Content uploaded by Aresh Dadlani
Author content
All content in this area was uploaded by Aresh Dadlani on May 01, 2020
Content may be subject to copyright.
1
Heterogeneous Projection of Disruptive Malware Prevalence in
Mobile Social Networks
Aldiyar Dabarov, Madiyar Sharipov, Aresh Dadlani, Muthukrishnan S. Kumar, Walid Saad, Choong Seon Hong
Abstract—Segregating the latency phase from the actual disrup-
tive phase of certain mobile malware grades offers more oppor-
tunities to effectively mitigate the viral spread in its early stages.
Inspired by epidemiology, in this paper, a stochastic propagation
model that accounts for infection latency of disruptive malware in
both personal and spatial social links between constituent mobile
network user pairs is proposed. To elucidate the true impact of
unique user attributes on the virulence of the proposed spreading
process, heterogeneity in transition rates is also considered in an
approximated mean-field epidemic network model. Furthermore,
derivations for the system equilibrium and stability analysis are
provided. Simulation results showcase the viability of our model
in contrasting between latent and disruptive infection stages with
respect to a homogeneous population-level benchmark model.
Index Terms—Mobile social networks, heterogeneous epidemic
model, disruptive virus, mean-field theory, equilibrium analysis.
I. INTRODUCTION
PREDOMINANTLY driven by the prevalent use of personal
mobile devices, the evolution of assortative interactions
between mobile social network (MSN) users has initiated an
array of research topics [1]. The heterogeneity of users and of the
multi-faceted relations among them however, further complicate
the characterization of information flow intertwined with the
underlying network structure. While information diffusion can
take many forms, the precision of modeling frameworks in
foreseeing malware outbreaks in MSNs remains a key challenge.
With the expanding smartphone market, the vectors exploited
by different malware strains to infect susceptible smart devices
have also grown in variety [2], [3]. Some commonly adopted
vectors for cyber attacks include Bluetooth (BT), email attach-
ments, and SMS/MMS messaging services (MS). Digital viruses
can exploit both personal and spatial social links to propagate
in MSNs [4]–[6]. Personal links are established based on the
contact lists and anonymized call records in each handset, while
standard short-range communication protocols such as wireless
BT define the spatial ties between neighboring mobile users
within a given transmission range.
Epidemic models have been instrumental in quantitatively
predicting malware outbreaks in generic social networks. In
regard with population-level models, the authors in [5] charac-
terize hybrid mobile viruses that exploit BT and MS protocols
to target the susceptible user base. In [6], the mixed behaviors of
long-range infection spreading pattern through MS and ripple-
based infection via BT using ordinary differential equations
is investigated. Epidemic-based information dissemination in
MSNs using opportunistic peer-to-peer links has been studied
in [7]. More recently, mean-field approximations of individual-
based spreading processes have been compelling in exposing
the relationship between epidemic thresholds and the spectral
radius of contact networks. However, relatively fewer agent-
based epidemic models exist that describe the time evolution
of the state occupancy probabilities in terms of the number of
Markovian users over complex networks [8]–[11]. The authors
in [8] proved that the infection-free equilibrium in aggregated-
Markovian random graph processes is almost surely exponen-
tial. To account for user tendency to switch between alternative
social preferences, the authors in [9] generalized the seminal
work in [10] to derive the steady-state phase transition thresholds
between extinction, co-existence, and absolute dominance of
memes. In [11], the authors proposed a continuous-time bi-
layer network model with generic infection rates to analyze the
dynamics of competitive spreading in multi-virus scenarios.
Unlike conventional virus models that impair the functional-
ity of mobile gadgets immediately after being transmitted, dis-
ruptive viruses such as Commwarrior, Mellisa, CIH, and Blue-
Borne have a two-phase life cycle: the latent phase succeeded
by the disruptive phase [12]. In the former phase, the malware
infects other connected susceptible nodes by replicating itself
while residing in the victimized host, whereas the functionality
of the infected host is hindered only in the latter phase. All
the above efforts ([5]–[9], [11]) fail to discern between the two
phases therefore, resulting in over-estimated predictions on the
fraction of mobile users infected by disruptive malware. To our
best knowledge, there exists no prior analytical work quantifying
the infection latency for hybrid disruptive malware spread in
MSNs, where microscopic user-level dynamics are incorporated
and the state transition rates are subjective to each user.
To fill this gap, the main contribution of this paper is a
novel mean-field approximated epidemic model to characterize
the spreading pattern of disruptive malware promoted through
BT and MS protocols in generic MSNs by subsuming the
heterogeneity in user-level interactions. To ensure the validity of
the resulting prediction in steady-state, we prove the existence
of a unique viral equilibrium and investigate the asymptotic
stability of the viral-free equilibrium for our model. We then
demonstrate the precision of the proposed network model by
benchmarking it against a homogeneously-mixing population-
level epidemic model via simulations. Results obtained show the
efficacy of the model in differentiating between users infected
via the two transmission modes. In absence of large empirical
data samples, such a fine-tuned projection model would help
devise effective control strategies in significantly shorter time
and minimize the investment costs incurred.
