A Behavior-Based Malware Spreading Model for Vehicle-to-Vehicle Communications in VANET Networks

: Network attacking using malware has become very popular on the Internet and in many other networks, namely Vehicular Ad-hoc Network (VANET) networks. It is required to have the model describing the malware spreading based on factors, which directly affect this process to limit its inﬂuences. In this paper, we propose a mathematical model called SEIR-S (Susceptible– Exposed–Infectious–Recovered–Susceptible) based on the characteristics of the VANET network and the well-known disease-spreading model SIR (Susceptible–Infectious–Recovered). We take into account possible behaviors of malware and provide the corresponding states to vehicles: Susceptible ( S ), Exposed ( E ), Infectious ( I ), Recovered ( R ). We evaluate the basic reproduction number R 0 of the model and perform a stability analysis of the proposed model. The results show that, when R 0 < 1, the malware spreading will gradually decrease, and, when R 0 > 1, that spreading cannot be extinguished. We also point out the condition that we can control the endemic in the VANET network. In addition, the correctness of the proposed model is veriﬁed using both numerical analysis and agent-based simulation on NetLogo.


VANET Security Challenges
A Vehicular Ad-hoc Network (VANET) is a type of Mobile Ad-hoc Network (MANET). In VANET, the vehicles will be equipped with a signal receiver/transmitter to connect with adjacent vehicles. These vehicles will become the nodes as in an Ad-hoc network. The vehicles will be in contact with each other (Vehicle-to-Vehicle (V2V) Communication) or connect with the infrastructures along the roads to share/receive information (Vehicle-to-Infrastructure (V2I) Communication) (Figure 1). A vehicle can also become a relay node to transmit information to other vehicles using different wireless connection standards.
VANET has become an active area of research and development because it has many advantages to improve safety, convenience, and traffic efficiency, especially in the smart city context. Because the goal of VANET is to enhance the safety of both drivers and passengers, the security issues in VANET, such as integrity, privacy, and confidentiality, always gain huge attention. An inherent disadvantage of VANET is that its transmission information is spread in open access environments, and anyone can access it for both good and bad purposes. Moreover, VANET currently operates on the IEEE 802.11p standard [1,2], which is a technology based on IEEE 802.11a known as a Wireless Local-Area Network In this section, we will briefly review the security challenges in the VANET networks. The black hole attack, also known as a packet drop attack, is the first threat in the VANET. This kind of attack is related to a malicious node within a network. This node will first fool the network's nodes by claiming to have the quickest path to a node that requests a route. The goal is to persuade as many nodes as possible to send their traffic through this rogue node. Then, instead of relaying network traffics to destinations, the malicious node drops the packets and prevents traffics. It results in the source's ability to communicate with the destination being blocked [9][10][11].
Another type of attack in VANET is the wormhole attack. This attack requires establishing a wormhole link between at least two malicious nodes located in distinct physical locations. This link is used to tunnel packets between valid nodes by convincing them that they are neighbors and have the quickest path to the destination. Both attackers will be positioned in the network's most critical positions, constructing an overlay tunnel over the wireless medium to intercept communications throughout the network. As a result, malevolent nodes gain control of every traffic that passes through them, endangering the security of data contained within packets or deleting them entirely. This attack causes significant network disruption, particularly in networks that utilize on-demand routing protocols, such as Ad-hoc On-demand Distance Vector (AODV) or Dynamic Source Routing (DSR) [12].
Broadcasting tampering and message tampering are prevalent attacks in VANET. In broadcasting tampering, the attackers inject false safety messages into the network to cause severe issues. Meanwhile, in message tampering, the attackers attempt to change the content of messages exchanged between vehicles or between vehicles with the roadside unit (RSU). The primary purpose is to interfere with the process of authentication in VANET [13,14]. Node Impersonation [15,16] attack also works in the same manner.
Any type of network can be a victim of Denial of Service Attacks (DoS) and Distributed Denial of Service (DDoS) [17]. These attacks also cause availability threats for VANET. The primary purpose of the attackers is to deny the legal vehicles and communications from accessing the network. In addition, this type of attack can also control the vehicle resources and jamming the communication channels [18].
Another critical threat in VANET is the threat to the authentication process [19][20][21][22]. This threat is usually caused by masquerading attacks. An attacker can disguise itself as a legitimate node by using other vehicles' identities (Media Access Control (MAC) addresses or Internet Protocol (IP) addresses) and carrying out any attacks. The attacker often uses false information, such as message fabrication, alternation, and relay to perform this attack. Replay attack [23] also causes similar consequences.
The vehicles in VANET use Global Positioning System (GPS) module for identifying the geographic location. Therefore, GPS Spoofing [24] is a potential attack related to traceability and authentication. In this attack, the attacker uses a GPS simulator to generate more strong signals than the original satellite signals and fools the legitimate nodes by making them think they are in different locations.
In recent years, malware attack has emerged as a perilous threat for the VANET network. Malware can penetrate the network through the news updates from RSU and spread throughout the entire network, causing major threats to safety, availability, and privacy [25]. The diversity in malware's attack techniques makes detection and preventing this type of attack becomes very difficult. Furthermore, to the present time, there is almost no anti-malware software that can be deployed on actual or embedded in On-Board Units (OBU) or RSU devices. Modern malware, such as Emotet [26], is fully capable of breaking authentication mechanisms with brute-force technique and quickly spreading between vehicles, causing tremendous consequences. In this study, we will focus on malware attacks and build the malware spreading model in VANET based on the characteristics of this network and the behaviors of malware.

