Beruflich Dokumente
Kultur Dokumente
Research Article
Malware Propagation and Prevention Model for Time-Varying
Community Networks within Software Defined Networks
Received 10 December 2016; Revised 18 February 2017; Accepted 5 March 2017; Published 28 March 2017
Copyright 2017 Lan Liu et al. This is an open access article distributed under the Creative Commons Attribution License, which
permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
As the adoption of Software Defined Networks (SDNs) grows, the security of SDN still has several unaddressed limitations. A
key network security research area is in the study of malware propagation across the SDN-enabled networks. To analyze the
spreading processes of network malware (e.g., viruses) in SDN, we propose a dynamic model with a time-varying community
network, inspired by research models on the spread of epidemics in complex networks across communities. We assume subnets
of the network as communities and links that are dense in subnets but sparse between subnets. Using numerical simulation and
theoretical analysis, we find that the efficiency of network malware propagation in this model depends on the mobility rate of the
nodes between subnets. We also find that there exists a mobility rate threshold . The network malware will spread in the SDN
when the mobility rate > . The malware will survive when > and perish when < . The results showed that our model is
effective, and the results may help to decide the SDN control strategy to defend against network malware and provide a theoretical
basis to reduce and prevent network security incidents.
malware propagation in SDN is proposed. Then, in Sec- many cases, such as computer malware spreading on the
tion 4, we implement a numerical simulation to evaluate the Internet. Therefore, we consider that the community struc-
influences of the mobility rate on the dynamic behavior of tures in complex network models have considerable influence
SDN, and the theoretical analysis of this model is performed. on the spreading of network malware in SDN.
In Section 5, the possible applications of our research are In recent years, many studies have indicated that time-
presented. Finally, we conclude and offer prospective areas for varying networks play an important role in the investigation
future research in Section 6. of the network malware spreading that occurs in complex
networks [15]. In computer networks, we can assume subnets
as communities and links that are dense in a subnet but
2. Background and Related Work
sparse between subnets. Network malware spreading is rapid
2.1. Industry Trends. This research paves the way for practical in the subnets but slow between subnets. Because different
implementations using SDN as a platform for malware subnets are disparate, it is impossible for individuals to
propagation control. In the industry, Google has already propagate malware to different subnets at the same time even
deployed SDN for data center backbone traffic. Major com- if these individuals have connections with many different
mercial switch vendors including Cisco, IBM, HP, Dell, and subnets in a static network. Thus, there are no links among
Juniper Networks have announced intent to support or have subnets at each time step in a time-varying network, but indi-
already launched switching products that support SDN. We viduals can move among subnets because of the centralized
see a lot of potential in applying our research into similar control of SDN [16].
environments. Toutonji and Yoo proposed a model Passive Worm
The market research company IDC predicts that the mar- Dynamic Quarantine (PWDQ) to enable network malware
ket for SDN applications will reach $37 billion by 2016 [3]. It detection and protection [17]. When a node is listed as a
is also realistic to expect malware (e.g., network viruses, Bot- suspicious node, the PWDQ model departs from previous
nets) to continue to be a threat for future SDN deployments. models in that infected nodes will be recovered either by
Specifically, we witness a recent surge in malware (e.g., Mirai) passive benign worms or by quarantine measures. Computer
specifically designed for launching Distributed Denial-of- simulations show that this method may decrease the number
Service (DDOS) attacks to network-connected assets. To of infectious nodes and reduce the speed of network malware
assure Internet security, effective detection malwares are propagation.
indispensable. Our research addresses these issues directly. Omote and Shimoyama found a method for preventing
the spread of network malware [18]. An estimating unit
calculates the expected number of infected nodes when the
2.2. Research Trends and Gaps. Research on the network malware transmits a predetermined number of packets, based
security of SDN raised concern in recent years. Most prior on the infectivity calculated by the infectivity calculating unit.