II. SY ST EM MO DE L DESCRIPTION
Consider a typical MSN of size 𝑁, where each mobile user,
labeled from 1 to 𝑁, interact with each other using smart devices.
2
ݎ
Infected user Susceptible users
Beyond BT range user
BT transmission range of radius ݎ
MS transmission links
User ݅
ܫ
ୗ(ݐ)ܮ
ୗ(ݐ)ܵ(ݐ)ܮ
(ݐ)ܫ
(ݐ)
ܽ
ߛ
ߜ
ߠ
ߛ
ୗ
ߠ
ୗ
ߜ
ୗ
ܽ
ୗ
Fig. 1: Propagation mechanism and the proposed epidemic model of
a disruptive malware in MSNs.
To distinguish between social links created by spatial BT and
personal MS links in the network, we define respectively, graphs
𝐺1(V,E1)and 𝐺2(V ,E2), where V={1,2, . . . , 𝑁}. Link
(𝑖, 𝑗 ) ∈ E 1if users 𝑖and 𝑗are within the BT transmission range
of radius 𝑟BT. Similarly, link (𝑖, 𝑗) ∈ E2if user 𝑖is connected
to user 𝑗in the personal social network. Let 𝑨,[𝑎𝑖 𝑗 ]𝑁×𝑁
and 𝑩,[𝑏𝑖 𝑗 ]𝑁×𝑁be the irreducible adjacency matrices
corresponding to 𝐺1and 𝐺2, respectively. We assume that the
network is undirected and thus, matrices 𝑨and 𝑩are symmetric.
Consistent with definitions in the literature, each user is either
in the susceptible (𝑆), latent (𝐿), or disruptive (𝐼) state at any
given time as shown in Fig. 1. User𝑖is said to be susceptible if it
is healthy and not yet infected by the malware. Upon receiving
the malware, the user becomes latent if the infection is in the
latent phase and then turns disruptive in the successive phase
[12]. To represent the state of the network at time 𝑡, we define
the stochastic process {𝑋𝑖(𝑡);𝑡≥0}, where ∀𝑖∈ V,𝑋𝑖(𝑡)is:
𝑋𝑖(𝑡)=
0 ; if user 𝑖is susceptible at 𝑡,
1 ; if user 𝑖is latent by BT at 𝑡,
2 ; if user 𝑖is disruptive by BT at 𝑡,
3 ; if user 𝑖is latent by MS at 𝑡,
4 ; if user 𝑖is disruptive by MS at 𝑡.
(1)
Using (1), we now denote the probability of user 𝑖being in any
one of the five possible states as 𝑆𝑖(𝑡)=Pr{𝑋𝑖(𝑡)=0},𝐿BT
𝑖(𝑡)=
Pr{𝑋𝑖(𝑡)=1},𝐼BT
𝑖(𝑡)=Pr{𝑋𝑖(𝑡)=2},𝐿MS
𝑖(𝑡)=Pr{𝑋𝑖(𝑡)=3},
and 𝐼MS
𝑖(𝑡)=Pr{𝑋𝑖(𝑡)=4}, where 1≤𝑖≤𝑁and 𝑆𝑖(𝑡) + 𝐿BT
𝑖(𝑡)+
𝐼BT
𝑖(𝑡)+𝐿MS
𝑖(𝑡)+𝐼MS
𝑖(𝑡)=1.
A susceptible user 𝑖is infected by user 𝑗via BT asynchronous
connectionless link (ACL) in the discoverable mode at the
constant rate of 𝛽𝐿BT
𝑗>0if user 𝑗is in the latent infection
state and with rate 𝛽𝐼BT
𝑗>0if user 𝑗is in the disruptive state.
Likewise, in MS-mediated propagation, user 𝑖is infected by
latent (disruptive) user 𝑗at the constant rate of 𝛽𝐿MS
𝑗(𝛽𝐼MS
𝑗)>0.
The latency time for latent user 𝑖affected through BT (MS) is
assumed to be exponentially distributed with the latency rate
of 𝛿BT
𝑖(𝛿MS
𝑖)>0[5], [6]. Due to frequent updates of mobile
operating systems and anti-viruses, a latent (disruptive) user
𝑖recovers back to susceptibility at rates 𝛾BT
𝑖(𝜃BT
𝑖)>0and
𝛾MS
𝑖(𝜃MS
𝑖)>0in the BT and MS settings, respectively.