Malware Attacks in VANET
According to the AV-TEST (https://www.av-test.org/en/statistics/malware/, accessed on 20 September 2021) report, malware has been spreading exponentially since 2013. Especially, the total number of malware generated increased from 719.15 million in 2017 to 1269.75 million in 2021. This report also claims that, in 2021, malware threats occupy 78.66% of the total distribution of threats. There are more statistics about malware attacks that require us to focus specifically on malware problems:

•
In the first half of 2020, SonicWall [49]  Although the number of malwares and malware families is great, not all of them can spread from one host to another. Only a few of them can duplicate themselves to another host or location without user interaction [51], such as computational viruses: macro and script viruses. They can copy themselves and spread to other computers by attaching themselves to various programs and executing code when the user launches those programs. Another type of malware, which is also capable of self-replicating and spreading independently, in the same way as computational viruses, is a worm. However, different from viruses, worms can spread without any interference from the user. It is a scary possibility of malware, and it helps malware spread silently and quickly in any network system that lacks preventive measures and prevention methods.
Besides worms, there are some other types of trojan or backdoor also have similar capabilities. In particular, many types of trojan become "Malware Distribution Service" or "Malware-as-a-Services" (MaaS). It means these trojans will carry other kinds of malwares with many outstanding features to attack computer systems. A typical representative is Emotet. This malware can spread and perform brute-force attacks to destroy encryptions and bypass the authentication systems [52,53]. It is considered a threat for Wi-Fi and other mobile ad-hoc networks, such as VANET and Flying Ad-hoc Network (FANET) [54]. Another example of malware, which spreads between multiple hosts, is spyware [55]. This malware can entirely hide in messages or masquerade as valid applications, such as trojan, and spread between hosts. The characteristics of spyware are to infiltrate into the system and operate silently with connections to Command & Control Server (C2C) to steal user-sensitive information. A rootkit is the last malware we want to introduce. It is often related to hardware and is capable of hiding very well. A rootkit is also considered a type of hardware malware [56], causing much damage and destroying the functions of hardware devices.
Although those malwares have many advanced futures, not all of them can spread on the VANET network and impact OBU devices [25,55,57]. Other computer malwares often affect the systems or devices located in the RSU along the roads. However, it is not possible to ignore these malware types because their features are improved daily, and many malwares already exist, which can spread from mobile devices to wireless routers or wireless signal transceiver equipment [58,59].
Below, we give some hypothetical scenarios in which malware performs its behavior and causes severe consequences to the performance of the network's and user's safety.

•
For drivers, when an OBU system is infected with malware, the driver's personal information can be stolen. Besides, the information about location, carID, means of vehicles, routes, or services can also be exploited and transferred to attackers through Internet connections. Taking advantage of this information, the attackers can perform man-in-the-middle attacks, proofing, or tampering attacks. It can lead to deviations in the message content or control signal and seriously affecting the driver's safety. • VANET applications [60], such as forward collision warning, electronic emergency brake light systems, lane change assistance, and curve speed [61], are critical. Once the malware enters the system and interferes with the operation of the network, these emergence services may be misleading, and it leads to collisions or accidents on the road. • Some malwares can spread to many vehicles and turn these vehicles into malicious bots, thereby creating a botnet network. This botnet network is controlled by attackers and is used to execute DDoS attack commands [62]. Multimedia services or even connected services, network services of legitimate nodes, may be denied or not working correctly. • Automatic parking is a technology that enables a car to park itself without the driver intervening. To execute autonomous parking, a vehicle requires accurate distance estimators and a localization system with sub-meter precision. If the malware changes GPS information or creates a fake location, this application cannot be implemented. • In addition to the above scenarios, there are many other services related to entertainment, weather updates, maps, direction guide, driver assistance, and searching roadside locations, which will also be affected by the activity of malwares in the network.
From the above analysis, we can see that it is essential to keep malware from spreading over the network. Many elements influence this process. To minimize the impact of malware and prevent it from spreading, a malware spreading model based on the fea-tures of each type of network is required. There are some spreading models, which will be recalled in the next section. However, most spreading models only use three states (Susceptible-Infectious-Recovered) for all vehicles.
On the other hand, modern malware has many new features and can cause many different states to vehicles in the network instead of only three states. What states do we need to consider? How does the transition between the states occur? How do the characteristics of VANET impact this state transition? To answer these questions, in this paper, we propose a new malware spreading model based on malware behaviors and characteristics of VANET. Our main contributions are: • Proposing a mathematical SEIR-S model based on the behaviors of malware and the characteristics of VANET with four states: Susceptible (S), Exposed (E), Infectious (I), Recovered (R) to model the malware spreading in VANET.

