Analysis of Two-Worm Interaction Model in Heterogeneous M 2 M Network

With the rapid development of M2M (Machine-to-Machine) networks, the damages caused by malicious worms are getting more and more serious. By considering the influences of the network heterogeneity on worm spreading, we are the first to study the complex interaction dynamics between benign worms and malicious worms in heterogeneous M2M network. We analyze and compare three worm propagation models based on different immunization schemes. By investigating the local stability of the worm-free equilibrium, we obtain the basic reproduction number 0 R . Besides, by using suitable Lyapunov functions, we prove that the worm-free equilibrium is globally asymptotically stable if 0 1 R  , otherwise unstable. The dynamics of worm models is completely determined by 0 R . In the absence of birth, death and users’ treatment, we obtain the final size formula of worms. This study shows that the nodes with higher node degree are more susceptible to be infected than those with lower node degree. In addition, the effects of various immunization schemes are studied. Numerical simulations verify our theoretical results. The research results are meaningful for us to further understand the spread of worms in heterogeneous M2M network, and enact effectual control tactics.


Introduction
With the development of cloud computing and M2M technologies, the threat from worms and their variants is becoming increasingly serious.According to the 2015 Symantec Global Internet Security Threat Report [1], the year 2014 is a year with far-reaching vulnerabilities, faster attacks, files held for ransom, and far more malicious code than in previous years.Many measures are taken against the propagation of malicious worms, such as anti-virus software, patch, firewall, etc.However, those measures cannot understand the transmission mechanisms of worms, and cannot predict the spread trends of worms [2].Thus, those general defense and detection measures cannot help us to provide more effective measures against malicious worms and their variants.
Mathematical modeling is an important tool in analyzing and controlling the spread of malicious worms.The process of model formulation comprehensively uses assumptions, parameters, and variables.Besides, those models provide us theoretical conclusions, such as basic reproduction rate, feasible region, effective contact rate, and thresholds.Theoretical analysis and numerical simulations are useful tools for testing theoretical results, determining how to change sensitive parameter values, getting key parameters according to known date, and establishing effective control measures.Mathematical models effectively help us understand the mechanisms of worm propagation, predict the spread trends of worm, and develop better approaches for decreasing the transmission of malicious worms.
According to network characteristics, networks can be divided into two kinds: homogeneous and heterogeneous networks.In a homogeneous network, most nodes have similar degrees, and nodes' degree distribution is very similar; homogeneous networks include regular networks [3], Erdӧs-Renyi random networks [4], and small-world networks [5].Many epidemic models [6][7][8][9][10][11][12][13][14][15] have been developed to understand the spreading dynamics based on the fully-connected assumption of the homogeneous network.In those models, whole nodes are divided into different compartments corresponding to different epidemiological states.Nevertheless, this fully-connected assumption is inconsistent with the real world network topology; that is, the assumption that each computer has an equal probability of scanning any other individual in the network is unreasonable.Thus, the homogeneous mixing hypothesis is an overly simplified assumption, and is generally unrealistic.It is not appropriate for modeling epidemic models in heterogeneous networks.Contrary to homogeneous networks, most nodes of heterogeneous network have large fluctuations in degree distribution; heterogeneous networks include scale-free networks [16], broad-scale networks [5] and M2M wireless networks.Several models [17][18][19][20][21][22][23][24] have been developed to model such complex patterns of interactions in complex network.Of course, the spreading mechanism and dynamics of worm models in different kind networks are different.The M2M (Machine-to-Machine) network is a network that is based on the intelligent interaction among smart devices, and the blending of several heterogeneous networks, such as WAN (Wide Area Network), LAN (Local Area Network) and PAN (Personal Area Network).This decade, M2M communications over wired and wireless links continue to grow, and as such, various applications of M2M have already started to emerge in various sectors such as vehicular, healthcare, smart home technologies, and so on [25].In recent years, the damages caused by malicious worms and their variants in M2M wireless networks are becoming increasingly serious, due to the variety of network forms, the openness of information, the mobility of communication applications, the security vulnerability of operating systems, the complexity of network nodes, and so on.Thus, in order to control the large-scale propagation of malicious worms in M2M network, we must consider the heterogeneity of the M2M network into the modeling process.
