Application of Impulsive SIRQ Models for the Development of Forecasting and Cyberattack Mitigation Scenarios

Abstract

This paper proposes an impulsive SIRQ model for the analysis of computer network resilience against malware propagation and distributed denial-of-service (DDoS) attacks. The model extends classical epidemic frameworks by combining the continuous-time dynamics of malicious object spreading with discrete control actions corresponding to mass updates, node isolation, and access control policies. A qualitative analysis of the resulting system of impulsive differential equations is performed. The basic reproduction number ${\mathcal{R}}_0$, identified as a threshold parameter characterizing the intensity of attack propagation, and sufficient conditions for the global asymptotic stability of the infection-free state are established. It is shown that, under periodic impulsive control, the infection-free state can be stabilized with respect to the target population coordinates even when ${\mathcal{R}}_0>1$. An exponential decay estimate for the total active threat is derived, guaranteeing the asymptotic extinction of the infected and quarantined node populations. The proposed approach provides quantitative criteria for the effectiveness of impulsive cyber defense strategies and offers a theoretical foundation for the design of adaptive multi-layer protection systems for critical information infrastructures. Practical interpretation of the results illustrates the dependence of the critical impulsive control period on the model parameters and demonstrates the applicability of the approach to cybersecurity strategy design.

1. Introduction

Over recent years, cyberattacks against critical infrastructure have assumed a systemic character and evolved from isolated incidents into an integral component of hybrid threats. Energy systems, transportation networks, the banking sector, communication systems, and water and heat supply facilities are increasingly becoming targets of well-organized and technically sophisticated adversaries. Of particular concern are distributed denial-of-service (DDoS) attacks [1,2], which are capable of paralyzing the operation of critically important services within minutes, causing significant economic losses and large-scale social consequences.

Unlike traditional cyberattacks, which are typically aimed at data theft or unauthorized access, DDoS attacks primarily seek to disrupt service availability [3]. For critical infrastructure facilities, this entails the risk of halting production processes, losing control over technological systems, and experiencing disruptions in the supply of electricity, water, or heat, and in some cases poses a direct threat to human life and health. Consequently, cybersecurity in this domain acquires strategic importance and is no longer viewed solely as a technical issue, but rather as a transnational security challenge [4,5].

Modern attacks on critical infrastructure are characterized by a high degree of automation, the use of botnets comprising hundreds of thousands of compromised devices, and sophisticated techniques for masquerading as legitimate traffic [2]. This significantly complicates their timely detection by conventional filtering and monitoring mechanisms. Under these conditions, mathematical models are gaining increasing importance, as they make it possible not only to describe the dynamics of attack propagation within a network, but also to forecast its evolution and to assess the effectiveness of various defense strategies [6].

At present, the modeling of malicious object propagation in computer networks is increasingly carried out using methodologies borrowed from classical epidemiological models [7]. The spread of computer viruses, botnets, or DDoS agents exhibits a pronounced structural analogy with the dynamics of biological epidemics [8], which makes compartmental approaches—particularly SIR and SIRQ models—an effective tool for analysis and forecasting [6].

In the cybersecurity context, the variables $\mathcal{S}$ (Susceptible), $\mathcal{I}$ (Infected), $\mathcal{R}$ (Removed/Recovered), and $\mathcal{Q}$ (Quarantined) are interpreted as components of a network: in particular, $\mathcal{I}$ represents bots actively attacking a server, $\mathcal{S}$ denotes potential new bots, $\mathcal{Q}$ corresponds to blocked IP addresses, network segments, or VLANs, and $\mathcal{R}$ refers to cleaned and patched devices. Such a representation makes it possible to estimate the rate of malicious code propagation, identify critical thresholds (analogous to the epidemiological threshold ${\mathcal{R}}_0$), and forecast cyberattack development scenarios in real time [9].

However, the practical operation of a network is characterized by the presence of sudden and irregular influences that cannot be adequately captured within the framework of classical continuous models. Such influences include mass antivirus updates, forced reboots, the enforcement of isolation policies, traffic throttling, or other instantaneous mitigation measures. These effects are naturally described by so-called impulsive systems [10], which make it possible to model discrete control actions embedded within the continuous dynamics of threat propagation.

The application of impulsive approaches in SIR-type models enables the formulation of realistic cyberattack response scenarios. In particular, periodically or quasi-periodically acting impulses allow one to represent situations in which preventive or protective measures are applied irregularly but within certain constraints—for example, in the case of unscheduled updates, nonuniform security checks, or automated responses to traffic anomalies. The analysis of the existence and asymptotic stability of infection-free periodic or quasi-periodic solutions of such systems reflects the conditions under which a network can maintain functional stability [11,12] and return to a secure state after sudden impulsive perturbations. This constitutes an important component that qualitatively distinguishes the controllability of complex systems described by classical models with well-studied mathematical formalisms [13,14,15,16].

