Contents lists available atScienceDirect
Nonlinear Analysis: Real World Applications
journal homepage:www.elsevier.com/locate/nonrwaFuzzy epidemic model for the transmission of worms in
computer network
Bimal Kumar Mishra
a,∗, Samir Kumar Pandey
baDepartment of Applied Mathematics, Birla Institute of Technology, Mesra, Ranchi, 835215, India
bDepartment of Applied Mathematics, Ramchandra Chandravansi Institute of Technology, Bishrampur, Palamau, 822124, India
a r t i c l e i n f o Article history: Received 3 February 2010 Accepted 1 May 2010 Keywords: Epidemic model Worms Fuzzy sets/logic Computer network Fuzzy reproductive number
a b s t r a c t
An e-epidemic SIRS (susceptible–infectious–recovered–susceptible) model for the fuzzy transmission of worms in computer network is formulated. We have analyzed the compar-ison between classical basic reproduction number and fuzzy basic reproduction number, that is, when both coincide and when both differ. The three cases of epidemic control strate-gies of worms in the computer network – low, medium, and, high – are analyzed, which may help us to understand the attacking behavior and also may lead to control of worms. Numerical methods are employed to solve and simulate the system of equations developed.
©2010 Elsevier Ltd. All rights reserved.
1. Introduction
The growth of Internet technology has thrown severe challenges in form of requirement of a suitable cyber defense sys-tem to safeguard the valuable information stored on syssys-tem and for information in transit. Towards this goal it makes us nec-essary to study and understand the different type of worms and develop mathematical models to represent their behavior. Worms behave like infectious diseases and are epidemic in nature. A computer worm is a self contained program that is able to spread functional copies of itself or its segment to other computer system without a dependency on another program to host its code. Model’s ability to predict worm’s behavior depends greatly on the assumptions made in the modeling process. The mathematical models will be generalized to represent the behavior of numerous other worms. The generalized model will be incorporated into a cyber defense system to proactively safeguard the information and information interchange.
The action of worms throughout a network can be studied by using epidemiological models for disease propagation [1–10]. Based on the Kermack and McKendrick SIR classical epidemic model [11–13], dynamical models for malicious objects propagation were proposed, providing estimations for temporal evolutions of nodes depending on network parameters considering topological aspects of the network [1–3,14–17]. The kind of approach was applied to e-mail propagation schemes [18] and modification of SIR models generated guides for infection prevention by using the concept of epidemiological threshold [1–3,19]. Richard and Mark [20] propose an improved SEI (susceptible–exposed–infected) model to simulate virus propagation. However, they do not show the length of latency and take into account the impact of anti-virus software. The model SEIR proposed by the authors [21] assumes that recovery hosts have a permanent immunization period with a certain probability, which is not consistent with real situation. In order to overcome limitation, Mishra and Saini [1] present an SEIRS model with latent and temporary immune periods, which can reveal common worm propagation. Recently, more research attention has been paid to the combination of virus propagation model and antivirus countermeasures to study the prevalence of virus, e.g., virus immunization [3,22–26] and quarantine [27–29]. Extending the SEIRS model of [1], Mishra et al. introduced new compartment quarantine and its effect has been analyzed in [30].
∗Corresponding author. Tel.: +91 9430764860.
E-mail addresses:[email protected](B.K. Mishra),[email protected](S.K. Pandey). 1468-1218/$ – see front matter©2010 Elsevier Ltd. All rights reserved.
α ε γ
Fig. 1. Schematic diagram for flow of worms in computer network.
Transmissions of malicious objects (virus, worms, Trojans) in computer network are analogous to biological infectious diseases and are epidemic in nature. Epidemic systems, in particular those dealing with infectious diseases, have strong non-linearities and should be treated in a different way. These non-linearities are due to the fact that force of epidemic of an infectious agent, depends, among other things, on the fraction of susceptible nodes and fraction of infectious nodes. Both susceptibility and infectiousness are intrinsically fuzzy concepts and are, therefore, ideal subjects for fuzzy logic analysis. The mathematical models of transmission of worms in computer network are always subject to inaccuracies related to the nature of the state variables involved, parameters and/or initial conditions. In these models, the estimation of parameters is usually based on statistical methods, starting from data obtained experimentally to the choice of the method adapted to their identification. In this paper, we have used the concept of Fuzzy Set/Relations Theory which is an extension of the concept of a crisp set. It also deals with the techniques of computing and manipulating with fuzzy sets. Though Fuzzy epidemic models for human infectious disease have been well studied [31–39] but very few applications and research papers, using fuzzy logic, in the transmission of malicious objects in computer network exists in literature.