The corresponding continuous-time Markov process of the
proposed model becomes analytically intractable as the state
space size grows exponentially with increase in |V |. Approxi-
mation techniques are normally applied to resolve the state space
size problem at the expense of accuracy. Deductions from mean-
field approximated network models are shown to be asymp-
totically almost exact to sufficiently large real-world networks
as they provide an upper bound for the exact probability of
user infection [13]. Accordingly, we adopt a first-order mean-
field approximation to reduce the dimensionality of the exact
Markovian network model down to 4𝑁space.
Given a sufficiently small time interval of (𝑡+Δ𝑡), for Δ𝑡 > 0,
the following state transition probabilities for mobile user 𝑖hold
valid, where the remaining invalid state transition conditional
probabilities are denoted by the asymptotic notation 𝑜(Δ𝑡):
Pr{𝑋𝑖(𝑡+Δ𝑡)=1|𝑋𝑖(𝑡)=0}=𝑎BT
𝑖Δ𝑡+𝑜(Δ𝑡),
Pr{𝑋𝑖(𝑡+Δ𝑡)=3|𝑋𝑖(𝑡)=0}=𝑎MS
𝑖Δ𝑡+𝑜(Δ𝑡),
Pr{𝑋𝑖(𝑡+Δ𝑡)=0|𝑋𝑖(𝑡)=1}=𝛾BT
𝑖Δ𝑡+𝑜(Δ𝑡),
Pr{𝑋𝑖(𝑡+Δ𝑡)=2|𝑋𝑖(𝑡)=1}=𝛿BT
𝑖Δ𝑡+𝑜(Δ𝑡),
Pr{𝑋𝑖(𝑡+Δ𝑡)=0|𝑋𝑖(𝑡)=2}=𝜃BT
𝑖Δ𝑡+𝑜(Δ𝑡),
Pr{𝑋𝑖(𝑡+Δ𝑡)=0|𝑋𝑖(𝑡)=3}=𝛾MS
𝑖Δ𝑡+𝑜(Δ𝑡),
Pr{𝑋𝑖(𝑡+Δ𝑡)=4|𝑋𝑖(𝑡)=3}=𝛿MS
𝑖Δ𝑡+𝑜(Δ𝑡),
Pr{𝑋𝑖(𝑡+Δ𝑡)=0|𝑋𝑖(𝑡)=4}=𝜃MS
𝑖Δ𝑡+𝑜(Δ𝑡),
(2)
The linear infection rates via BT and MS links, denoted by 𝑎BT
𝑖
and 𝑎MS
𝑖, respectively, are defined as follows:
𝑎BT
𝑖,
𝑁
Õ
𝑗=1
𝑎𝑖, 𝑗 𝛽𝐿BT
𝑗𝐿BT
𝑗(𝑡) + 𝛽𝐼BT
𝑗𝐼BT
𝑗(𝑡)(3)
and 𝑎MS
𝑖,
𝑁
Õ
𝑗=1
𝑏𝑖, 𝑗 𝛽𝐿MS
𝑗𝐿MS
𝑗(𝑡) + 𝛽𝐼MS
𝑗𝐼MS
𝑗(𝑡).(4)
Undertaking the approach in [11], we use (2) to derive 𝐿BT
𝑖(𝑡+
Δ𝑡),𝐼BT
𝑖(𝑡+Δ𝑡),𝐿MS
𝑖(𝑡+Δ𝑡), and 𝐼MS
𝑖(𝑡+Δ𝑡)based on the law of
total probability. We then linearize the resultant system in what
follows to facilitate our analysis in closed form.
A. BT-Mediated Spreading Dynamics
Transition of user 𝑖to the latent state in a BT network at time
(𝑡+Δ𝑡)can occur only if (i) user 𝑖was susceptible or (ii) latent
at time 𝑡. Mathematically, this is expressed as:
𝐿BT
𝑖(𝑡+Δ𝑡)=𝑆𝑖(𝑡) · Pr{𝑋𝑖(𝑡+Δ𝑡)=1|𝑋𝑖(𝑡)=0}
+𝐿BT
𝑖(𝑡) · Pr{𝑋𝑖(𝑡+Δ𝑡)=1|𝑋𝑖(𝑡)=1}.(5)
Similarly, user 𝑖enters the disruptive state at (𝑡+Δ𝑡)via BT
communication only if (i) latent or (ii) disruptive at time 𝑡, i.e.,
𝐼BT
𝑖(𝑡+Δ𝑡)=𝐿BT
𝑖(𝑡) · Pr{𝑋𝑖(𝑡+Δ𝑡)=2|𝑋𝑖(𝑡)=1}
+𝐼BT
𝑖(𝑡) · Pr{𝑋𝑖(𝑡+Δ𝑡)=2|𝑋𝑖(𝑡)=2}.(6)
By substituting (2) in (5) and (6), dividing both sides by Δ𝑡,
and letting Δ𝑡→0, we arrive at the following system:
𝑑𝐿BT
𝑖(𝑡)
𝑑𝑡
=1−𝐿BT
𝑖(𝑡)−𝐼BT
𝑖(𝑡)−𝐿MS
𝑖(𝑡)−𝐼MS
𝑖(𝑡)𝑎BT
𝑖
− (𝛾BT
𝑖+𝛿BT
𝑖)𝐿BT
𝑖(𝑡),∀𝑖=1,2, . . . , 𝑁 ,
𝑑𝐼BT
𝑖(𝑡)
𝑑𝑡
=𝛿BT
𝑖𝐿BT
𝑖(𝑡) − 𝜃BT
𝑖𝐼BT
𝑖(𝑡),∀𝑖=1,2, . . . , 𝑁 .
