Hindawi Publishing Corporation Abstract and Applied Analysis Volume 2013, Article ID 531781,13 pages http://dx.doi.org/10.1155/2013/531781

Research Article

The Influence of User Protection Behaviors on the Control of Internet Worm Propagation

Yihong Li,1 Jinxiao Pan,1,2 Lipeng Song,3 and Zhen Jin2

1 National Key Laboratory for Electronic Measurement Technology, North University of China, Taiyuan 030051, China

2 Department of Mathematics, North University of China, Taiyuan 030051, China

3 Department of Computer Science and Technology, North University of China, Taiyuan 030051, China

Correspondence should be addressed to Zhen Jin; jinzhn@263.net Received 6 May 2013; Revised 21 July 2013; Accepted 21 July 2013 Academic Editor: Yanni Xiao

Copyright © 2013 Yihong Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Computer users' reactions to the outbreak of Internet worm directly determine the defense capability of the computer and play an important role in the spread of worm. In this paper, in order to characterize the impacts of adaptive user protection behaviors, an improved SIS model is proposed to describe the Internet worm propagation. The results of theoretical analysis indicate that the protective campaigns of users can indeed reduce the worm's reproduction number to values less than one. But it may not be sufficient to eradicate the worm. In certain condition, a backward bifurcation leading to bistability can occur. These are new findings in the worm propagation model that bring new challenges to control the spread of the worm and further demonstrate the importance of user behaviors in controlling the worm propagation. Corresponding to the analysis results, defense and control strategies are provided.

1. Introduction

A generalized Internet worm is a kind of computer program that can replicate itself and spread from one host to another through the network [1]. Internet worms are built to propagate without warning or user interaction with the characters of rapid pervasive speed, large invasive scale, and severe destructive power. In the modern information and network security, Internet worms have become one of the most serious security threats to the Internet [2].

In order to effectively defense the Internet worm attack and reduce the damage caused by them, the propagation mechanism and control strategies of Internet worms have become active research topics. Mathematical models have been an important tool for investigating and quantifying such effects. Many research efforts have focused on developing effective worm propagation model to understand their propagation mechanisms and examine the effects of defensive measures [3-7]. However, all of these studies are focused on the computer host [8-10] and ignore the user behavior which is closely related to the worm propagation [11].

As stated in [12], the most effective way to protect a host from worm is to patch. But it is almost impossible to achieve for some reasons, one of which is the lack of the security awareness of the computer user. It serves to show that user behaviors play an important role in the spread of Internet worm, and understanding the influence of these behaviors on the spread of worm can be a key to improve control efforts. Several studies have been carried out to evaluate the impact and role of the user behavior factors on worm propagation [13-19], but almost all of these studies are focused on the user's habitual actions. However, in the real world, users can take actions to combat worm prevalence, and under different actions, there will be different worm prevalence processes [20]. Only a few recent attempts have considered the self-induced behavior changes users adopt during an outbreak. Some approaches model user behaviors by modifying infectious rate or removed rate [21, 22]. However, to fully understand the impact of user behaviors on worm dynamics, there still lacks a formulation of a general behavior worm model.

In the actual network environment, during the outbreak of the Internet worm, the computer users may filter and

block suspicious messages with a firewall, no longer browse websites that are suspicious, update the antivirus software to new version timely, and so forth, which can be called user protection behaviors. Certainly, these protection measures can cause associated costs. For instance, some important information maybe filtered out, or the speed of the computer operation can be slowed down. Moreover, these bring some inconvenience to normal activities. So users always compare the risk of worm infection with the associated cost of protection measures and then make a personal decision according to the current situation of worm propagation. As a consequence, the states of the computers switch between vulnerable state and protected state relying on the corresponding protection behaviors of users. From this new perspective, in this paper the computers are categorized according to the user behavioral responses to the spread of worm. The degree of protection is different because of the difference of user's attitudes, belief systems, opinions, awareness of the worm, and environment. For the sake of simplicity, the computers that have not been infected by the worm are divided into two classes roughly, where one is the vulnerable computers and the other one is the protected computers. Incorporated with the worm dynamics, we study the effect of user protection behaviors on worm propagation and control.

The rest of this paper is organized as follows. In Section 2, a worm propagation model coupled with user protection behaviors is established. The basic reproduction number is obtained in Section 3, and the equilibria and the corresponding stability are studied. In Section 4, we carry out some sensitivity analysis about the parameters. In the following section are the simulation results and control strategies. Finally, we conclude in Section 6 with a summary of our findings.

2. The Worm Propagation Model

We focus on studying the impact of the user behaviors on the worm propagation and control so as to provide theoretical basis for the worm control. Therefore, we shall exclusively consider the random-scanning worm, regardless of the topo-logical structure of the network. That is, all computer hosts in the network are mixing homogeneously and have the vulnerabilities that can be used by the worm.

All computers are divided into three classes: vulnerable computers (worm-free computers), protected computers, and infectious computers (computers that have been infected by the worm and can transmit it to the vulnerable computers). Let S^i), S2(t), and I(t) denote, at time t, the numbers of vulnerable, protected, and infectious computers, respectively. Then S1(t) + S2(t) + I(t) = N(t) is the total number of computers.

By carefully considering the features of Internet worm, the following hypotheses are made.

(H1) All newly connected computers are worm-free. These computers are connected to the Internet at positive constant A, of which a fraction p is protected.

(H2) Computers are disconnected from the Internet at rate p.