•
Providing the formula to calculate basic reproduction number R 0 and analyzing the stability of malware-free equilibrium, as well as endemic equilibrium. The value R 0 indicated whether the process of malware spreading would be weakened or remained high over time.

•
Pointing out the possibility of controlling the malware epidemic by controlling the transition rate (or patching rate) from Infectious state to Recovered state.
The remainder of this paper is organized as follows: Section 2 presents the related works in this field. In Section 3, we recall the well-known SIR (Susceptible-Infectious-Recovered) model. Section 4 details the proposed Malware Spreading Model in VANET. Section 5 conducts the stability analysis and the evaluation using simulation. In Section 6, we conclude what has been achieved in this paper and point out some limitations of the proposed model.

Related Works
Many factors affect the spread of malware in VANET. These factors are often divided into three groups: mobility factors, communication factors, and malware infection factors [57].

•
Mobility factors: traffic density, velocity, interval, number of lanes. • Communication factors: the form of topology, level of connectivity, the distance between vehicles, path loss effect, fading effect, communication range, packet collision, hops per second (most of these parameters are then used to approximate the probability of a link between two VANET nodes using a log-normal shadow fading model [25]). • Malware infection factors: the time required for self-copy, malware strength, malware lifetime (persistence techniques), infection vectors.
Syed A. Khayam and Hayder Radha explored the characteristics influencing active worm spread over VANET in Reference [25]. Syed A. Khayam and Hayder Radha investigated the traffic model and behavior of a VANET link operating as a log-normal shadow fading channel in this paper. They proposed a stochastic model for the propagation of a worm via a VANET based on the classic SIR epidemic model. However, the assumptions about traffic distribution and the distance between vehicles (using uniform distribution) were not suitable for real cases.
Maziar Nekovee, in Reference [63], used a realistic model of node movement with a velocity-dependent shadow-fading model of wireless VANET links to create a model of worm spreading with highway traffic in a VANET. Maziar Nekovee also analyzed the network's entire topology. However, the author assumed that the average speed allocated to all vehicles on the road is constant and that the vehicles are distributed uniformly, which may not be the case in real traffic flow. The worm propagation model used in this study is a multi-hop broadcast with infection probability. Maziar Nekovee concluded that worm propagation is highly dependent on node mobility patterns and traffic conditions in a VANET. Additionally, in all traffic conditions evaluated, the initial spreading rate is much slower than the exponential spreading rate found in Internet worm attacks.
Wang et al. [64] focused their study on modeling and simulating worm propagation in static and dynamic topology on urban situations rather than highway scenarios. They employed a well-known Intelligent Driver Model (IDM) [65] for the vehicle mobility model. Although the study's mobility model differs from that of Reference [63], both studies developed a velocity-dependent shadow-fading model based on the traditional log-normal shadow-fading model. That is, the authors constructed the worm propagation model using the average link probability between two vehicles. The findings indicate that the rate at which a wireless worm spreads in urban traffic is highly dependent on the transmission range, velocity, and vehicle density. The worm can infect an entire network of vehicles with extensive transmission ranges, high driving speeds, and high densities. Additionally, as velocity increases, the effect of transmission ranges on worm spread is weakened, resulting in a gradually decreasing infection rate required to infect the entire network. As with Maziar Nekovee, Wang et al. described the worm propagation model using a multi-hop broadcast with infection probability.
In Reference [66], Lin Cheng and Rahul Shakya incorporated propagation and fading effects based on the dual-slope path loss and shadowing model. This spreading model is used for highway corridor and static topology. In comparison to other research, this one contributes in that the authors collected actual data under varying traffic volumes to determine vehicle distribution under diverse traffic situations. The multi-hop broadcast propagation model in this study also considered the factors, such as velocity, time interval, path loss effect, fading effect, and packet collision.
Oscar Trullols-Cruces et al., in Reference [67], studied worm epidemics in vehicular networks with highway and urban scenarios. Their evaluation was carried out on a large scale (a 10,000 km 2 region with over 3600 km of heterogeneous roads) with realistic datasets of road traffic. When developing a model of broadcast-carrier worm propagation, the authors took into account the time necessary for self-copy and malware strength. Additionally, Oscar Trullols-Cruces et al. considered the condition in which the worm propagates to only one neighboring vehicle, named the unicast carrier model. The simulation results indicate that the worm diffusion's exceptional performance is due to (i) the increased mobility of nodes in the vehicular network and (ii) the large number of short-lived connections formed by vehicle movement. Both of these variables contribute to the optimal condition for self-propagation of a fast worm.
In Reference [68], Some studies focus on the impact of worm propagation on V2X communications, the factors affecting malware spreading, or proposing similar worm models. The readers can refer to the studies in References [69][70][71][72][73][74][75] for more details.
In the research mentioned above, we noticed that any spreading model consists of two parts: (i) VANET model, including mobility and channel models, related to mobility and communication factors. (ii) Malware spreading model, which is related to malware infection factors. However, these research studies primarily focused on building the models showing VANET characteristics instead of being interest in the behavior of malware. In this paper, we try to build a malware spreading model based on VANET characteristics, malware's possible behaviors, and the corresponding states of a vehicle in the network. We will analyze the spreading states based on the basic reproduction number and provide the condition to control the spread of malware.

