Influences of Removable Devices on the Anti-Threat Model : Dynamic Analysis and Control Strategies

With the rapid development of M2M wireless network, damages caused by malicious worms are getting more and more serious. The main goal of this paper is to explore the influences of removable devices on the interaction dynamics between malicious worms and benign worms by using a mathematical model. The model takes two important network environment factors into consideration: benign worms and the influences of removable devices. Besides, the model’s basic reproduction number is obtained, along with the correct control conditions of the local and global asymptotical stability of the worm-free equilibrium. Simulation results show that the effectiveness of our proposed model in terms of reflecting the influences of removable devices on the interaction dynamics of an anti-treat model. Based on numerical analyses and simulations, effective methods are proposed to contain the propagation of malicious worms by using anti-worms.


Introduction
Worm is a program that can run by itself and can replicate and spread autonomously in the network.With the rapid development of information technology, M2M technologies have been widely used in mobile communication, medical care, military reconnaissance, and so on.An M2M wireless network is a network which is based on the intelligent interaction among smart devices, and it is a blending of several heterogeneous networks, such as WAN (Wide Area Network), LAN (Local Area Network) and PAN (Personal Area Network), its application has evolved widely.According to the 2015 Symantec Global Internet Security Threat Report [1], the year 2014 was a year with far-reaching vulnerabilities, faster attacks, files held for ransom, and far more malicious code than in previous years.While people are enjoying the convenience, the damages caused by malicious worms and their variants in M2M wireless network are becoming increasingly serious, due to the variety of network forms, the openness of information, the mobility of communication applications, the security vulnerability of operating systems, the complexity of network nodes, and so on.The most significant difference between a traditional computer network infection and M2M wireless network is that the latter evolved much faster and can cause broader and more dangerous harm, as the latter contains more mobile devices and wireless devices.
Currently, a number of detection and defense technologies have been proposed to contain worm propagation, but they cannot fundamentally solve those problems.In addition to benign worms, there exist beneficial worms which can dynamically proactive defense against the malicious worm propagation and patch for the susceptible hosts.Thus benign worms can solve the malicious worm propagation problem to a large degree and they have been a potential solution to restrain and resist the spread of malicious worms.Even though users lack cybersecurity awareness or take poor security measures, benign worms also can maintain the network security.Therefore, worm-anti-worm strategy is a best-effort approach to contain the spread of malicious worms.That is why in this paper we first consider using benign worms to counter the malicious worms.Motivated by this, we propose a novel dynamical model to study the dynamics of interaction infection between malicious worms and benign worms.Through theory analysis and simulation, this article studies the dynamical behaviors of the twoworm interaction.
As we all know, removable devices provide another way other than the Internet for the spread of worms.However, nearly all previous models [2][3][4][5][6][7][8][9][10][11][12][13][14][15] ignore the fact that worms can infect not only the computers but also many kinds of external wireless or wired removable devices, e.g., external hard drives, USB drives, mobile phones, wireless handheld devices, etc.With the development of WiFi and M2M wireless network technology, the M2M wireless network has a certain large coverage area in large cities, and even in some remote areas.While people are enjoying the convenience, worms can exploit the various wireless networks and threaten the cyber space.According to the Symantec security response, the first wireless worm appeared in 2004, which exploited vulnerabilities in the Symbian OS and propagated through Bluetooth wireless connections.Different from the spreading form of worms in traditional networks, worms can inadvertently send copies of themselves to some other nodes that can be infected.Studies show that, due to most wireless protocols allowing neighborhood discovery, proximity of wireless devices can promote worm propagation.Besides, the mobility of removable devices helps to transport worms to a lager geographic space and allows them to last for a longer time.
Therefore, it is important to study the dynamics of interaction infection between computers and removable devices.Motivated by this, we propose a novel dynamical model based on the above facts.
In this article, we analyze the malicious worm propagation in an M2M wireless network by using the mathematical model.We consider the influences of removable devices on the interaction dynamics between malicious worms and benign worms in our model.By investigating the local stability of the worm-free equilibrium, we obtain the basic reproduction number.By choosing a suitable Lyapunov function, we prove the asymptotical stability of worm propagation.Crucially, we obtain the effective threshold of controlling the spread of malicious worms.
The rest of this paper is organized as follows.Section 2 describes some related works of worm propagation models.Section 3 presents the novel worm anti-treat model and gives the relevant proofs of stability.Simulation and control strategies are given in Section 4. Finally, Section 5 concludes this paper.