Although there are approaches to contain the spread of worms, such as antivirus software, intrusion detection system and network firewalls, these approaches can only give an early warning signal about the presence of a worm so that defensive measures can be taken.Currently, worm-anti-worm strategy is one of the most effective ways to restrain the propagation of malicious worms.Benign worms are beneficial worms that can dynamically proactive defend against malicious worm propagation and patch for the susceptible hosts.Even though users lack cybersecurity awareness or make poor security measures, benign worms can also maintain network security.That is why, in this paper, we first consider using benign worms to counter the malicious worms in heterogeneous M2M network.
Many epidemic models [26][27][28][29][30] have studied the spreading dynamics between benign worms and malicious worms in homogeneous networks in recent years, and proved the effectiveness of the worm-anti-worm strategy on decreasing the transmission of malicious worms.However, to our knowledge, there are no epidemic models to consider the worm-anti-worm strategy in a heterogeneous network.Motivated by this, in this paper, we first propose a novel dynamical model to study the dynamics of interactive infection between malicious worms and benign worms in heterogeneous M2M networks.Furthermore, we compare our model to two other worm propagation models that are based on different immunization schemes in heterogeneous M2M networks.Through theory analysis, we find that the dynamics of those models are completely determined by a threshold value, which is the model's basic reproductive number.Besides, in the absence of birth, death and users' treatment, we obtain the final size formula of malicious worms based on comprehensive immunization scheme.Numerical simulations support our results.We believe that the results can help restrain the spread of malicious worms.
The rest of the paper is organized as follows.Section 2 describes some related works of worm propagation models.We formulate the models in Section 3. In Section 4, we obtain the basic reproductive number and prove the local and global stability of the worm-free equilibrium.Section 5 determines the final size formula.In Section 6, a series of numerical experiments are given to verify the theoretical results.Finally, conclusions are given in Section 7.
The homogeneous worm propagation models are based on the concept of a network fully-connected graph, which ignore the real-world network topology.For instance, the classical simple epidemic model [6], the Kermack-McKendrick (KM) epidemic model [7], and the two-factor worm model [8] are all homogeneous models, which model the propagation of random scanning malicious worms.This class of models assumes that each host has an equal probability in connecting to any host in the network.Especially, in [8], Zou et al. extended the KM model [7] and analyzed the propagation of Red Code by considering the dynamic countermeasures taken by ISPs (i.e., Internet Service Providers) and users, and the influence of network congestion on worm infection rate.Later, many extended models [9][10][11][12][13][14][15] are proposed, but they all belong to homogeneous models.
As more and more malicious worms plunge into the Internet, traditional counterwork technologies cannot currently scale to deal with the worm threats, and as such worm-anti-worm (WAW) has become a new active countermeasure.The idea of an anti-worm is to transform a malicious worm into a benign worm, which spreads itself using the same mechanism as the original worm.A benign worm can proactively patch and harden configuration setting, and wipe off malicious worms that have infected hosts.There are many worm-anti-worm epidemic models [26][27][28][29], for instance, based on the two-factor worm model, Zhou et al. [26] modeled each sub type of active benign worms and hybrid worms under the circumstance of no time delay and time delay.Ma et al. [27] explored the influences of removable devices on the interaction dynamics between malicious worms and benign worms, effective methods are proposed to contain the propagation of malicious worms using anti-worms.
The topological worm propagation models describe the worms as relying on the topology for spreading themselves.To the best of our knowledge, Fan et al. [30] first proposed a novel logic matrix approach to modeling the propagation processes of P2P (i.e., Peer to Peer) worms by difference equations, which are essentially discrete-time deterministic propagation models of P2P worms.It is suitable for modeling P2P worms because this model considers the topology of a P2P network.Wang et al. [31] created a microcosmic landscape on worm propagation and successfully analyzed the procedures of worm propagation.Furthermore, some relevant work has been reported in [32][33][34][35].
Faloutsos et al. [36] found that the autonomous Internet topology asymptotically follows a powerlaw degree distribution.Stimulated by this theory, several heterogeneous models [17][18][19][20][21][22][23][24] have studied the spreading behavior of worms on complex networks.In a complex network, each node represents a host in its corresponding epidemiological state, and each edge between two nodes stands for an interaction that may allow worm transmission.Those studies indicate that the connectivity fluctuations of the network strongly enhance the incidence of infection in complex network.