SIR Model
Because our proposed malware spreading model in the VANET network is based on the most basic model of epidemics, the SIR model of Kermack and McKendrick [76], we will present a brief SIR model in this section.
In the SIR model, the population was divided into three groups, based on the disease state: (i) those who are capable of getting diseased (Susceptible); (ii) those who are infected and can spread to other people (Infected), and (iii) those who are no longer able to get sick (Removed or Recovered). In this model, the state of a person can only move from S to I (infected) or from I to R (recovered or dead, but cannot be infected again) (Figure 2).

Susceptible
Infectious Recovered Figure 2. SIR spreading model.
The number of people in each group at a time t is denoted S(t), I(t), and R(t). In the simple SIR model, the total population is considered to be constant, which means S(t) + I(t) + R(t) = N does not depend on t. The most concerning quantity is I(t): the rise or fall (according to t), and its magnitude, indicate the epidemic's tendency to spread and scale.
When the population N is "large enough", the change of the SIR model can be approximated by the following system of differential equations: (1) The equations, in turn, represent the changing rate (left-hand side) of the S, I, and R at the time t according to the state of the system at that time (right-hand side). The β parameter represents the infection rate (per capita), which can be interpreted as a probability (average) for a healthy person to be infected (transferred from S to I). Parameter γ presents the recovery rate. In other words, the average disease period (i.e., in I state) is 1/γ.
One of the essential quantities for an epidemic model is the basic reproduction number, or often called the " R 0 coefficient". If R 0 < 1, the disease will be extinguished before the outbreak, and if R 0 > 1, the disease will break out. For example, in the above simple SIR model, R 0 = βN/γ, in which βN is the average number of healthy people that a person with the disease can spread to in disease period 1/γ. Intuitively, it is pretty reasonable: if a person with the disease spreads to more than one person, the number of people with the disease must increase, and if, on average, a person with the disease infecting less than one other person, the number of people suffering must decrease gradually.

Notation
In Table 1, we briefly sum up the symbols and descriptions that we use in this paper. The rate that a vehicle is removed from the network but not due to the impact of malware P 0 -Malware-free equilibrium P * -Endemic equilibrium G -Next-generation matrix R 0 -Basic reproduction number