Figure 1: The flowchart of computer worm spreading.

(H3) Infectious computers are cured at positive constant rate y by running with antivirus software or reinstalling the system, of which a fraction q is protected.

(H4) Compared to the vulnerable computers, the protected ones have the smaller infection rate by worm. We utilize the fraction 1 - a to measure the effect of reducing the infection rate due to the protection behaviors. a = 0 means the protection is completely effective in preventing infection, while a = 1 means the protection is utterly ineffective. In fact, we know the protection may not be 100% or completely useless, so we consider the case 0 < a < 1, which is more realistic.

(H5) The transformation rate of a computer from vulnerable state to protected state is 0. In the opposite direction, the transformation rate is d.

Integrating the user protection behaviors into the worm propagation, we have the following graphic of the state transition in Figure 1.

According to the flowchart, the worm propagation process that is coupled with the user protection behaviors can be

described as the following model: §

=(l-p)A -l30I-±2 - ySx - № + (l-q)yl + 0S2,

S2 = pA+$S! -VS2 +qrI-dS2> (1)

i = PoI-h + opol2t2 -pi- yl,

where p0 denotes the infection rate of vulnerable computers due to the successful scans of an infectious computer per time step and ap0 is the infection rate of protected computers due to the successful scans of an infectious computer per time step. The probability of successfully finding a vulnerable computer (protected computer) in one scan is S1/232(S2/232), where 232 is the size of IPv4 address space (the scanning

space). Then, ft0S1/232(aft0S2/232) is the number of vulnerable computers (protected computers) infected by an infectious computer per time step. So ft0IS1/232(aft0IS2/232) is the number ofvulnerable computers (protected computers) infected by infectious computers per time step.

Summing up the three equations in system (1), we obtain

= A- pN.

When t ^ N ^ A/p = N*. It is easy to see that system (1) can be shown to be mathematically well posed in the positive invariant region D = |(S1; S2,I) | 0 < S1+S2 + 1 < N*} and solutions in D exist for all positive time.

Now, we take transformation x = S1/N*, y = S2/N*, z = I/N* to system (1). For convenience, S1, S2, and I are used to represent x, y, and z in the following equations:

S^ = (l-p)^- ftS1I - y.S1 - + (l-q)yl + 0S2,

S2 = p^ + - aftS2I - ^S2 + qyl - dS2, (3)

i = ftS1I + aftS2I -pi- yl,

where ft = ft0N*/232 and S1 + S2 + 1=1 is satisfied.

3. The Analysis of Dynamical Behaviors

The objective of this section is to perform theoretical analysis of system (3). We first give the basic reproduction number. Secondly, we study the equilibria and their stability. Finally, we prove the occurrence of saddle-node bifurcation.

3.1. The Basic Reproduction Number. Usually, the basic reproduction number, denoted as R0, is "the expected number of secondary cases produced, in a completely susceptible population, by a typical infective individual" [23,24]. Similarly, for a worm propagation model the basic reproduction number is defined as the average number of previously worm-free computers that are infected by a single infectious computer during its lifecycle. In our model, infectious computers come from two sources: those vulnerable (S°) that get infected and those protected (S^) that get infected. By the physical meanings of the system parameters in system (3) (or (1)), the following results are obtained:

(a) the average lifetime of an infectious computer is T =

1/(p + y);

(b) an infectious computer converts a vulnerable computer to an infectious one at rate ft;

(c) an infectious computer converts a protected computer to an infectious one at rate aft.

Thus, the modified basic reproduction number with the protection measures is obtained as

= T(ßS0 + aßS02)

(Si + aS0)

where R0 = ft/(p + y) is the basic reproduction number of the SIS model which does not consider the user protection behaviors. The expressions of S° and S° are given in (5). Obviously, the protection behaviors do reduce the basic reproduction number ^pro.

3.2. Stability and Bifurcation Analysis

3.2.1. The Worm-Free Equilibrium and Its Stability. Equilibria are obtained by setting the right side of system (3) equal to zero. From the third equation in system (3), we can obtain 1 = 0 or ftS1 + aftS2 = p + y. If I = 0, the model has a unique worm-free equilibrium:

E2 = (S0 ,S0,O),

where S0 = ((1-p)p + 0)/(p + 0 + fi), S02 = (pp + fi)/(p + 0 + fi).

To study the local stability of the equilibria, we first give the Jacobian matrix of system (3) at an arbitrary equilibrium:

-ßl-p-Q 0 -ßS1 +(l-q)y

0 -aßl - p- 0 -&ßS2 + qy ßl aßl ßS1 + aßS2 -(^ + y)_

Then the corresponding characteristic polynomial at the worm-free equilibrium E0 is derived as

P(\) = (\ + p)(\ + p + 0 +

x(\ + p + y - ßS2 - aßs2) ,

so we obtained that the eigenvalues at the worm-free equilibrium E0 are X1 = -y,, X2 = -(p + 0 + fi) and \3 = pS*0 + aftS02 - (p + y) = (p + y)(Rpro - 1), respectively. Consequentially, the following result is obtained.

Theorem 1. System (3) always has a trivial equilibrium E0, and if Rpro < 1, E0 is locally asymptotically stable.

3.2.2. The Existence and Stability of Endemic Equilibrium. In this section, we study the existence and stability of the endemic equilibria for system (3).