studies have looked at the development and analysis of SDN Bradley et al. [19] and other studies have shown that the
security applications [4]. However, few solutions provide an network topology has an impact on network malware spread-
effective defense mechanism against the threat of attacks in ing: the closer to the center of the network the malware is,
SDNs because all types of open applications make the end- the faster the malware spreads and the higher the probability
hosts and switches the target of attacks, which is a threat to the of repeated infection is.
entire network [5]. In all types of security incidents, network Gourdin et al. found that the effect of network malware
malware usually spreads quickly and has a strong influence spreading in a telecommunication network [20], where a
on availability, making network malware the most important certain curing strategy is deployed, can be captured by
issue to resolve in Internet security. epidemic models. In their model, the probability of each node
The control plane of SDN will have direct control over being infected depends on the curing and infection rate of its
the data plane elements [6]. Network administrators of SDNs neighbors.
often use programmable soft switches to provide network vir- Tang and Li investigated malware spread in Wireless
tualization. Modifying routing rules in traditional networks is Sensor Networks (WSNs) through Susceptible-Infective (SI)
difficult but easier in SDNs, which will help address problems epidemic models [21] and proposed two adaptive network
in traditional networks and is advantageous to adjust the protection schemes for securing WSNs against malware
route strategy of the entire network. The logical centralization attacks.
of network intelligence presents exciting challenges and Abaid et al. [22] proposed elastically partitioning network
opportunities to enhance security in such networks, includ- traffic to enable distributing detection load across a range of
ing new ways to prevent, detect, and react to threats, as well detectors and making a centralized SDN controller, which
as innovative security services and applications that are built allows for network-wide threat correlation as well as quick
upon SDN capabilities. Malicious code detection and preven- control of malicious flows.
tion under the new architecture need further study [714]. Ichiro et al. mentioned that, in security incident response,
At its core, the spread of network malware on the Internet the isolation of network virus-infected nodes and investi-
is a dynamic complex network challenge. In complex network gation of the damage situation of network virus activity
dynamics, if the network evolution speed is slower than are needed [23]. They proposed a method to isolate virus-
the information transmission speed, it can be approximately infected nodes while avoiding being detected by malware by
regarded as a static network. This assumption is set up in changing network quickly and partially using SDN.
Security and Communication Networks 3
Hosseini et al. [24, 25] proposed a dynamic model of (1) Consider a total population of nodes in the model,
malware propagation in scale-free networks (SFNs) based on which means that no new nodes enter or leave the system at
a rumor spreading model. The model considers the impact any time.
of software diversity to halt the outbreak of malware in (2) In the model, nodes only have two possible states:
networks. Their research stated that the simulation results susceptible () and infected (). A node must be in one of the
demonstrate that the model is more effective than other two states, and an infected node cannot be infected again. We
existing models of malware propagation, in terms of reducing define the initial infected nodes as (0) = 0 .
the density of infected node. (3) The network malware cannot spread between different
These research efforts provide several new approaches for subnets in normal conditions, which means that there are no
studying network malware spreading and prevention in the infection paths between different subnets.
SDN environment. In terms of our approach, we believe that Assume that each susceptible neighbor of an infected
since an SDN controller can manage and quarantine nodes in node has a probability of being infected and a susceptible
the entries network, when new network malware breaks out node has inf infected neighbors at time in the model. At
in a subnet, this controller may change the flow table strategy + 1 step, this susceptible node will become infected with
according to network status and prevent the spreading of the probability 1 (1 )inf . At the same time, the infected node
malware to other subnets. As such, we designed a network may become susceptible at rate through network malware
malware propagation model of SDN to effectively defend killing and patching.
against the spreading of network malware.
3.2. Model with Time-Varying Community Network. Although
various studies have shown that a computer network is a
3. Modeling Network Malware Spreading in scale-free network, to simplify the model, we begin our
an SDN Environment analysis with the simple time-varying community network.