Link Characteristics in the VANET Network
The proposed malware spreading model is based on two essential elements: (i) VANET characteristics and (ii) propagation characteristics of malware. Therefore, in this section, we will investigate an important model expressing the VANET elements affecting the spread of malware. The model that we mentioned here is the shadow fading link model.
In the usual geometric link model, a node can communicate with another node in its radius r0 (Figure 3a). Nevertheless, due to the influence of many external elements, the links are not entirely within a circle with r0 radius. It may have the shape as in Figure 3b, which is called the shadow fading link model.  There have been many different link models, as we have reviewed in the related works section. Each model has its advantages and disadvantages. However, because we focus primarily on building the malware spreading model based on the well-known SIR model and the possible states of a vehicle corresponding to the behavior of malware, therefore, we will reuse some results and models built before to describe the characteristics of the VANET network instead of creating a new link model. Specifically, we will use the log-normal shadow fading link model proposed by Syed A. Khayam and Hayder Radha in Reference [25] because it is considered one of the first studies describing the relationship between the characteristics of VANET with the spreading characteristics of a worm. Moreover, this study is also based on the SIR model as the way we are doing. This shadow fading model was used to calculate the probability of two nodes communicating via a communication channel.
According to Reference [25], the average probability of a communication link between two nodes in VANET can be represented by the average effective distance and a pre-defined receiver sensitivity using the error function [77] as follows: The descriptions of parameters in (2) are presented in Table 1. There are some notes as follows: • v a τ/L defined the average distance between two vehicles. • Path loss exponent α depends on the environment (generally 2 ≤ α ≤ 5). It is a parameter that indicates the rate at which the received signal strength (RSS) diminishes with distance and varies according to the propagation environment. • The error function is defined by: • In Reference [25], the authors used p link to construct the geometric random graph and then examine worm spread's pace using the geometric random graph's average degree. In this paper, we only use p link as an input parameter for our model because this model depends on VANET characteristics. The assessment of the ability to spread and the speed of malware propagation will be performed by evaluating our proposed epidemic spreading model. • We combine all parameters and models related to VANET's characteristics and call the VANET model ( Figure 4). • In the next section, for simplicity, we will use the symbol p instead of p link .

Proposed Malware Spreading Model SEIR-S 4.3.1. Motivation
As described in related works, some studies have used the SIR model to build a worm spreading model in VANET. However, the SIR model is straightforward and can describe only some basic states of vehicles when considering the spread of malware. There are many other states related to different characteristics of different malware types. In [40], the author presented some usual types of behavior and dynamic malware spreading models, including Susceptible (S), Exposed (E), Infectious (I), Recovered (R), Quarantined (Q), Vaccinated (V), and Immunized (I). It can be seen that these states correspond to the states in epidemiology. We can build many different versions from these states depending on each specific case, such as SIRS, SEIR, SEIQRS, SEIQV, and SIRQ. The combination of these states has motivated us to build a new model for malware spreading in the VANET network.
While the Susceptible and Infectious have the same meaning as in the epidemic model, the Exposed state should be explained further. A node in the network has this state if it has been infected with malware but has not infected other vehicles. We propose to use this state because there are many types of malware using Windows API functions [78], such as Sleep, Sleepex, NtdelayExecution, and GetSystemTimeSfiletime [79], to delay their operations on the victim system for a period. Malware does this with many purposes:

•
To control the resource consumption. This activity supports malware in avoiding detection and preventing denial of service because of a high load. • To control the execution of other threads by suspending and resuming the threads at specific intervals. • To hide itself with a long sleep until some condition triggers the start of its activity. • To cause the dynamic analysis to time out because this kind of analysis usually is limited in a certain period.
In addition, when observing the VANET network, we noticed that an infected vehicle usually needs a particular period to contact another vehicle and infect that vehicle, especially in the case of low density.
In epidemiology, an infected person has been healed and back to the community in the Recovered state. For the vehicles in VANET, it is the case when malware is handled, and the vehicle can back to regular operation. For example, the user can use some patchings [25,80] to eliminate the malware when detecting an infected vehicle. Note that, in this process, when using multi-channel operation [81], the vehicle can still maintain its connection with the network using the control channel (CCH) and does not perform any transmission on the service channel (SCH). Therefore, it cannot cause any other infections. After removing the malware, these vehicles can return to the S state. We propose the transition state from R to S because, in VANET, many types of different malwares can exist. Other malwares can infect this vehicle again.
We do not use a Quarantined state because there is no way to insulate a vehicle but still maintain that vehicle's existence in the network. In this paper, the Vaccinated, Immunized states are also not considered because, until now, to the best of our knowledge, there is almost no anti-malware software for devices used in VANET.
From the above analysis, we propose a model that describes the spread of malware in VANET via the states of the vehicles. This model is called SEIR-S.

SEIR-S Model Mathematical Model Formulation
In this section, we present details of the proposed model SEIR-S. This model operates with four states of the vehicles: (i) S-vehicles are at risk of infection with malware; (ii) Evehicles are infected but have not caused infections for other vehicles; (iii) I-the vehicles have been infected, and they are infecting other vehicles; (iv) R-the vehicles have been removed malware, and are ready to perform the communications in the network.
This model is built on some conventions as follows: • Vehicles only get infected from other vehicles belonging to I. • A vehicle will switch from S state to I state (S → I) or E state (S → E) with a certain probability after being infected from I.

•
If a vehicle is in the chain of infection and is in E state, it will switch to I state (E → I) with a specific rate. However, it can also be detected and removed (E → R).