If ftS1 + aftS2 = p + y, combined with the second equation of system (3), we can obtain

(p + y) (aßl + p + 0) - aqyßl - aftpp ß (aßl + p + 0 + a$) '

s = Wß1 + ßpV + <P(V + y) 2 ß (aßl + p + 0 + a(t>) '

Then, substituting S1 and S2 into the first equation of system (3), a quadratic equation is given as

AI2 + BI + C = 0

in terms of I, where

A = a/32,

B = + d + + a (p + y) + qy(1 - a) - a/3], (10)

C = (^ + y) (^ + d + $)(l-Rpro).

Define A = B2 - 4AC; the number of endemic equilibria is dependent on the sign of B, C, and A. After calculation, we can obtain the following results.

Theorem 2. For system (3), consider thefollowing.

(1) If C <0 (Rpro > 1), (9) has a positive root I* = (-B + /A)/2A. Correspondingly, system (3) has one endemic equilibrium E*.

(2) If C = 0 (Rpro = 1) and B < 0, (9) also has a positive root I* = -B/A. Correspondingly, system (3) has one endemic equilibrium E*.

(3) If C>0 (R^ < 1), B <0, there will be three cases.

(i) If A > 0, (9) has two positive roots I*1 = (-B+/A)/2A and I*2 = (-B-/A)/2A. Correspondingly, system (3) has two endemic equilibria E*1 = (S*1 .S*1 J*1) and E*2 = (S*2,Sf,I*2).

(ii) If A = 0, (9) has a positive root V = -B/2A; then system (3) has one endemic equilibrium E*.

(iii) If A < 0, (9) has no positive root, and system (3) has no endemic equilibrium.

Now, we study the stability of endemic equilibria seriatim. Similar to Section 3.2.1, the corresponding characteristic polynomial of an arbitrary endemic equilibrium is derived as

Q (X) = (X + p) [A2 + (ßI + aßI + p + 9 + $)X + (2AI + B)l].

Obviously, for any endemic equilibrium, there is an eigenvalue X1 = -p < 0. In order to study the other ones, we set

f (X) = X2 + (ßI + oßI + ^ + d + cf)X + (2AI + B) I.

Then the signs of eigenvalues corresponding to the endemic equilibrium are dependent on the distribution of the roots of f(X) = 0.

Corresponding to the cases about the existence, we obtain the stability of endemic equilibrium in each case, which are stated as follows.

Theorem 3. For system (3), consider thefollowing.

(1) If C < 0 (Rpro > 1), then r = (-B + -A)/2A, 2AP + B = "/A > 0. In this case, f(X) has no intersection point with positive real axis; thus E* is locally asymptotically stable.

(2) If C = 0 (Rpro = 1) and B < 0, then I* = -B/A, 2AV + B = -B > 0; same as case (1), E* is locally asymptotically stable.

(3) If C>0 (Rpro < 1), B <0, there will be three cases.

(i) If A > 0,for thepositiverootl*1 = (-B+/A)/2A, 2AI*1 + B = -VA > 0; same as the above, E*1 = (S1[1,S22,V^ is a stable node. For I*2 = (-B -/A)/2A, 2AI*2 + B = -/A < 0; in this case, f(X) has an intersection point with positive real axis, so E*2 = (S*2,S2*2,1*2) is a saddle point.

(ii) If A = 0, then T = -B/2A, 2AI* + B = 0; in this case, one of the eigenvalues corresponding to E* is equal to zero, so E* is a nonhyperbolic equilibrium.

(iii) If A < 0, system (3) has no endemic equilibrium.

3.2.3. The Saddle Node and Bifurcation. According to Theorems 2 and 3, we can see that under the conditions C > 0 (Rpro < 1), B < 0, and A = 0, system (3) has one endemic equilibrium E*, and it is a nonhyperbolic equilibrium. Utilizing the center manifold theorem [25, 26] and the existence theorem [27], we studied the dynamical behavior near the equilibrium E*. Taking p as the bifurcation parameter, we prove that system (3) could experience saddle-node bifurcation. The detailed results are given as follows (the proofs of Theorems 4 and 5 are provided in Appendices A and

Theorem 4. If C>0 (Rpro < 1), B < 0, and A = 0, system (3) has one positive equilibrium E*, and E* is a saddle node.

Theorem 5. System (3) experiences saddle-node bifurcation at the equilibrium x0 = E* as the parameter p passes through the bifurcation value.

From the above mathematical analysis, we can see that under certain parameter condition, system (3) would experience backward bifurcation. Combined with the theoretical results, we can rewrite the inequality conditions about C, B, and A = B2 - 4AC in terms of

t \ „ „ „ (p + v) (p + d + 4>) C<0 (Rprn > l)^ ß>ßc = , , -——,

V pro 7 ' lc p(l- p)+d + a<p + aw

B<0^ß>ßB =

^ + d + a^ + a (^ + y) + qy (l - a)

A>0^ ß> ßA = ((a(^ + y) + (p^ + qy) (l - a) + pp(1 - a) - (^ + d + o(f) ) x(a)-1)

0.14 0.12 0.1 0.08 0.06 0.04 0.02 0

0.8 0.7 0.6 0.5 I* 0.4

00.5 0.6 0.7 0.8 0.9 1 1.1 1.2 (a) (b)

Figure 2: Bifurcation diagram. (a) Forward bifurcation case; (b) backward bifurcation case.