Existing Worm Propagation Models
In the past several decades, based on the great similarity between biological viruses and network worms, many worm propagation models were presented to understand the propagation mechanisms of worms and study the corresponding control strategies.
The classical simple epidemic models [2] only consist of two states of nodes: susceptible and infectious, which is also called the SI model.Due to the fact that the SI model does not consider the cases where the infected and infectious nodes are patched or removed, it is not suitable for a real situation.The Kermack-McKendrick epidemic model [3] (also known as KM model) makes up the shortcoming of SI model, and considers an additional removal state, the nodes translate from the susceptible to the infectious or to the removal state.Paper [4] proposed an extended stochastic diffusion model for the KM model in which the infectivity of an individual depends on the time since the individual became infective [5].The article [6] provided a two-factor worm model based on the classical epidemic KM model, it carefully analyzed the propagation of Red Code by considering more external factors (one is the dynamic countermeasures taken by ISPs and users, the other is the slowed down worm infection rate because of network congestion and troubles to some routers).Later, many extended models were proposed, e.g., SEIRS model [7], VEISV model [8], SEIQRS model [9], SEIDQV model [10], which separate nodes' states into more varieties and consider passive recovery measures without adding active defense measures.
Worm-Anti-Worm (WAW) models consider two kinds of worms: a malicious worm and a benign worm [11].Benign worm proactive defenses against the malicious worm propagation and patches for the susceptible hosts.Models [12][13][14][15] explored the interaction dynamics between malicious worms and benign worms.When the benign worm is absent, a WAW model is subject to the two-factor model.
To capture the influences of removable devices on the spread of worm, some worm models have been proposed.Based on the KM model, Song et al. presented a model to characterize the essential properties of AutoRun worms, in which a removable device would be infected with a certain rate if it was used on an infectious computer and then it can infect other computers whenever in was used on them [16].In [17,18], Yang et al. addressed the influences of removable devices on the spread of viruses and investigated more complex dynamics.These models provide a reasonable qualitative understanding of the conditions under considering the influences of removable devices.

The Limitation of Existing Worm Propagation Models
Researchers have qualitatively understood the propagation mechanisms of worms and studied the corresponding control strategies by using mathematical modeling.Unfortunately, to our knowledge, none of the existing models have researched the influences of removable devices on the interaction dynamics between malicious worms and benign worms.

Our Proposed Worm Propagation Model
In our model, based on the diversity of nodes types in M2M wireless network, we explore the influences of removable devices on the interaction dynamics between malicious worms and benign worms.We take two important network environment factors into consideration: benign worms and the influences of removable devices.We find the basic reproduction number of our model and the correct control conditions of the local and global asymptotical stabilities of the worm-free equilibrium.We also obtain the effective threshold of controlling the spread of malicious worms.Furthermore, simulation results show the effectiveness of our model.Finally, effective control strategies are proposed to combat malicious worms.

The Model
In a wireless M2M network, we divide nodes into two types: fixed nodes and removable nodes.Fixed nodes are fixed computers, while removable nodes are wireless mobile devices with networking capability, such as mobile phones and tablet computers, or removable devices with no networking capability, such as hard drives and USB drives.The worm propagation behavior on fixed nodes is similar to the spreading behavior of worms in a traditional network, but different from it when it comes to removable devices.All the wireless removable devices autonomously roam in the network: when wireless devices are connected to network and move to the sensing area of nodes, the worms can detect possible vulnerabilities in the equipment and prepare for the infections.When removable devices without networking capability are connected to computers, the worms that exist in them can infect susceptible computers; moreover, they also can be infected by worms that exist in those computers.
Our model is based on the following assumptions: (1) Our model falls under the category of a homogeneous worm propagation model, that means, our model ignores the network topology and it is based on the concept of a network fully-connected graph; (2)    β β , ω ω     , based on Figure 1 we can obtain the equations of the model as follows: From system Equation (1), we can set the model's feasible region as 6 U {( , , , , , ) : , , , , , 0, , } U is positively invariant for system Equation (1), we will analyze the stabilities of Equation (1) in the set U.

