Malware propagation model for cluster-based wireless sensor networks using epidemiological theory

Game between malware and defend system for WSNs

Before studying the propagation mechanism of WSNs malware, one must first consider the attack and defense strategy between malware and a defend system. For sensor nodes infected by malware, it can propagate to more surrounding nodes, which can make the network invalid in a large area. However, if the malware propagates too frequently, it is easy to be detected by susceptible nodes and repaired. At the same time, the energy of the infected node will be consumed every time the malware is propagated. Therefore, the problem for infected nodes is maximizing the propagation of malware while minimizing their own energy consumption. As for the defend system, the data received by the node can be detected for security. If abnormal malware packets are found, the data will be discarded, and the last hop node will be installed with patches and restored. However, these methods will inevitably bring interference to the normal operation of WSNs. For example, detecting data and installing security patches will consume energy and occupy bandwidth. Therefore, the defend system will also detect the received data with a certain probability, so as to maximize its own benefits. This shows that the attack and defense process between malware and defend systems is actually a game. Therefore, in this paper game theory is used to analyze the attack and defense strategies between them.

Definition: The strategic game between malware and a defend system in WSNs is composed of a ternary $\mathbb{G}=\left(J,\left\{C_i\right\},\left\{U_i\right\}\right)$, where

• $J=\left\{\mathcal{M},\mathcal{D}\right\}$ is the set of players in the game, where $\mathcal{M}$ and $\mathcal{D}$ represent the malware and the defend system, respectively.

• C_i is the strategy set of player iwhen i is the defend system; $C_{\mathcal{D}}=\left\{detecting,nodetecting\right\}$, when i is malware; $C_{\mathcal{M}}=\left\{propagation,nopropagation\right\}$.

• U_i is the utility obtained by the player i during the game, and its value is determined by the strategies adopted by both sides of the game.

According to the attack and defense game in Definition 1, the payoff matrix of the game can be obtained, as shown in Table 2. If the susceptible node performs security detection on the received data packet, it must consume energy and may block the channel, and the resulting system cost is recorded as ν. The cost of malware caused by the energy consumption of the infected node sending the data packet containing the malicious software to the next hop node is recorded as ɛ. After the susceptible node is detected, if malware is found, the system will repair the last hop node, which will consume energy and bandwidth, and set the total cost as τ. After the repair is successful, the utility to the system and the cost to the malware are both e. When the malware initiates an attack and the system initiates detection, the overall utility of the system is −ν − τ + e, and the utility of the infected node is −e − ɛ. When the system is not detected, the utility of the system and that of the malware are −e and e − ɛ, respectively. In addition, when the system initiates detection but no malware is found, the system’s utility will be −ν. In other cases, the utility of both parties is zero.

The notion of mixed strategy Nash equilibrium (MNE) captures a steady state of a strategic game in which each player holds the correct expectation about other players’ behavior and acts rationally. The main feature of MNE is that the opponent adopts any pure strategy, and the player’s expected utility is the same. According to game theory, there must be MNE in the game of limited players, so one can solve the MNE of the game 𝔾. Assume that malware attacks and propagates with a probability of p, and does not attack with a probability of 1 − p. The system detects the received data with probability q, and does not detect with probability 1 − q. The utility maximization method to can be used to solve the MNE. According to the utility matrix, the expected utility of the system $E\left(U_{\mathcal{D}}\right)$ is (1)${\displaystyle \begin{array}{c}\hfill E\left(U_{\mathcal{D}}\right)=pq\left(-\nu -\tau +e\right)+q\left(1-p\right)\left(-\nu \right)\\ \hfill +p\left(1-q\right)\left(-e\right)\end{array}}$ Letting $\frac{\partial E\left(U_{\mathcal{D}}\right)}{\partial q}=0$, one has (2)${\displaystyle p=\frac{\nu }{2e-\tau }}$ Similarly, the expected utility of malware $E\left(U_{\mathcal{M}}\right)$ is (3)${\displaystyle \begin{array}{c}\hfill E\left(U_{\mathcal{M}}\right)=pq\left(-e-\varepsilon \right)+p\left(1-q\right)\left(e-\varepsilon \right)\end{array}}$ Letting $\frac{\partial E\left(U_{\mathcal{M}}\right)}{\partial p}=0$, one has (4)${\displaystyle q=\frac{e-\varepsilon }{2e}}$