+ (2 (a(l-a) (p + y) (Q + pp) + (py + qy)(l-a) x [pp(l-a)

-(p + d + a^)])1'2 x(a)-1).

and pA satisfy the following relationship

Pc >Pb Pc > Pa > Pb-

Pa (1-p)^ + d + o(p^ + cp)

^Pro - -Rprol

y + d + $

becomes one critical threshold for system (3), and ft > pA & Rpro > ^pro. In addition, we can obtain Rpro = 1 - (B2/4A) if A = 0. Obviously, R'vro < 1.

From Theorems 1-5, we can obtain the following proper-

Corollary 6. For system (3),

(1) if Pc > Pb and < ft < ftc, then two endemic equilibria exist, one of which is locally stable and competes with the locally stable worm-free equilibrium, which is the backward bifurcation (see Figure 2(b));

(2) otherwise, the worm-free equilibrium is the unique attractor when Rpro < 1, which is the forward bifurcation (see Figure 2(a)).

These results can also be given in terms of a, fi, or d, and in practice, these parameters are easily controlled. However, the expressions are more complicated. Therefore, we only give corresponding regions in numerical simulation.

4. Sensitivity Analysis

In real world applications, our main objective is to control the percentage of infective computers or eradicate the worm by taking effective measures. In our model, parameters a, <p, d, p, and q are related to human behavioral responses. For our purpose, following Arriola and Hyman [28], the normalized forward sensitivity indices with respect to a, <p, d, and p are calculated, respectively, as follows:

{dRpro /-Rpro )

a($ + py)

(da/a) (1 - p) y +9 + ocp + opy

{dRpjRp^__^ (1-g) [6 + (l-p)p]

(d<p/<f>) y + y (^ + o + (f>)2

{dRpm/Rpm) _ (1-g) ($ + py) (dd/d) _ y + y' ^ + e + (f>)2

{dRpm/RpIo) ß (1-<r)p

pro pro

(3P/P)

y + y y + 9 + $

It can be seen that, among these parameters, Rpro is an increasing function of a and d. Opposed to this, fi and p have an inversely proportional relationship with ^pro.

By now, for a general worm propagation model with forward bifurcation (Figure 2(a)), we can take measures to increase fi and decrease a, d at the same time to make Rpro below one. However, for our model, the backward bifurcation (Figure 2(b)) appears under certain parameter values. In this case, reducing Rpro below one would not promise to eradicate the worm eventually. As shown in Figure 2(b), there exists a locally stable endemic equilibrium even if Rpro < 1. In order to control the worm propagation, the involved parameter values must be further reduced or increased so far that Rpro < ^pro, and Rpro enters the region where no endemic equilibria exist (see Figures 2(b) and 9). Therefore, the control of worm

Time (hour)

- ff = 0.02

ff = 0.1 - ff = 0.2

Time (hour)

- 0 = 0.00006

^ = 0.0006 - 0 = 0.001

Time (hour)

- 0 = 0.0005

0 = 0.001 ----0 = 0.01

Time (hour)

- p = 0.001

p = 0.1 - p = 0.5

Figure 3: The variations in the number of infectious computers I(t) for different values of a, (¡>, 0, and p, respectively.

propagation is more difficult under the situation in which backward bifurcation appears.

5. Simulations and Control Strategies

Theoretical results have been provided in previous section; now we use numerical simulations to verify the above results. We fix N* = 0.24 x 232 [29], p = 1/(5 x 24), and y = 1/24 throughout this paper.

5.1. The Effect of Parameters. In Section 4, we have analyzed the effects of a, <p, d, and p on ^pro. To provide an intuitive

impression, when p = 250 x 0.24 x 0.0026, the influences of a, <p, d, and p on I(t) are shown in Figure 3.

It can be observed that the effects of a, <p, and d are stronger and p have little or almost no influence on I(t). Moreover, we find that 0 can influence not only the number of infectious computers but also the arrival time of the second peak. It is easy to see that the peak of the second outbreak would be postponed if 0 is increasing. Generally, as the arrival time of the first peak of worm outbreak is very quick, it is too late to make any responses when we are aware of it. Thus, if the arrival time of the second peak of worm outbreak can be postponed, it can give security professionals more time to study the corresponding counter measures.

- q = 0.01

q = 0.1 - q = 0.5

2000 3000

Time (hour)

Figure 4: The variations in the number of infectious computers I(t) for different values of q.

2000 3000 Time (hour)

-Rpro = 0.9830

Rpro = 1.7873 Rpro = 2.3235

Figure 5: The variations in the number of infectious computers I(t) for different values of Epro.

Although q does not appear in the expression for ^pro, it is related to the user behavior. So, fixing ft = 250 x 0.24 x 0.0026, p = 0.8, 0 = 0.0003, 0 = 0.0005, a = 0.02 (this is the forward bifurcation case, Rpro = 2.3235), we study the influences of q on the changes of I(t). From Figure 4, we can see an increase of q would lead to a decrease of I(t). That is, even if Rpro > 1, the final size of infectious computers can be reduced to a low level by increasing q.

In order to display the differences between the forward and backward bifurcation, in the following parts, we carry on numerical simulations for the two cases, respectively.

5.2. Forward Bifurcation. Firstly, to find better control strategies for worm infection, we perform some sensitivity analysis of I(t) and the basic reproduction number Rpro in terms of the model parameters. Choosing p = 0.8, q = 0.5, $ = 0.0003, d = 0.0005, a = 0.02, we can obtain ftc = 0.0671. Assuming the value of ft is 250 x 0.24 x 0.0011, 250 x 0.24 x 0.002, and 250x0.24x0.0026, respectively, then the corresponding value of Rpro is 0.9830, 1.7873, and 2.3235. We show variations of I(t) for different values of R in Figure 5 can see that Rpro is really the threshold for the establishment of the worm in the susceptible pool, and the number of infectious computers increases with the increase of ^pro.