The Basic Reproductive Number of Our Model
The basic reproductive number 0 R , is a key concept in epidemiology, and it is one of the most important and most valuable ideas that mathematical thinking has brought to epidemic theory [19].
In epidemiology, the meaning of 0 R is that the number of susceptible nodes infected by an infected node in its entire infectious time.When 0 1 R  , it means the worms in the network will be cleared finally.When 0 1 R  , we can predict that the worms will be prevalent.Thus, we can control the propagation of worms by controlling 0 R .
By counting, we can easily obtain the equilibriums of model ( 1).The worm-free equilibrium is , the endemic equilibrium is ( , , , ) , where: In order to obtain the basic reproductive number 0 R , let ( , , , , , ) According to the Theorem in [20], we know the basic reproductive number of model Equation ( 1) is  and 2  respectively are the basic reproductive number of malicious worms and benign worms in our model.In this paper we will use 0 analyze the stabilities of system Equation (1).

The Stability Analysis for Worm-Free Equilibrium 0 P
In epidemiology, one equilibrium of a propagation model represents one final spreading trend of worms.The aim of this section is to prove the correctness of the basic reproductive number 0 R by analyzing the stability of worm-free equilibrium, and to get the correct control conditions of worm-free equilibrium by adjusting 0 R .

The Local Asymptotical Stability of Worm-free Equilibrium 0 P
Theorem 1.When 0 1 R  , the unique worm-free equilibrium 0 P is locally asymptotically stable in the model's feasible region U , and unstable when 0 1 R  .
Proof.The Jacobian matrix at the worm-free equilibrium 0 P is The corresponding eigenvalues of 0 ( ) , where , and According to the stability theory in [21], we know that the sufficient conditions are 0 i   for the six-dimensional model to be asymptotically stable, where 1, 2, 3, 4, 5, 6 i  . All parameters of this model are assumed to be positive.Obviously, in this model 1 0   , it is approximatively equal to 1 1   .Therefore, when the condition meets  , the propagation of malicious worms will be controlled.According to Routh-Hurwits criterion [22], the unique worm-free equilibrium 0 P is locally asymptotically stable.
When 0 1 R  , it means that 0 ( ) J P has two or three positive eigenvalues, therefore 0 P is an unstable saddle point in the model's feasible region U .This proof is completed.□ 3.2.2.The Global Asymptotical Stability of Worm-free Equilibrium 0 P Theorem 2. When 0 1 R  , the worm-free equilibrium 0 P is globally asymptotically stable in the model's feasible region U , and unstable when 0 1 R  .
Proof.From the first equation in system Equation (1), we can get . Similarly, from the fifth equation in Equation ( 1), we can get To measure the global asymptotical stability of worm-free equilibrium, we choose a Lyapunov function like this: ( ) ( ) ( ) ( ) ( ) ( ) . Its time derivative along the solutions to the model Equation ( 1) is We can know that only at 0 P , ' ( ) 0 L t  .According to the LaSalle's invariance principle in [23], when 0 1 R  , the worm-free equilibrium 0 P is globally asymptotically stable in the model's feasible region U .When 0 1 R  , it means that ' ( ) 0 L t  and 0 P is unstable in U .This proof is completed.□

Simulations
In this section, we will analyze the stability of our model and the influences of removable devices on the interaction dynamics between the malicious worms and the benign worms, by using MATLAB simulation tool.First, we set (0), (0), (0), (0), (0), (0) 50000,50000, 0, 0,50000,50000 We can obtain the basic reproduction number 0 0.6306 1 R   by using above parameters.The results are shown in Figure 2a.
It shows that the two kinds of malicious worms ( I and I R ) will gradually disappear, which proves the correctness of Theorems 1 and 2. When (b) When 0 1 R  , the two kinds of malicious worms will be prevalent.
As can be seen from Figure 5, a larger online rate of removable nodes results in the increase of the number of nodes infected by malicious worms, and also can speed up the spreading speed of malicious worms.

