Content uploaded by Aresh Dadlani

Author content

All content in this area was uploaded by Aresh Dadlani on Oct 18, 2014

Content may be subject to copyright.

1089-7798 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See

http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI

10.1109/LCOMM.2014.2361525, IEEE Communications Letters

IEEE COMMUNICATIONS LETTERS, VOL. XX, NO. XX, XXXX 1

Stability and Immunization Analysis of a Malware

Spread Model over Scale-Free Networks

Aresh Dadlani, Graduate Student Member, IEEE, Muthukrishnan Senthil Kumar, Kiseon Kim, Senior

Member, IEEE, and Khosrow Sohraby, Senior Member, IEEE

Abstract—The spreading dynamics and control of infectious

agents depend primarily on the connectivity properties of under-

lying networks. In here, we investigate the stability of the sus-

ceptible-infected-susceptible (SIS) epidemic model incorporated

with multiple infection stages and propagation vectors to mimic

malware behavior over scale-free communication networks. In

particular, we derive the basic reproductive ratio (R0) and pro-

vide results for stability analysis at infection-free and infection-

chronic equilibrium points. Based on R0, the effectiveness of

four prevailing immunization strategies as countermeasures are

studied and compared. The outperformance of proportional and

targeted immunization are justiﬁed via numerical results.

Index Terms—Malware modeling, epidemiology, scale-free net-

work, basic reproductive ratio, stability analysis, immunization.

I. INTRODUCTION

RECENT ﬁndings in the ﬁeld of network science indicate

that the inset of an endemic state is not only corre-

lated with the infection schemes, but also with the network

topology under study. This has led to a surge in scrutinizing

the spreading behavior of new epidemics over networks [1].

Disordered networks with extreme heterogeneity such as the

Internet and the World Wide Web are shown to be scale-

free (SF), i.e. they exhibit a power-law degree distribution.

These networks, unlike homogeneous networks, are more

vulnerable to the spread and persistence of malwares due to

their diverging connectivity ﬂuctuations [2]. In virtue of such

weakness, tailored immunization strategies are in high demand

to ensure the stability of large-scale networking systems. In

fact, the ability to mathematically model, predict, and restrain

the continuing threat of computer malware proliferation over

such technological networks is now a challenging task.

A handful of existing works address the complex behavior

of malwares using compartmental differential equations [3]–

[6]. While built upon the basic SIS theme, these models do

not consider the joint impact of additional reﬁnements to

The research was funded by the Basic Research Project through a grant

provided by the Gwangju Institute of Science and Technology (GIST), and by

the Grant K20901002277-12E0100-06010 funded by the Ministry of Science,

ICT and Future Planning (MSIP) (2009-00422).

A. Dadlani and K. Kim are with the School of Information and Commu-

nications, Department of Nanobio Materials and Electronics, GIST, Gwangju

500-712, South Korea (e-mail: {dadlani, kskim}@gist.ac.kr).

M. S. Kumar is with the Department of Applied Mathematics and Com-

putational Sciences, PSG College of Technology, Coimbatore 641-004, India

(e-mail: msk@amc.psgtech.ac.in).

K. Sohraby is with the Department of Computer Science and Electrical

Engineering, University of Missouri - Kansas City, MO 64110-2499, USA

(e-mail: sohrabyk@umkc.edu).

ܵሺݐሻߙ

ߣ

ߚ்

.... ܫ்ሺݐሻ

ܫሺݐሻܫଵሺݐሻ

ߚଵߚଶ

ܸ

ሺݐሻܸ

ଵሺݐሻܸ

ெሺݐሻ....

ߟ

ߟଵ

ߟெ

ߛெߛଵߛ

Fig. 1: The reﬁned SIS model for malware spread.

evaluate the efﬁciency of immunization strategies. In reality,

a multipartite malware may not only infect a network node

in multiple phases (also known as infection delay), but also

propagate via email attachments, ﬁle sharing, and phishing

schemes. Though epidemic thresholds for the SIS model with

time delay and propagation vectors are derived in [7], no study

on the potency of immunization tactics for the model exists.