The Limitation of Existing Worm Propagation Models
Although all the previous models have qualitatively understood the propagation mechanisms of worms and study the corresponding control strategies by mathematical modeling, the common shortcoming of the existing models is that they do not research the influences of network heterogeneity on the interaction dynamics between malicious worms and benign worms in a heterogeneous M2M network.That is, those homogeneous models ignore the network heterogeneity, and those heterogeneous models ignore the influences of network heterogeneity on the interaction of two worms.

Our Proposed Worm Propagation Model
In our model, we firstly propose a novel dynamic model to study the interaction dynamics of the worm-anti-worm strategy in heterogeneous M2M network.We then compare our model to two other worm propagation models, which are based on different immunization schemes.Through theory analysis, we find that the dynamics of those models are completely determined by a threshold value.
By choosing suitable Lyapunov functions, the global asymptotical stability of worm-free equilibrium is proved.Besides, in the absence of birth, death and users' treatment, we obtain the final size formula of malicious worms based on comprehensive immunization scheme.After that, the effects of various immunization schemes are compared.Finally, numerical simulations verify our results.

The Model
In order to study the influences of the M2M network heterogeneity on worm spreading, in our models, a group ( , ) G V E  is used to represent the topological structure of the M2M network, where V is the set of all nodes and E is the set of all edges.In this group, a node corresponds to a computer, and an edge represents the potential communication between two nodes.The number of edges emanating from a node is called as the degree of a node.We assume that the total computers can be broken into a number of homogeneous sub-compartments, i.e., all nodes in the same sub-compartment are dynamically equivalent, without any difference.We classify the nodes into compartments based on the number of node degree, i.e., nodes in the same sub-compartment have the same number of node degrees.Our model is based on a system of ordinary differential equations describing the evolution of the number of individuals in each compartment.Based on the above assumptions, we classify the total nodes into  different groups, where k N k   is the total number of nodes that have k -degree, and  is the maximum node degree of total nodes.( is the nodes size of the whole network.In order to reflect the heterogeneous nature of an M2M network, we consider nodes degree distribution ( ) p k , i.e., ( ) / k p k N N  , which is the probability that a node degree chosen randomly is k -degree.
According to our different purposes, the infection rates of nodes can be classified into the following compartments: susceptible nodes ( ) S , malicious infectious nodes ( ) I , benign infectious nodes ( ) B and recovered nodes ( ) V .The corresponding notations are as following: ( ) ( ) ( ) ( ) , the relative densities of S -nodes, I -nodes, B -nodes, and V -nodes with k -degree at time t .Some frequently used notations of this paper are listed in Table 1.
Table 1.Notations of this paper.


The maximum node degree of total nodes ( ) The relative density of S -nodes with k -degree at time t ( ) The relative density of I -nodes with k -degree at time t ( ) The relative density of B -nodes with k -degree at time t ( ) The relative density of V -nodes with k -degree at time t k N The total number of nodes with k -degree N The nodes size of the whole network


The recovery rate of S -nodes become V -nodes due to the treatment effect 2


The recovery rate of I -nodes become V -nodes due to the treatment effect The probability that a randomly chosen link points to a I -node 2 ( ) t  The probability that a randomly chosen link points to a B -node ( ) p k The probability that a node chosen randomly with k -degree  In Figure 1, represents the probability that a randomly chosen link points to a malicious infectious node, i.e. the relative density of I -nodes at time t . is the birth or death rate of a node; thus, ( ) Due to the infection of the malicious nodes, S -nodes becomes I -nodes at constant rate 1  .
Thus, 1 1 k kS   is the number of S -nodes turn into I -nodes at time t . 1  and 2  are, respectively, the recovery rate of S -nodes and I -nodes due to the treatment effect of users.Based on Figure 1, we can get the dynamical differential equations for each compartment with k -degree as following: The initial condition of System ( 1) is (0 , and its feasible region is , which is a positively invariant.

The Model of k k k k S I B V
In the k k k k S I B V model, we divide nodes into four compartments: S -nodes, I -nodes, B-nodes and V -nodes.The transfer diagram of each compartment with k -degree ( 1, 2,..., ) k   is schematically depicted in Figure 2. Besides, the other model parameters are the same as defined in Figure 1.Based on Figure 2, the dynamical differential equations for each compartment with k -degree is donated as: The initial condition of System ( 2) is (0) (0) (0), (0) 0 , and its feasible region is , which is a positively invariant.