As the spread of network malware in SDN is similar to the Based on the model assumption, we construct a time-
spread of diseases, we can use similar models to study the varying community network with network malware spread-
spread of network malware. This type of model has two ing.
assumptions: (1) the state of a network node at any moment (1) Consider a total population of nodes that is divided
is limited; the states include susceptible; infected; recov- into subnets with random ( = 1, 2, . . . , ) nodes in each
ery; isolation. We can choose different sets of states subnet, and let them satisfy
according to the characteristics of the network malware and
modeling purposes. (2) The infected nodes have a certain = . (1)
probability of infecting other nodes in the network. =1
Our mathematical model of computer malware spread (2) For each subnet i, we use probability to add a link
is mostly based on the Susceptible-Infected-Recovery (SIR) between each two nodes and let them satisfy
model or the simple Susceptible-Infected-Susceptible (SIS)
1
model [26]. To simplify our research, we adopted the SIS ( 1) = . (2)
model, where each node belongs to one of two states: sus- =1 2 2
ceptible or infected [27, 28]. Mathematical analysis on such a
In addition, is the average degree of the entire network.
model has revealed the importance of topology for propaga-
(3) When an infected node jumps from one subnet into
tion dynamics. Particularly, we found that the time-varying
another subnet, it will spread the network malware. We
community network model is suitable for networks with
assume that every node ( = 1, 2, . . . , ) has probability
small numbers of susceptible nodes, and we assumed that the
q to jump to another subnet, which is chosen randomly. In
network evolves more slowly than the diffusion process.
order to simulate malware spreading caused by node jump,
we add links between different subnet with probability q.
3.1. Model Assumptions. Different nodes belong to different During each time step, break all of the links between different
subnets in a computer network. In our study, we use logical subnet connected at last time step. Then connect nodes in the
subnets to classify the community network; network malware different subnet with probability q again. The most important
spreads more quickly within the subnet and spreads slowly value is a threshold . The network malware spreads and
between different subnets. To simplify the complex model, becomes infected for > and perishes for < . In
we assume that the network malware cannot spread between this model, we have a network malware threshold . The
different subnets in normal conditions. Because the SDN may network malware spreads and becomes infected when > .
change its routing strategy, when one infected node moves From the theory of probability [29], we have = / in
from one subnet to another logical subnet, it probably makes the time-varying community network model. For a specific
the network malware spread between subnets. community , when the mobility rate = 0, its network
To study the effects of network malware spreading when malware subthreshold is defined as
an infected node changes from one subnet to another in SDN,
= = . (3)
we establish some simple model assumptions. ( 1)
4 Security and Communication Networks
(t)
devices, and hosts can be redirected, which means that the
0.3
node mobility rate between subnets satisfies > 0. When
> ( = 1, 2, ..., ), even if there is only one seed at the 0.2
beginning, the network malware may spread into all of the
subnets. We discover that the time of the network malware 0.1
outbreak in the subnets is dependent on the mobility rate
. When < ( = 1, 2, ..., ; < ), a mobility rate 0
threshold is considered. The network malware in subnet 0 20 40 60 80 100
is where < can survive when > because of the t (time step)
jump of infected nodes. (1), q = 0.00001 (2), q = 0.000002
(2), q = 0.00001 (2), q = 0.000001
4. Simulation and Evaluation Figure 1: Density of infected nodes () in two subnets with
different mobility rates . The symbol (1) denotes the first subnet,
To simulate the network malware spreading, we use a similar and the symbol (2) denotes the second subnet.
experimental environment. To be brief we set = 2 and
analyze the network malware spreading in two cases. At the
beginning, there is only one infected node, (0) = 1, and we
represents the density of the infected nodes in the first subnet
set = 3000, 1 = 1200, 2 = 1800, = 20, 1 = 0.0069,
at time t, q is the mobility rate between subnets, and 1 is the
and 2 = 0.0155. These parameters satisfy (1) and (2).
total number of nodes of the first subnet.
In the time-varying network model, small world model,
(A) > ( = 1, 2). Let us set = 0.1. We can obtain 1 =
and scale-free model, these theories are based on mean
0.0121 and 2 = 0.0036 from (3). We set = 0.02 > ( = field theory. According to mean field theory, 1 () satisfies
1, 2). equation 1 () = 1 () + 1 1 ()(1 1 ()).