2. The simple SIRS model
A simple classical SIRS model describe the dynamics of directly transmitted worms with interaction among susceptible, infected and recovered nodes in the computer network without neither vital dynamics (i.e. the rates of birth and mortality (reason other than attack of worms) are not considered), nor additional disease fatality rate. The Schematic diagram for the flow of worms in computer network (Fig. 1) model can be represented as:
The system of differential equations of such models is given by: dS dt
= −
α
IS+
γ
S dI dt=
α
IS−
ε
R (1) dR dt=
ε
R−
γ
S where,
S+
I+
R=
1,
(2)andSis the proportion of susceptible nodes,Iis the proportion of infected nodes,Ris the proportion of recovered nodes,
α
is the contact rate,ε
is the recovery rate andγ
is the rate of susceptible after recovery. We now suppose an extension of the SIRS model incorporating heterogeneities, considering that nodes with different amount of worms contribute differently to the worm propagation.3. The SIRS fuzzy model
We assume that the population heterogeneity is given by the worm load of infected nodes. That is, the higher the worm load, the higher will be the chance of worm transmission. We take
α
=
α(
x)
measures the chance of a transmission to occur in a meeting between a susceptible and an infected nodes with an amount of wormsx. Then some values ofα
are more possible than others and that turnsα
into a membership function of a fuzzy number. To obtain the membership functionα
, we assume when the amount of worms in a node is relatively low, the chance of transmission is negligible and that there is a minimum amount of wormsxminneeded to cause transmission. Furthermore, for a certain amount of wormsxM, thechance of transmission is maximum and equal to one. We also suppose that the amount of worms in a node in a computer is always limited byxmax. Then we define the following membership function, whose representation is depicted inFig. 2[39].
α(
x)
=
0,
ifx<
xmin x−
xmin xM−
xmin,
ifxmin<
x<
xM 1,
ifxM<
x<
xmax.
(3)Now, the node’s recovery rate
ε
=
ε(
x)
is also a function of the worm load. The higher the worm load, the longer it will take to recover from infection. i.e.,ε
should be a decreasing function ofx(Fig. 3). That is,ε(
x)
=
ε
0−
1xmax
x
+
1 (4)α(x)
xmin xM xmax
Fig. 2. Fuzzy coefficient of worm transmissionα=α(x).
ε ε
0 (x)
xmax x
Fig. 3. Recovery fuzzy rateε=ε(x).
γ γ
0 (x)
xmax xxx
Fig. 4. Fuzzy rate of susceptibilityγ=γ (x).
Now,
γ
=
γ (
x)
is the rate of susceptible after recovery, that is, the recovered nodes may be susceptible again. The higher we use secondary devices and/or internet services, the higher it will be susceptible after recovery. So, it will be increasing function ofx(Fig. 4) and we define this function as,γ (
x)
=
1−
γ
0xmax
x (5)
where,
γ
0>
0 (and<
1) is the lowest susceptibility rate after recovery.We also assume that the amount of worms differ in different nodes of the computer network, that is,xcan be seen as a fuzzy number with a triangular shape, according to the following membership function (Fig. 5):
ρ(
x)
=
1−
|
x− ¯
x|
δ
,
ifx∈ [¯
x−
δ,
x¯
+
δ
]
0
,
ifx6∈ [¯
x−
δ,
x¯
+
δ
]
(6) where the parameterx
¯
is a central value andδ
gives the dispersion of each one of the fuzzy sets assumed byx. For a fixed¯
+
ρ
Fig. 5. Membership function of the variablex, mount of the worms –ρ[39].
4. Solution and equilibrium points
To study the evolution of number of infected nodes, that is, if the number of infected nodes increases indefinitely or not, we study the stability of equilibrium points. For this, from the system(1)and Eq.(2), we have
dS
dt
= −
α
IS+
γ
S (A)dI
dt
=
α
IS−
ε(
1−
S−
I).
