
Malware dynamics: SI model

From the document Security and Privacy in Internet of Things (pages 91-95)


4.4 Modeling Malware Dynamics from the Network Viewpoint

4.4.1 Malware dynamics: SI model

In this subsection, we look into the SI model, in which a susceptible node acquires infection and never becomes susceptible again. This is due to users’ lack of concern about the threat of malware and the limited capability of current antiviral software. Obviously, we have

$$I(t) + S(t) = I_{pro}(t) + I_{inf}(t) + S(t) = 1 \tag{4.6}$$

and

$$\dot{I}(t) = \dot{I}_{pro}(t) + \dot{I}_{inf}(t) \tag{4.7}$$

Without loss of generality, we assume that only one handset is infected at the initial stage, that is, $I(0) = I_{inf}(0) = 1$ and $I_{pro}(0) = 0$. Malware is propagated through proximity-based and infrastructure-based communication links.

The control signal distribution resembles the malware propagation in the sense that it is distributed through these heterogeneous links to alleviate network cost.

The state equation of infrastructure-based infection is

$$\dot{I}_{inf}(t) = \lambda_{inf}(\eta_{inf} - 1)\,S(t)\,I(t) \tag{4.8}$$

where $\eta_{inf} - 1$ accounts for the fact that a node being infected implies that at least one of its neighbors is infected [10].

On the other hand, due to the interdependency of proximity-based and infrastructure-based infections, the proximity-based infection stretches out from the infected source nodes generated by infrastructure-based infections, as shown in Figure 4.2. The proximity-based infection spreads out like a ripple centered at the infected source node, and grows with time. In other words, the spatial spreading of the epidemics through proximity-based communications is only contributed by the wavefronts of infection circles, while the infected nodes located in the interior of the infection circles are not engaged in further spatial infections. For a single ripple with radius $r(t)$, $\rho\pi r^2(t) = N \cdot I_{pro}(t)$, and the infected population in the peripheral circular strip of width $\delta$ is $\rho\pi r^2(t) - \rho\pi\big(r(t)-\delta\big)^2$. We have

$$
\begin{aligned}
\Upsilon_{S I_{pro}}(t) &= \frac{1}{N}\lambda_{pro}\,\frac{1}{2}\eta_{pro}\,S(t)\left[\rho\pi r^2(t) - \rho\pi\big(r(t)-\delta\big)^2\right] \\
&= \frac{1}{N}\lambda_{pro}\,\frac{1}{2}\eta_{pro}\,S(t)\left[2\rho\pi\delta\, r(t) - \rho\pi\delta^2\right] \\
&= \frac{1}{N}\lambda_{pro}\,\eta_{pro}\,S(t)\left[\delta\sqrt{\rho\pi N I_{pro}(t)} - \frac{1}{2}\rho\pi\delta^2\right] \\
&\cong \frac{1}{N}\sigma\lambda_{pro}\,\eta_{pro}\,S(t)\sqrt{N I_{pro}(t)}
\end{aligned} \tag{4.9}
$$

where $\sigma = \delta\sqrt{\rho\pi}$ and $\frac{1}{2}\rho\pi\delta^2$ is usually negligible compared with $N$ [37]. Please note that $\Upsilon_{XY}(t)$ is the expected population transition rate from state $X$ to state $Y$ at time $t$. $\frac{1}{2}\eta_{pro}$ accounts for the average number of proximity-based communication contacts that are located outside of the peripheral circular strip. Since infrastructure-based infection creates multiple infected source nodes over time, we denote the incremental spatially infected population of a ripple that is generated at time $z$ and keeps stretching for $s$ time units by

$$\dot{W}(z,s) \triangleq \frac{dW(z,s)}{ds} = \sigma\lambda_{pro}\,\eta_{pro}\,S(z+s)\sqrt{W(z,s)} \tag{4.10}$$

where $W(z,0) = 1$. The state equation of the aggregated proximity-based infection can be characterized as

$$\dot{I}_{pro}(t) = \frac{1}{N}\int_0^t \dot{I}_{inf}(\tau)\,\dot{W}(\tau, t-\tau)\,d\tau \tag{4.11}$$

This means that $\dot{I}_{inf}(\tau)\,d\tau$ infected source nodes are generated at time $\tau$, and each contributes to $\dot{W}(\tau, t-\tau)$ incremental spatial infection at time $t$. The overall state equation of $I(t)$ becomes

$$\dot{I}(t) = \lambda_{inf}(\eta_{inf} - 1)\,S(t)\,I(t) + \frac{1}{N}\int_0^t \dot{I}_{inf}(\tau)\,\dot{W}(\tau, t-\tau)\,d\tau \tag{4.12}$$
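The state equations can be integrated numerically to compare the three propagation modes. The sketch below is an added example, not code from the book: it applies forward Euler to (4.8) and (4.10)-(4.12), tracking one ripple per time step. Its assumptions are $\delta = 1$ (the text gives no value), $I(0) = 1/N$, source nodes in (4.11) counted in nodes ($N \cdot dI_{inf}$), and a ripple seeded by the initially infected handset at $t = 0$.

```python
import math

def simulate(N=2000, L=50.0, lam_inf=0.05, lam_pro=0.05, eta_inf=6,
             eta_pro=3, delta=1.0, t_end=60.0, dt=0.05):
    """Forward-Euler integration of eqs. (4.8) and (4.10)-(4.12).
    Returns [(t, I(t)), ...] with I(t) the infected fraction of N nodes."""
    rho = N / L ** 2                          # node density of the deployment
    sigma = delta * math.sqrt(rho * math.pi)  # delta = 1.0 is an assumed value
    i_inf, i_pro = 1.0 / N, 0.0               # one infected handset, I0 = 1/N
    # A ripple is [source nodes, W] with W(z, 0) = 1. Assumption: the
    # initial handset also seeds a ripple at t = 0.
    ripples = [[1.0, 1.0]]
    curve = [(0.0, i_inf + i_pro)]
    for k in range(1, int(round(t_end / dt)) + 1):
        i = i_inf + i_pro
        s = max(0.0, 1.0 - i)                 # eq. (4.6)
        d_inf = lam_inf * (eta_inf - 1) * s * i * dt            # eq. (4.8)
        d_pro = 0.0
        for r in ripples:
            d_w = sigma * lam_pro * eta_pro * s * math.sqrt(r[1]) * dt  # (4.10)
            r[1] += d_w
            d_pro += r[0] * d_w / N           # eq. (4.11), sources in nodes
        total = d_inf + d_pro
        scale = min(1.0, s / total) if total > 0 else 0.0  # keep I(t) <= 1
        i_inf += scale * d_inf
        i_pro += scale * d_pro
        if d_inf > 0:
            ripples.append([scale * d_inf * N, 1.0])  # sources born this step
        curve.append((k * dt, i_inf + i_pro))
    return curve

def infected_at(curve, t):
    """I(t) at the grid point closest to t."""
    return min(curve, key=lambda p: abs(p[0] - t))[1]

if __name__ == "__main__":
    scenarios = {
        "infrastructure only": dict(lam_pro=0.0),
        "proximity only, eta_pro=3": dict(lam_inf=0.0, eta_pro=3),
        "both, eta_pro=2": dict(eta_pro=2),
        "both, eta_pro=3": dict(eta_pro=3),
    }
    for name, kw in scenarios.items():
        c = simulate(**kw)
        print(f"{name:28s}",
              " ".join(f"{infected_at(c, t):.3f}" for t in (10, 20, 30, 40, 60)))
```

With `lam_pro=0.0` the model reduces to a logistic curve with rate $\lambda_{inf}(\eta_{inf}-1)$, which gives a closed-form check on the integrator.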

4.4.1.1 Numerical results

Figure 4.10 illustrates the analytical and simulation plots depicting the propagation dynamics of a hybrid malware spreading via only proximity-based communications, only infrastructure-based communications, and both among 2000 nodes uniformly deployed in a 50×50 plane under $\rho = 0.8$. We consider the impact of $\eta_{pro}$ on the propagation process in terms of speed and reachability. The parameter setups are $\lambda_{pro} = \lambda_{inf} = 0.05$ and $\eta_{inf} = 6$ (following the data sheet in [51]). We observe that the curves of propagation dynamics closely match our analytical model; the limited discrepancy that exists is mainly due to the fact that the hybrid malware may propagate to objects that have already been infected, and uncertain boundary conditions could not be considered in the analysis.

This figure also shows that propagation via only proximity-based communication is relatively slow compared with that via only infrastructure-based communications due to spatial spreading characteristics. We also observe the same phenomenon for the hybrid malware with much faster propagation speed, where the rapid invasion via infrastructure-based communications dominates the propagation dynamics. When $\eta_{pro}$ increases from 2 to 3, our model indicates a significant increase in the propagation speed in the early stages of the spreading process. This is in accordance with the fact that a larger $\eta_{pro}$ results in a larger infected subpopulation, which could exploit both proximity-based and infrastructure-based communications to spread, increasing propagation severity.

Note that the agent-based emulation model [5] and simulation [51] try to characterize behaviors of the $N$ nodes and all interactions among them, which requires huge computational power. In contrast, our model aggregates the $N$ nodes into two states and only tracks the behavior of these two states and the interactions between them, such that our model can be more computationally effective.

4.4.1.2 Summary

Compared with the existing agent-based model or simulation with its computational burden, our analytical model based on differential equations works more efficiently and could act as a quick reference to gather approximate knowledge of propagation speed and severity of hybrid malware with various settings of infection rates and average node degrees in IoT networks. The security assessment could adopt such results to develop detection and containment strategies and processes so as to avoid a major outbreak.

[Figure 4.10 plots omitted. Panel (a): analytical results; panel (b): simulation results. Horizontal axis: $t$; vertical axis: $I(t)$. Curves: both, infrastructure based only, and proximity based only, each for $\eta_{pro} = 2$ and $\eta_{pro} = 3$.]

Figure 4.10: Infected population in IoT networks. $N = 2000$, $L = 50$, $I_0 = 1/N$, $\lambda_{inf} = \lambda_{pro} = 0.05$, $\eta_d = 6$, $\eta_{pro} = 3$ and $2$.