Control Strategies
In this paper, we focus on the influences of parameters concerned with removable devices.Through above analysis we know that a larger number of initial level of infected removable devices and a larger online rate of removable devices are all beneficial for the propagation of malicious worms.Decreasing the value of online rate of removable nodes and limiting the number of removable nodes can confine the propagation of malicious worms.Furthermore, we can increase the basic reproductive number of benign worms   , the malicious worms will disappear from the network.However, the temporal form of the benign worm has several unresolved issues and limitations, such as network congestion, patching safety, and legal issues.In addition, the benign worm strategy faces two problems: (1) When the number of benign worms put into the network is small, it will be difficult to contain a great amount of malicious worms; (2) The spreading speed of benign worms will be quick without any constraints, and their proactive scans will result in the same problems as malicious worms, such as the system overload and the network congestion.Hence we cannot blindly increase the effective infection rate of benign worms and reduce their self-destruct rate to contain the propagation of malicious worms.Obviously, a larger 2 β will quickly kill off malicious worms but meanwhile a larger 2 β will bring a larger amount of traffic than that caused by malicious worms, which could greatly endanger normal network application.Thus, we should choose a reasonable value for 2 β and δ according to the actual situation of network, in order to combat malicious worms synthetically and efficiently.

Conclusions
In this paper, we proposed a mathematical model to explore the influences of removable devices on the interaction dynamics between malicious worms and benign worms based on diversity of nodes types in an M2M wireless network, which considers two important network environment factors: benign worms and removable devices.Firstly, we found out the model's basic reproduction number 0 R , and its threshold value determines whether the malicious worms die out in the network.Numerical analysis shows that if 0 1 R  the worm-free equilibrium is globally asymptotically stable in the model's feasible region U .Otherwise, malicious worms will be prevalent.Secondly, simulations verify the performance of our model is effective in combating with malicious worms.Finally, effective control strategies are proposed to combat malicious worms.In the future, we will take more network environment factors into consideration, e.g., the time delay of benign worms, the latent period of malicious worms, and more characteristics of an M2M network, such as communication technology, communication range, communication speed, network protocols or the capabilities of a typical device, making the adaptability of our model stronger and broader.

2 β
The six states and state transition in our model are shown in Figure1.The notations in Figure1are listed as follows. 1 b and 2 b respectively are the number of new fixed and removable nodes join the network. 1 ω and 2 ω represent the immunized rate of susceptible fixed nodes and susceptible removable nodes by using anti-virus program and firewall, respectively.1 β and are the effective infection rates of malicious worms and benign worms, respectively.1 μ and 2 μ respectively represent the obsolescence rate of fixed nodes and removable nodes.δ is the self-destruct rate of benign worms after completing repair work. is the online rate of removable nodes.

Figure 1 .
Figure 1.State transition diagram of our model.

Figure 3 .
Figure 3.It shows that benign worms can not only decrease the number of two kinds of malicious infected nodes, but can also reduce the malicious worm propagation speed.However, when 1 2

Figure 4 .
Figure 4. Influence of different initial levels of infected removable nodes.

Figure 5 .
Figure 5. Influence of different online rates of removable nodes.

1 
value of 2 β and decreasing the value of δ , making 2  larger than the basic reproductive number of malicious worms We assume that the number of total fixed nodes is N , total removable nodes is N R and other states of nodes do not change in unit time t ; (3) We assume that removable devices are used equally in the whole network; (4) Since the number of removable devices users is huge, and the users exist in all over the network, we assume that removable when they get out of the network; (8) Wireless removable devices' worms have no space constrains and can be connected to a network to carry out a wider range of transmission.In our model, all nodes are in six compartments: susceptible fixed nodes ( S )-nodes are healthy but are not immune to AutoRun worms; fixed nodes infected by malicious worm ( I ); fixed nodes infected by benign worm ( B ); immunized nodes ( V )-nodes have been immunized by anti-virus program, (7)es are uniform distribution in the whole network; (5) All newly fixed nodes and removable nodes accessed the network are susceptible;(6)Once fixed nodes are immunized, they will gain permanent immunity and can no longer be infected by malicious worms;(7)We assume all nodes will remain in their state )