The use of such models is critically important for the development of adaptive cyberattack mitigation strategies and for forecasting their evolution [6]. They make it possible to:

• Assess network infection rates as a function of network topology and the security level of individual nodes [17];
• Evaluate the effectiveness of different types of impulsive control, ranging from mass updates to the isolation of individual segments [18];
• Develop resilience scenarios for critical infrastructure under conditions of repeated attacks [19];
• Model the behavior of malicious botnets and substantiate optimal intervention points [20];
• Forecast the consequences of large-scale DDoS campaigns in environments with varying densities of vulnerable IoT devices [21];
• Design multi-layered cyber defense systems based on principles of controllability and asymptotic stability [22].

Thus, extending epidemic models to incorporate impulsive periodic effects enhances their applied value and enables the development of realistic tools for risk forecasting and control in the field of cybersecurity. This approach combines the mathematical rigor of classical stability theory with the practical demands of modern complex telecommunication and information systems, and can be effectively employed in tasks related to planning, threat analysis, and the design of adaptive protection strategies for both epidemiological and cyber applications.

Analysis of epidemic cyber models is closely linked to the general theory of nonlinear dynamical systems. In particular, studies of the stability, threshold phenomena, and long-term behavior of solutions play a central role. Recent research in nonlinear dynamics has also addressed bifurcation phenomena in discrete population models. In particular, ref. [23] examines the stability, persistence, and bifurcation parameters of the Darwin–Ricker–Cushing model. While such studies reveal rich dynamical behavior of autonomous discrete nonlinear systems, cybersecurity models generally exhibit a hybrid impulsive structure with external control inputs, where the primary focus is on analyzing threshold conditions for stability and effective attack mitigation regimes.

Motivated by these approaches, this work proposes an impulsive SIRQ-type model designed to describe the interaction between malware propagation processes and periodic cybersecurity interventions. The model combines continuous infection dynamics with discrete protective actions corresponding to large-scale security operations, such as applying updates or isolating network nodes. The main emphasis of this study is on investigating conditions for system stability and determining the critical impulse control period, which indicates whether periodic protective measures can effectively suppress the propagation of cyberattacks.

2. Motivation and Problem Statement

In the proposed model, the entire set of network nodes is divided into two populations: an attacking population and a targeted population. It is natural to assume that the primary objective of an adversary is to identify as many vulnerable nodes as possible within the attacking population and subsequently exploit them to carry out an attack against a specified targeted population. In practice, the total size of the targeted population can be assumed to be constant. Accordingly, the loss of any infected nodes as a result of a DDoS attack is considered to be compensated through their recovery, cleansing from compromise (“infection”) in a quarantine mode, and subsequent return to the class of recovered target nodes [9]. This assumption ensures the constancy of the targeted population size throughout the entire modeling process.

Vulnerable nodes operate according to a dual scheme: on the one hand, they are used to discover new nodes for the subsequent propagation of the attack, and on the other hand, they are directly involved in attacks on target resources (Figure 1). At the same time, vulnerable nodes do not enter a state of permanent recovery and, after completing the corresponding stages, return to the susceptible class.

Since attacks on critical infrastructure facilities are typically extremely intensive and destructive, the target network resources must therefore be equipped with significantly more powerful protection and response mechanisms compared to conventional information systems.

In the model presented in Figure 1, the following system of variables and parameters is employed. The symbol S denotes the class of susceptible attacking nodes, i.e., nodes of the attacking population that have not yet been involved in the attack but may be compromised. The class $\mathcal{I}$ corresponds to infected attacking nodes that actively participate in the generation of malicious traffic and the execution of DDoS attacks.

The quantity ${\mathcal{S}}_t$ characterizes the number of susceptible target nodes that are in a normal operational state but may be affected by an attack. The variable ${\mathcal{I}}_t$ corresponds to infected target nodes whose functioning is disrupted as a result of a DDoS attack. The notation ${\mathcal{Q}}_t$ denotes target nodes that have been placed in a quarantine mode in order to localize the attack and carry out recovery measures. The class ${\mathcal{R}}_t$ describes recovered target nodes that, after cleansing and technical maintenance, have returned to normal operating conditions [9].

The parameter $\beta$ is the infection contact rate and determines the intensity of attack propagation in the network, proportional to the product of the numbers of susceptible and infected nodes. The parameter $\mu$ characterizes the natural rate of removal and admission of attacking nodes in the network, corresponding to node failures due to technical reasons and the appearance of new nodes, respectively. The parameter $\epsilon$ defines the rate at which infected attacking nodes return to the susceptible class, while the parameter ${\epsilon }_t$ describes the rate of immunity loss of recovered target nodes and their subsequent transition back to the susceptible class.

The intensity of transferring infected nodes into quarantine is determined by the parameter $\gamma$. The parameter $\eta$ characterizes the rate at which quarantined nodes, after undergoing recovery procedures, return to the class of recovered target nodes.

Note that the parameters $\beta$, $\delta$, $\eta$, $\epsilon$, $\mu$, and $\gamma$ are positive.