When malware initiates an attack with probability $\frac{\nu }{2e-\tau }$, the expected utility of the malware is the same regardless of whether the system is detected or not. Similarly, when the probability of system detection is $\frac{e-\varepsilon }{2e}$, the expected utility is the same regardless of whether the malware initiates an attack. Therefore, ($p^{\ast }=\frac{\nu }{2e-\tau },q^{\ast }=\frac{e-\varepsilon }{2e}$) is the MNE of the attack and defense game between malware and system. When both parties are rational, they will use this strategy to attack and defend. When the malware initiates an attack and the system does not detect it, the malware will spread successfully; when the malware initiates an attack and the system detects it, the system will find the malware and repair the data source node. Therefore, the malware infection rate and system recovery rate under MNE conditions can be obtained: (5)${\displaystyle \beta =p^{\ast }\left(1-q^{\ast }\right)=\frac{\nu \left(e+\varepsilon \right)}{2e\left(2e-\tau \right)}}$ (6)${\displaystyle \gamma =p^{\ast }{q}^{\ast }=\frac{\nu \left(e-\varepsilon \right)}{2e\left(2e-\tau \right)}}$

Malware propagation model

In this subsection, a malware propagation model is established under the condition of MNE. Let $\tilde{S}\left(t\right)$, $\tilde{I}\left(t\right)$, S(t), I(t), and R(t) denote the susceptible cluster head nodes, infected cluster head nodes, susceptible common nodes, infected common nodes, and number of recovered nodes at time t, respectively. According to the malware attack strategy under MNE, the infected nodes infect surrounding susceptible nodes with infection rate β that can communicate with each other. Moreover, according to the system defense strategy, the infected nodes recover at a rate of γ.

In a cluster-based hierarchical network, it is assumed that the number of cluster head nodes and common nodes are N₁ and N₂, respectively; that is, there are N₁ clusters in the network, and each cluster contains N₂/N₁ common nodes with the node status conversions. Letting ${\tilde{S}}_r\left(t\right)$ and S_r(t) represent the effective contact number of the infected cluster head node against the susceptible cluster head node and the susceptible common node, respectively. The formula is expressed as follows: (7)${\displaystyle {\tilde{S}}_r\left(t\right)=\frac{\sigma \pi r^2}{N_1}\tilde{S}\left(t\right)}$ (8)${\displaystyle S_r\left(t\right)=\frac{S\left(t\right)}{N_1}}$ Each infected node can infect $\beta {\tilde{S}}_r$ susceptible nodes per unit time. Therefore, the conversion rate of susceptible cluster head nodes to infected cluster head nodes is $\beta {\tilde{S}}_r\left(t\right)\tilde{I}\left(t\right)$ at time t. Since common nodes cannot communicate with each other but can only be infected by cluster head nodes, the infection rate of common nodes is also determined by $\tilde{I}\left(t\right)$. The conversion rate from susceptible common node to infected common node is $\beta S_r\left(t\right)\tilde{I}\left(t\right)$ at time t. At the same time, due to the existence of the defense system, the conversion rate of infected nodes I and $\tilde{I}$ to immune group R is γI(t) and $\gamma \tilde{I}\left(t\right)$, respectively. Considering that the node cannot continue to work due to physical device damage or exhaustion of battery power, the death and births rate of the node are both set to b, which ensures that the number of nodes in the network remains constant. In this way, we can obtain the state transition relationship between groups in the cluster network shown in Fig. 2.

In accordance with the rates of change between different states shown in Fig. 2, one can establish a mathematical model of a system of differential equations based on cluster-based WSNs for malware propagation: (9)${\displaystyle \left\{\begin{array}{c}\frac{d\tilde{S}\left(t\right)}{dt}=b{N}_1-\beta \frac{\sigma \pi r^2}{N_1}\tilde{S}\left(t\right)\tilde{I}\left(t\right)-b\tilde{S}\left(t\right)\hfill \\ \frac{d\tilde{I}\left(t\right)}{dt}=\beta \frac{\sigma \pi r^2}{N_1}\tilde{S}\left(t\right)\tilde{I}\left(t\right)-\gamma \tilde{I}\left(t\right)-b\tilde{I}\left(t\right)\hfill \\ \frac{dS\left(t\right)}{dt}=b{N}_2-\beta \frac{S\left(t\right)}{N_1}{I}^{\prime }\left(t\right)-bS\left(t\right)\hfill \\ \frac{dI\left(t\right)}{dt}=\beta \frac{S\left(t\right)}{N_1}{I}^{\prime }\left(t\right)-\gamma I\left(t\right)-bI\left(t\right)\hfill \\ \frac{dR\left(t\right)}{dt}=\gamma \tilde{I}\left(t\right)+\gamma I\left(t\right)-bR\left(t\right)\hfill \end{array}\right.}$