•
After removing malware, a vehicle can return to the S state (R → S). The vehicle, which is removed from the network will not be able to re-enter the network. • The total number of nodes in the network changes over time due to new vehicles entering the network, and some vehicles are removed from the network. • In each state, a vehicle may be removed from the network but not caused by malware. For example, due to damaged vehicles, the connection device fails. We assume that this rate is the same in all S, E, I, and R states. In addition, although malware can still cause loss of connection and get a vehicle out of the network, we assume that probability is small and ignore this case. Figure 4 presents the SEIR-S model with VANET characteristics and parameters, which rule the change of states.  VANET has a dynamic link structure between vehicles in the network. Therefore, in VANET, besides the contact rate of vehicles in a time unit, we need to consider the probability of a connection between vehicles in each contact. That is the probability p link shown in (2).
It should be noted that the values above the lines in Figure 4  With parameters b, c, we can find the number of vehicles switching from S to E and S to I at each time. As presented above, due to the characteristics of the VANET network, the probability that a vehicle will be infected when contacting the other vehicle also depends on the probability that those vehicles create the connection. Therefore, the number of vehicles switching from S to E is bpSI/N and from S to I is determined by cpSI/N. Based on the SIR model, we build a differential equation system that describes the transition between states in the SEIR-S model as follows: where derivative notation S , E , I , R are the rates of change of S, E, I, R versus time: N is the total number of vehicles in the network at the time t: Summing equations in (4), we can obtain (S + E + I + R) ≤ aN − k(S + E + I + R). Because 0 ≤ a, k ≤ 1, we will have lim sup t→∞ [S + E + I + R] ≤ N, so the set Ω = (S, E, I, R) ∈ R 4 , S + E + I + R ≤ N is positively invariant for (4). Therefore, we will consider the global stability of (4) on the set Ω.

Malware-Free Equilibrium and Basic Reproduction Number R 0
To study the stability of model (4), first, we must find the malware-free equilibrium point at steady states of the SEIR-S model.
It is easy to see that model (4) always has a malware-free equilibrium when all equations in (5) are equal to 0 at P 0 = S 0 , E 0 , I 0 , R 0 . With E 0 = 0, I 0 = 0, R 0 = 0, we have P 0 = aN k , 0, 0, 0 . Let x = (S * , E * , I * , R * ). x is the group states in the model (4), in which the malware spreads in the network, or it is also called malware-epidemic state. Then, the model (4) can be written as: where F (x) is the matrix representing the rate of appearance of new infections in the infection states. V (x) is the matrix showing the change between the states without the impact of new infections.
Differentiating F (x) and V (x) with respect to S, E, I, R and evaluating at the malwarefree equilibrium P 0 = aN k , 0, 0, 0 , respectively, we have Jacobian matrices: At this point, we can find the basic reproduction number R 0 . We recall that R 0 is the estimated number of secondary cases generated by a typical infective individual in an entirely susceptible community. Diekmann et al., in Reference [82], defined R 0 as the spectral radius of the next generation matrix. The next-generation matrix is defined as the square matrix G with the ijth element of G, g ij , representing the expected number of secondary infections of type i generated by a single infected individual of type j, once again assuming that the population of type i is completely susceptible. That is, each element of the matrix G represents a reproduction number, but one where who infects whom is accounted for [83].
The spectral radius is also known as the dominant eigenvalue of G. It should be noted that G is a non-negative matrix. There will always be a single, unique eigenvalue that is positive, real, and strictly greater than others. It is R 0 .
Following Diekmann et al. [82], we call G = F V −1 the next generation matrix for the model and set: where ρ(A) denotes the spectral radius of a matrix A. Then, we have: Replacing S 0 = aN k to (9), we have: The Stability Analysis for Equilibriums The equations determine the equilibriums of the model (4): As we can see, for the case of E * = 0, I * = 0, R * = 0, we have the malware-free equilibrium P 0 = S 0 , E 0 , I 0 , R 0 = aN k , 0, 0, 0 . For the case of E * > 0, I * > 0, R * > 0, we have the endemic equilibrium P * = (S * , E * , I * , R * ), where: From (12) and (13), we will have: So, we have the endemic equilibrium