3. Impulsive SIRQ Model

Accordingly, the model can be mathematically represented by a system of differential equations of the form:

$$\left\{\begin{array}{c}\dot{{\mathcal{S}}_t}=-\beta {\mathcal{S}}_{\mathcal{t}}I+{\epsilon }_t{\mathcal{R}}_t,\\ \dot{{\mathcal{I}}_t}=\beta {\mathcal{S}}_t\mathcal{I}-\gamma {\mathcal{I}}_t, \\ \dot{{\mathcal{Q}}_t}=\gamma {\mathcal{I}}_t-\eta {\mathcal{Q}}_t, \\ {\dot{\mathcal{R}}}_t=\eta {\mathcal{Q}}_t-{\epsilon }_t{\mathcal{R}}_t. \end{array}\right.$$

(1)

Here, ${\mathcal{S}}_t+{\mathcal{I}}_t+{\mathcal{Q}}_t+{\mathcal{R}}_t=1.$

$$\left\{\begin{array}{c}\dot{\mathcal{S}}=\mu -\beta S\mathcal{I}+\mu S+\epsilon \mathcal{I},\\ \dot{\mathcal{I}}=\mu SI-\left(\mu +\epsilon \right)\mathcal{I}. \end{array}\right.$$

(2)

Here, $\mathcal{S}+\mathcal{I}=1.$

Eliminating from systems (1) and (2) ${\mathcal{R}}_t=1-{\mathcal{S}}_t-{\mathcal{I}}_t-{\mathcal{Q}}_t$ and $\mathcal{S}=1-\mathcal{I},$ we obtain

$$\left\{\begin{array}{c}\dot{{\mathcal{S}}_t}=-\beta {\mathcal{S}}_t\mathcal{I}+{\epsilon }_t\left(1-{\mathcal{S}}_t-{\mathcal{I}}_t-{\mathcal{Q}}_t\right),\\ \dot{{\mathcal{I}}_t}=\beta {\mathcal{S}}_t\mathcal{I}-\gamma {\mathcal{I}}_t, \\ \dot{{\mathcal{Q}}_t}=\gamma {\mathcal{I}}_t-\eta {\mathcal{Q}}_t, \\ \dot{\mathcal{I}}=\beta \left(1-\mathcal{I}\right)\mathcal{I}-\left(\mu +\epsilon \right)\mathcal{I}. \end{array}\right.$$

(3)

Let us put

$$\mathrm{\Omega }=\left\{P=\left\{{\mathcal{S}}_t, {\mathcal{I}}_t, {\mathcal{Q}}_t,\mathcal{I}\right\}\in {\mathbb{R}}_{+}^4 \right| {\mathcal{S}}_t+{\mathcal{I}}_t+{\mathcal{Q}}_t\le 1,\mathcal{I}\le 1\}.$$

An important indicator characterizing the epidemic threshold is ${\mathcal{R}}_0$, the value of which is determined by the ratio

$${\mathcal{R}}_0={\displaystyle \frac{\beta }{\mu +\epsilon }}.$$

Theorem 1 ([9]). 

For any initial data $P\left(0\right)\in \mathrm{\Omega }$, the solution $P\left(t\right)$ of system (3) exists in the interval $[0,+\mathrm{\infty })$ and satisfies $P\left(t\right)\in \mathrm{\Omega }$ for all $t\ge 0$.

If ${\mathcal{R}}_0\le 1$, then there exists a unique equilibrium point (infection-free) in the set $\mathrm{\Omega }$,

$$P_0^{*}=\left\{{\mathcal{S}}_t^{*}=1, {\mathcal{I}}_t^{*}=0, {\mathcal{Q}}_t^{*}=0, {\mathcal{I}}^{*}=0\right\},$$

which is globally asymptotically stable in $\mathrm{\Omega }$.

If ${\mathcal{R}}_0>1$, an avalanche-like propagation of the attack occurs. In this case, $P_0^{*}$ is unstable and another equilibrium point

$$P_0^{**}=\left\{{\mathcal{S}}_t^{**},{\mathcal{I}}_t^{*},{\mathcal{Q}}_t^{*},{\mathcal{I}}^{*}\right\}$$

with positive components (endemic equilibrium) emerges in $\mathrm{\Omega }$, which is globally asymptotically stable in $\mathrm{int}\mathrm{\Omega }$.

By modeling the processes of updating the corresponding antivirus software of the target node population as abrupt reductions in the number of vulnerable nodes at prescribed time instants, we arrive at an impulsive problem:

$${\left.∆{\mathcal{S}}_t\right|}_{t=t_n}= {\mathcal{S}}_t\left(t_n+0\right)-{\mathcal{S}}_t\left(t_n\right)=-b_n\mathcal{S}\left(t_n\right),$$

(4)

where $\left\{b_n\right\}\subset \left(\mathrm{0,1}\right),$ $\left\{t_n\right\}$ are the given values and moments of impulse disturbances, respectively.

We assume that the presence of the immunizing perturbation (4) can fundamentally alter the linear behavior of the solutions of system (3) described in Theorem 1.

In particular, when ${\mathcal{R}}_0>1$ and under certain conditions on the sequences $\left\{b_n\right\}$ and $\left\{t_n\right\}$, system (3), (4) admits an infection-free periodic solution $\bar{P}\left(t\right)$ that is asymptotically stable with respect to the subset of coordinates corresponding to the target nodes.