Since the total number of sensor nodes in the system is a fixed value (N₁ + N₂), one can obtain (10)${\displaystyle R\left(t\right)=N_1+N_2-\tilde{S}\left(t\right)-S\left(t\right)-\tilde{I}\left(t\right)-I\left(t\right)}$ Therefore, primarily the first four equations in system (9) are considered. Letting (11)${\displaystyle {\alpha }_1=\beta \frac{\sigma \pi r^2}{N_1}}$ (12)${\displaystyle {\alpha }_2=\frac{\beta }{N_1}}$ The system model Eq. (9) can finally be simplified as (13)${\displaystyle \left\{\begin{array}{c}\frac{d\tilde{S}}{dt}=b{N}_1-{\alpha }_1\tilde{S}\tilde{I}-b\tilde{S}\hfill \\ \frac{d\tilde{I}}{dt}={\alpha }_1\tilde{S}\tilde{I}-\gamma \tilde{I}-b\tilde{I}\hfill \\ \frac{dS}{dt}=b{N}_2-{\alpha }_{2}S\tilde{I}-bS\hfill \\ \frac{dI}{dt}=\beta {\alpha }_{2}S\tilde{I}-\gamma I-bI\hfill \end{array}\right.}$

Malware-free equilibrium and its stability

To investigate the local stability of the equilibrium points of the system Eq. (13), one must calculate the corresponding Jacobian matrix as (23)${\displaystyle J=\left[\begin{array}{cccc}\hfill -{\alpha }_1\tilde{I}-b\hfill & \hfill -{\alpha }_1\tilde{S}\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill {\alpha }_1\tilde{I}\hfill & \hfill {\alpha }_1\tilde{S}-\gamma -b\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill -{\alpha }_{2}S\hfill & \hfill -{\alpha }_2\tilde{I}-b\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill {\alpha }_{2}S\hfill & \hfill {\alpha }_2\tilde{I}\hfill & \hfill -\gamma -b\hfill \end{array}\right]}$

Lemma 1. The malware-free equilibrium E₀ of system Eq. (13) is locally asymptotically stable if R₀ < 1 and unstable if R₀ > 1.

Proof. Calculating the Jacobian matrix Eq. (25) at malware-free equilibrium, one obtains (24)${\displaystyle J\left(E_0\right)=\left[\begin{array}{cccc}\hfill -b\hfill & \hfill -{\alpha }_1{N}_1\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill {\alpha }_1\tilde{I}\hfill & \hfill {\alpha }_1{N}_1-\gamma -b\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill -{\alpha }_2{N}_2\hfill & \hfill -b\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill {\alpha }_2{N}_2\hfill & \hfill 0\hfill & \hfill -\gamma -b\hfill \end{array}\right]}$ To prove the stability at the point E₀, one will find all the eigenvalues (λ) of the matrix Eq. (26). The eigenvalues are given as (25)${\displaystyle \lambda =-b,-\gamma -b,{\alpha }_1{N}_1-\gamma -b}$ where −b is a double eigenvalue.

Hence, when R₀ < 1, all eigenvalues of the matrix (26) have no positive real part, and the malware-free equilibrium E₀ is locally asymptotically stable; when R₀ > 1, Eq. (26) has a positive eigenvalue α₁N₁ − γ − b. Thus, malware-free equilibrium E₀ is unstable. Theorem 2. The malware-free equilibrium E₀ is globally asymptotically stable if R₀ < 1.

