7 ICS cyber security: modelling techniques and tools
7.5 SIR Model of Epidemics
SIR is an epidemics-based model [61] that can be used in cyber security to study how a malware infection spreads among machines. SIR stands for Susceptible, Infected, Recovered. The model represents the spread of a disease through a population in which individuals are susceptible to the disease, may contract it, and then recover and become immune to future infection. There is also a variant, Susceptible, Infected, Removed, that allows infected individuals to die of the disease and thus leave the population under study. An individual may move from the susceptible to the infected group when he or she comes into contact with an infected individual.
Given specific assumptions on the average number of transmissions possible from an infected individual in each period, and on the recovery rate of each individual, specific algorithms show the outcome of the spread. Two results in [61] are worth noting: if individuals are going to die from an infectious disease, it is better (for the purpose of ending the epidemic) that they die fast; and it is not necessary to immunise everyone in the population in order to prevent an epidemic.
There are several analogies between malware and the epidemics affecting the animal world. The cyber security domain treats each individual as a machine that may be infected by malware, and recovery as the action of the antivirus software in place to remove the infection. Dying individuals represent machines that have been fatally compromised. In [61], an individual can pass from S to I and from I to R. When R is reached, the subject is removed from the study (either because of death or because the subject has become immune to the disease). The transitions between states are governed by several variables. In [62,63], the work of Tassier [61] has been tailored to cyber disease spreading along an ICT network composed of a SCADA system interconnected to a corporate network. The network is simply described by a graph: each ICT device (an individual in [61]) is a node, and there is an arc between two nodes if they can communicate with each other (arcs are symmetric).
The Susceptible, Infected and Resistant (SIR) model was originally developed to study the evolution of a disease over a population, where each individual may be susceptible to the infection, have contracted it, or be immune/resistant. The similarity with malware is very high, but ICT models such as the one in [62,63] have the problem that the model variables take different values depending on the cyber security solution adopted for each kind of node.
Let $N$ be the number of nodes of the network; it is constant. Let $j \in \{1, \dots, N\}$ index the nodes, and for every node $j$ let $d_j$ be the number of neighbours of node $j$. $\alpha$ is the malware spread value. There are several kinds of malware, and they can be differentiated by their spreading velocity: a malware that spreads itself too fast is easily detectable because of the high traffic it generates on the network. So $\beta_j = \alpha\, d_j$ indicates to how many neighbours the malware sends itself.
Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx
Final version Page 96 on 153
Each host device has its own security policies (e.g. the system is patched), or simply runs an operating system the specific malware is not compatible with (e.g. a malware written for Windows cannot infect a Linux machine). A fully patched system is not 100% secure, because there are always zero-day vulnerabilities. Let $\gamma$ be that probability (the probability that a node contracts the malware).
In [61], once a node becomes infected, a variable ( ) accounts for the fact that after a certain time the node automatically becomes resistant. In [62,63], removing the malware requires some action, such as an antivirus scan or maintenance.
The antivirus is only able to detect malware with a known signature, with a certain probability, or on the basis of a heuristic. The probability that the antivirus detects (and then removes) the malware is a further variable, and $k$ is the rate at which the scan is performed. In Tassier [61], $k$ and $\beta$ are constants, while the detection probability and $\gamma$ are not defined.
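As an added worked example (not code from [62,63] or from this deliverable), the following Python simulation puts the variables above on a small constructed network. Each node has a kind with its own $\gamma$, scan rate $k$ and antivirus detection probability (named `p_detect` here, since the text's symbol for it is not available), mirroring the observation that the model variables differ per kind of node. Every infected node sends the malware to $\beta_j = \alpha\, d_j$ of its neighbours in each time step, a neighbour that is still susceptible contracts it with probability $\gamma$, and an infected node is scanned with probability $k$ and cured with probability `p_detect`. The topology, the parameter values, the handling of a fractional $\beta_j$ (rounded) and the choice that a node infected in a step only acts from the next step are assumptions of this example, not of [62,63].

```python
"""Discrete-time SIR malware spread on an undirected graph (added example)."""
import random
from dataclasses import dataclass

S, I, R = "S", "I", "R"  # Susceptible, Infected, Resistant/Removed


@dataclass(frozen=True)
class NodeKind:
    """Security parameters shared by one kind of device (e.g. SCADA host,
    corporate workstation). gamma and k are the text's symbols; p_detect is
    this example's name for the antivirus detection probability."""
    gamma: float     # probability that a targeted susceptible node contracts the malware
    p_detect: float  # probability that a scan detects (and so removes) the malware
    k: float         # scan rate: probability that a scan runs on the node in a time step


def build_network(edges):
    """Adjacency lists for a graph whose arcs are symmetric."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, []).append(b)
        graph.setdefault(b, []).append(a)
    return graph


def step(graph, state, kind_of, alpha, rng):
    """One time step. Spread and recovery both read the state at the start of
    the step, so a node infected now neither spreads nor recovers until the
    next step (assumption of this example)."""
    new_state = dict(state)
    for j, st in state.items():
        if st != I:
            continue
        d_j = len(graph[j])
        beta_j = min(d_j, int(round(alpha * d_j)))  # neighbours the malware is sent to
        for target in rng.sample(graph[j], beta_j):
            if state[target] == S and rng.random() < kind_of[target].gamma:
                new_state[target] = I
        kind = kind_of[j]
        if rng.random() < kind.k and rng.random() < kind.p_detect:
            new_state[j] = R  # scan ran and the antivirus recognised the malware
    return new_state


def counts(state):
    return {s: sum(1 for v in state.values() if v == s) for s in (S, I, R)}


def simulate(graph, kind_of, alpha, initially_infected, initially_resistant=(),
             steps=50, seed=0):
    """Run until no infected node remains or `steps` elapse; return the
    (S, I, R) counts after each step, starting with the initial state."""
    rng = random.Random(seed)
    state = {j: S for j in graph}
    for j in initially_resistant:
        state[j] = R  # e.g. a node running an OS the malware cannot infect
    for j in initially_infected:
        state[j] = I
    history = [counts(state)]
    for _ in range(steps):
        if history[-1][I] == 0:
            break
        state = step(graph, state, kind_of, alpha, rng)
        history.append(counts(state))
    return history


if __name__ == "__main__":
    # Constructed topology: corporate mesh c1..c4 and SCADA hosts s1..s3 joined by gateway gw.
    edges = [("c1", "c2"), ("c2", "c3"), ("c3", "c4"), ("c4", "c1"), ("c1", "c3"),
             ("c2", "gw"), ("gw", "s1"), ("gw", "s2"), ("s1", "s2"), ("s2", "s3")]
    graph = build_network(edges)
    corporate = NodeKind(gamma=0.6, p_detect=0.8, k=0.5)  # patched, regularly scanned
    scada = NodeKind(gamma=0.9, p_detect=0.3, k=0.1)      # rarely patched, rarely scanned
    kind_of = {j: (scada if j.startswith("s") else corporate) for j in graph}
    # gw starts Resistant: immunising one well-placed node, not everyone, limits the spread.
    for t, c in enumerate(simulate(graph, kind_of, alpha=0.5, initially_infected=["c1"],
                                   initially_resistant=["gw"], seed=1)):
        print(f"t={t:2d}  S={c[S]}  I={c[I]}  R={c[R]}")
```

Two limiting cases are useful checks on the implementation: with $\gamma = 0$ nobody ever gets infected and the only transition is the initial node's recovery, and with `p_detect = 0` and $\gamma = \alpha = 1$ the whole connected component ends up infected and stays so, since nothing ever moves a node to R.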
In [62,63] the spreading algorithm is:
At time $t$:
7.5.1 NetLogo
[62] implements, by means of NetLogo, the SIR model representing cyber disease spreading along an ICT network composed of a SCADA system interconnected to a corporate network. NetLogo [64] is a multi-agent programmable modelling environment. It provides a user interface with three tabs:
Interface tab - This tab is used both by the end user and by the programmer. The programmer uses it to create buttons (e.g. for the setup and the start of the simulation) and the area for the visualisation. The end user instead uses this tab only to watch the simulation run.
Information tab - This tab is standard and not modifiable, and is common to all NetLogo programs. An end user can use it to obtain some extra general information about NetLogo.
Procedures tab - In this tab the programmer writes the code. It is composed of several procedures, and some variables are set from the Interface tab with sliders. These variables are global. Variables are not passed to procedures, so a variable used across several procedures has to be declared global.
NetLogo uses three types of agents: turtles, links and patches. Mobile agents (turtles) move over a grid of stationary agents (patches). Link agents connect turtles to form networks, graphs and aggregates. NetLogo allows the creation of sub-kinds of turtles and links (called breeds). A breed is a collection of agents with the same properties. [62] uses breeds to group devices of the same kind (i.e. with the same vulnerabilities/security policies), so that the model variables can easily be set and/or specified per kind.