Xu W, Liu X. Stochastic stability of stochastic switched epidemic models with constant and impulsive control schemes. Chaos Solitons Fractals 2015;78:185–93. [12] Mishra BK, Pandey SK. Dynamic model of worm propagation in computer network. Appl Math Model 2014;38:2173–9. [13] Liu W, Liu C, Liu X. A discrete dynamic model for computer worm propagation. In: Proceedings of the mathematics & statistics, vol. 150. Springer; 2015. p. 119–31. http://www.springer.com/us/book/9783319247458. [14] Piqueira JRC, de Vasconcelos AA, Gabriel CECJ, Araujo VO. Dynamic models for computer viruses. Comput Secur 2008;27:355–9. [15] Ahn I, Oh HC, Park J. Investigation of the c-SEIRA model for controlling malicious code infection in computer networks. Appl Math Model 2015;39:4121–33. [16] Mishra BK, Pandey SK. Fuzzy epidemic model for the transmission of worms in computer network. Nonlinear Anal Real World Appl 2010;11:4335–41. [17] Liu W, Liu C, Liu X, Ciu S, Huang X. Modeling the spread of malware with the influence of heterogeneous immunization. Appl Math Model 2016;40(4):3141–52. [18] Pastor-Satorras R, Vespignani A. Epidemic spreading in scale-free networks. Phys Rev Lett 2001;86(14):3200–3. [19] Pastor-Satorras R, Vespignani A. Epidemic dynamics and endemic states in complex networks. Phys Rev E 2001;63(6), Article ID: 066117. [20] Nekovee M. Worm epidemics in wireless ad hoc networks. New J Phys 2007;9, Article ID: 189. [21] van den Driessche P, Watmough J. Reproduction numbers and sub-threshold endemic equilibria for compartmental models of disease transmission. Math Biosci 2002;180(1–2):29–48. [22] Yorke JA. Invariance for ordinary differential equations. Theory Comput Syst 1967;1:353–72. [23] Lajmanovich A, Yorke JA. A deterministic model for gonorrhea in a nonhomogeneous population. Math Biosci 1976;28(3–4):221–36.