Proof. Let (26)${\displaystyle \begin{array}{c}\hfill D=\left\{\begin{array}{c}\hfill \left(\tilde{S},\tilde{I},S,I\right)\in R^4\left|0⩽\tilde{S}+\tilde{I}⩽N_1,\right.\hfill \end{array}\right.\left.\begin{array}{c}\hfill 0⩽S+I⩽N_2,\tilde{S},\tilde{I},S,I⩾0\hfill \end{array}\right\}\end{array}}$ Obviously, D is the positive invariant set of system Eq. (13). When R₀ < 1, construct the Liapunov function (27)${\displaystyle V\left(t\right)=\tilde{I}\left(t\right)}$ The derivative of V(t) along the trajectory of system Eq. (13). is (28)${\displaystyle \begin{array}{c}\hfill \frac{dV\left(t\right)}{dt}=\frac{d\tilde{I}\left(t\right)}{dt}=\left[{\alpha }_1\tilde{S}-\left(b+\gamma \right)\right]\tilde{I}\\ \hfill ⩽\left[{\alpha }_1{N}_1-\left(b+\gamma \right)\right]\tilde{I}\end{array}}$ Since R₀ < 1, then ${\alpha }_1{N}_1-\left(b+\gamma \right)<0$. Thus, (29)${\displaystyle Q=\left\{\left(\tilde{S},\tilde{I},S,I\right)\in D\left|\frac{dV\left(t\right)}{dt}=0\right.\right\}=\left\{\tilde{I}=0\right\}}$ Therefore, the maximum invariant set of the system in Q is $\left\{\tilde{I}=0\right\}$. According to the principle of Lasalle invariance, (30)${\displaystyle \underset{t\to \infty }{lim}\tilde{I}\left(t\right)=0}$ Substituting the preceding equation into system Eq. (13). (31)${\displaystyle \underset{t\to \infty }{lim}\tilde{S}\left(t\right)=N_1,\underset{t\to \infty }{lim}S\left(t\right)=N_2,\underset{t\to \infty }{lim}I\left(t\right)=0}$ Therefore, E₀ is globally attractive. Combined with the local stability of E₀, it can be seen that E₀ is globally asymptotically stable.

Endemic equilibrium and its stability

Lemma 3. The endemic equilibrium E₁ of system Eq. (13) is locally asymptotically stable if R₀ > 1.

Proof. At the endemic equilibrium point, the Jacobian matrix is (32)${\displaystyle J\left(E_1\right)=\left[\begin{array}{cccc}\hfill -{\alpha }_1{\tilde{I}}_1-b\hfill & \hfill -\gamma -b\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill {\alpha }_1{\tilde{I}}_1\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill -\frac{b{N}_1}{{\tilde{I}}_1+\frac{b}{{\alpha }_2}}\hfill & \hfill -{\alpha }_2{\tilde{I}}_1-b\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill \frac{b{N}_1}{{\tilde{I}}_1+\frac{b}{{\alpha }_2}}\hfill & \hfill {\alpha }_2{\tilde{I}}_1\hfill & \hfill -\gamma -b\hfill \end{array}\right]}$ Two eigenvalues are given as (33)${\displaystyle \lambda =-{\alpha }_2{\tilde{I}}_1-b,-\gamma -b}$ and are negative. The remaining two eigenvalues are given by (34)${\displaystyle {\lambda }^2+\left({\alpha }_1{\tilde{I}}_1+b\right)\lambda +\left(\gamma +b\right){\alpha }_1{\tilde{I}}_1=0}$ According to the Routh–Hurwitz criteria, since all the coefficients of Eq. (36) are positive, there is no positive real part eigenvalue. When R₀ > 1, all eigenvalues of the matrix Eq. (34) have no positive real part, and endemic equilibrium E₁ is locally asymptotically stable.

Theorem 4. The endemic equilibrium E₁ is globally asymptotically stable if R₀ > 1.