Then, for the equilibrium points, we take, ddSt
=
0 and ddtI=
0, we get three equilibrium pointsP1(
1,
0,
0),
P2(
0,
1,
0)
andP3
ε(αα(γ−+γ )ε),
γα,
γ (αα(γ−+γ )ε). The analysis of the stability of the system(1)shows thatP1,
P2are unstable butP3(withγ
≤
α
) is asymptotically stable, which indicates that even if the number of infected nodes increases (supposing initiallyI0small), thisnumber will stabilize inγ (αα(γ−+γ )ε). Moreover,ε(αα(γ−+γ )ε)of the population will not be affected. Now, taking into account the worm load, we have,
P3
=
ε(
x)(α(
x)
−
γ (
x))
α(
x)(γ (
x)
+
ε(
x))
,
γ (
x)
α(
x)
,
γ (
x)(α(
x)
−
γ (
x))
α(
x)(γ (
x)
+
ε(
x))
.
Asγ (α(xx))
<
1, so, a value of bifurcation forxisx∗, the solution of the equationγ (
x)
=
α(
x)
will be, x∗=
xMxmaxxmax
+
(
1−
γ
0)(
xM−
xmin)
.
(7)Andxmin
≤
x∗≤
xM.The worm loadx∗is the value of the bifurcation of the model since for the valuesx
<
x∗the model has two unstableequilibrium pointsP1andP2and ifx
>
x∗the model has an asymptotically stable pointP3. In this way, we can think ofx∗asa parameter related to the worm control in the sense that if a worm is transmitted in some number of nodes, it should be noted that,xis not higher thanx∗.
5. The basic reproduction number
As we know that, the basic reproduction number (R0) is obtained through the analysis of the stability of the trivial
equilibrium point. For the classical SIRS modelR0
=
αε, that is, the worms will not be in nodes if αε<
1 and it will beifαε
>
1. As in this case, we have taken,α
=
α(
x)
andε
=
ε(
x)
, then we write,R0(
x)
=
α(ε(xx)).To control the worm transmission, we impose maxR0
(
x) <
1. But it is better to take an average value ofR0(
x)
because it can be an extreme attitude. For this, we consider the distribution of the worm load as given by a triangular fuzzy numberρ(
x)
. Then, we define the fuzzy basic reproduction number, Rf0=
1ε
0where FEV is Fuzzy Expected Value. Note thatR0
(
x)
may be greater than one butε
0R0(
x)
≤
1, so that the valueR f 0is welldefined. This is defined as the average number of secondary cases caused by just one infected node introduced into entirely susceptible nodes.
To get FEV
[
ε
0R0(
x)
]
we need to define a fuzzy measureµ
and use the possibility measure:µ(
A)
=
supx∈A
ρ(
x
),
A⊂
R.
This is a measure tells that the infectivity of a group is the one presented by the node belonging to the group with the maximal infectivity.
We now estimateRf0assuming that the amount of worms classified as low, medium and high. The fuzzy sets given by the membership function
ρ(
x)
for different cases are:(a) low, if
¯
x+
δ <
xmin;(b) medium, ifx
¯
−
δ >
xminandx¯
+
δ
≤
xM; and(c) high, ifx
¯
−
δ >
xM.Case(a) It is quite obvious thatRf0
<
1 ifxis low.Now, to obtainRf0for cases (b) and (c), sinceR0
(
x)
=
α(ε(xx)) is an increasing function ofx, thenH(θ)
=
µ
[
x0,
xmax] =
supx0≤x≤xmax
ρ(
x)
, where,H(θ)
=
µ
{
I(
x,
t)
≥
θ
}
and FEV[
I(
x,
t)
]
is the fixed point ofH(θ)
[38] andx0is the solution of the equationε
0α(ε(xx))=
θ
. Since the fixed point ofH(θ)
is same as that of FEV[
ε
0R0(
x)
]
.Case(b) By the direct calculation, we conclude that,
H
(θ)
=
1 if 0≤
θ
≤
ε
0α(
x¯
)
ε(
x¯
)
ρ(
x0)
ifε
0α(
¯
x)
ε(
¯
x)
< θ
≤
ε
0α(
¯
x+
δ)
ε(
¯
x+
δ)
0 ifε
0α(
¯
x+
δ)
ε(
¯
x+
δ)
< θ
≤
1
.
