
Non-replicative dispatch

6.1 System model

6.1.1 Non-replicative dispatch

System Dynamics

A fraction $R_0$ of nodes, referred to as dispatchers, are pre-loaded with security patches. A dispatcher can be stationary, such as a base-station or an access point in a 3G/4G cellular network, or a roaming agent as in a delay-tolerant network (DTN). The dispatchers are immune to infection themselves and are therefore always in the recovered state. The dispatchers can transmit the patches to the susceptible and infective nodes and immunize the susceptibles and possibly heal the infectives to the recovered state.

three of the above states: we choose $(S, I, D)$. At the start of the recovery process, that is at time zero, some but not all nodes are infected: $0 < I(0) = I_0 < 1$, and WLoG only the dispatchers are in the recovered state: $R(0) = R_0$, $0 < R_0 < 1$, $I_0 + R_0 < 1$, and WLoG no node is dead: $D(0) = 0$. Thus, $S(0) = 1 - I_0 - R_0$.

As before, two nodes are said to be in contact whenever they communicate. Following the description of assumptions in Chapter 2, specifically the homogeneous mixing property, each pair of infective-susceptible nodes contact at rate $\hat{\beta}$. A dispatcher initiates a communication with another node at a possibly different rate $\tilde{\beta}$. Let the fraction of activated dispatchers at time $t$ be $\varepsilon(t)$. Upon a contact between an activated dispatcher and another node at time $t$, the security patch is transmitted from the dispatcher to the receiver node with probability $u(t)$, which we refer to as the patch transmission rate. Note that, as we alluded to in Chapter 2, distinction between an infective node and a susceptible node is difficult a priori. Indeed, we assume that from the system's point of view, information about whether or not a node is infective is not available to that node or to any other node. Therefore, information about the state of the nodes which a dispatcher communicates with is either nonexistent or at best represents a statistic about the average state of the whole network, which is identical for all dispatchers. Hence, at any given time $t$, the selection of which dispatchers are to be activated is nonspecific (as long as the fraction of activated ones is $\varepsilon(t)$), and the activated dispatcher nodes use the same $u(t)$, as opposed to an individual-based strategy. Nevertheless, the fraction of activated dispatchers $\varepsilon$ and the rate of dispatching $u$ can be allowed to vary with time, i.e., selected dynamically, though identically among individual nodes. In fact, as we demonstrate in §6.5, such dynamic selections substantially enhance the efficacy of the countermeasure. Implementation of such dynamic policies, however, may require global coordination among the dispatchers. But as we will prove later (§§6.2, 6.3), optimal strategies follow very simple structures which make them amenable to implementation.
Moreover, as our numerical computations in Appendix A suggest, the overall cost is robust against drifts in the local clocks of the dispatchers.

If the receptor of a security patch is a susceptible node, it installs the security patch, is subsequently immunized, and its state changes to recovered. If however the receptor is an infective, the patch may fail to heal it, or the worm may obstruct or delay its installation. As we mentioned in Chapter 2, we capture the above possibility by introducing a coefficient $0 \le \pi \le 1$. $\pi = 0$ corresponds to the case where the patch is completely unable to remove the worm from infectives, and only immunizes the susceptibles, whereas $\pi = 1$ represents the other extreme scenario where a patch can equally well immunize and heal susceptibles and infectives, and intermediate values of $\pi$ represent probabilistic or delayed recovery for infectives. Let

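$$\vartheta(t) := u(t)\varepsilon(t), \quad \text{and let} \quad \beta_0 := \lim_{N\to\infty} N \times \hat{\beta}, \quad \beta_1 := \lim_{N\to\infty} N \times \tilde{\beta}. \tag{6.1.1}$$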

Now the evolution of the state of the system can be modeled as the following system of differential equations:

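$$\dot{S}(t) = -\beta_0 I(t) S(t) - \beta_1 \vartheta(t) R_0 S(t) \tag{6.1.2a}$$

$$\dot{I}(t) = \beta_0 I(t) S(t) - \pi \beta_1 \vartheta(t) R_0 I(t) - \delta I(t) \tag{6.1.2b}$$

$$\dot{D}(t) = \delta I(t) \tag{6.1.2c}$$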

with initial constraints:

$$I(0) = I_0, \quad S(0) = 1 - I_0 - R_0, \quad D(0) = 0 \tag{6.1.3}$$

and also satisfy the following constraints at all $t$:

$$0 \le S(t),\, I(t),\, D(t), \qquad S(t) + I(t) + D(t) \le 1. \tag{6.1.4}$$

Aggregate Cost

The network may suffer over time from the infected hosts, used by the worm to (i) eavesdrop and analyze and/or (ii) alter or destroy the traffic that is generated or relayed by the infected hosts. An attacker also inflicts cost by killing nodes. At each time $t$, the network incurs a cost at the rate of $f(I(t))$ due to the presence of the infectives, and $g(D(t))$ owing to the loss of nodes through mortality, where $f(.)$ is a non-decreasing, twice-differentiable, convex function of $I$ such that $f(0) = 0$ and $f(I) > 0$ for $I > 0$, and $g(.)$ is a non-decreasing differentiable function of $D$ such that $g(0) = 0$.

Here, we motivate a cost function based on the overall bandwidth consumed through dissemination of the security patches. Recall that there are a total of $N R_0$ dispatchers, an $\varepsilon(t)$ fraction of them are activated at time $t$, which transmit the patches at rate $u(t)$. Thus the total rate of bandwidth consumed for distribution of the patches at time $t$ is directly proportional to $\varepsilon(t) u(t) R_0 = \vartheta(t) R_0$. The network incurs a cost at rate $h(R_0 \vartheta(t))$ due to the above bandwidth consumption, where $h(x)$ is a twice-differentiable and increasing function in $x$ such that $h(0) = 0$ and $h(x) > 0$ when $x > 0$. Note that the assumptions on $f(.)$, $g(.)$, $h(.)$ are mild and natural and a large class of functions satisfy them.

The aggregate network cost therefore is:

$$J = \int_0^T \left[ f(I(t)) + g(D(t)) + h(R_0 \vartheta(t)) \right] dt. \tag{6.1.5}$$

Since $J$ depends on the integration of $f(I(t))$ and $g(D(t))$ over time, $J$ is minimized not only when the levels of infection and dead are suppressed, but also when this is accomplished early. Since $J$ depends on the bandwidth consumption through the integration of the $h(\cdot)$ function, the minimization of $J$ attains desired trade-offs between the speed of infection control and the bandwidth consumed in patching.

Once the function $\vartheta(.)$, hereafter denoted as the immunization rate function, is selected, the system state vector $(S, I, D)$ is specified at all $t$ as a solution to (6.1.2) and (6.1.3), and hence the aggregate cost $J$ is determined as well. Thus, the control $\vartheta(.)$ is considered only as a function of time rather than that of the system states, and $J$ is denoted as $J(\vartheta)$ instead. The system seeks to minimize the aggregate cost $J(\vartheta)$ by appropriately regulating the immunization rate function $\vartheta(t)$ subject to $0 \le \vartheta(t) \le \vartheta_{\max}$ for all $t \in [0, T]$. The bounds on $\vartheta(t)$ arise since $0 \le \varepsilon(t) \le 1$ and $0 \le u(t) \le u_{\max}$ due to physical constraints of the dispatcher devices. With appropriate scaling by choice of $\beta_1$, we can assume $\vartheta_{\max} = 1$. Thus,

$$0 \le \vartheta(t) \le 1 \quad \text{for all } t \in [0, T]. \tag{6.1.6}$$

Definition 1. An immunization rate function $\vartheta(.)$ is called an admissible control if (i) $\vartheta(.)$ satisfies (6.1.6), and (ii) $\vartheta(.)$ is piecewise continuous such that the left and right hand limits exist at the points of discontinuity. A pair of state and control functions $((S(.), I(.), D(.)), \vartheta(.))$ is called an admissible pair if (i) $\vartheta(.)$ is an admissible control and (ii) the pair satisfies (6.1.2), (6.1.3).

We soon show in Lemma 6.1.1 that for any admissible pair of state and control functions, the state constraints in (6.1.4) are automatically satisfied throughout $(0 \ldots T]$. Hence, we ignore (6.1.4) and pose the optimal control problem as follows:

Problem Statement 1 (Minimum cost immunization). Let $((S(.), I(.), D(.)), \vartheta(.))$ be an admissible pair. If $J(\vartheta) \le J(\vartheta)$ for any admissible control $\vartheta(.)$ then $((S(.), I(.), D(.)), \vartheta(.))$ is called an optimal solution and $\vartheta(.)$ is called an optimal control or the optimal immunization rate function and $J(\vartheta)$ the minimum cost under non-replicative dispatch.

Lemma 6.1.1. Any admissible pair of state and control functions $((S(t), I(t), D(t)), \vartheta(t))$ satisfies the state constraints in (6.1.4) in the $[0, T]$ interval. Moreover, all constraints except $D(t) \ge 0$ are satisfied in the strict form in $[0, T]$.

Proof. First, let $\delta > 0$. Since $0 < I_0 + R_0 < 1$ and $I_0, R_0 > 0$, the initial conditions in (6.1.3) ensure that all constraints (6.1.4) are strictly met at $t = 0$, except that $D(0) = 0$. The lemma follows if we show that all constraints in (6.1.4) are strictly satisfied in $(0, T]$.

All $S(.)$, $I(.)$ and $D(.)$ resulting from (6.1.2) are continuous functions of time. Thus, since $S(0), I(0) > 0$ and $S(0) + I(0) + D(0) = 1 - R_0 < 1$, there exists an interval $(0, t_0)$ of nonzero length on which both $S(t)$ and $I(t)$ are strictly positive and $S(t) + I(t) + D(t) < 1$. Thus, from (6.1.2) and (6.1.3), $\dot{D}(t) > 0$ in $[0, t_0)$. Thus, from (6.1.3), $D(t) > 0$ in $(0, t_0)$. Thus, (6.1.4) is strictly satisfied in $[0, t_0)$.

Now, suppose that the constraints in (6.1.4) are not strictly satisfied in $(0, T]$. Then, there exists a time $t_1$ which is the first time after $t = 0$ at which at least one of the constraints in (6.1.4) becomes active. That is, we have (i) $S(t_1) = 0$ OR (ii) $I(t_1) = 0$ OR (iii) $D(t_1) = 0$ OR (iv) $S(t_1) + I(t_1) + D(t_1) = 1$ AND throughout $(0, t_1)$, we have $0 < S(t), I(t), D(t)$ and $S(t) + I(t) + D(t) < 1$. Thus, for $0 \le t < t_1$, from (6.1.2), (6.1.3), (6.1.6) and since $R_0 < 1$, we have $\dot{S}(t) \ge -(\beta_0 + \beta_1) S(t)$. Hence, $S(t) \ge S(0) e^{-(\beta_0 + \beta_1) t}$ for all $0 \le t < t_1$. Since $S(.)$ is continuous, $S(t_1) \ge S(0) e^{-(\beta_0 + \beta_1) t_0}$. Similarly, we can show that $I(t_1) \ge I(0) e^{-(\beta_1 + \delta) t_0}$. Thus, since $S(0) > 0$, $I(0) > 0$, (i) and (ii) are ruled out. Next, from (6.1.2), $\dot{D}(t) > 0$ in $(0, t_1)$. Thus, from the continuity of $D(.)$ and since $D(t) > 0$ in $(0, t_1)$, (iii) is ruled out. Again, $\frac{d}{dt}\left(S(t) + I(t) + D(t)\right) \le 0$ in $(0, t_1)$. Thus, from the continuity of $S(.)$, $I(.)$, $D(.)$ and since $S(t) + I(t) + D(t) < 1$ in $(0, t_1)$, (iv) is ruled out as well. This negates the existence of $t_1$. Thus, by contradiction, the constraints in (6.1.4) are strictly satisfied in $(0, T]$.

If $\delta = 0$, from (6.1.2) and (6.1.3), $D(t) = 0$ for all $t \in [0, T]$. Using similar arguments we can show that $S(t), I(t) > 0$ and $S(t) + I(t) < 1$ for all $t \in [0, T]$. The lemma follows.
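As an added illustration (not part of the original text), the following Python code integrates (6.1.2) from (6.1.3) for three admissible controls, evaluates the aggregate cost $J(\vartheta)$ of (6.1.5), and checks the strict state constraints of Lemma 6.1.1 on the time grid. The parameter values, the cost functions f, g, h and the three policies are assumptions, constructed only to satisfy the conditions stated in the text.

```python
# Added example: every numeric value, f, g, h and the policies are constructed.
B0, B1, PI, DELTA = 1.0, 2.0, 0.5, 0.05      # beta_0, beta_1, pi, delta
I0, R0, T, STEPS = 0.1, 0.2, 10.0, 2000      # initial fractions, horizon, grid size

def f(I): return 10.0 * I                    # convex, non-decreasing, f(0) = 0
def g(D): return 5.0 * D                     # non-decreasing, g(0) = 0
def h(x): return 5.0 * x                     # increasing, h(0) = 0

def rhs(x, th):
    """Right-hand side of (6.1.2a)-(6.1.2c) for state x = (S, I, D)."""
    S, I, D = x
    return (-B0 * I * S - B1 * th * R0 * S,
            B0 * I * S - PI * B1 * th * R0 * I - DELTA * I,
            DELTA * I)

def simulate(theta):
    """RK4 trajectory and trapezoid-rule cost J(theta) for a control theta(t)."""
    dt, x, traj, J = T / STEPS, (1.0 - I0 - R0, I0, 0.0), [], 0.0
    clip = lambda s: min(1.0, max(0.0, theta(s)))          # enforce (6.1.6)
    rate = lambda y, th: f(y[1]) + g(y[2]) + h(R0 * th)    # integrand of (6.1.5)
    for k in range(STEPS):
        t = k * dt
        th0, thm, th1 = clip(t), clip(t + dt / 2), clip(t + dt)
        move = lambda d, c: tuple(a + c * b for a, b in zip(x, d))
        k1 = rhs(x, th0)
        k2 = rhs(move(k1, dt / 2), thm)
        k3 = rhs(move(k2, dt / 2), thm)
        k4 = rhs(move(k3, dt), th1)
        nxt = tuple(a + dt / 6 * (p + 2 * q + 2 * r + s)
                    for a, p, q, r, s in zip(x, k1, k2, k3, k4))
        J += dt / 2 * (rate(x, th0) + rate(nxt, th1))
        traj.append(x)
        x = nxt
    return traj + [x], J

def strictly_feasible(traj):
    """Lemma 6.1.1 on the grid: S, I > 0, S + I + D < 1, and D > 0 after t = 0."""
    return (all(S > 0 and I > 0 and D >= 0 and S + I + D < 1 for S, I, D in traj)
            and all(D > 0 for _, _, D in traj[1:]))

POLICIES = {"off": lambda t: 0.0, "on": lambda t: 1.0,
            "on_then_off": lambda t: 1.0 if t < 5.0 else 0.0}

def compare():
    return {name: simulate(th) for name, th in POLICIES.items()}

if __name__ == "__main__":
    for name, (traj, J) in compare().items():
        print(name, round(J, 3), round(traj[-1][1], 3), strictly_feasible(traj))
```

With $\vartheta \equiv 0$ the sum $S + I + D$ stays at $1 - R_0$, since summing (6.1.2a)-(6.1.2c) leaves only the patching terms, which vanish.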