In this paper, we derive the basic reproductive ratio (R0)

[8] to analyze the equilibrium stability of the model in [7].

Being a key concept widely-used in epidemic theory, R0refers

to the total number of secondary infections produced as the

result of introducing an infected node in the infection-free

population. Using this notion, we examine the model with

respect to the effects of various immunization strategies using

mean-ﬁeld approximation (MFA) over SF networks.

II. MODEL FORMULATION AND STABILITY ANALYSIS

The malware propagation model adopted from [7] is shown

in Fig.1, where S(t),Ii(t), and Vj(t)denote the densities

of susceptible nodes, nodes in the ith infection stage (i=

0,1,...,T), and the jth propagation vector (j= 0,1,...,M)

at time t, respectively. Since infection delay and propagation

vector can be found simultaneously within various infectious

cases, a susceptible node enters the initial infection stage (I0)

with rate λor via some infective vector, say Vj, with rate

γj. Once infected, the infection progresses from stage Im−1

to Imwith rate βm(m= 1,2,...,T). Finally, the infected

node returns to the susceptible class with rate α. Also, the

transition rate of Vjfrom Sto I0is given as ηj. Using the

Barab´asi-Albert (BA) model [9] as the prototype example of

SF networks, the malware model can be formulated as:

˙

Ik,0(t) = −β1Ik,0(t) + λkSk(t)Θ(t) +

M

X

j=0

γjSk(t)Vj(t),

˙

Ik,i(t) = −βi+1Ik,i (t) + βiIk,i−1(t); i= 1, ..., T −1,

˙

Ik,T (t) = −αIk,T (t) + βTIk,T −1(t),

˙

Vj(t) = −Vj(t) + ηj(1 −Vj(t)) Θ(t); j= 0, ..., M , (1)

1089-7798 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See

http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI

10.1109/LCOMM.2014.2361525, IEEE Communications Letters

IEEE COMMUNICATIONS LETTERS, VOL. XX, NO. XX, XXXX 2

where krefers to the degree such that Sk(t)+PT

m=0 Ik,m(t) =

1and Θ(t)is the probability that any given link points to

an infected node. With hkiand P(k)deﬁned as the average

degree of the network and the connectivity distribution [2],

respectively, and B=1

α+1

β1+...+1

βT, the self-consistency

equality in steady-state is derived to be [7]:

F(Θ) = Bβ1

hkiX

k

kP (k)Ik,0.(2)

Given (2), it is easier to obtain the R0measure than the critical

epidemic threshold for the malware model. Thus, R0is:

R0=dF

dΘ

Θ=0 =B

hkiλk2+hki

M

X

j=0

ηjγj,(3)

where k2=Pkk2P(k). For stability analysis, we deﬁne Γ

as the non-negative region in which the system has equilibrium

points. Therefore, for some maximum degree K(1≤k≤K):

Γ = n(I1,0,...,I1,T ,...,IK,0,...,IK,T , V0,...,VM)

∈R(T+1)K+(M+1)|Sk+

T

X

i=0

Ik,i ≤1; Vj≤ηj

1 + ηjo.(4)

Consequently, if R0<1, there exists an infection-free equi-

librium (IFE) E0and if R0>1, the system has an infection-

chronic equilibrium (ICE) E∗inside region Γ.

Theorem 1: If R0<1, the IFE E0is globally asymptotically

stable in Γ. Otherwise, if R0>1,E0is unstable and the

system is uniformly persistent in Γ.