Malware-Free Equilibrium and Its Stability Analysis
It can be easily obtained that model (4) has a malware-free equilibrium given by P 0 = aN k , 0, 0, 0 .
Proof of Lemma 1. According to P 0 = aN k , 0, 0, 0 , the Jacobian matrix at the malwarefree equilibrium P 0 is: The corresponding eigenvalues of J P 0 are real roots λ of the equation: where the left part of (16) is characteristic polynomial, and I 4 is the identity matrix of size 4. Solving the Equation (16), we have λ 1 = −k, λ 2 = −(h + k), λ 3 and λ 4 , where λ 3 , λ 4 are the roots of Equation (17), as follows: Letting ε 1 = e + f + k, ε 2 = g + k, ε 3 = acp k , ε 4 = abep k , Equation (17) becomes: This equation has sum and product of roots, respectively: By the stability theory [84], the sufficient condition for the four-dimensional model to be asymptotically stable is that λ i < 0, for i = 1, 2, 3, 4. It is easy to see λ 1 < 0 and λ 2 < 0. To have λ 3 < 0 and λ 4 < 0, equations in (19) must satisfy: It is equivalent to the following condition: From the second part of (21), we have: From (10) and (22), we have R 0 < 1. The inequation (22) is also equivalent to the following inequation: and it satisfies the first part of (21). Hence, we can conclude that if (21) is satisfied or R 0 < 1, P 0 is locally asymptotically stable. Otherwise, P 0 is unstable.
If R 0 < 1, an infected individual produces on average less than one new infected individual during its infectious period, and the infection cannot spread. On the other hand, if R 0 > 1, each infected individual produces more than one new infection on average, allowing the disease to spread across the community.
Proof of Lemma 2. Let L(S, E, I, R) = I > 0 as a Lyapunov function; then L P 0 = 0. Its derivative along the solutions to the model (4) is: We can see that, L = 0 if and only if I = 0 or R 0 = 0. Thus, the largest compact invariant set in {(S, E, I, R) | L = 0} is the singleton P 0 . When R 0 ≤ 1, the global stability of P 0 follows from LaSalle's invariance principle [85]. LaSalle's invariance principle implies that P 0 is globally asymptotically stable in Ω. When R 0 > 1, it follows the fact L > 0 if I > 0. Thus, the lemma is proved.

Endemic Equilibrium and Its Stability Analysis
Now, we examine the endemic equilibrium's local stability P * = (S * , E * , I * , R * ). The Jacobian matrix of (4) at the endemic equilibrium P * is: where Thus, the corresponding characteristic equation can be denoted as: where From (25), we can obtain elements of the Hurwitz matrix H as follows: From these expressions, we can obtain that, with P * = (S * , E * , I * , R * ), we have H 1 > 0, H 2 > 0, H 3 > 0, and H 4 > 0. According to the theorem of the Routh-Hurwitz criterion [84], all roots of the equation (25) have negative real components. As a result, the endemic equilibrium P * is locally asymptotically stable.
Using the same way of proof as in Lemma 2 with P * = (S * , E * , I * , R * ), we have: Model (4) is globally asymptotically stable if dL dt (S, E, I, R) ≤ 0 at P * = (S * , E * , I * , R * ). It means that we need: From the above discussion, we can summarize the following conclusion: if R 0 ≤ a k , the unique positive equilibrium P * of the model (4) is globally asymptotically stable in Ω.

Malware Epidemic Control
Lemma 2 indicates that the combined efforts (represented by the formulation of R 0 ) can eliminate malware prevalence in the whole network. Under the SEIR-S propagation model, we investigate how to control the malware-free equilibrium in network administration.
There are two patching rates or the recovered rates, which help to control the malware spreading speed. They are transition rate from E to R (denoted by f ) and transition rate from I to R (denoted by g). However, because malware detection in the exposed state is much more complicated than the infectious state, we are primarily interested in the parameter g.
From (10) and (23), we have: To stop the malware's propagation, the patching rate should satisfy the condition (26). If this inequality cannot be satisfied, the malware will spread widely through networks.

Numerical Simulation
In this section, the numerical simulation is used to illustrate and analyze model SEIR-S. We will evaluate the correlation between the states for the process of malware spreading. Note that the numerical simulation results on the graphs (in Figures 5 and 6) are represented by solid lines.
We use two sets of different parameters as in Table 2 for two cases R 0 < 1 and R 0 > 1. Case 1: R 0 < 1 Using the above parameters, we can obtain the basic reproduction number R 0 = 0.632. The malware will be gradually decreased according to Lemma 1 and Lemma 2. It can be seen that, because the parameters b, c (the transition rates from S to E and S to I, respectively), as well as the link probability (p link = 0.894 ), are pretty high, the process of spreading occurs fast in the early stages ( Figure 5). However, after a period, the spreading is slowed down due to the effective patching process. Corresponding to this process, the number of nodes in the S state increases due to adding new vehicles with a parameter and recovered vehicles from the R state.  Case 2: R 0 > 1 With this parameter set, we have R 0 = 1.711. In this case, we only change the transition rate from I to R(g parameter), other parameters remain unchanged. With R 0 > 1 it is easy to realize that the infection state cannot be extinguished in the network. Because b and c do not change, therefore, the infection process took place quickly. The number of infected vehicles with malware quickly reached the maximum value then dropped, but still at a high level ( Figure 6). The decrease in the number of infected vehicles is due to the transition to the R state. Although the S state always gets a certain number of new vehicles, the number of vehicles in this state is almost impossible to increase due to the malware spreading in the network. It is perfectly consistent with the above stability analysis of endemic equilibrium.  Because we only changed the g parameter in both cases, the change of R 0 and the increase in the number of infected vehicles depend on g very clearly. This conclusion was pointed out with condition (26) for malware epidemic control. The dependence of R 0 into g is shown in Figure 7. The result shows that the higher g is (the patching rate increases), the higher R 0 becomes. It means that the spread of malware in the network will gradually decrease over time.