Secondly, in Figure 6, we show the influences of initial conditions 1(0) on the number of infectious computers I(t) for the same ^pro. We can see 1(0) has little or almost no influence on I(t).

From the above analysis, we find that as long as we take measures to control the parameter values to make Rpro < 1, we will be able to control the spread of the worm. However, we know that in real world the control measures corresponding to involved parameters may not be easy to carry out. Even if

controlling parameter values cannot ensure that Rpro < 1,the final size of infectious computers can be reduced by reducing the value of Rpro as far as possible.

5.3. Backward Bifurcation. Similarly, keeping other parameter values unchanged, we choose 0 = 0.006, a = 0.2, then ftc = 0.1589, ftB = 0.1336, ftA = 0.1505, and ftc > ftB, ^pro = 0.9470. Assuming the value of ft is 250 x 0.24 x 0.0025, 250x0.24x0.0026, and 250x0.24x0.00275, respectively, then the corresponding value of Rpro is 0.9439,0.9817, and 1.0383. The inequality 0.9439 < ^ < 0.9817 < 1.0383 is satisfied.

In Figure 7, we show the changes of I with time for different ^pro. The initial values adopted in Figures 7(a) and 7(b) are 1(0) = 107 and 1(0) = 3x 106, respectively.

Comparing Figure 7(a) with Figure 5, we can find if at Rpro < 1, I(t) may still tend to a positive endemic level; that is, Rpro <1 is not sufficient to control the spread of Internet worm. Comparing Figure 7(a) with Figure 7(b), it can be observed that when Rpro < Rpro = 0.9817 < 1, the initial value 1(0) can influence the evolutions of I with time. But the initial value 1(0) has no influence on the evolutions of I with time when Rpro = 1.0383 > 1 and Rpro = 0.9439 < ^pro.Thus^pro = 1 is not the only threshold condition for the worm eradication, and ^pro also plays a key role.

In order to display the impacts of 1(0) on the evolutions of I(t) more clearly, in Figure 8, we assume the initial value of 1(0) is 106 :106 :107. From Figures 8(a)-8(c), we can see that when ^ < Rpro < 1, for different 1(0), I(t) will tend to endemic equilibrium or worm-free equilibrium simultaneously, which puts forward new challenges to the worm control. Because the value of 1(0) depends mainly on the hackers who write malicious code, it is hard to control.

0.01 0.009 0.008 0.007 0.006 I 0.005 0.004 0.003 0.002 0.001 0

2000 3000 Time (hour)

2000 3000 Time (hour)

Rpro = 0.9830

Rpro = 1.7873

2000 3000 Time (hour)

Rpro = 2.3235

Figure 6: The influences of initial conditions 1(0) on the number of infectious computers I(t) for different values of 1(0) with the same Epro.

Then in order to eradicate the worm, we must take further measures to reduce ^pro, so that Rpro < ^pro.

For system (3), the parameters are in cooperation with each other. So in Figure 9, we give the region division of the distribution of endemic equilibria in (a, fi), (fi, d), and (a, d) planes. Thus the parameter space is divided into several parts. In the yellow area, system (3) has two endemic equilibria, one of which is locally asymptotically stable. In the "no endemic equilibrium" region, the worm-free equilibrium is globally asymptotically stable. In the "one endemic equilibrium" region, the unique endemic equilibrium is globally asymptotically stable. From Figure 9, we can obtain the corresponding value ranges of a, fi, and d just as ft easily. This can be an instruction to control parameter values and provides a good basis for the establishment of control measures in practical terms.

Synthesizing the above analysis and simulation results, some control strategies can be implemented: in both cases (forward and backward bifurcation), it is strongly recommended that one should periodically acquire and run antivirus software of the newest version. Filtering and blocking suspicious messages with a firewall is also suggested. Educational efforts should be rolled out to increase the public awareness of worm propagation. Especially in the case of backward bifurcation, in order to control the spread of the worm, one must further strengthen the implementation of these measures.

6. Conclusion

In the vast majority of Internet worm models [30-35], the basic reproduction number R0 is the critical threshold

4000 6000 Time (hour)

- Rpro = 0.9439 Rpro = 0.9817

- Rpro = 1.0383

0.2 0.18 0.16 0.14 0.12 I 0.1 0.08 0.06 0.04 0.02 0

= 0.9439

Rpro = 0.9817

4000 6000 Time (hour)

Figure 7: The variations in the number of infectious computers I(t) for different values of Rpro: (a) 1(0) = 107, (b) 1(0) = 3 x 106.

Rpro = 1.0383

condition. Various actions are taken to control the system parameter values so that R0 < 1, then the solutions of the system will approach worm-free equilibrium finally; that is, the spread of worm can be controlled. In our paper, by characterizing the user protection behaviors, we propose a mathematical model which is coupled with the adaptive user protection behaviors for the Internet worm propagation. The theoretical analysis demonstrates that the protection behavior can reduce the value of the basic reproduction number to below one. Besides, we find that the simple model exhibits a very interesting and rich spectrum of dynamical behaviors, such as backward bifurcation, saddle-node bifurcation. Thus, in this case, the basic reproduction number below one is not the only threshold condition for the computer worm control. In the backward bifurcation case, one must further strengthen the protection to control the spread of worm. These results show that whether the user selects protection has an important effect on worm controlling. Moreover, enhancing the protection consciousness of users or speeding up the antivirus software upgrade can delay the arrival time of second peak of infectious computer, which is essential for the security professionals. To sum up, our results are new discoveries in the field of Internet worm propagation and can bring new perspectives to defense and control worm propagation.