Obviously, if
δ >
0,
His a continuous and decreasing function, and in this case, we have that FEV[
ε
0R0(
x)
]
is equal to thefixed point ofH. Also, we have by direct calculation,
α(
x¯
)
ε
¯
x<
FEV[
ε
0R0(
x)
]
ε
0<
α(
x¯
+
δ)
ε(
x¯
+
δ)
or R0(
x¯
) <
R f 0<
R0(
x¯
+
δ).
Case(c) As in the previous case, we conclude that, ε(1x¯)
<
Rf0<
ε(¯x1+δ) and it guarantees that the worms invade since Rf0>
ε(1x¯)>
1.6. Comparison betweenR0andR0f
Here we have analyzed the three cases discussed in the previous section related to the three classifications for the amount of infections: low, medium and high worm load. In any of the three cases, we have,
α(
x¯
)
ε(
¯
x)
<
FEV[
ε
0R0(
x)
]
ε
0<
α(
x¯
+
δ)
ε(
x¯
+
δ)
or R0(
x¯
) <
R f 0<
R0(
x¯
+
δ).
As the functionR0
(
x)
=
α(ε(xx))is continuous and curved shape based on the Intermediate Value Theorem, there is only onexˆ
,withx
¯
<
ˆ
x<
x¯
+
δ
, so that:Rf0
=
R0(
xˆ
) >
R0(
x¯
).
(9)It means that, there is an amount of infection
ˆ
xwhereR0(classical) and theRf0(fuzzy) coincide. Moreover, the medium valueof the number of secondary cases (Rf0) is higher than the number of secondary cases due to the medium amount of infection (R0
(
¯
x)
).7. Epidemic control strategies
The system of Eqs.(1)is the classical mathematical model to study about the worm transmission of SIRS type in a homogeneous system of total number of nodes in computer network. Although we use such a system of equations to model the evolution of worm transmission in a heterogeneous system of nodes, such as the one presented in our model where the nodes are distinguished by the amount of infection and, consequently, they present different rates of contact
α(
x)
, of recoveryε(
x)
and of susceptibilityγ (
x)
. We understand(1)as a family of systems depending on the parameterx. However,TIME POPULA TION GR OUPS- S , I AND R 0 10 20 30 40 50 60 70 80 90 100 0 5 10 15 20 25 30 35 40 45 50
GRAPHS FOR THE SIR MODEL
SUSCEPTIBLE
INFECTED
REMOVED
Fig. 6. Dynamical behavior of the system withα=0.4, ε=0.2, γ=0.24.
if we intend to simplify it in the sense of replacing that family of systems by a unique system of equations, with the same outcomes (that is, the same number of secondary cases) that the family as a whole, the above analysis shows that, among the different systems of families, there is one which performs this role, namely, that which parameters are
α
=
α(
xˆ
), ε
=
ε(
xˆ
)
and
γ
=
γ (
xˆ
)
and not that which represents the system of nodes with medium amount of infectionxˆ
. Moreover, according to(9),R0(
¯
x)
as an indicator of worm control forces us to find out the correct parameter for the total number of nodes as awhole, that isR0
(
xˆ
)
. To justify even more the legitimacy of system(1)with the parameterxˆ
, to describe the dynamics of theworms in the total number of nodes as a whole, we will study the control of the worms in the total number of nodes through R0
(
ˆ
x)
=
Rf 0:
i. For the case where the amount of infection is low, we havex
ˆ
<
¯
x+
δ
≥
xmin.ThereforeR0
(
xˆ
)
=
0 and the worm will not establish itself.ii. For the case the amount of infection is high, we havex
ˆ
>
x¯
>
x¯
+
δ
≥
xM. Therefore,R0(
xˆ
)
=
ε(1x¯)>
1, indicating thatthe worm will invade.