Let us consider the following problem (4):

$$\begin{gathered} 0<t_1<t_2<\cdots <t_p<T, \hspace{1em}{t}_{n+p}=t_n+T, \hspace{1em}n\ge 1, \\ {b}_{n+p}=b_n, \hspace{1em}n\ge 1. \end{gathered}$$

(5)

Theorem 2.

Under conditions (5), problem (3) admits a  $T$-periodic impulsive solution  $\overline{P}(t)=\{\overline{\mathcal{S}}(t), 0, 0, 0\}$, which is infection-free. Moreover,

$$\underset{t\ge 0}{\sup }\overline{\mathcal{S}}(t)\to 0, \hspace{1em}T\to 0.$$

(6)

Proof. 

Let us find $\overline{\mathcal{S}}\left(t\right)$ as a $T$-periodic impulse solution of the problem

$$\left\{\begin{array}{c}\dot{\mathcal{S}}=\epsilon \left(1-s\right), \\ {\left.∆\mathcal{S}\right|}_{t=t_n}=-b_{n}S\left(t_n\right). \end{array}\right.$$

(7)

System (7) is obtained from (3) for ${\mathcal{I}}_t\equiv 0$, ${\mathcal{Q}}_t\equiv 0$, $\mathcal{I}\equiv 0$. For convenience, we denote $\mathcal{S}={\mathcal{S}}_t$, $\epsilon ={\epsilon }_t$. On the interval of continuity $\left[\tau ,t\right]$

$$\mathcal{S}\left(t\right)=\left(\mathcal{S}\left(\tau \right)-1\right)e^{-\epsilon \left(t-T\right)}+1.$$

Therefore

$$\mathcal{S}\left(t_1+0\right)=\left[\left(\mathcal{S}\left(0\right)-1\right)e^{-\epsilon t_1}+1\right]\left(1-b_1\right)=\mathcal{S}\left(0\right)e^{-\epsilon t_1}\left(1-b_1\right)+{\alpha }_1,$$

where $0<{\alpha }_1<1-e^{-\epsilon t_1}$.

Next, we calculate $\mathcal{S}\left(t_2+0\right)$, $\mathcal{S}\left(t_3+0\right)$, etc. At the $p$-th step, we obtain

$$\mathcal{S}\left(t_p+0\right)=\mathcal{S}\left(0\right)e^{-\epsilon t_p}\prod _{i=1}^p\left(1-b_i\right)+{\alpha }_p,$$

where $0<{\alpha }_p<1-e^{-\epsilon t_p}$.

Therefore

$$\mathcal{S}\left(T\right)=\mathcal{S}\left(0\right)e^{-\epsilon T}\prod _{i=1}^p\left(1-b_i\right)+\left({\alpha }_p-1\right)e^{-\epsilon \left(T-t_p\right)}+1.$$

Then the initial data for the $T$-periodic solution $\overline{\mathcal{S}}\left(t\right)$ is determined in the following way:

$$\mathcal{S}\left(0\right)={\displaystyle \frac{\left({\alpha }_p-1\right)e^{-\epsilon \left(T-t_p\right)}+1}{1-e^{-\epsilon T}\prod _{i=1}^p\left(1-b_i\right)}}.$$

(8)

At the same time, from (8)

$$\mathcal{S}\left(0\right)<{\displaystyle \frac{1-e^{-\epsilon T}}{1-e^{-\epsilon T}\prod _{i=1}^p\left(1-b_i\right)}},$$

which means that $\mathcal{S}\left(0\right)\to 0$ when $T\to 0$. Then from (7) we deduce that $\forall \epsilon >0$ $\exists T^{*}>0$ $\forall T\in (0,T^{*})$

$$\overline{\mathcal{S}}\left(t\right)<\epsilon$$

for $\forall t\ge 0$.

Hence we have (6). □

Corollary 1.

In problem (7), the $T$-periodic solution $\overline{\mathcal{S}}\left(t\right)$ is asymptotically stable; that is, for any $\mathcal{S}\left(0\right)\in \left(\mathrm{0,1}\right)$, the corresponding solution $\mathcal{S}\left(t\right)$ of problem (7) satisfies:

$$\mathcal{S}\left(t\right)-\overline{\mathcal{S}}\left(t\right)\to 0, \hspace{1em}t\to \infty .$$

(9)

It is easy to see that for ${\mathcal{R}}_0>1$ the equilibrium position $\mathcal{I}=0$ of the fourth equation of system (3) is unstable. Moreover, for $\forall \mathcal{I}\left(0\right)\in \left(\mathrm{0,1}\right),$ $\forall t>0,$ $\mathcal{I}\left(t\right)\in \left(\mathrm{0,1}\right)$

$$\underset{t\to \infty }{\lim }\mathcal{I}\left(t\right)=1-{\displaystyle \frac{1}{{\mathcal{R}}_0}}.$$

Thus, it is fundamentally impossible to achieve asymptotic stability of $\overline{P}\left(t\right)=\left\{\overline{\mathcal{S}}\left(t\right),0,0,0\right\}$ with respect to all coordinates. However, from the standpoint of the original model, this is not required. It is essential to achieve asymptotic stability of the infection-free impulsive solution with respect to the first three coordinates, which correspond to the state of the target node population.