The k k k S I V Model Based on Targeted Immunization Strategy
The endemic equilibrium of System (1) is * . This indicates that a node with a higher node degree is more susceptible to be infected by worms than that with a lower node degree.In addition, we can conclude that the higher the degree of nodes, the higher the infection density of a network, and thus the density would tend to a constant when the node degree goes to infinity.Indeed, this precisely coincides with reality.Thus, we can use targeted immunization strategy to strengthen protection efforts of the nodes that have a higher node degree [37].First, we introduce lower and upper thresholds 1 K and 2 K , such that if 2 k K  , all nodes with k -degree will be immunized, while if ) a a   of nodes with k -degree will be immunized.Thus, we can define the immunization rate k  as following: is the average immunization rate of the targeted immunization strategy.Then, the ordinary differential equations of System (1) will become The feasible region of System (3) is same with System (1).

The Global Stability of k k k S I V Model
By counting, we can easily obtain the equilibrium of System (1).The worm-free equilibrium is ( , , , , , , ) , where According to the computing method in [38], only the infected compartment k I is involved in the calculation of the basic reproductive number 0 R .At the worm-free equilibrium 0 E , the transmission matrix F is the rate of appearance of new infections and the transmission matrix W is the transfer rate of nodes among compartments; they are, respectively, denoted by 0 0 , , 0 0 0 0 . Therefore, according to Theorems in [38,39], the basic reproduction number R0 is defined as the spectral radius of the next generation matrix Based on 01 R , we have the following theorem: Theorem 1.When 01 1 R  , the worm-free equilibrium * E of System ( 1) is locally and globally asymptotically stable in the model's feasible region 1 U , and unstable when 01 1 R  .
Proof.To measure the global asymptotical stability of worm-free equilibrium, we choose a Lyapunov function like this: . Hence, the time derivative of 1 ( ) L t along the solutions of System ( 1) is formulated as following: We can know that ' 1 ( ) 0 L t  only if 01 1 R  .Therefore, according to LaSalle's invariance principle [40], when 01 1 R  , the worm-free equilibrium 0 E of System (1) is locally and globally asymptotically stable in the model's feasible region 1 U .When 01 1 R  , it means that ' 1 ( ) 0 L t  , and 0 E is unstable in 1 U .Thus, Theorem 1 is proved.□

The Global Stability of k k k k S I B V Model
The worm-free equilibrium of System ( 2) is and the endemic equilibrium is , , , , , , , ) , where , .
Theorems in [38,39], the basic reproduction number R0 is defined as the spectral radius of the next generation matrix Based on 02 R , we have the following theorems: Theorem 2. When 02 1 R  , the worm-free equilibrium * E of System ( 2) is locally and globally asymptotically stable in the model's feasible region 2 U , and unstable when 02 1 R  .
Proof.To measure the global asymptotical stability of worm-free equilibrium, we choose a Lyapunov function like this: 2 ( ) ( ) ( ) . Hence, the time derivative of 2 ( ) L t along the solutions of System ( 2) is formulated as: Therefore, according to LaSalle's invariance principle [40], when 02 1 R  , the worm-free equilibrium 0 E of System ( 2) is locally and globally asymptotically stable in the model's feasible region 2 U .Otherwise, 0 E is unstable in 2 U .Thus, Theorem 2 is proved.□

The Basic Reproductive Number of System (3)
We have known that the initial condition, and the worm-free equilibrium of System (3) are the same as System (1).Besides, the endemic equilibrium of System ( 3 ( , , , , , , ) , where By counting, we can also obtain that the basic reproduction number of System (3) is Thus, when choosing an appropriately small value of 2 K , we can ensure 0   , here,

The Final Size Formula if
The expected final size of worms is defined as the total number of nodes affected by the worm at the end of the epidemic, which is an important indicator of worm outbreak.In this section, by using the same computing method in [38], we will firstly investigate the final size formula of System (2).Secondly, we will get the final size formula of worms based on the comprehensive immunization scheme.