iii. For the case of medium amount of infection we have: a. ifx∗
>
xˆ
thenR 0(
xˆ
)
=
α( ˆ x) ε(ˆx)<
α(x∗)ε(x∗)
=
1, indicating that the worm will not invade; and b. ifx∗<
xˆ
thenR 0(
xˆ
)
=
α( ˆ x) ε(ˆx)>
α(x∗)ε(x∗)
=
1 indicating that the worm will invade.Finally, it is shown thatRf0is the positive solution of an equation of second degree, with characteristics that allow us to deduce and decrease the medium amount of infection, by the use of continuous run of anti-virus software, for example, and quarantine (decreasing
δ
) of the infected nodes.8. Conclusion
A compartmental e-epidemic model SIRS for the transmission of worms in computer network is studied. Numerical methods are employed to solve the system(A)and the behavior of the susceptible, infectious, and recovered nodes with respect to time are observed which is depicted inFig. 6. Stability of the system can be observed fromFig. 6. The parameters, we have used to develop the system of equations, are treated as a membership function depending onx, a fuzzy number, and also the family of system depending on this fuzzy numberx. Using this, we getRf0(fuzzy basic reproduction number), by the help ofR0(classical basic reproduction number) and conclude that, by the help of Intermediate Value Theorem, there
will be an amount of infected nodes in the computer network, where bothR0andRf0coincides. We also analyzed the three
cases of epidemic control strategies as, when the amount of infection will be low, worms will not be in the network, for the high amount of infection, worm will invade and for the medium amount of infection, worm may or may not invade the computer network.
References
[1] Bimal Kumar Mishra, D.K. Saini, SEIRS epidemic model with delay for transmission of malicious objects in computer network, Appl. Math. Comput. 188 (2) (2007) 1476–1482.
[2] Bimal Kumar Mishra, Dinesh Saini, Mathematical models on computer viruses, Appl. Math. Comput. 187 (2) (2007) 929–936.
[3] Bimal Kumar Mishra, Navnit Jha, Fixed period of temporary immunity after run of anti-malicious software on computer nodes, Appl. Math. Comput. 190 (2) (2007) 1207–1212.
[4] E. Gelenbe, Dealing with software viruses: a biological paradigm, Inform. Secur. Tech. Rep. 12 (4) (2007) 242–250.
[5] Erol Gelenbe, Keeping viruses under control, in: Computer and Information Sciences—ISCIS 2005, 20th International Symposium, in: Lecturer Notes in Computer Science, vol. 3733, Springer, 2005.
[6] Erol Gelenbe, Varol Kaptan, Yu Wang, Biological metaphors for agent behavior, in: Computer and Information Sciences—ISCIS 2004, 19th International Symposium, in: Lecturer Notes in Computer Science, vol. 3280, Springer-Verlag, 2004, pp. 667–675.
[7] J.R.C. Piqueira, F.B. Cesar, Dynamic models for computer virus propagation, Math. Probl. Eng.doi:10.1155/2008/940526.
[8] J.R.C. Piqueira, B.F. Navarro, L.H.A. Monteiro, Epidemiological models applied to virus in computer network, J. Comput. Sci. 1 (1) (2005) 31–34. [9] S. Forest, S. Hofmeyr, A. Somayaji, T. Longstaff, Self-nonself discrimination in a computer, in: Proceeding of IEEE Symposium on Computer Security
and Privacy, 1994, pp. 202–212.
[10] Y. Wang, C.X. Wang, Modeling the effect of timing parameters on virus propagation, in: 2003 ACM Workshop on Rapid Malcode, ACM, 2003, pp. 61–66. [11] W.O. Kermack, A.G. McKendrick, Contributions of mathematical theory to epidemics, Proc. R. Soc. Lond. Ser. A 115 (1927) 700–721.
[12] W.O. Kermack, A.G. McKendrick, Contributions of mathematical theory to epidemics, Proc. R. Soc. Lond. Ser. A 138 (1932) 55–83. [13] W.O. Kermack, A.G. McKendrick, Contributions of mathematical theory to epidemics, Proc. R. Soc. Lond. Ser. A 141 (1933) 94–122.
[14] C.C. Zou, W.B. Gong, D. Towsley, L.X. Gao, The monitoring and early detection of internet worms, IEEE/ACM Trans. Netw. 13 (5) (2005) 961–974. [15] J.O. Kephart, S.R. White, D.M. Chess, Computers and epidemiology, IEEE Spectr. (1993) 20–26.