(7)
3
B. MS-Mediated Spreading Dynamics
The MS spreading model is derived in a similar manner, with
the resulting system having the same structure as (7), except
for the matrix 𝑩corresponding to the personal social network,
where 𝑎BT
𝑖is replaced by 𝑎MS
𝑖:
𝑑𝐿MS
𝑖(𝑡)
𝑑𝑡
=1−𝐿BT
𝑖(𝑡)−𝐼BT
𝑖(𝑡)−𝐿MS
𝑖(𝑡)−𝐼MS
𝑖(𝑡)𝑎MS
𝑖
−(𝛾MS
𝑖+𝛿MS
𝑖)𝐿MS
𝑖(𝑡),∀𝑖=1,2, . . . , 𝑁 ,
𝑑𝐼MS
𝑖(𝑡)
𝑑𝑡
=𝛿MS
𝑖𝐿MS
𝑖(𝑡) − 𝜃MS
𝑖𝐼MS
𝑖(𝑡),∀𝑖=1,2, . . . , 𝑁 .
(8)
Hence, the approximated network model is a system of 4𝑁
differential equations represented by (7) and (8) collectively.
III. EQUILIBRIUM AND STABI LI TY ANALYS IS
We now postulate a theorem related to the global stability
of the trivial infection-free equilibrium, given by 𝑬0, and then
derive the unique non-trivial virulent equilibrium, 𝑬∗. In steady-
state, such analysis ensures that our non-linear model reaches an
equilibrium point irrespective of the initial number of infected
users. This is thus, necessary to justify the prediction fidelity of
our model by showing that it stabilizes in a positively invariant
state space [11]. To this end, we define vector 𝑫(𝑡)as:
𝑫(𝑡),𝐿BT
1(𝑡), . . . , 𝐿BT
𝑁(𝑡), 𝐼BT
1(𝑡), . . . , 𝐼 BT
𝑁(𝑡),
𝐿MS
1(𝑡), . . . , 𝐿MS
𝑁(𝑡), 𝐼MS
1(𝑡), . . . , 𝐼 MS
𝑁(𝑡)𝑇
=𝐿BT
1... 𝑁 (𝑡), 𝐼BT
1... 𝑁 (𝑡), 𝐿MS
1... 𝑁 (𝑡), 𝐼MS
1... 𝑁 (𝑡)𝑇.(9)
Also, let the reduced state space, Ω, be given as:
Ω = 𝐿BT
1... 𝑁 (𝑡), 𝐼BT
1... 𝑁 (𝑡), 𝐿MS
1... 𝑁 (𝑡), 𝐼MS
1... 𝑁 (𝑡)𝑇∈R4𝑁
+
𝐿BT
𝑖(𝑡)+𝐼BT
𝑖(𝑡)+𝐿MS
𝑖(𝑡)+𝐼MS
𝑖(𝑡) ≤ 1, 𝑖 =1, . . . , 𝑁.
(10)
Since 𝐿BT
𝑖(𝑡),𝐼BT
𝑖(𝑡),𝐿MS
𝑖(𝑡), and 𝐼MS
𝑖(𝑡)are probabilistic
values in [0,1]that sum up to one for all 𝑡≥0,Ωis positively
invariant for the model in (7) and (8) [12]. In other words,
𝑫(0) ∈ Ωimplies that 𝑫(𝑡) ∈ Ωfor all 𝑡values. Our
proposed system has a trivial steady-state equilibrium 𝑬0=
(0,0, . . . , 0)𝑇which is always infection-free. An equilibrium
is said to be globally stable if it is both, asymptotically stable
and globally attracting. For matrices 𝒀1,𝑨·diag(𝛽𝐿BT
𝑖)and
𝒁1,𝑩·diag(𝛽𝐿MS
𝑖), the following theorem examines the global
stability condition for 𝑬0, where 𝑐,min1≤𝑖≤𝑁{𝛾BT
𝑖, 𝛾MS
𝑖},𝑰
is the identity matrix of order 𝑁, and 𝜆1(·) is the spectral radius
of a square matrix.