Proof: Following the approach in [5], the Lyapunov

function for the system is expressed as follows:

L(t) = X

k

ak

T

X

i=0

Ik,i(t)+

M

X

j=0

Vj(t),(5)

where ak=kP (k)/hki. Differentiating (5) w.r.t. tand

substituting for ˙

Ik,i(t)and ˙

Vj(t)from (1) eventually yields:

L′(t) = −αX

k

akIk,T (t)−Θ(t)

B(1 −R0)

−

M

X

j=0 Vj(t)−ηj(1 −Vj(t))Θ(t).

(6)

Hence, L′(t)<0only if R0<1and Vj≤ηj

1+ηj. Furthermore,

if R0>1and Vj(t)>ηj

1+ηj, it follows that L′(t)>0in a

small enough neighborhood of E0in Γ. Therefore, for R0>1,

all solutions in Γsufﬁciently close to E0move away from E0

thus, making it unstable. This completes the proof.

Theorem 2: If R0>1, the system has a unique ICE E∗.

Proof: To get E∗, we have ˙

Ik,i(t) = 0 and ˙

Vj(t) = 0 as t

tends to inﬁnity. Undertaking the same approach as in [6], the

equilibrium E∗(I∞

k,0,...,I∞

k,T , V ∞

0, . . . , V ∞

M) should satisfy:

−β1I∞

k,0+λkS∞

kΘ∞+

M

X

j=0

γjS∞

kV∞

j= 0 ,

−βi+1I∞

k,i +βiI∞

k,i−1= 0 ; i= 1, ..., T −1,

−αI∞

k,T +βTI∞

k,T −1= 0 ,

−V∞

j+ηj(1 −V∞

j)Θ∞= 0 ; j= 0, ..., M ,

(7)

0

10

20

30

40

50

0.0

0.2

0.4

0.6

0.8

1.0

time HtL

Fraction of Infec ted Nodes H‚i=0

TIk,i L

Model H1L:l=0.024, a=0.2, R0=2.18

SIS: l=0.024, a=0.2, R0=1.208

Model H1L:l=0.005, a=0.4,

R0=0.4104

SIS: l=0.005, a=0.4,

R0=0.1258

Simulation

Analysis

Fig. 2: Numerical results and simulation validation for model

(1) and the basic SIS model.

where Θ∞= (PnnP (n)I∞

n)/hkiand I∞

n=PT

i=0 I∞

n,i.

From the second and fourth equations of (7), we arrive at

V∞

j=ηjΘ∞/(1 + ηjΘ∞)and PT

i=0 I∞

k,i =Bβ1I∞

k,0, which

when substituted in the ﬁrst equation of (7) results in:

I∞

k,0=λkΘ∞+PM

j=0

γjηjΘ∞

1+ηjΘ∞

β11 + λkBΘ∞+BPM

j=0

γjηjΘ∞

1+ηjΘ∞.(8)

On substituting (8) in the deﬁnition of Θ∞and denoting it as

f(Θ) for simplicity, we get the following expression:

f(Θ) = BX

k

P(k)λkΘ + PM

j=0

γjηjΘ

1+ηjΘ

1 + λkBΘ + BPM

j=0

γjηjΘ

1+ηjΘ.(9)

Obviously, the trivial solution of (9) is f(0) = 0. For a

non-trivial solution (0<Θ≤1), conditions df(Θ)

dΘ|Θ=0 >1

and f(1) ≤1must be satisﬁed. So, we have:

B

hkiλk2+hki

M

X

j=0

ηjγj>1.(10)

Putting (10) in (8) yields 0< I∞

k,i, V ∞

j≤1for i= 0,1, ..., T

and j= 0,1, ..., M . Hence, E∗is well-deﬁned and there exists

one and only one ICE for (1) when R0>1.