[16] M.J. Keeling, K.T.D. Eames, Network and epidemic models, J. R. Soc. Interface 2 (4) (2005) 295–307.
[17] Ma.M. Williamson, J. Leill, An epidemiological model of virus spread and cleanup, 2003.http://www.hpl.hp.com/techreports/. [18] M.E.J. Newman, S. Forrest, J. Balthrop, Email networks and the spread of computer virus, Phys. Rev. E 66 (2002) 035101-1–035101-4. [19] M. Draief, A. Ganesh, L. Massouili, Thresholds for virus spread on network, Ann. Appl. Probab. 18 (2) (2008) 359–369.
[20] W.T. Richard, J.C. Mark, Modeling virus propagation in peer-to-peer networks, in: IEEE International Conference on Information, Communication and Signal Processing, ICICS, 2005, pp. 981–985.
[21] Ping Yan, Shengqiang Liu, SEIR epidemic model with delay, J. Aust. Math. Soc. Ser. B 48 (1) (2006) 119–134.
[22] J.O. Kephart, A biologically inspired immune system for computers, in: Proceeding of International Joint Conference on Artificial Intelligence, 1995. [23] N. Madar, T. Kalisky, R. Cohen, D. Ben Avraham, S. Havlin, Immunization and epidemic dynamics in complex networks, Eur. Phys. J. B 38 (2004)
269–276.
[24] R. Pastor-Satorras, A. Vespignani, Epidemics and immunization in scale-free networks, in: Handbook of Graphs and Network: From the Genome to the Internet, Wiley-VCH, Berlin, 2002.
[25] R.M. May, A.L. Lloyd, Infection dynamics on scale-free networks, Phys. Rev. E 64 (066112) (2001) 1–3.
[26] S. Datta, H. Wang, The effectiveness of vaccinations on the spread of email-borne computer virus, in: IEEE CCECE/CCGEL, IEEE, 2005, pp. 219–223. [27] C.C. Zou, W. Gong, D. Towsley, Worm propagation modeling and analysis under dynamic quarantine defense, in: Proceeding of the ACM CCS Workshop
on Rapid Malcode, ACM, 2003, pp. 51–60.
[28] D. Moore, C. Shannon, G.M. Voelker, S. Savage, Internet quarantine: requirements for containing self-propagating code, in: Proceeding of IEEE INFOCOM 2003, IEEE, 2003.
[29] T. Chen, N. Jamil, Effectiveness of quarantine in worm epidemic, in: IEEE International Conference on Communications 2006, IEEE, 2006, pp. 2142–2147.
[30] Bimal K. Mishra, Navnit Jha, SEIQRS model for the transmission of malicious objects in computer network, Appl. Math. Model. 34 (2010) 710–715. [31] G.J. Klir, B. Yuan, Fuzzy Sets and Fuzzy Logic, Prentice Hall, Upper Saddle River, 1995.
[32] E. Massad, M.N. Burattini, N.R.S. Ortega, Fuzzy logic and measles vaccination: designing a control strategy, Int. J. Epidemiol. 28 (3) (1999) 550–557. [33] N.R.S. Ortega, P.C. Sallum, E. Massad, Fuzzy dynamical systems in epidemic modelling, Kybernetes 29 (12) (2000) 201–218.
[34] K.J. Rothman, S. Greenland, Modern Epidemiology, Lippincott-Raven, Philadelphia, 1998.
[35] G. Shafer, Belief functions and possibility measures, in: Bezdek J.C. (Ed.), Analysis of Fuzzy Information Mathematics and Logic, vol. 1, USA, 1987, pp. 51–84.
[36] R.R. Yager, D.P. Filev, Essentials of Fuzzy Modeling and Control, Wiley-Interscience, New York, 1994. [37] J. Yen, R. Langari, Fuzzy Logic: Intelligence, Control, and Information, Prentice-Hall, New Jersey, 1999.
[38] E. Massad, et al., Fuzzy Logic in Action: Applications and Epidemiology and Beyond, in: STUDFUZZ, vol. 232, Springer-Verlag, Berlin, Heidelberg, 2008. [39] L.C. Barros, R.C. Bassanezi, M.B.F. Leite, The epidemiological models SI with a fuzzy transmission, Comput. Math. Appl. 45 (2003) 1619–1628.