The Final Size Formula of System (2)
First, we show that the worms of System (2) will eventually die out, i.e., ( ( ) 0, ) 1 .0, we know that all solutions of System (2) are non-negative and bounded.
In the absence of birth, death and the treatment effect of users, We see that ( ) ( ) S t I t  is bounded below by zero, it has a limit as t   .Because ( ) k S t is decreasing and also bounded by zero, it also has a limit as t   .Therefore, ( ) k I t will tend to zero; that is, ( ) Evidenced by the same token, we know that ( ) If we integrate Equation ( 6) from 0 to  , we can obtain Due to From Equation ( 7), we get Through similar calculation, we obtain (0) From Equations ( 9) and (10), we can calculate that where Integrating System (2) from 0 to t , we get Consider three cases: We know the final size formula is ( ) ( ) 1 ( ) , which is related to the network structure.When other parameters do not change, the degree distribution of the network greatly affects the final size of worms; meanwhile, the higher initial value or more effective infection ability of malicious worms, the larger-scale of malicious worms will be.

The Final Size Formula Based on Comprehensive Immunization Scheme
Since the compiler program of benign worm needs time, we should use the targeted immunization scheme to protect the security of a network before benign worms are put into a network.When benign worm has been compiled, we will only use benign worm scheme to repair a network.That is, from 0 to T , we will only use targeted immunization scheme, and only use benign worm scheme from T to ( ) t t T  .Then, we have Letting t   , and 0 0 0 (0) , (0) , (0) , which is also related to the network structure.

Simulations
In the real world, the degree distribution of network usually obeys a power-law distribution.We choose  3a exhibits the time plot of System (1).It shows that the malicious worms will gradually disappear.When 1 0.1

 
and the other parameters remain the same, 01 2.8843 1 R   .Figure 3b shows that the malicious worms are prevalent in the network and all states reach their equilibrium points.This example proves Theorem 1. Furthermore, considering System (1) with the same parameters as Figure 3b, Figure 3c exhibits the time plot of different node degrees of malicious infectious nodes.It shows that a higher node degree host is more susceptible to be infected than a lower node degree host., Figure 4 shows that 03 R is a function of a and 2 K .It illustrates that 03 R is a decreasing function of a but an increasing function of 2 K , which means, if a is large or 2 K is small, more nodes will be immune.), and benign worms immunization (with the average infection rate of benign worm is ).On purpose, we set the average immunization rates for targeted immunization and benign worms immunization, which are, respectively, 0.087, and then we can make comparison analyses.Figure 6 indicates that, compared to targeted immunization, benign worms immunization has the absolute predominance to control the spread of malicious worms, even though the average infection rate of benign worms is small.

Conclusions
To our knowledge, we are the first to study the complex interactions between benign worms and malicious worms in heterogeneous M2M network.We, respectively, obtain the equilibriums and basic reproduction number of three different models.Meanwhile, we prove that the global dynamics are determined by the threshold value 0 R .In the absence of birth, death and the treatment effect of users, we obtain the final size formula in different immunization schemes.Our results show that the nodes with higher node degrees are more susceptible to infection than those with lower node degrees.Furthermore, the effects of various immunization schemes are studied.Numerical simulations verify our results.This paper provides a strong theoretical basis to take effective measures to control the large-scale propagation of malicious worms in heterogeneous M2M network.In the future, we are going to incorporate time delay of susceptible and/or infectious computers (malicious infected or benign infected) into the proposed worm propagation models, which will greatly enhance the practicability of our models.

1  2 
The effective infection rate of the malicious wormsThe effective infection rate of the benign worms 3The effective repair rate of the benign worms wipe off the malicious worms 1

3. 1 .
The Model of k k k S I V The k k k S I V model only contains three compartments: S -nodes, I -nodes, and V -nodes.Figure 1 is the transfer diagram of each compartment with k -degree ( 1, 2,..., ) k   .

Figure 1 .
Figure 1.The transfer diagram of k k k S I V model.

Figure 2 . 2 
Figure 2. The transfer diagram of k k k k S I B V model.

Figure 4 .
Figure 4. 03 R is a function of a and 2 K .

Figure 6 .
Figure 6.The average densities of malicious infected nodes for different immunization tactics.

Table 1 .
Cont.The self-destruction rate of the benign worms in the B -nodes 