NetLogo Simulation
In this paper, the simulation experiments are also produced using NetLogo (https: //ccl.northwestern.edu/netlogo/index.shtml, accessed on 20 September 2021), an agentbased simulation environment (ABMS). The ABMS paradigm is a powerful tool for simulating complicated communication networks. Because network nodes behave independently and have individual characteristics during the malware dissemination process, agents are well suited for abstracting them. As a result, we studied the malware spreading process using agent-based modeling. NetLogo is ideally suited for simulating complex systems that change with the times. Modelers can issue commands to hundreds or thousands of "agents" that operate autonomously. It enables the investigation of the relationship between individuals' micro-level behavior and the macro-level patterns that arise from their interaction.
To simulate the malware spreading for the VANET network on NetLogo, we need to ensure the characteristics of the VANET are taken into account. As mentioned above, our primary goal is not to develop a link model for the VANET but to build a malware spreading model based on VANET's characteristics. Therefore, instead of building a traffic model in NetLogo, we will use the initial parameter sets to provide the link probability between the vehicles. It not only reduces the simulation time but also ensures the characteristics of VANET in NetLogo.
The vehicles, i.e., the agents, will move randomly in a specific range. We assume that the vehicles are located at the center of the circle representing the linking range. When a vehicle is in another vehicle's radius area, a connection can happen between those two vehicles. Each state of the vehicle is represented with a corresponding color. We use simulated parameter sets as in numerical simulation to assess the accuracy of the model. Figure 8 illustrates the simulation process of our model with NetLogo. As seen in Figure 8, the results of NetLogo's agent-based SEIR-S model of malware propagation are consistent with the analytical SEIR-S model results in numerical simulation under the same parameters. These results, denoted by dashed lines in Figures 5 and 6, confirm the correctness and validity of the SEIR-S model. We can see that the numerical curves and simulation curves are very similar. There is little difference between the curves because the analytical model has a high level of abstraction. Additionally, the model does not explicitly examine the network topology, and we only used the link probability to ensure the VANET characteristics in NetLogo.

Conclusions
Preventing malware from spreading in any network is a challenging task. Many factors impact this spreading process. It is necessary to build a malware spreading model based on the characteristics of each type of network to limit the impact of malware and prevent malware from spreading. In this paper, we proposed a mathematical SEIR-S model with four states: Susceptible (S), Exposed (E), Infectious (I), Recovered (R) to model the malware spreading behavior in VANET. We considered the characteristics of VANET, especially the link model, which decides the infection rate and the characteristics of modern malwares, which threaten the security in VANET.
We provided the basic reproduction number R 0 and analyzed the stability of malwarefree equilibrium, as well as endemic equilibrium. The value R 0 indicated whether the process of malware spreading would be weakened (R 0 < 1) or remained high over time (R 0 > 1).
The mathematical analysis pointed out the possibility of controlling the malware epidemic by controlling the transition rate (or patching rate) from I to R.
Finally, we used both numerical analysis and agent-based simulation NetLogo to verify the correctness of our model. The comparison results proved the validity of the model. However, we should note that the proposed model still has some limitations as follows: • The model is built on some assumptions, and, in some cases, it may not be suitable for real cases.
• We did not consider the V2I infrastructure in the model. However, the malware also can spread from the RSU to vehicles. • We used the log-normal shadow fading link model proposed by Syed A. Khayam and Hayder Radha in Reference [25] because it is considered one of the first studies describing the relationship between the characteristics of VANET with the spreading characteristics of a worm. However, this link model seems to have some limitations, and we did not evaluate the impacts of these limitations on our proposed model.
In future works, we will consider more malware behaviors to build the model more accurately and find the appropriate methods to prevent malware from spreading in VANET. Funding: This paper has been supported by the RUDN University Strategic Academic Leadership Program.