Definition 1.

The solution $\overline{P}(t)=\{\overline{\mathcal{S}}(t),0,0,0\}$ of problems (3), (4) is said to be asymptotically stable with respect to the variables $\left({\mathcal{S}}_t, {\mathcal{I}}_t, {\mathcal{Q}}_t\right)$ if for any $\epsilon >0$ there exists $\tau \ge T$ such that

$$\forall P\left(0\right)=\left\{{\mathcal{S}}_t\left(0\right),{\mathcal{I}}_t\left(0\right),{\mathcal{Q}}_t\left(0\right)\mathcal{I}\left(0\right)\right\}\in \mathrm{i}nt \mathrm{\Omega }$$

is true

$${\mathcal{S}}_t\left(t\right)<\overline{\mathcal{S}}\left(t\right)+\epsilon ,$$

$$\left|{\mathcal{I}}_t\left(t\right)\right|+\left|{\mathcal{Q}}_t\left(t\right)\right|<\epsilon .$$

Theorem 3.

Suppose that in problems (5), (6) the impulsive perturbation satisfies condition (5), and let $\overline{P}(t)=\{\overline{\mathcal{S}}(t),0,0,0\}$ be the corresponding infection-free impulsive periodic solution. Then there exists $T^{*}>0$ such that for $T<T^{*}$, the solution $\overline{P}(t)$ is asymptotically stable with respect to the variables $\left({\mathcal{S}}_t, {\mathcal{I}}_t, {\mathcal{Q}}_t\right)$ in the sense of Definition 1.

Proof. 

For fixed functions $\mathcal{I}\left(t\right)$, ${\mathcal{I}}_t\left(t\right)$, and ${\mathcal{Q}}_t\left(t\right)$, consider the impulsive problem associated with the first equation of system (3).

$$\left\{\begin{array}{c}\dot{{\mathcal{S}}_t}=-\beta {\mathcal{S}}_t\mathcal{I}+{\epsilon }_t\left(1-{\mathcal{S}}_t-{\mathcal{I}}_t-{\mathcal{Q}}_t\right),\\ {\left.∆\mathcal{S}\right|}_{t=t_n}=-b_{n}S\left(t_n\right), \end{array}\right.$$

(10)

$${\left.∆\mathcal{S}\right|}_{t=0}={\mathcal{S}}_t^0\in \left(0,1\right).$$

Since $\mathcal{I}\left(t\right)\ge 0$, ${\mathcal{I}}_t\left(t\right)\ge 0$, ${\mathcal{Q}}_t\left(t\right)\ge 0$, then

$$\forall t\ge 0,{\mathcal{S}}_t\left(t\right)\le \mathcal{S}\left(t\right),$$

(11)

where $\mathcal{S}\left(t\right)$ is the solution to (7), $\mathcal{S}\left(0\right)={\mathcal{S}}_t^0$, and therefore, according to Corollary 1 of Theorem 2

$$\mathcal{S}\left(t\right)-\overline{\mathcal{S}}\left(t\right)\to 0, \hspace{1em}t\to \infty .$$

(12)

Now, with fixed $\mathcal{I}\left(t\right)$, ${\mathcal{S}}_t\left(t\right)$, let us consider the second and third equations of system (3)

$$\left\{\begin{array}{c}\dot{{\mathcal{I}}_t}=\beta {\mathcal{S}}_t\mathcal{I}-\gamma {\mathcal{I}}_t,\\ \dot{{\mathcal{Q}}_t}=\gamma {\mathcal{I}}_t-\eta {\mathcal{Q}}_t, \end{array}\right.$$

(13)

$${\mathcal{I}}_t\left(0\right)={\mathcal{I}}_t^0\in \left(0,1\right), \hspace{1em}{\mathcal{Q}}_t\left(0\right)={\mathcal{Q}}_t^0\in \left(0,1\right).$$

Since system (13) is cooperative, then by Kamke’s theorem

$$0\le {\mathcal{I}}_t\left(t\right)\le Y\left(t\right), \hspace{1em}0\le {\mathcal{Q}}_t\left(t\right)\le Z\left(t\right),$$

where $\left\{Y\left(t\right),Z\left(t\right)\right\}$ is the solution of the system

$$\left\{\begin{array}{c}\dot{Y}=\beta S\left(t\right)Z-\gamma Y,\\ \dot{Z}=\gamma Y-\eta Z, \end{array}\right.$$

(14)

$$Y\left(0\right)={\mathcal{I}}_t^0, \hspace{1em}Z\left(0\right)={\mathcal{Q}}_t^0.$$

where $\mathcal{S}\left(t\right)$ satisfies (12).