Proof. When R₀ > 1, construct the Liapunov function (35)${\displaystyle V\left(t\right)=\frac{1}{2}{\omega }_1{\left(\tilde{S}-{\tilde{S}}_1\right)}^2+{\omega }_2\left(\tilde{I}-{\tilde{I}}_1-{\tilde{I}}_{1}ln\frac{\tilde{I}}{{\tilde{I}}_1}\right)}$ where ω_i > 0, i =1 , 2. The derivative of V(t) along the trajectory is (36)${\displaystyle \begin{array}{c}\hfill \frac{dV\left(t\right)}{dt}={\omega }_1\left(\tilde{S}-{\tilde{S}}_1\right)\frac{d\tilde{S}\left(t\right)}{dt}+{\omega }_2\left(1-\frac{{\tilde{I}}_1}{\tilde{I}}\right)\frac{d\tilde{I}\left(t\right)}{dt}\\ \hfill ={\omega }_1\left(\tilde{S}-{\tilde{S}}_1\right)\left(b{N}_1-{\alpha }_1\tilde{S}\tilde{I}-b\tilde{S}\right)+{\omega }_2\left(\tilde{I}-{\tilde{I}}_1\right)\left({\alpha }_1\tilde{S}-{\alpha }_1{\tilde{S}}_1\right)& \hfill \\ \hfill =-{\omega }_1{\left(\tilde{S}-{\tilde{S}}_1\right)}^2\left({\alpha }_1\tilde{I}+b\right)+{\alpha }_1\left({\omega }_2-{\omega }_1{\tilde{S}}_1\right)\left(\tilde{I}-{\tilde{I}}_1\right)\left(\tilde{S}-{\tilde{S}}_1\right)& \hfill \\ \hfill \end{array}}$ Letting ${\omega }_2={\omega }_1{\tilde{S}}_1$, and any value ω₁ > 0, one thus obtains (37)${\displaystyle \frac{dV\left(t\right)}{dt}=-{\omega }_1{\left(\tilde{S}-{\tilde{S}}_1\right)}^2\left({\alpha }_1\tilde{I}+b\right)⩽0}$ and, obviously, (38)${\displaystyle Q=\left\{\left(\tilde{S},\tilde{I},S,I\right)\in D\left|\frac{dV\left(t\right)}{dt}=0\right.\right\}=\left\{\tilde{S}={\tilde{S}}_1\right\}}$ where D is determined by Eq. (28). Therefore, the maximum invariant set of the system in Q is $\left\{\tilde{S}={\tilde{S}}_1\right\}$According to the principle of Lasalle invariance, (39)${\displaystyle \underset{t\to \infty }{lim}\tilde{S}\left(t\right)={\tilde{S}}_1}$ Substituting this into system Eq. (13), one has (40)${\displaystyle \underset{t\to \infty }{lim}\tilde{I}\left(t\right)={\tilde{I}}_1,\underset{t\to \infty }{lim}S\left(t\right)=S_1,\underset{t\to \infty }{lim}I\left(t\right)=I_1}$ Therefore, E₁ is globally attractive. Combined with the local stability of E₁, it can be seen that E₁ is globally asymptotically stable.

Node communication radius r

Letting R₀ = 1 for Eq. (24), one can obtain the node communication radius threshold of the malware propagation in a cluster-based WSN: (41)${\displaystyle r_{th}=\sqrt{\left(\gamma +b\right)/\beta \sigma \pi }}$ That is to say, when r < r_th, R₀ < 1, according to Theorem 2, system Eq. (13) will stabilize at the malware-free equilibrium E₀, and the malware in the system will eventually disappear. When r > r_th, R₀ > 1, and, according to Theorem 4, system Eq. (13) will stabilize at the endemic equilibrium E₁, and malware in WSNs will exist consistently. According to the aforementioned WSN parameters, one can calculate r_th = 1.2259. As shown in Fig. 4, when r = 0.5 < r_th and r = 1 < r_th, system Eq. (13) stabilizes at malware-free equilibrium. The number of infected nodes eventually reaches zero, and convergence speed increases as r decreases. When r = 2 > r_th and r = 3 > r_th, system Eq. (13) stabilizes at the endemic equilibrium. The number of infected nodes eventually tends to a constant value, and the constant value increases with r.

Node distributed density σ

One can also obtain the node distributed density threshold of malware propagation in a cluster-based WSN according to Eq. (24): (42)${\displaystyle {\sigma }_{th}=\frac{\gamma +b}{\beta \pi r^2}}$ That is to say, when σ < σ_th, R₀ < 1, and the malware in the system will eventually disappear. When σ > σ_th, R₀ > 1, and system Eq. (13) will stabilize at the endemic equilibrium E₁, and malware will exist consistently. By calculation, σ = 0.7514. As shown in Fig. 5, when σ = 0.1 < σ_th and σ = 0.5 < σ_th, the malware will eventually disappear, and the convergence speed increases as σ decreases. When σ = 1 > σ_th and σ = 5 > σ_th, the number of infected nodes eventually tends to a constant value, and the constant value increases with σ.

Node death rate b

The threshold of malware propagation about the death rate of nodes is (43)${\displaystyle b_{th}=\beta \sigma \pi r^2-\gamma }$ That is to say, when b > b_th, R₀ < 1, the malware in the system will eventually disappear. When b < b_th, R₀ > 1, system Eq. (13) will stabilize at the endemic equilibrium E₁, and malware will exist consistently. By calculation, b_th = 0.0052. As shown in Fig. 6, when b = 0.001 < b_th and b = 0.003 < b_th, system Eq. (13) stabilizes at endemic equilibrium. When b = 0.01 > b_th and b = 0.03 > b_th, system Eq. (13) stabilizes at malware-free equilibrium. In contrast with communication radius r and node density σ, even when R₀ is greater than 1, the number of infected cluster head nodes decreases monotonically and eventually tends to a constant value. In Figs. 4A and 5A, it can be seen that when R₀ > 1 the number of infected cluster head nodes increases rapidly in the initial stage and then decreases to a constant level.