Theorem 1. Equilibrium 𝑬0is globally asymptotically stable
with respect to Ωif 𝜆1(𝒀1+𝒁1−𝑐𝑰)<0.
Proof. Let 𝐶𝑖(𝑡)be the sum 𝐿BT
𝑖(𝑡) + 𝐼BT
𝑖(𝑡) + 𝐿MS
𝑖(𝑡) + 𝐼MS
𝑖(𝑡).
For all 𝑖∈ V, taking the derivative of 𝐶𝑖(𝑡)yields:
𝑑𝐶𝑖(𝑡)
𝑑𝑡
=1−𝐶𝑖(𝑡)𝑎BT
𝑖+𝑎MS
𝑖−𝛾BT
𝑖𝐿BT
𝑖(𝑡) − 𝜃BT
𝑖𝐼BT
𝑖(𝑡)
−𝛾MS
𝑖𝐿MS
𝑖(𝑡) − 𝜃MS
𝑖𝐼MS
𝑖(𝑡)
≤
𝑁
Õ
𝑗=1
𝑎𝑖, 𝑗 𝛽𝐿BT
𝑗𝐶𝑗(𝑡) +
𝑁
Õ
𝑗=1
𝑏𝑖, 𝑗 𝛽𝐿MS
𝑗𝐶𝑗(𝑡) − 𝑐 𝐶𝑖(𝑡),
For 𝒘(𝑡),𝑤1(𝑡), 𝑤2(𝑡), . . . , 𝑤𝑁(𝑡)𝑇and 𝑤𝑖(0)=𝐶𝑖(0),
∀𝑖∈ V, the comparison system can be expressed as:
𝑑𝑤𝑖(𝑡)
𝑑𝑡
=
𝑁
Õ
𝑗=1
𝑎𝑖, 𝑗 𝛽𝐿BT
𝑗𝑤𝑗(𝑡) +
𝑁
Õ
𝑗=1
𝑏𝑖, 𝑗 𝛽𝐿MS
𝑗𝑤𝑗(𝑡) − 𝑐 𝑤𝑖(𝑡),
and re-written in matrix form as 𝒘0(𝑡)=(𝒀1+𝒁1−𝑐𝑰)𝒘(𝑡).
Since 𝜆1(𝒀1+𝒁1−𝑐𝑰)<0, it follows from the fundamental the-
ory on linear differential systems that 𝒘(𝑡) → 0. Consequently,
according to Chaplygin lemma on differential inequalities, we
have 𝑫(𝑡) ≤ 𝒘(𝑡)for all 𝑡 > 0values. Thus, as 𝑡approaches
infinity, 𝑫(𝑡) → 0, which completes the proof.
In epidemiology, the existence of the non-trivial viral equi-
librium 𝑬∗is determined by the outbreak threshold, commonly
known as the basic reproduction ratio (R0). In particular, the
infection eventually dies out in the network (i.e., reaches 𝑬0)
if R0<1and persists (i.e., converges to 𝑬∗) if R0>1. Such
an equilibrium can now be obtained by considering (7) and (8)
together in steady-state. Thus, for all 𝑖=1,2, . . . , 𝑁 , setting the
left-side derivatives of the equations to zero yields the following:
𝐼BT
𝑖=𝛿BT
𝑖
𝜃BT
𝑖
𝐿BT
𝑖,
𝐼MS
𝑖=𝛿MS
𝑖
𝜃MS
𝑖
𝐿MS
𝑖,
𝜖BT
𝑖𝐿BT
𝑖= 1−𝐿BT
𝑖−𝛿BT
𝑖
𝜃BT
𝑖
𝐿BT
𝑖−𝐿MS
𝑖−𝛿MS
𝑖
𝜃MS
𝑖
𝐿MS
𝑖!𝑎BT
𝑖,
𝜖MS
𝑖𝐿MS
𝑖= 1−𝐿BT
𝑖−𝛿BT
𝑖
𝜃BT
𝑖
𝐿BT
𝑖−𝐿MS
𝑖−𝛿MS
𝑖
𝜃MS
𝑖
𝐿MS
𝑖!𝑎MS
𝑖,
(11)
where 𝜖BT
𝑖and 𝜖MS
𝑖denote (𝛿BT
𝑖+𝛾BT
𝑖)and (𝛿MS
𝑖+𝛾MS
𝑖),
respectively. By solving (11) for 𝐿BT
𝑖,𝐼BT
𝑖,𝐿MS
𝑖, and 𝐼MS
𝑖, it
can be easily deduced that 𝑫(𝑡)is a non-trivial equilibrium of
the proposed model if and only if ∀𝑖∈ V:
𝐼BT
𝑖=𝑎BT
𝑖𝛿BT
𝑖𝜖MS
𝑖𝜃MS
𝑖
𝜖MS
𝑖𝜃MS
𝑖(𝜖BT
𝑖𝜃BT
𝑖+𝑎BT
𝑖𝜈BT
𝑖) + 𝑎MS
𝑖𝜖BT
𝑖𝜈MS
𝑖𝜃BT
𝑖
,
𝐼MS
𝑖=𝑎MS
𝑖𝛿MS
𝑖𝜖BT
𝑖𝜃BT
𝑖
𝜖MS
𝑖𝜃MS
𝑖(𝜖BT
𝑖𝜃BT
𝑖+𝑎BT
𝑖𝜈BT
𝑖) + 𝑎MS
𝑖𝜖BT
𝑖𝜈MS
𝑖𝜃BT
𝑖
,
𝐿BT
𝑖=𝑎BT
𝑖𝜃BT
𝑖𝜖MS
𝑖𝜃MS
𝑖
𝜖MS
𝑖𝜃MS
𝑖(𝜖BT
𝑖𝜃BT
𝑖+𝑎BT
𝑖𝜈BT
𝑖) + 𝑎MS
𝑖𝜖BT
𝑖𝜈MS
𝑖𝜃BT
𝑖
,
𝐿MS
𝑖=𝑎MS
𝑖𝜃BT
𝑖𝜖BT
𝑖𝜃MS
𝑖
𝜖MS
𝑖𝜃MS
𝑖(𝜖BT
𝑖𝜃BT
𝑖+𝑎BT
𝑖𝜈BT
𝑖) + 𝑎MS
𝑖𝜖BT
𝑖𝜈MS
𝑖𝜃BT
𝑖
,
(12)
where 𝜈BT
𝑖and 𝜈MS
𝑖represent (𝛿BT
𝑖+𝜃BT
𝑖)and (𝛿MS
𝑖+𝜃MS
𝑖),
respectively. Proof of the sufficient conditions for (12) to exist
has been excluded due to the page limitation. Nonetheless, we
refer the reader to [12] for details on a similar derivation.