Then for sufficiently large $t$

$$\begin{gathered} {\displaystyle \frac{d}{dt}}\left(2Y\left(t\right)+Z\left(t\right)\right)=2\beta \mathcal{S}\left(t\right)Z-\gamma Y-\eta Z \\ =-{\displaystyle \frac{\gamma }{2}}·2Y-\left(\eta -2\beta \mathcal{S}\left(t\right)\right)Z\le \lambda \left(2Y+Z\right), \end{gathered}$$

(15)

where $\lambda =\min \left\{{\displaystyle \frac{\gamma }{2}},{\displaystyle \frac{\epsilon }{2}}\right\}$, if $T^{*}$ is chosen so that for $T<T^{*}$

$$\underset{t\ge 0}{\sup }\overline{\mathcal{S}}\left(t\right)<{\displaystyle \frac{\epsilon }{4\beta }}.$$

(16)

Thus, $\forall t\ge 0$

$${\mathcal{I}}_t\left(t\right)+{\mathcal{Q}}_t\left(t\right)\le K·\left({\mathcal{I}}_t\left(0\right)+{\mathcal{Q}}_t\left(0\right)\right)e^{-\lambda t},$$

(17)

where $K>0$ is some constant.

Then from (11), (12), (17) we have the desired result. □

4. Discussion

It should be noted that estimate (17) formalizes the requirement of the functional resilience of an information system subjected to aggressive adversarial interference. Even for ${\mathcal{R}}_0>1$ (which corresponds to a natural tendency toward avalanche-like growth of a botnet), properly organized periodic impulses (updates, blocking, and segmentation) ensure exponential reduction of the active component of the attack within the target population (Figure 2).

The left-hand side of inequality (17), ${\mathcal{I}}_t\left(t\right)+{\mathcal{Q}}_t\left(t\right)$, describes the total “active threat” to the target network, comprising active bots $I_t$ and isolated but not-yet-recovered nodes $Q_t$. The factor $e^{-\lambda t}$ guarantees that, under appropriately selected impulsive control (mass updates or node isolation applied with period $T<T^{*}$), the active threat decays at an exponential rate.

The parameter $\lambda =\min \left\{{\displaystyle \frac{\gamma }{2}},{\displaystyle \frac{\epsilon }{2}}\right\}$ reflects the “bottleneck” in the defense mechanism:

• If $\gamma$ is small, the network is characterized by slow isolation processes (IDS/IPS/IDPS and SOC respond sluggishly);
• If $\epsilon$ is small, rapid loss of immunity is observed (outdated patches, policies, etc.).

The constant $K$ aggregates the initial conditions and the comparison inequalities (Kamke conditions); in practical terms, it represents the model’s safety margin.

In Figure 2, the red dashed line depicts the “teeth,” corresponding to the moments of impulsive intervention $t_n$, when software updates or isolation measures lead to an abrupt reduction in the number of infected nodes. The pink dashed line visualizes estimate (17). It demonstrates that, provided the impulse frequency is sufficiently high ($T<T^{*}$), the attack is guaranteed to decay, regardless of any attempts by adversaries to propagate it. Overall, Figure 2 shows that over time the system converges to an infection-free state (the values tend toward zero), which constitutes the objective of protection.

In this way, estimate (17) provides a quantitative guarantee of exponential suppression of the active phase of a DDoS attack in the target network under properly configured impulsive control, which directly corresponds to the engineering requirements for the resilience of critical infrastructure services. Moreover, estimate (17) establishes a necessary condition for ensuring the functional resilience of a critical infrastructure information system and for designing multi-layered defense systems for it.

5. Applied Interpretation of Model Results

To illustrate the practical relevance of the derived theoretical results, we consider an example involving the estimation of the critical impulse control period $T^{*}$, which defines the maximum allowable interval between successive preventive measures (such as security updates, system inspections, and node isolation) necessary to maintain the stability of the infection-free state within the network.

Within the model framework, the parameters can be interpreted in cybersecurity terms as follows:

• $\beta$—the infection rate of nodes, indicating the speed of propagation of malicious code or a botnet;
• $\gamma$—the rate of the detection and isolation of infected nodes, reflecting IDS/IPS or SOC effectiveness;
• $\eta$—the recovery rate of isolated nodes;
• $\epsilon$—the rate of immunity loss, corresponding to patch or security-policy obsolescence.

The stability of the infection-free state is maintained as long as the impulse control period $T$ does not exceed the critical value $T^{*}$, which defines the maximum allowable interval between successive cybersecurity measures. For modern corporate and cloud infrastructures, typical parameter estimates are: $\beta \approx 0.4-0.6$ (infection intensity), $\gamma \approx 0.3-0.5$ (detection rate), $\eta \approx 0.2-0.4$ (recovery rate), and $\epsilon \approx 0.05-0.1$ (rate of immunity loss). These values reflect typical operational scenarios, including the rapid propagation of IoT botnets, delays in SOC response, and regular, though not instantaneous, system recovery.

Based on the established stability conditions, the critical impulse control period can be estimated as

$$T^{*}\approx {\displaystyle \frac{1}{\beta -\gamma }}$$

(18)

under the condition $\beta >\gamma$, that is, when the natural rate of attack propagation exceeds the rate of localization.

