Abstract

To cope with evolving computer viruses, antivirus programs must be periodically updated. Due to the limited network bandwidth, new virus patches are typically injected into a small subset of network nodes and then forwarded to the remaining nodes. A static patching strategy consists of a fixed patch injection rate and a fixed patch forwarding rate. This paper focuses on evaluating the performance of a static patching strategy. First, we introduce a novel autonomous node-level virus-patch propagation model to characterize the effect of a static patching strategy. Second, we show that the model is globally attracting, implying that regardless of the initial expected state of the network, the expected fraction of the infected nodes converges to the same value. Therefore, we use the asymptotic expected fraction of the infected nodes as the measure of performance of a static patching strategy. On this basis, we evaluate the performances of a few static patching strategies. Finally, we examine the influences of a few parameters on the performance of a static patching strategy. Our findings provide significant guidance for restraining malware propagation.

1. Introduction

Computer networks have become a part of our life. Meanwhile, the rapid spread of digital viruses over networks has posed a huge threat to human society [1]. For instance, the total loss caused by Wannacry, the notorious ransomware, was estimated to be as high as four billion US dollars [2, 3]. Consequently, restraining the propagation of malicious codes has long been a major concern in cyber security [4].

To effectively inhibit the diffusion of malware, we must gain a deep insight into its propagation law. Inspired by mathematical epidemiology [5], in the early 1990s Kephart and White [6] proposed the first computer virus propagation model. After years of development, a new branch of applied mathematics, named malware propagation theory, has formed; it is devoted to the modeling and study of malware propagation. The earlier malware propagation models build on homogeneously mixed networks [7–15] or some special inhomogeneous networks such as scale-free networks [16–18]. In view of the structural diversity of real-world networks, it is essential to model and study malware propagation on arbitrary networks. The emergent node-level propagation models are especially suited to this demand, because they can accurately account for the effect of the network topology on propagation processes [19, 20]. In the past few years, a number of node-level malware propagation models have been proposed [21–23].

For the purpose of restraining the spread of malware, [24, 25] suggested disseminating virus patches through computer networks. To evaluate the performance of a patch forwarding rate, a number of compartmental virus-patch propagation models have been proposed [26–30]. Recently, a node-level virus-patch propagation model has been suggested [31]. With the evolution of malware, existing antivirus programs are insufficient to defend against future digital viruses. Therefore, security service providers have to keep injecting new virus patches into networks. Due to the limited network bandwidth, virus patches are typically injected into a subset of network nodes and then forwarded to the remaining nodes [25]. Unfortunately, none of the above models takes patch injection into account.

Ref. [32] is closely related to our work. In that paper, a simple virus-patch propagation model with patch injection was introduced, and the model was shown to admit a unique globally stable equilibrium. Unfortunately, the results obtained there are applicable to homogeneously mixed networks only. In our opinion, this defect can be overcome by introducing a node-level virus-patch propagation model with patch injection. Ref. [33] is also related to our work. In that paper, the problem of seeking cost-effective dynamic patch injection rates was modeled as a game between the virus maker and the security service provider, and a heuristic algorithm for solving the game problem was presented. However, the resulting patch injection rates are time-varying and hence are difficult to realize.

The present paper focuses on evaluating the performance of a static patching strategy. First, we introduce an autonomous node-level virus-patch propagation model to characterize the effect of a static patching strategy on the expected state of the associated computer network. Second, we show that this model is globally attracting, which implies that regardless of the initial expected state of the network, the expected fraction of the infected nodes in the network converges to the same value. Therefore, we recommend the asymptotic expected fraction of the infected nodes as the measure of performance of a static patching strategy. Next, we evaluate the performances of a few static patching strategies. Finally, we examine the effects of a few parameters on the performance of a static patching strategy. To our knowledge, this is the first time the performance of a static patching strategy is evaluated by means of node-level malware propagation theory. Because static patching strategies are easy to realize, our findings provide significant guidance for restraining malware propagation.

The rest of the paper is organized as follows. Section 2 introduces a virus-patch mixed propagation model, and Section 3 investigates the dynamical properties of the model. Section 4 evaluates the performance of a few static patching strategies, and Section 5 examines the effects of some parameters. Section 6 summarizes this work.

2. The Modeling of the Patching Problem

We define the patching problem as the problem of evaluating the performance of a static patching strategy. This paper focuses on this problem, and this section is devoted to modeling it.

2.1. Terms and Notations

Consider a computer network and let denote the set of all network nodes. Suppose viruses and patches propagate through the directed subnets and of the network, respectively. Let and denote the adjacency matrices of and , respectively.

Suppose that at any time , each node is in one of three possible states: susceptible, infected, and patched. Susceptible nodes are uninfected and have not received the newest patch. Hence, they are vulnerable to the newest virus. Patched nodes have received the newest patch. Hence, they are uninfected and immune to the newest virus. Let denote the event of node being susceptible at time , the event of node being infected at time , and the event of node being patched at time . Then the vector

represents the network’s state at time .

Let

As , the vector

represents the network’s expected state at time .

2.2. The Virus-Patch Mixed Propagation Model

We introduce a collection of six assumptions as follows.
(A1) Due to virus injection, each susceptible node gets infected at any time at the average rate , which we refer to as the virus injection rate.
(A2) Due to virus propagation, the susceptible node gets infected at time at the average rate , where is a constant we refer to as the virus propagation rate.
(A3) Due to patch injection, each unpatched node gets patched at any time at the average rate , which we refer to as the patch injection rate.
(A4) Due to patch forwarding, the unpatched node gets patched at time at the average rate , where is a constant we refer to as the patch propagation rate.
(A5) Due to system reinstallation, each infected node gets susceptible at any time at the average rate , which we refer to as the reinstallation rate.
(A6) Due to emergence of new virus, each patched node gets susceptible at any time at the average rate , which we refer to as the patch failure rate.

These assumptions are schematically shown in Figure 1.

Based on the above assumptions and according to the differential dynamical system theory [34], the network’s expected state evolves over time according to the following differential dynamical system:

Here,

We refer to the system as a virus-patch propagation (VPP) model. The model accounts for the effect of the static patching strategy. For convenience, we abbreviate this model as

2.3. The Modeling of the Patching Problem

The patch injection rate and the patch forwarding rate are both under the control of the security service provider. Specifically, is determined directly by the security service provider, while can be adjusted by rewriting the patch forwarding protocol. In what follows, we refer to the two-dimensional vector as a static patching strategy.

For the VPP model (4), let . The expected fraction of the infected nodes at time is

So, the asymptotic expected fraction of the infected nodes can be measured by

Obviously, the smaller the quantity, the better the static patching strategy. Henceforth, we will use this quantity as the indicator of the performance of the static patching strategy .

By combining the above discussions, the patching problem comes down to the following problem:

Patching Model: Given a 6-tuple and a Patching Strategy . Determine .

3. The Dynamics of the VPP Model

Obviously, the solution to the patching model depends on the dynamics of the VPP model (4). In this section, we investigate the dynamics of this model. First, we show that the model is positively invariant. Second, we prove that the model admits a unique equilibrium. Finally, we prove that the equilibrium is globally attracting.

3.1. Positive Invariance

Lemma 1. The VPP model (4) is positively invariant with respect to .

Proof. Let denote the boundary of . Then consists of the following hyperplanes. For , let denote the -dimensional row vector with the -th component being negative one and all of the remaining components being zero, the -dimensional row vector with the -th component being negative one and all of the remaining components being zero, and the -dimensional row vector with the -th and -th components being one and all of the remaining components being zero. Obviously, , and have , , and as their respective outer normal vectors. Suppose is a smooth point on . We deal with three cases, respectively.
Case 1. . Then, .
Case 2. . Then, .
Case 3. . Then, .
Hence, always points to the interior of . The claim follows from [35].

3.2. Equilibrium

For a differential dynamical system, an equilibrium is a system state such that if the initial system state is the state, all of the future system states will be the state.

Theorem 2. The VPP model (4) has a unique equilibrium. Moreover, let denote the equilibrium, then , , where

Proof. First, we show that the subsystem admits a unique equilibrium. Obviously, the claim holds if and only if the continuous mapping : , defined by admits a unique fixed point. By the well-known Brouwer Fixed Point Theorem [36], we get that admits a fixed point, denoted . It is easily verified that , . It remains to show the uniqueness of the fixed point. Otherwise, suppose admits another fixed point . Let We may assume . Then This contradicts the assumption that . So, is the unique fixed point of . Hence, the subsystem (13) has a unique equilibrium .
Second, we prove that the VPP model (4) has a unique equilibrium. The claim holds if and only if the function defined by admits a unique fixed point. The argument is analogous to the previous argument. Let denote the unique fixed point of . Then, the model (4) admits the unique equilibrium .

As the VPP model (4) is a multi-dimensional nonlinear differential dynamical system, it is extremely difficult or even impossible to get a closed-form formula for its unique equilibrium. The following theorem provides a numerical method for calculating the equilibrium.

Theorem 3. Let be the equilibrium of the VPP model (4). Define a pair of recursive sequences, and , as follows. Then,

Proof. The two sequences are obviously bounded. By induction on , we get that the two sequences are increasing. So, the two sequences converge. By the argument for Theorem 2, we get Eq. (20).

3.3. Global Attractiveness

For a differential dynamical system, an equilibrium is globally attracting if the system state always approaches it. An equilibrium of a differential dynamical system is globally stable if (a) it is globally attracting, and (b) for any neighborhood of the equilibrium, there is a neighborhood of the equilibrium such that when starting from within the second neighborhood, the system will always stay within the first neighborhood. Now, examine the global attractiveness of the equilibrium of the VPP model. For this purpose, we will use the following well-known lemma.

Lemma 4 (Chaplygin lemma [37]). Given a smooth -dimensional differential system Let where . Suppose for any , there hold Then , , .

For our purpose, we prove the following lemma.

Lemma 5. Let () be a solution to the model (4). Then there exists such that

Proof. Obviously, we have and Consider the comparison systems and where , . By Lemma 4, we have Obviously, the system (27) admits the globally stable equilibrium , and the system (28) admits the globally stable equilibrium . So, The claimed inequalities follow.

Now, let us present the main result of this paper as follows.

Theorem 6. The equilibrium of the VPP model (4) is globally attracting.

Proof. Let be the equilibrium of the model (4). First, we show that is a globally stable equilibrium of the subsystem Let be a solution to the subsystem. Let where is given by Lemma 5. Let Then , and if and only if . Let and denote the upper-right and lower-right Dini derivatives, respectively. Then we have two claims as follows.
Claim 1. if , and if .
Claim 2. if , and if .
We prove the first claim only, because the second claim can be proved analogously. Choose: such that . As , we have . So, Hence, , As the inequality is strict if , i.e., we have if .
Next, we treat three cases, respectively.
Case 1. . Then . So, .
Case 2. . Then . So, .
Case 3. . Then So, Moreover, the equality holds if and only if .
It follows from the LaSalle Invariance Principle [34] that is globally attracting. Hence, for any , there exists such that Substituting these inequalities into the first equations in the model (4), we get and Consider the comparison systems and where , . By Lemma 4, we have Similarly to the previous argument, we can show that the system (41) admits a globally stable equilibrium , and the system (42) admits a globally stable equilibrium . So, we get Obviously, we have . By Eq. (44), we get Hence, . Therefore, is the global attractor of the model (4).

By Theorem 6, we have the following result.

Theorem 7. For the VPP model (4), we have

According to Theorem 3, we may calculate the measure of performance of a static patching strategy using the iterations (18) and (19).
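
The following added example (not the paper's own code) assembles a mean-field node-level model from assumptions (A1)–(A6), solves its equilibrium conditions by an upward fixed-point iteration in the spirit of Theorem 3, and cross-checks the result by integrating from different initial states, as Theorem 7 predicts. The symbol names (alpha, beta_v, gamma, beta_p, delta, eta), the product-form closure, the edge orientation, the ring topology and the parameter values are all assumptions made here; the iteration is derived from those assumed equations and is not a transcription of (18) and (19).

```python
# Added illustration, not the paper's code. Mean-field node-level model
# assembled from assumptions (A1)-(A6); all symbol names are assumed here.

def rates(A, B, I, P, p):
    """Infection rate f_i (A1 + A2) and patching rate g_i (A3 + A4) per node.
    Assumed orientation: A[i][j] = 1 if j can infect i, B[i][j] = 1 if j
    forwards patches to i."""
    n = len(I)
    f = [p["alpha"] + p["beta_v"] * sum(A[i][j] * I[j] for j in range(n))
         for i in range(n)]
    g = [p["gamma"] + p["beta_p"] * sum(B[i][j] * P[j] for j in range(n))
         for i in range(n)]
    return f, g

def equilibrium_infected_fraction(A, B, p, tol=1e-13, max_iter=100000):
    """Iterate the equilibrium conditions upward from the all-zero state."""
    n = len(A)
    I, P = [0.0] * n, [0.0] * n
    for _ in range(max_iter):
        f, g = rates(A, B, I, P, p)
        # dP_i/dt = 0  =>  P_i = g_i / (g_i + eta)
        P_new = [g[i] / (g[i] + p["eta"]) for i in range(n)]
        # dI_i/dt = 0  =>  I_i = f_i (1 - P_i) / (f_i + g_i + delta)
        I_new = [f[i] * (1 - P[i]) / (f[i] + g[i] + p["delta"])
                 for i in range(n)]
        change = max(abs(x - y) for x, y in zip(I_new + P_new, I + P))
        I, P = I_new, P_new
        if change < tol:
            return sum(I) / n
    raise RuntimeError("fixed-point iteration did not converge")

def simulate_infected_fraction(A, B, p, I0, P0, t_end=200.0, dt=0.02):
    """Forward-Euler integration of the assumed ODEs from (I0, P0)."""
    n = len(A)
    I, P = list(I0), list(P0)
    for _ in range(int(t_end / dt)):
        f, g = rates(A, B, I, P, p)
        # Susceptible share 1 - I_i - P_i gets infected; infected nodes leave
        # by being patched (g_i) or reinstalled (delta).
        dI = [f[i] * (1 - I[i] - P[i]) - (g[i] + p["delta"]) * I[i]
              for i in range(n)]
        # Every unpatched node can be patched; patches fail at rate eta.
        dP = [g[i] * (1 - P[i]) - p["eta"] * P[i] for i in range(n)]
        I = [I[i] + dt * dI[i] for i in range(n)]
        P = [P[i] + dt * dP[i] for i in range(n)]
    return sum(I) / n

def ring(n):
    """Constructed sample topology: bidirectional ring on n nodes."""
    return [[1 if abs(i - j) in (1, n - 1) else 0 for j in range(n)]
            for i in range(n)]

# Constructed parameter values, chosen only for the demonstration.
PARAMS = {"alpha": 0.01, "beta_v": 0.3, "gamma": 0.05,
          "beta_p": 0.1, "delta": 0.2, "eta": 0.1}

if __name__ == "__main__":
    A = B = ring(6)
    print("fixed point:", equilibrium_infected_fraction(A, B, PARAMS))
    for I0, P0 in ([0.0] * 6, [0.0] * 6), ([1.0] * 6, [0.0] * 6):
        print("ODE limit: ", simulate_infected_fraction(A, B, PARAMS, I0, P0))
```

Under this assumed model, rerunning the fixed-point solver with a larger `alpha` or with extra edges in `B` gives a quick check of the monotonicity stated in Section 5.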

4. The Performances of Some Patching Strategies

In this section, we evaluate the performances of some patching strategies. For this purpose, we need to acquire some networks. Pajek is a well-known social network analysis program [38]. By setting the number of nodes as 100 and the edge-rewiring probability as and using Pajek, we get a small-world network [39], which is denoted and displayed in Figure 2. By setting the number of nodes as 100 and using Pajek, we get a scale-free network [40], which is denoted and exhibited in Figure 3. Finally, Figure 4 exhibits a real-world email network with 100 nodes [41].

Example 8. Consider the VPP model with and . By calculations, we get . Figure 5 shows that for five different initial conditions, agreeing with Theorem 7.

Example 9. Consider the VPP model with and . By calculations, we get . Figure 6 shows that for five different initial conditions, in accordance with Theorem 7.

Example 10. Consider the VPP model with and . By calculations, we get . Figure 7 shows that for five different initial conditions, conforming to Theorem 7.

5. Further Discussions

Now, let us investigate the effects of some parameters on the performance of a patching strategy.

5.1. The Effects of the Four Rates

First, let us examine how the four rates, , , and , affect performance of a patching strategy.

Theorem 11. For the VPP model (4), is increasing with , , and , and is decreasing with .

Proof. We argue for the first claim only. This is because the arguments for the remaining claims are similar. Let denote the equilibrium of the VPP model with and the static patching strategy , the equilibrium of the VPP model with and the static patching strategy , where . Let be the solution to the recursion (18). By Theorem 3, we get Let be the solution to the recursion (19) with , the solution to the recursion (19) with . By Theorem 3, we get By induction on , we get . So, Combining Eq. (47) with Eq. (49), we get .
The theorem demonstrates that the performance of a patching strategy can be improved by either reducing the virus injection rate or the virus propagation rate or the patch failure rate or enhancing the reinstallation rate.

Example 12. Consider the set of VPP models with and , . Figure 8(a) shows that is increasing with , agreeing with the first claim of Theorem 11.

Example 13. Consider the set of VPP models with and , . Figure 8(b) shows that is increasing with , in agreement with the second claim of Theorem 11.

Example 14. Consider the set of VPP models with and , . Figure 8(c) shows that is decreasing with , meeting the fourth claim of Theorem 11.

Example 15. Consider the set of VPP models with and , . Figure 8(d) shows that is increasing with , in accordance with the third claim of Theorem 11.

5.2. The Effects of the Two Networks

Next, we inspect how the virus-propagating network and the patch-forwarding network affect the performance of a patching strategy.

Theorem 16. For the VPP model (4), is increasing with the addition of new edges in , and is decreasing with the addition of new edges in .

The argument for the theorem is analogous to that for Theorem 7. Hence, it is omitted. This theorem shows that the performance of a patching strategy can be improved by reducing virus propagation channels or augmenting patch dissemination channels.

6. Summary

This paper has addressed the issue of evaluating the performance of a static patching strategy. We have introduced a novel node-level virus-patch propagation model and showed that the model is globally attracting. Hence, we have recommended the asymptotic expected fraction of the infected nodes as the indicator of performance of a patching strategy.

There are some relevant problems that are worth studying. The virus-patch propagation model (4) can easily be extended to the situation where the patching rates are different for susceptible and infectious nodes, with similar results. In this paper it is assumed that the network topology is unchanged over time. However, many real-world computer networks such as mobile networks are time-varying. Hence, it is worthwhile to extend this work to the time-varying network situation. In practice, a security service provider may flexibly adjust the patching strategy over time to mitigate the consequence of malware. In this situation, the problem of seeking a cost-effective dynamic patching strategy may be modeled as an optimal control problem [42, 43]. Additionally, when the virus maker is intelligent and rational, the problem of choosing a cost-effective patching strategy may boil down to a game problem [44–46].

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Funding

This study was funded by Natural Science Foundation of China (Grant No. 61572006) and Chongqing Basic Research and Front Exploration Project (Grant No. cstc2018jcyjA3093).