Appendices

A. The Proof of Theorem 4

In this subsection, we investigate the dynamics near E* in the second item of case (III) by the center manifold theorem

[25,26]. Firstly, using S1+S2 + 1 = 1,system(3)isqualitatively equivalent to

S2 = pp + ф (1 - S2 -I) - aßS2I - pS2 + qyl - dS2, i = ß(l-S2 -1)1 + aßS2I -pi- yl.

From the previous analysis, we can obtain that the eigenvalues corresponding to E* are A1 = 0 and A2 = -(ftl* + ofil* + p + d + ip).

Secondly, shifting E* to the origin via x1 = S2 - S** and x2 = I - I*, system (A.1) can be transformed into

x1 = - (<Jj3I* + p + d + x1 - + aftS* - qy) x2

- aßx1)

x2 = - (1 - a) ßl*x1 - ßl*x2 - (1 - a) ßx1x2 - ßx\.

Thirdly, define the transformation

'X1 = H У1 '

.X2. ,У2.

aßl * +р + в + ф

(1-a)ßl* а - 1 1

which transformed system (A.2) into the following standard form

У1 = fi (У1>У2)> У2 =Л 2У2 +Î2 (У1,У2)'

I 0.006

2000 4000 6000 8000 Time (hour)

Rpro = 0.9439

0.2 0.18 0.16 0.14 0.12 1 0.1 0.08 0.06 0.04 0.02 0

2000 4000 6000 8000 Time (hour)

Rpr0 =0.9817

0 2000 4000 6000 8000

Time (hour)

Rpro = 1.0383

Figure 8: The influences of initial conditions 1(0) on the number of infectious computers I(t) for different Rprt

where fi = (c/a)aß(\ - a)y^ - ((caß(1 - (b/c)) + bß(l -(b/c)))/a)yiy2 + ((bß + b2ß/(! - o)c)/a)y2 and f.2 = -(coß(1 - a)2/a)yi+ *(o-1+(1+o)(b/c))/a)yiy2-((b(1+o) + cß)/a)y2,witha = ßl* +aßl* + y + d + $,b = aßl* + y + d + $, c = ßl*, d = $ + oßS* - y, and a = b + c, (1 - a)d -b = 0 are satisfied.

By the existence theorem [27], there exists a center manifold for system (A.4), which can be expressed locally as follows:

(0) = {(yi,y2)e R2 ¡y2 = h(yi),

kJ < h(0) = 0, Dh(0) = 0|5 > 0},

with S sufficiently small, and Dh is the derivative of h with respect to y1.

To compute the center manifold Wc(0), we suppose h(y1) has the form

h(yi) = hiyi + h2yi + hsyi + Kyi +

By the local center manifold theorem, the center manifold (A.6) satisfies

Dh • fi (yi' y2) - °2y2 - f:2 (yi,y2) = 0

where Dh(yi) = 2hiyi + 3h2y\ + 4h3y3 + 5h4yl + •••.

0 0.06

C > 0, B > 0, A > 0

✓ C > 0, B < 0, A < 0 '

/ / No endemic equilibrium i / / / / ! ■ / / 1

\ / A / ✓ ' / jä ! c < 0 ■ / ^C > 0, B < 0, A > 0 /

\ i .- ■" ' __One-endemic equilibrium

0.05 0.1 0.15 0.2 ff

C = 0 B = 0 A = 0

0.25 0.3

0.01 0.009 0.008 0.007 0.006 0 0.005 0.004 0.003 0.002 0.001 0

C^o, b < 0, A > 0

C < 0 \

One endemic equilibrium

C > 0, B > 0, A < 0 \

No endemic equilibrium

\ -C > 0, B < 0, A < 0 \

0 0.01 0.02 0.03 0.04 0.05 0.06 0.07 0.08 0.09 0.1 *

- C = 0

B = 0 ----A = 0

0.01 0.009 0.008 0.007 0.006 0.005 0.004 0.003 0.002 0.001 0

One endemic equilibrium

No endemic equilibrium ~ C ' > 0, B < 0 A > 0 C><B > 0, A < 0/ C > 0, B < 0, A < 0^'

_I__I_I_

0.04 0.06

- C = 0

B = 0 ----A = 0

Figure 9: Bifurcation diagram in the (a, <f), (<p, Q), and (a, Q) planes (C < 0 & R > 1).