Fig.2 depicts the numerical results for propagation dynamics

of the malware model. For a BA network of 1000 nodes and

parameter set-up of (M , T ) = (1,1),β1= 0.3, η1= 0.2,

γ1= 0.1, and PT

i=0 Ik,i(0) = 10, we observe that the

fraction of infected nodes reaches zero when R0= 0.4104,

while an epidemic outbreaks at R0= 2.18. Thus, malware

infection dies out when R0<1and persists in the network

otherwise, which justiﬁes the above-stated theorems. Validated

by simulation, we compare the analytical plots with that of

the basic SIS model to demonstrate the impact of additional

reﬁnements on the increase in the spreading process. Such

increase in the infected density justiﬁes the reduction of the

epidemic threshold for the malware model as studied in [7].

Each simulation result in Fig.2 is averaged over 200 runs.

III. IMPACT OF IMMUNIZATION STRATEGIES

The practice of investigating spreading patterns of malev-

olent softwares in SF networks is complemented by the

1089-7798 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See

http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI

10.1109/LCOMM.2014.2361525, IEEE Communications Letters

IEEE COMMUNICATIONS LETTERS, VOL. XX, NO. XX, XXXX 3

formulation of mitigation strategies tailored to topological

speciﬁcities of such networks. Due to the vanishingly small

epidemic threshold, SF networks show higher susceptibility

to infection. As a result, the ineffectiveness of the intuitive

uniform immunization in eradicating malwares over these

networks has led researchers to design new tactics that take

the rank of constituent nodes into account [2], [5], [6]. Hence-

forth, we examine the impact of the proportional, targeted,

acquaintance, and active immunization strategies for the above

malware model. These strategies, among many, have been

highly appreciated for their performance over SF networks.

A. Proportional Immunization

As stated in the name, the immunizing probability of each

node is proportional to its degree. If we denote the fraction

of immune nodes by gk(0 < gk<1) and assume ¯

λ=

λk(1 −gk), the ﬁrst equation of system (1) changes to:

˙

Ik,0(t) = −β1Ik,0(t) + ¯

λSk(t)Θ(t) +

M

X

j=0

γj¯

λSk(t)Vj(t)

λk .

(11)

Solving the above system in steady-state gives us:

˙

Ik,0=

¯

λΘ + PM

j=0

γj¯

λVj

λk

β11 + ¯

λBΘ + BPM

j=0 γj

¯

λ

λk Vj,

˙

Vj=ηjΘ

1 + ηjΘ.

(12)

Substituting (12) in (2) gives the self-consistency equation,

which when differentiated w.r.t. Θat Θ=0gives the basic

reproductive ratio under proportional immunization, RP

0, as:

RP

0=B

hkiλ(1 −gk)k2+h(1 −gk)ki

M

X

j=0

ηjγj.(13)

If gkis some constant g, then we have RP

0= (1 −g)R0.

B. Targeted Immunization

A better approach to overcome the vulnerability of SF

networks to selective attacks is to immune the most highly

connected nodes. Hence, unlike proportional immunization,

the immunization rate in targeted immunization is deﬁned as:

gk=

1,if k≥κ2,

pk,if κ1≤k < κ2,

0,if k < κ1,

(14)

where κ1and κ2are lower and upper thresholds, respectively,

such that all nodes with degree kare immunized if k≥κ2,

while a portion pk(0< pk<1) of kdegree nodes are

immunized if κ1≤k < κ2. Repeating the same procedure

as in the preceding sub-section, the basic reproductive ratio

under targeted immunization, RT

0, is derived as below:

RT

0= (1 −hgki)R0−B

hkiλ σk2,gk+σk,gk

M

X

j=0

ηjγj,(15)

where σkr,gk=h(kr− hkri)(gk− hgki)ifor r∈ {1,2}and

hgki=PkgkP(k). Thus, we get RT

0<(1−hgki)RP

0/(1−g).