For instance, with parameter values $\beta =0.5, \gamma =0.35$, the critical impulse control period is estimated as

$$T^{*}\approx {\displaystyle \frac{1}{0.15}}\approx 6.7.$$

If one unit of time in the model corresponds to one day, this yields $T^{*}\approx 6–7 \mathrm{days}.$

The results indicate that preventive measures (such as security updates, node inspections, and network segmentation) should be performed at least once per week. Accordingly, the mathematical model corroborates the practical relevance of widely implemented cybersecurity practices, including weekly patch cycles, regular network scans, and periodic mass isolation policies.

The estimated critical impulse control period provides a basis for formulating quantitative recommendations for network cyber defense. Specifically, it defines the maximum allowable interval between preventive measures that ensures attenuation of the active phase of an attack and maintenance of the infection-free state of target infrastructure.

The parameter values presented in

Table 1. Typical parameters of the SIRQ model for different types of network infrastructures.

Network Type	$\mathbf{Infection} \mathbf{Intensity}, \mathit{\beta }$	$\mathbf{Isolation} \mathbf{Rate}, \mathit{\gamma }$	$\mathbf{Recovery} \mathbf{Rate}, \mathit{\eta }$	$\mathbf{Loss} \mathbf{of} \mathbf{Immunity}, \mathit{\epsilon }$	Comments
Corporate (Enterprise)	0.40–0.60	0.30–0.45	0.20–0.35	0.05–0.10	SOC and IDS enable relatively rapid incident localization
Cloud Infrastructure (Cloud)	0.35–0.50	0.40–0.60	0.30–0.50	0.04–0.08	Automated mechanisms for scaling and isolation
IoT Networks	0.60–0.90	0.10–0.25	0.10–0.20	0.10–0.20	Weak segmentation and slow device updates
Critical Infrastructure	0.30–0.45	0.20–0.35	0.15–0.30	0.03–0.07	High reliability requirements, but complex update procedures

and

Table 2. Estimation of the critical impulse control period $T^{*}$.

Network Type	$\mathbf{Typical} \mathbf{Values} (\mathit{\beta }, \mathit{\gamma })$	$\mathbf{Estimated} ({\mathit{T}}^{\mathit{*}})$ (Model Time Units)	Practical Interpretation
Enterprise	(0.5, 0.35)	≈6.7	Security updates and system checks every 5–7 days
Cloud	(0.45, 0.50)	The system is naturally stable	Automated protection mechanisms can contain propagation without regular mass impulses
IoT	(0.8, 0.2)	≈1.7	Daily or near-daily monitoring and checks are required
Critical Infrastructure	(0.4, 0.3)	≈10	Weekly or bi-weekly control cycles are sufficient

were derived by generalizing empirical estimates from studies of cyber incidents, SOC operational statistics, and vulnerability management practices [24,25,26,27,28,29,30].

Infection Intensity ($\mathit{\beta }$). The propagation rate of malicious code largely depends on infrastructure type. For instance, IoT botnets demonstrate rapid growth and active spread in networks with a large number of unprotected devices. This supports the use of relatively high values, $\beta \approx 0.6-0.9$, for IoT networks, and lower values for segmented corporate systems [24].

Detection and Isolation Rate ($\mathit{\gamma }$). Industry SOC performance indicators suggest that the average incident detection time in most organizations ranges from several hours to several days, while in mature SOC environments, it may be under one hour. For DDoS attacks, network traffic anomalies can be detected in approximately 15 min, with full containment typically achieved within about two hours. These observations correspond to parameter values of $\gamma \approx 0.3-0.6$ on a time scale where one unit approximates one day [25,26,27].

Recovery R ate ($\mathit{\eta }$). System recovery after an incident typically takes from several hours to several days, depending on infrastructure complexity and response procedures. In the model, values of $\eta \approx 0.2-0.5$ are assumed [27,28].

Loss of Immunity ($\mathit{\epsilon }$). This parameter reflects the emergence of new vulnerabilities or obsolescence of applied patches. Studies indicate that the average vulnerability remediation time is approximately 33–35 days, while a substantial proportion of systems remain unpatched for extended periods. These conditions correspond to relatively small values, $\epsilon \approx 0.03-0.1$ [29,30].

The presented tables indicate that the critical impulse control period $T^{*}$ depends significantly on the architecture of the network. IoT networks exhibit the smallest values of $T^{*}$, which implies the necessity of very frequent security measures. Corporate systems demonstrate $T^{*}$ values of approximately one week, which is consistent with typical patch management cycles. Cloud infrastructures may be naturally stable due to automated isolation mechanisms. Critical infrastructure allows a larger interval between impulses, but requires stricter change control procedures.

Thus, the model makes it possible to obtain quantitative recommendations regarding the periodicity of cybersecurity measures, which are consistent with modern practices of network security management.

Figure 3 illustrates that as the infection intensity $\beta$ increases, indicating faster attack propagation, the critical period $T^{*}$ decreases sharply. This implies that preventive measures must be performed more frequently. Conversely, as the detection and isolation rate $\gamma$ increases, $T^{*}$ also increases, indicating that the system can tolerate longer intervals between impulses. Furthermore, when $\beta \to \gamma$, $T^{*}\to \mathrm{\infty }$, which signifies that the system becomes naturally stable, as attack propagation is effectively counterbalanced by isolation mechanisms.