Rewrite f1 and f2 as f1 = a1y2 + a2y1y2 + a3y\ and f2 = ^ = caft(1 - a)2 ^ = a - 1 + (1 + a) (b/c)

b1y\ + b2y1y2 + b3y2, respectively, where 1 a 2 a

b(1 + o)+cB

h =--.

c O, (A.8)

a1 = -aß (1 - a),

caß(1-(b/c)) + bß(1-(b/c)) fl = —----,

bß+(b2ß/(1-o)c) u _ 2a1h1 - b2h1

fl3 =-> h2 = X '

Substituting (A.4) into (A.7) and then equating coefficients on each power of y1 to zero yields

1 A 2 '

2aih2i + 3aih2 - b2h2 - b3h\

5a2hih2 + 2a3lh^ + 4aih3 - b2h3 - 2b3hih2 Ä2, '

Then, we get the approximation for h:

h= it [y° + (2aihi -h2hi)y\

+ (2aihi + 3aih2 - b2h2 - b3h°) y\ + (5a2hih2 + 2a3hL + 4aih3 - b2h3 - 2b3hih2) y\]

(A.10)

Substituting (A.10) in the first equation of system (A.4), we achieve

7i = fi (yi,y2)

(a - 1) aß21* 2

coft2(1-o)2 [co(1 - (b/c))+b(1 + (b/c))] 3

+-73-+••••

(A.11)

So from (A.11) (see [36, page 338-340]), we get the following. If C > 0 (Rpro < 1), B < 0, and A = 0, system (3) has one positive equilibrium E*, and E* is a saddle node.

B. The Proof of Theorem 5

From Section 3.2, we can see that when C > 0 (Rpro < 1), B < 0, and if the sign of A changes, system (3) will experience a saddle-node bifurcation. In this part, we give the proof.

Let us consider ft as a control parameter, define ft0 = ftA, x0(x**, x*) = E*(S*,I*), where I* = -B/2A. Rewrite system (A.1) as

x = f(x,ft)

py + fi - (y + d + fi) x1 + (qy - fi)x2 - aftx1x2 (p-(p + Y))x2 - (1 - °) ftx1x2 - ^2

Then we have

Df(x 2,ß2) =

- (aß2x* + y + d + fi) qy - fi - <jß2x*

-(1-a)ß2X*

fß (x2'ß2) =

* / ! N * *

x2 - (1 - a) xxx2 -

Df(x0,ft0) has a simple eigenvalue X = 0 with eigenvector v = [1,a - 1]T and DTf(x0,ft0) has an eigenvector w = [-(ft0x**/(aft0x* + fi - qy)), 1] , corresponding to X = 0. Furthermore, the following conditions are satisfied:

wTfß (x2'ß2) =

oß2x* +fi-qy

x[(l-(1-a)x* - x*) (oß2x* +fi-qy) +aß2x*x*] =0,

w D f(x2,ß2)(v, v) = 2-

oß2x* +fi-qy

According to the theorem (see [37, page 148]), we obtain the following result. System (3) experiences a saddle-node bifurcation at the equilibrium x0 = E* as the parameter ft passes through the bifurcation value ft = ft0.

Conflict of Interests

No conflict of interests exists in the submission of this paper, and the paper is approved by all authors for publication.

Acknowledgments

This workis supported by the National Natural Science Foundation of China (11171314, 61171179, 11247244, 61301259, and 61379125), Program for Basic Research of Shanxi province (2012011015-3).

References

[1] D. M. Kienzle and M. C. Elder, "Recent worms: a survey and trends," in Proceedings of the 2003 ACM Workshop on Rapid Malcode (WORM '03), pp. 1-10, ACM, New York, NY, USA, October 2003.

[2] O. A. Toutonji, S.-M. Yoo, and M. Park, "Stability analysis of VEISV propagation modeling for network worm attack," Applied Mathematical Modelling, vol. 36, no. 6, pp. 2751-2761, 2012.

[3] X. Fan andY. Xiang, "Modelingthepropagation ofPeer-to-Peer worms," Future Generation Computer Systems, vol. 26, no. 8, pp. 1433-1443, 2010.

[4] X. Yang and L.-X. Yang, "Towards the epidemiological modeling of computer viruses," Discrete Dynamics in Nature and Society, vol. 2012, Article ID 259671,11 pages, 2012.

[5] L.-X. Yang, X. Yang, J. Liu, Q. Zhu, and C. Gan, "Epidemics of computer viruses: s complex-network approach," Applied Mathematics and Computation, vol. 219, no. 16, pp. 8705-8717, 2013.

[6] Q. Zhu, X. Yang, L.-X. Yang, and C. Zhang, "Optimal control of computer virus under a delayed model," Applied Mathematics and Computation, vol. 218, no. 23, pp. 11613-11619, 2012.

[7] C. C. Zou, W. Gong, and D. Towsley, "Code red worm propagation modeling and analysis," in Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 138147, ACM, New York, NY, USA, November 2002.

[8] X. Yang, B. K. Mishra, and Y. Liu, "Theory, model, and methods," Discrete Dynamics in Nature and Society, vol. 2012, Article ID 473508, 2 pages, 2012.

[9] W. Yu, X. Wang, A. Champion, D. Xuan, and D. Lee, "On detecting active worms with varying scan rate," Computer Communications, vol. 34, no. 11, pp. 1269-1282, 2011.

[10] Y.-H. Choi, L. Li, P. Liu, and G. Kesidis, "Worm virulence estimation for the containment of local worm outbreak," Computers and Security, vol. 29, no. 1, pp. 104-123, 2010.

[11] L.-X. Yang and X. Yang, "Propagation behavior of virus codes in the situation that infected computers are connected to the internet with positive probability," Discrete Dynamics in Nature and Society, vol. 2012, Article ID 693695, 13 pages, 2012.

[12] X. Zheng, T. Li, and Y. Fang, "Strategy of fast and light-load cloud-based proactive benign worm countermeasure technology to contain worm propagation," The Journal of Supercomputing, vol. 62, pp. 1451-1479, 2012.