C. Acquaintance Immunization

Applying targeted immunization requires global information

about the network structure (i.e. σ1and σ2), which renders

practical applicability in real-world. Acquaintance immuniza-

tion is an alternative approach in which a random acquaintance

of a randomly chosen fraction qof nodes is selected for

immunization. Thus, the immunization rate is:

gk=qkP (k)

hki; 0 < q < 1.(16)

Deﬁning ωras hkrP(k)i, the basic reproductive ratio for this

immunization strategy, RACQ

0, is derived to be:

RACQ

0=R0−q B

(hki)2λ ω3+ω2

M

X

j=0

ηjγj.(17)

D. Active Immunization

In this immunization strategy, we choose an infected node

and immunize its neighbors with degree k≥κ2. With gk

deﬁned as in (14), the ﬁrst three equations of (1) become:

˙

Ik,0(t) = −δ1Ik,0(t) + λkSk(t)Θ(t) +

M

X

j=0

γjSk(t)Vj(t),

˙

Ik,i(t) = −δi+1Ik,i (t) + δiIk,i−1(t), i = 1, ..., T −1,

˙

Ik,T (t) = −µIk,T (t) + δTIk,T −1(t), j = 0, ..., M , (18)

where δi= (βi+ ¯gk),µ= (α+ ¯gk),¯gk=hkgki/hki, and

hkgki=hkihgki+σk,gk. It can be easily show that the basic

reproductive ratio for active immunization, RACT

0, is:

RACT

0=B1

hkiλk2+hki

M

X

j=0

ηjγj=B1

BR0,(19)

where B1=1

α+¯gk+1

β1+¯gk+...+1

βT+¯gk. Hence, RACT

0

is comparable to R0in effectiveness for small values of ¯gk.

IV. NUMERICAL RESULTS AND DISCUSSIONS

We validate our analysis via numerical simulations for a

BA network comprising of N= 1000 nodes with hki ≃ 2m,

k2≃2m2log(√N), and P(k) = 2m2k−3as given in [2].

In our settings, we consider m= 2 and (κ1, κ2) = (600,800).

Fig.3 illustrates the effectiveness of the four immunization

strategies in terms of their basic reproductive ratios (R∗

0) for

different values of infection rate (λ) and reﬁnements (Mand

T). We ﬁrst investigate the relationship between R∗

0in terms

of λfor (M, T ) = (3,2),α= 0.7,q= 0.9, and pk=k/N

in Fig.3(a). For a fair comparison, we ﬁx the fraction of

immunized nodes to 0.4 and compare the results with that

of the basic SIS model where (M, T ) = (0,0). We observe

that for any λvalue, all four immunization schemes reduce

the number of secondary infections introduced in the network

as compared to the non-immunized case (R0). Among the

four, however, the striking effectiveness of the proportional and

targeted schemes is evident. As λincreases, the rate at which

nodes are newly infected drastically drops under proportional

and targeted immunizations as compared to the other two

http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

10.1109/LCOMM.2014.2361525, IEEE Communications Letters

IEEE COMMUNICATIONS LETTERS, VOL. XX, NO. XX, XXXX 4

100

0

10

20

30

40

50

λ

R0

R0R0

PR0

TR0

ACQ R0

ACT

Basic SIS model

SIS model with

M = 3 and T = 2

*

(a) Basic reproductive ratios (R∗

0) versus spreading rate (λ).

1 2 3 4 5 6 7 8 9 10

0

5

10

15

20

25

30

35

40

45

T

R0

M=0 M=4 M=8

Without

immunization

Proportional

immunization

Targeted

immunization

*

(b) Basic reproductive ratios (R∗

0) versus infection delay (T).

Fig. 3: Reduced basic reproductive ratio (R0) of the malware

model in presence of immunization.

immunization tactics. This is in accordance with the fact that

immunizing nodes with higher connectivity reduces the risk of

infection spreading through them. Choosing proportional and

targeted schemes as the best-case baselines, we plot their cor-

responding reproductive ratios against R0for varying values

of Mand Tin Fig.3(b). In here, we show how generalizing the

malware model to multiple infection stages and propagation

mediums would result in an epidemic outbreak. Even though

imposing proportional and targeted immunization strategies

does not bring the system to an infection-free state, their

effectiveness in reducing the number of newly infected nodes

is visibly distinguishable. For instance, at (M , T ) = (4,5),

R0is reduced by nearly 31% and 63% under proportional

and targeted immunization schemes, respectively.