The surface (Figure 4) is defined by the function (18) on condition $\beta >\gamma$. As $\beta \to \gamma$, the critical period $T^{*}\to \mathrm{\infty }$, indicating that the system is naturally stable, as the rate of attack localization compensates for propagation. When $\beta$ significantly exceeds $\gamma$ ($\beta -\gamma \uparrow$), $T^{*}\downarrow$ decreases, implying that cybersecurity measures must be implemented more frequently. Conversely, as $\gamma$ increases, reflecting faster responses by IDS/IPS, automated blocking, or SOAR systems, $T^{*}$ also increases, allowing the system to tolerate less frequent impulse interventions.

The surface $T^{*}(\beta ,\gamma )$ effectively provides a map of optimal cybersecurity measure frequency. For example,

Table 3. Interpretation of cybersecurity measures for different network classes.

Network Type	$\mathbf{Typical} \mathbf{Values} (\mathit{\beta }, \mathit{\gamma })$	$\mathbf{Estimated} ({\mathit{T}}^{\mathit{*}})$ (Model Time Units)	Practical Interpretation
Enterprise	(0.5, 0.35)	≈6.7	Security updates and system checks every 5–7 days
Cloud	(0.45, 0.50)	The system is naturally stable	Automated protection mechanisms can contain propagation without regular mass impulses
IoT	(0.8, 0.2)	≈1.7	Daily or near-daily monitoring and checks are required
Critical Infrastructure	(0.4, 0.3)	≈10	Weekly or bi-weekly control cycles are sufficient

presents an interpretation of this surface for different system types.

In summary, the applied interpretation of the impulsive SIRQ model demonstrates the direct relevance of theoretical results to practical cybersecurity management. Analysis provides quantitative estimates of the critical impulse control period $T^{*}$ across different network architectures, i.e., IoT networks, corporate systems, and critical and cloud infrastructures. The model offers a basis for evidence-based cybersecurity strategies to maintain infection-free states and mitigate the propagation of cyberattacks.

It is worth noting that, while analogous bifurcation analyses have been conducted in ecological population models, such as the Darwin–Cushing model studied by Mokni and Ch-Chaoui [23], which examines single- and two-parameter bifurcations including Neimark–Sacker and period-doubling phenomena arising from intrinsic nonlinear feedback mechanisms, the hybrid impulsive epidemic-type system considered here operates under a fundamentally different regime. System behavior is primarily governed by threshold parameters and external control actions, and the direct application of classical bifurcation structures from discrete ecological models to cybersecurity contexts requires specific theoretical extensions, which may be addressed in future research.

6. Conclusions

This paper proposes an impulsive SIRQ model that generalizes classical epidemic approaches to the analysis of cyberattacks and integrates continuous dynamics of malware propagation in a network with discrete control actions representing mass updates, node isolation, and enforcement of access policies. Such an approach provides an adequate mathematical description of real-world response mechanisms to large-scale viral and DDoS attacks.

The fundamental role of the basic reproduction number ${\mathcal{R}}_0$ is established as a threshold parameter determining attack dynamics: for ${\mathcal{R}}_0\le 1$, the infection-free equilibrium is globally asymptotically stable, whereas for ${\mathcal{R}}_0>1$, the system admits an endemic regime with a nonzero fraction of infected nodes.

The application of periodic impulsive control actions enables stabilization of the infection-free state with respect to the target population even when the threshold value ${\mathcal{R}}_0$ is exceeded. Such stabilization constitutes a practically sufficient condition for ensuring the availability of critical services and maintaining the functional resilience of network infrastructure under large-scale attacks.

The derived estimate (17) establishes exponential decay of total active threat ${\mathcal{I}}_t+{\mathcal{Q}}_t$ with rate $\lambda$, which admits clear applied interpretation in terms of the isolation rate of infected nodes and level of immunity retention in recovered systems. This result gives a quantitative guarantee of the effectiveness of impulsive cyber defense strategies.

The practical interpretation of the obtained results illustrates the dependence of the critical impulse control period on the main model parameters and highlights potential use of the model for cybersecurity strategy design. For typical corporate network parameters $\beta \approx 0.5,\gamma \approx 0.35$, we obtain an estimate of $T^{*}\approx 6-7$ (in model time units), which corresponds to an approximately weekly cycle of security updates and system checks. For IoT networks, where the intensity of malicious code propagation is much higher ($\beta \approx 0.8,\gamma \approx 0.2$), we obtain the value of $T^{*}\approx 1.5-2$, which indicates the need for much more frequent implementation of node control and isolation measures.

Such results extend the application of epidemic models to cybersecurity problems and provide a mathematical foundation for the analysis of the effectiveness of periodic protection strategies in complex network systems. The proposed model forms a theoretical foundation for the design of adaptive cybersecurity systems, determination of the optimal frequency and intensity of preventive impulses, forecasting consequences of large-scale DDoS campaigns, and development of multi-layered defense strategies for critical information infrastructure.