In summary, Theorem 1 showed that the state of the network
model derived in (7) and (8) will always belong to Ω. If the
network approaches the trivial equilibrium 𝑬0on the long-run,
then the malware spread in the user population would eventually
die out leaving all devices susceptible. There however, exists
another unique equilibrium 𝑬∗at which some constant fraction
of the population will always remain infected. Hence, if the
4
(a) Time evolution of susceptible population. (b) Time evolution of latent population. (c) Time evolution of disruptive population.
Fig. 2: Transient and steady-state comparison between the proposed (𝑀1) and benchmark (𝑀2) models, where 𝑟BT =10 meters
and the initial number of infected users are 𝐿BT (0)=𝐿MS (0)=10 and 𝐼BT (0)=𝐼MS (0)=15 users as in [6] and [12].
TABLE I: Network simulation parameters and settings.
Transition rates Value
Latent infection rate, 𝛽𝐿BT (=𝛽𝐿MS )0.015
Disruptive infection rate, 𝛽𝐼BT (=𝛽𝐼MS)0.01
Latency rate, 𝛿BT (=𝛿MS)0.04
Latent user recovery rate, 𝛾BT (=𝛾MS)0.03
Infected user recovery rate, 𝜃BT (=𝜃MS )0.06
Initial latent users, 𝐿BT(0)=𝐿MS(0)10
Initial infected users, 𝐼BT (0)=𝐼MS (0)15
network reaches 𝑬∗, our model is capable of not only distin-
guishing latent users from disruptive users, but also identifying
the transmission protocol promoting the malware spread using
(12). In turn, such information allows for early and effective
implementation of cost-aware control measures.
IV. SIMULATION RESULTS AN D DISCUSSIONS
In this section, Monte Carlo and numerical simulations are
conducted to validate the accuracy of our model (𝑀1) derived
in (7) and (8). An arbitrary MSN of 𝑁=1000 mobile users is
implemented using the GEMFsim tool [14]. For comparison, we
consider 𝑁homogeneously mixing users distributed randomly
in a 100 ×100 geographical area with density 𝜎similar to
[6] as the benchmark. Unlike 𝑀1, where the user interactions
are governed by contact matrices 𝑨and 𝑩, all users in the
benchmark model (𝑀2) have equal probability to receive the
malware via MS while each infected user can contact 𝜎𝜋𝑟 2
BT
neighboring nodes in discoverable BT mode. It is noteworthy
to mention that 𝑀2is a limiting case of 𝑀1and the two models
would converge in the case of a fully connected network. Thus,
the 𝑀1approximation is more reliable for statistical analysis
of empirical data as it spans over a wider range of network
structures.