[13] M. E. J. Newman, "Spread of epidemic disease on networks," Physical Review E, vol. 66, no. 1, Article ID 016128,11 pages, 2002.

[14] L.-X. Yang and X. Yang, "The spread of computer viruses under the influence of removable storage devices," Applied Mathematics and Computation, vol. 219, no. 8, pp. 3914-3922, 2012.

[15] C. C. Zou, D. Towsley, and W. Gong, "Email virus propagation modeling and analysis," Tech. Rep. TR-CSE-03-04, University of Massachusettes, Amherst, Mass, USA, 2003.

[16] G. Chen and R. S. Gray, "Simulating non-scanning worms on peer-to-peer networks," in Proceedings of the 1st International Conference on Scalable Information Systems (InfoScale '06), pp. 1-13, Hong Kong, June 2006.

[17] C. C. Zou, D. Towsley, and W. Gong, "Modeling and simulation study of the propagation and defense of internet e-mail worms," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 2, pp. 106-118, 2007.

[18] C. Gan, X. Yang, W. Liu, Q. Zhu, and X. Zhang, "Propagation of computer virus under human intervention: a dynamical model," Discrete Dynamics in Nature and Society, vol. 2012, Article ID 106950, 8 pages, 2012.

[19] X. Sun, Y.-H. Liu, J.-Q. Zhu, and F.-P. Li, "Research on simulation and modeling of social network worm propagation," Chinese Journal of Computers, vol. 34, no. 7, pp. 1252-1261, 2011.

[20] H. Yuan and G. Chen, "Network virus-epidemic model with the point-to-group information propagation," Applied Mathematics and Computation, vol. 206, no. 1, pp. 357-367, 2008.

[21] L. Feng, X. Liao, Q. Han, and L. Song, "Modeling and analysis of peer-to-peer botnets," Discrete Dynamics in Nature and Society, vol. 2012, Article ID 865075,18 pages, 2012.

[22] L.-P. Song, X. Han, D.-M. Liu, and Z. Jin, "Adaptive human behavior in a two-worm interaction model," Discrete Dynamics in Nature and Society, vol. 2012, Article ID 828246, 13 pages, 2012.

[23] O. Diekmann, J. A. P. Heesterbeek, and J. A. J. Metz, "On the definition and the computation of the basic reproduction ratio R0 in models for infectious diseases in heterogeneous populations," Journal ofMathematical Biology, vol. 28, no. 4, pp. 365-382, 1990.

[24] R. M. Anderson and R. M. May, Infectious Diseases of Humans, Oxford University, Oxford, UK, 1991.

[25] J. Carr, Applications of Center Manifold Theory, Springer, New York, NY, USA, 1981.

[26] L. Perko, Differential Equations and Dynamical Systems, vol. 7 of Texts in Applied Mathematics, Springer, New York, NY, USA, 3rd edition, 2001.

[27] S. Wiggins, Introduction to Applied Nonlinear Dynamical Systems and Chaos, vol. 2 of Texts in Applied Mathematics, Springer, New York, NY, USA, 1990.

[28] L. Arriola and J. Hyman, Forward and Adjoint Sensitivity Analysis: With Applications in Dynamical Systems, Lecture Notes in Linear Algebra and Optimisation, Mathematical and Theoretical Biology Institute, 2005.

[29] A. Zeitoun and S. Jamin, "Rapid Exploration of Internet Live Address Space Using Optimal Discovery Path," in Proceedings of IEEE Global Telecommunications Conference (GLOBECOM '03), pp. 2885-2890, San Francisco, Calif, USA, December 2003.

[30] L.-P. Song, Z. Jin, G.-Q. Sun, J. Zhang, andX. Han, "Influence of removable devices on computer worms: dynamic analysis and control strategies," Computers & Mathematics with Applications, vol. 61, no. 7, pp. 1823-1829, 2011.

[31] Q. Zhu, X. Yang, and J. Ren, "Modeling and analysis of the spread of computer virus," Communications in Nonlinear Science and Numerical Simulation, vol. 17, no. 12, pp. 5117-5124, 2012.

[32] B. K. Mishra and S. K. Pandey, "Effect of anti-virus software on infectious nodes in computer network: a mathematical model," Physics Letters A, vol. 376, pp. 2389-2393, 2012.

[33] L.-X. Yang, X. Yang, L. Wen, and J. Liu, "A novel computer virus propagation model and its dynamics," International Journal of Computer Mathematics, vol. 89, no. 17, pp. 2307-2314, 2012.

[34] C. Gan, X. Yang, W. Liu, and Q. Zhu, "A propagation model of computer virus with nonlinear vaccination probability," Communications in Nonlinear Science and Numerical Simulation.

[35] L.-X. Yang, X. Yang, Q. Zhu, and L. Wen, "A computer virus model with graded cure rates," Nonlinear Analysis: Real World Applications, vol. 14, no. 1, pp. 414-422, 2013.

[36] A. A. Andronov, E. A. Leontovich, 1.1. Gordon, and A. G. Maier, Qualitative Theory of Second-Order Dynamical Systems, John Wiley & Sons, New York, NY, USA, 1973.

[37] J. Guckenheimer and P. Holmes, Nonlinear Oscillations, Dynamical Systems, and Bifurcations of Vector Fields, vol. 42 of Applied Mathematical Sciences, Springer, New York, NY, USA, 1983.

Copyright of Abstract & Applied Analysis is the property of Hindawi Publishing Corporation and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.