
Malware Schemes in IoT

From the document Security and Privacy in Internet of Things (pages 78-81)


4.2 Malware Schemes in IoT

malware propagation from the viewpoint of both whole networks and individual objects. Understanding the propagation characteristics of malware in both macroscopic and microscopic fashion could aid in estimation of the damage caused by the malware and the development of detection processes.

4.2.1 Modeling from the view of individuals

Darabi Sahneh and Scoglio proposed using a continuous-time Markov process to build the model [43], and Karyotis proposed a model for malware propagation using a Markov random field (MRF) [29]; both are based on a stochastic model. Szongott et al. proposed a spatial-temporal model [48]. It seems that there is enough knowledge on malware propagation modeling; however, all these studies are from the network viewpoint; that is, they regard the nodes as smartphones and the edges as the contacts between smartphones in a graph, and implicitly assume that all nodes possess the same infection rate, unlike our models, which take the viewpoint of the individual. In the real world, every smartphone should have a different reaction when facing spreading malware. Thus, the network view is not suitable to solve this problem [52], because the identities are actually lost when we consider the issue from this viewpoint.

4.2.2 Modeling from the viewpoint of whole networks

Since the spread of epidemics among people is similar to the spread of malware over the IoT platform, we typically adopt ideas from epidemiological models [3, 18, 26] to build the models for malware [10, 15, 17, 19]. The current propagation dynamics of malware can be classified into three categories: deterministic models, stochastic models, and spatial-temporal models [40]. Deterministic models use differential equations to describe the spread of infectious malware from the network's point of view, including susceptible-infection (SI) models [16, 28], susceptible-infection-susceptible (SIS) models [7, 8, 25, 35, 39], and susceptible-infection-recover (SIR) models [31, 33]. The authors of [33] further considered the concept of an incubation period from the perspective of the whole network.

Malicious codes such as Internet worms may leverage the inherently fixed topology to sabotage network operations [22, 46] due to the complicated interactions and immense size of communication networks. In [30, 47], the authors find that the spread of Internet worms is similar to the spreading patterns of epidemics and poses severe threats to system security. In [6], Castellano and Pastor-Satorras show that an epidemic will break out if the infection rate exceeds a certain threshold in a network with fixed topology, and the threshold tends to vanish when the network has a skewed degree distribution [24], such as the Internet [20]. In [9], Chen and Carley propose countermeasure competing strategies based on the idea that computer viruses and countermeasures spread through two separate but interlinked complex networks.

Investigations into the dynamics of Internet worm propagation show that the damage caused by Internet worms can be greatly mitigated with efficacious detection techniques or defense at the imminent stages [15, 45, 50, 54, 56–58]. Hu et al. also show that a tightly interconnected proximity network can be exploited as a substrate for spreading malware to launch massive fraudulent attacks [27]. Moreover, in the case of mobile environments, malware can still propagate in such intermittently connected networks by taking advantage of opportunistic encounters [49]. Wang et al. studied spreading patterns of mobile phone viruses, which may traverse through multimedia messaging services (MMS) or Bluetooth, using simulations [51]. In [16], Cheng et al. further modeled malware propagation in generalized social networks consisting of delocalized and localized links. The results show that the contamination by malware speeds up drastically if the malware is able to propagate through heterogeneous links.

4.2.3 Control of malware propagation

In the following, we are going to explore the immunity mechanisms via epidemiology, as well as direct mapping to control of malware propagation. Two schemes are considered, as follows.

Self-healing scheme: On the expiration of the global timer, the infected nodes delete the data, and therefore the nodes transit from the infected state to the recovered state.

Vaccine-spreading scheme: A recovered node participates in vaccinating the susceptible nodes against the malware. In this case, a susceptible node becomes a vaccinee and is therefore immune to the epidemic. The probability that a susceptible node becomes a vaccinee is denoted by κ.

Throughout this chapter, we will investigate the engineering interpretations and the effects of these two immunity schemes on control of malware propagation. To the best of the authors' knowledge, the trade-offs between the time-dependent control capability and the resulting malware propagation dynamics still remain open [21], and the task is further complicated in IoT networks with heterogeneous links.

Traditionally, most research implicitly assumes that the control capability (i.e., the ability to recover from infection) takes effect immediately after the malware propagation. However, this assumption may not be viable in IoT networks, especially for the execution of real-time applications such as antivirus processes [21, 38], since the control signals (e.g., security patches or system updates) are usually not available when a new malware emerges. Alternatively, we consider a more realistic scenario: that the control capability is a function of its distribution time.

4.2.4 Optimal control of malware propagation

Determining the optimal control signal distribution time is an important issue in mitigating the effects of malware [11, 13]. We first formulate the problem via optimal control theory [34] with the aim of minimizing the accumulated cost, which relates not only to the damage caused by malware but also to the number of replicated data packets in relay-assisted networks. However, optimal control theory assumes full manipulation of the control function, and therefore its solution is inadequate for determining the optimal control signal distribution time. Considering time-dependent control capability, dynamic programming [4] is proposed to obtain the optimal control signal distribution time in real time with respect to the information dissemination process. We also provide early-stage analysis [56] to obtain closed-form expressions of such an SIR model. Using the proposed techniques, we show that the accumulated cost for information dissemination in mobile networks and generalized social networks can be greatly reduced via the proposed approach. Furthermore, the controllability of a network is illustrated by the phase diagram to study the relations between control capability and infection rate.
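The two immunity schemes of Section 4.2.3 and the distribution-time trade-off of Section 4.2.4 can be tried out numerically with the following added example, which is not taken from the book. The rate equations, all parameter values, the capability curve gamma(T) and the cost (infected node-time only, ignoring replicated packets) are assumptions chosen for illustration; only κ and the two schemes come from the text.

```python
"""Mean-field S/I/R sketch of the two immunity schemes (added example).

Assumed, not from the source text: the rate equations, every parameter
value, and the capability curve gamma(T) = gamma_max * (1 - exp(-T / tau)).
"""
import math


def simulate(t_release, beta=0.5, gamma_max=0.3, tau=5.0, kappa=0.4,
             i0=0.01, horizon=60.0, dt=0.01):
    """Euler-integrate node fractions; return final state and accumulated cost."""
    # Control capability depends on when the control signal is distributed.
    gamma = gamma_max * (1.0 - math.exp(-t_release / tau))
    s, i, r = 1.0 - i0, i0, 0.0
    cost = 0.0
    for n in range(int(round(horizon / dt))):
        active = n * dt >= t_release                   # global timer has expired
        infected = beta * s * i                        # S -> I by contact
        healed = gamma * i if active else 0.0          # self-healing: I -> R
        vaccinated = kappa * s * r if active else 0.0  # vaccine spreading: S -> R
        s += dt * (-infected - vaccinated)
        i += dt * (infected - healed)
        r += dt * (healed + vaccinated)
        cost += dt * i                                 # damage proxy: infected node-time
    return {"S": s, "I": i, "R": r, "cost": cost}


def best_release_time(candidates, **params):
    """Brute-force scan for the release time with the lowest accumulated cost."""
    return min(candidates, key=lambda t: simulate(t, **params)["cost"])


if __name__ == "__main__":
    times = [0, 2, 5, 10, 20, 40]
    for t in times:
        out = simulate(t)
        print(f"T={t:>2}  cost={out['cost']:6.2f}  final I={out['I']:.3f}")
    print("lowest-cost T:", best_release_time(times))
    print("no vaccination, T=5:", round(simulate(5, kappa=0.0)["cost"], 2))
```

Under these assumptions, releasing too early leaves the control too weak to stop the spread and releasing too late lets the infection saturate, so the lowest-cost release time falls strictly between the extremes.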

4.3 Modeling Malware Dynamics from the Individual