Without loss of generality, the transition rates for all 𝑖∈ V
are taken to be fixed by dropping the subscripts. That is to
say, 𝛽𝐿BT
𝑖=𝛽𝐿BT ,𝛽𝐿MS
𝑖=𝛽𝐿MS ,𝛽𝐼BT
𝑖=𝛽𝐼BT ,𝛽𝐼MS
𝑖=𝛽𝐼MS ,
𝛾BT
𝑖=𝛾BT,𝛾MS
𝑖=𝛾MS,𝛿BT
𝑖=𝛿BT,𝛿MS
𝑖=𝛿MS,𝜃BT
𝑖=𝜃BT, and
𝜃MS
𝑖=𝜃MS. To mimic the disruptive behavior of malware, we
also set 𝛽𝐿BT > 𝛽𝐼BT ,𝛽𝐿MS > 𝛽𝐼MS ,𝜃BT > 𝛾BT , and 𝜃MS > 𝛾MS as
in [12]. Unless explicitly specified, the simulation parameters
and initial network conditions are given in Table I.
Fig. 3: Time evolution of BT-mediated infection (𝐿BT +𝐼BT )for
different values of 𝑟BT.
Fig. 2 shows the population size distribution for each epi-
demic class with respect to time. In contrast to the exponential
decay exhibited by the benchmark model in Fig. 2a, the fraction
of susceptible mobile users decreases to a relatively lower value
of approximately 18% in steady-state. Such behavior can be
explained by the increase in users with latent infection through
both, BT and MS services shown in Fig. 2b. As evident in this
figure, the malware infects nearly 75% of the total population
at 𝑡=10 before stabilizing to a steady value of around 58%.
More specifically, for a BT transmission range of 𝑟BT =10
meters, 10% of the users experience infection latency via BT
and about 65% through MS service at 𝑡=10. In agreement with
the findings in [5], MS is therefore, more effective in spreading
the malware as the underlying contact graph is not limited to any
spatial constraints. While the population of latent users in Fig. 2b
increases rapidly to its maximum in the transient period before
slowly descending towards the infection-chronic equilibrium
point, Fig. 2c shows a gradual growth in the number of disruptive
users. This is a clear indication of the impact of infection latency
on delaying the disruptive phase of the malware in affected user
handsets. From these figures, we observe that the benchmark
either underestimates or overestimates the behavioral dynamics
of our malware model which is corroborated with results from
stochastic simulations (colored lines) averaged over 10 runs.
To highlight the contribution of wireless BT as a short-range
malware spreading vector, Fig. 3 compares the fraction of BT-
5
Fig. 4: Susceptible versus infected user populations w.r.t. 𝑟BT.
mediated infected mobile users (latent as well as disruptive) for
different 𝑟BT values with respect to time. For the same initial
conditions given in Fig. 2, the number of users affected by the
malware through BT enabled connections rises with increase in
the transmission range. In most portable devices equipped with
broadcast communication technology, the distance at which the
information can be exchanged reaches up to 50 meters, if the
devices are in direct line of sight of each other, and between
10 to 20 meters in buildings. Taking into account these extreme
cases, we observe that under ideal environmental conditions,
the malware proliferates over the network in lesser time when
𝑟BT is large. For instance, nearly 95% of the user devices in the
network host the malware before 𝑡=5when 𝑟BT =40 meters,
whereas a shorter range of 𝑟BT =10 meters would result in
less than 10% of the network being infected within the same
time period. Such behavior is due to the fact that increasing
𝑟BT would cover a wider area thus, more likely allowing the
malware to compromise a larger set of the susceptible users in
the defined proximity. As a result, the average connectivity of
each user increases which explains why our model coincides
with the benchmark for larger 𝑟BT values.
The stationary relationship between the susceptible and in-
fected user groups is illustrated under different settings of
𝑟BT in Fig. 4. As time progresses, the number of susceptible
users decreases with increase in infected users. By separating
latent users from disruptive users, the figure reveals that the
latent population increases at a faster rate in comparison to
the disruptive population. This is because disruptive malware
codes are more active in infecting neighboring users while in
their latent period and mainly distort the user data stored in
devices during the disruptive phase. The dynamics of the latent
and disruptive users about the viral equilibrium is also worth
noting. Unlike the latent population that reaches its maximum
before falling towards equilibrium 𝑬∗, the fraction of disruptive
users steeply rises. Moreover, increasing 𝑟BT further raises the
peak at which latent infection outbreak occurs. For example,
extending the BT range from 10 to 40 meters increases the
maximum population of latent users by nearly 21% which in
turn, suppresses the disruptive population growth as 𝛽𝐿BT > 𝛽𝐼BT
and 𝛽𝐿MS > 𝛽𝐼MS are specific only to disruptive malware.