In Fig.4, we show the outperformance of proportional and

targeted immunizations in combating the malware spread. For

N= 1000,λ= 0.024,α= 0.2,(M , T ) = (1,1),β1=γ1=

η1= 0.1,V1(0) = 0.2, and P3

i=2 Ik,i(0) = 10, we see that the

infection-chronic system (R0= 2.524) changes to infection-

R0ACQ

1.514

No immun.:

R0

2.524

R0ACT

1.072

R0

P

0.813

R0

T

0.611

0

20

40

60

80

100

120

0.0

0.2

0.4

0.6

0.8

1.0

time HtL

Fraction of Infected Nodes

Fig. 4: Fraction of infected nodes under immunization.

free states of RP

0= 0.813 and RT

0= 0.611 when targeted

and proportional immunizations are applied, respectively. On

the contrary, acquaintance and active immunization schemes

fail to suppress the epidemic outbreak as RAC Q

0and RACT

0

maintain values greater than 1. Note that the rate at which

the malware infection dies out for targeted immunization is

higher than that for proportional immunization. This is because

targeted immunization focuses on immunizing nodes that are

more likely to spread the infection, i.e. nodes that are highly

connected. Once these nodes are immunized, the capability of

SF networks to carry the malware decreases substantially.

V. CONCLUDING REMARKS

We analyzed the stability of a network malware spread

model with infection delay and vectors. Accounting for the

heterogeneous nature of scale-free networks, we investigated

and compared the impact of various schemes for immunizing

the spreading model in terms of basic reproductive ratio. We

showed the effectiveness and convenience of targeted and

proportional immunization strategies in controlling the spread

in comparison to the acquaintance and active counterparts. As-

sessing the model under different immunization cost functions

can be considered as a potential future work.

REFERENCES

[1] S. Peng, S. Yu, and A. Yang, “Smartphone malware and its propagation

modeling: a survey,” IEEE Commun. Surveys Tuts., vol. 16, pp. 925–941,

Second Quarter 2014.

[2] R. Pastor-Satorras and A. Vespignani, “Immunization of complex net-

works,” Phys. Rev. E, vol. 65, p. 036104, Feb. 2002.

[3] M. Ajelli, R. L. Cigno, and A. Montresor, “Modeling botnets and

epidemic malware,” in Proc. IEEE ICC, May 2010, pp. 1–5.

[4] S.-M. Cheng, W. C. Ao, P.-Y. Chen, and K.-C. Chen, “On modeling

malware propagation in generalized social networks,” IEEE Commun.

Lett., vol. 15, pp. 25–27, Jan. 2011.

[5] J.-P. Zhang and Z. Jin, “The analysis of an epidemic model on networks,”

Appl. Math. Comput., vol. 217, pp. 7053–7064, May 2011.

[6] T. Li, Y. Wang, and Z.-H. Guan, “Spreading dynamics of a SIQRS

epidemic model on scale-free networks,” Communications in Nonlinear

Science and Numerical Simulation, vol. 19, pp. 686–692, Mar. 2014.

[7] A. Dadlani, M. S. Kumar, S. Murugan, and K. Kim, “System dynamics

of a reﬁned epidemic model for infection propagation over complex

networks,” to appear in IEEE Syst. J., 2014.

[8] J. M. Heffernan, R. J. Smith, and L. M. Wahl, “Perspectives on the basic

reproductive ratio,” J. R. Soc. Interface, vol. 2, pp. 281–293, Sep. 2005.

[9] A.-L. Barab´asi and R. Albert, “Emergence of scaling in random net-

works,” Science, vol. 286, pp. 509–512, Oct. 1999.