Such distinctions are obscure in existing malware models that
undermine the impact of infection propagation latency.
V. CONCLUSION
In this paper, we introduced a modeling framework for
effective projection of disruptive malware epidemics in MSNs.
Unlike most existing virus epidemic models, we incorporated in-
fection delay specific to disruptive malware programs to differ-
entiate between the steady-state fraction of infected users in the
latent and disruptive stages. Specifically, we proposed a tractable
mean-field approximation model for the underlying Markovian
process to capture the impact of user-level interaction dynamics
on the spreading pattern of the malware through personal and
spatial social connections. By considering heterogeneity in the
state transition rates, global stability and existence of the system
equilibrium points were investigated to justify the steady-state
behavior, based on which more effective containment measures
can be devised. With respect to the benchmark model built
on uniform user interactions, we demonstrated that infection
latency can profoundly impact the accuracy of the proposed
model in not only assessing the spreading risks of the hybrid
malware via spatial and personal communication links in short
time, but also in optimizing investments needed to control the
spread by targeting devices that are in the latent infection stage.
REFERENCES
[1] X. Hu, T. H. S. Chu, V. C. M. Leung, E. C. Ngai, P. Kruchten, and H. C.
Chan, “A survey on mobile social networks: Applications, platforms,
system architectures, and future research directions,” IEEE Commun.
Surveys Tuts., vol. 17, no. 3, pp. 1557–1581, Third Quarter 2015.
[2] S. Peng, S. Yu, and A. Yang, “Smartphone malware and its propagation
modeling: A survey,” IEEE Commun. Surveys Tuts., vol. 16, no. 2, pp.
925–941, Second Quart 2014.
[3] S. Sen, E. Aydogan, and A. I. Aysan, “Coevolution of mobile malware
and anti-malware,” IEEE Trans. Inf. Forensics Security, vol. 13, no. 10,
pp. 2563–2574, Oct. 2018.
[4] N. Abuzainab and W. Saad, “A multiclass mean-field game for thwarting
misinformation spread in the internet of battlefield things,” IEEE Trans.
Commun., vol. 66, no. 12, pp. 6643–6658, Dec. 2018.
[5] P. Wang, M. C. Gonz´
alez, C. A. Hidalgo, and A.-L. Barab´
asi, “Under-
standing the spreading patterns of mobile phone viruses,” Science, vol.
324, no. 5930, pp. 1071–1076, May 2009.
[6] S. Cheng, W. C. Ao, P. Chen, and K. Chen, “On modeling malware
propagation in generalized social networks,” IEEE Commun. Lett.,
vol. 15, no. 1, pp. 25–27, Jan. 2011.
[7] Q. Xu, Z. Su, K. Zhang, P. Ren, and X. S. Shen, “Epidemic information
dissemination in mobile social networks with opportunistic links,” IEEE
Trans. Emerg. Topics Comput., vol. 3, no. 3, pp. 399–409, Sep. 2015.
[8] M. Ogura and V. M. Preciado, “Stability of spreading processes over
time-varying large-scale networks,” IEEE Trans. Netw. Sci. Eng., vol. 3,
no. 1, pp. 44–57, Jan. 2016.
[9] A. Dadlani, M. S. Kumar, M. G. Maddi, and K. Kim, “Mean-field
dynamics of inter-switching memes competing over multiplex social
networks,” IEEE Commun. Lett., vol. 21, no. 5, pp. 967–970, May 2017.
[10] F. Darabi Sahneh, C. Scoglio, and P. Van Mieghem, “Generalized
epidemic mean-field model for spreading processes over multilayer
complex networks,” IEEE/ACM Transactions on Networking, vol. 21,
no. 5, pp. 1609–1620, Oct. 2013.
[11] L. Yang, X. Yang, and Y. Y. Tang, “A bi-virus competing spreading
model with generic infection rates,” IEEE Trans. Netw. Sci. Eng., vol. 5,
no. 1, pp. 2–13, Jan. 2018.
[12] Y. Wu, P. Li, L.-X. Yang, X. Yang, and Y. Y. Tang, “A theoretical
method for assessing disruptive computer viruses,” Physica A, vol. 482,
pp. 325–336, Sep. 2017.
[13] P. V. Mieghem, Graph Spectra for Complex Networks. Cambridge
University Press, 2011.
[14] F. D. Sahneh, A. Vajdi, H. Shakeri, F. Fan, and C. Scoglio, “Gemfsim: A
stochastic simulator for the generalized epidemic modeling framework,”
Journal of Computational Science, vol. 22, pp. 36–44, 2017.