In the simulation, we chose an infected node in the first
subnet randomly, and the other nodes in the two subnets In this equation, 1 () represents the density of the
were susceptible. We simulate the step with mobility rate infected nodes in the first subnet and each infected node
= 0.000001 to 0.00001 between the subnets, and the result will become susceptible at rate . is the probability that
is shown in Figure 1. The curve with black asterisks represents each susceptible node linked by an infected node will be
the density of infected nodes in the first subnet as a function infected. On the right side of the equation, 1 () shows the
of time with mobility rate = 0.00001 and the other curves reduced number of infected nodes, (1 1 ()) is the density
represent the evolution of infected nodes in the second subnet of susceptible nodes, and 1 1 () presents the number
with different mobility rates from 0.00001 to 0.000001. of infected nodes around a susceptible node. According to
As can be observed from the diagram, the network the multiplication rule, 1 1 ()(1 1 ()) presents the
malware first broke out in the first subnet and then propa- increased number of infected nodes in the entire network.
gated into the second subnet. The time of network malware The simplified formula is
outbreak in the second subnet decreased with the increase in /
the mobility rate . 1 () = , (4)
We have not plotted the curve of the other mobility rate 1 +
in the first subnet because the network malware spreading where = 1 , = 1 , and
in the first subnet has less of a relationship with . The
values of mobility rate applied above were chosen based 1 (0)
on experiment and by experience. A deep understanding of = . (5)
1 (0)
the detailed time evolution of network malware spreading is a
prerequisite to finding optimal strategies to prevent network 1 (0) shows the density of infected nodes at time = 0,
malware outbreaks. Thus, we analyzed it in detail. and, in this simple example, we obtain 1 (0) = 1/1 . At time
From the simulation, we knew that when > 2 , the step , there are 1 1 () infected nodes in the first subnet.
network malware would have an outbreak in the second According to model, the nodes between subnets connect with
subnet only if there was one node that was infected by the probability . So, in the second subnet, there are 1 1 ()2
nodes and had moved from the first subnet. nodes connected with the infected nodes in the first subnet,
At each time step, the number of infected nodes that move which have a probability of being infected. So, at each time
from the first subnet can be calculated as 1 1 (), where 1 () step , the probability of the node in the second subnet being
Security and Communication Networks 5
1 1 () 2 = 1. (6) 60
0
Tc (q)
Then, we can obtain 50
ln (ln(1+)+/(1 2 ) ) 40
= . (7)
30
We can obtain the outbreak time of the network malware
in the second subnet by
20
0 0.2 0.4 0.6 0.8 1 1.2
ln(1+)+/(1 2 )
ln ( ) ln q 105
= + 0 = + . (8)
= 0.02
= 0.08
In this formula, 0 = ln / is the time for the number Theoretical curve
of infected nodes in the second subnet to increase from one
to half of the stabilized value. To check the above theoretical Figure 2: The network malware outbreak time versus the mobility
analysis, we simulate experiments to obtain test data. We rate . The symbols represent the results of numerical simulations,
make numerical experiments and determine by checking and the lines represent the results of theory.
the number of infected nodes of the second subnet, which
reaches half of the stabilized value at time step . We build
the time-varying network with the same parameters as shown and the network malware did not break out at all in the second
in Figure 1 and set = 0.02 and = 0.08. We simulate subnet, as shown in Figure 3(b).
the experiment many times and take the average result of We theoretically analyze how the mobility rate influences
several experiments. When we change the mobility rate the spreading of network malware. Because < 1 , there
from 0.000001 to 0.00001, we obtain two curves, as shown in must be a time step 1 when the network malware will perish
Figure 2. The circles and asterisks denote the results from two when = 1 in the first subnet. The network malware can
different values by experiment, and the two lines represent spread in the second subnet only if the infected nodes can
the results calculated from (8), where = 0.02 and = 0.08. move into the second subnet and at least one susceptible node
As we can see, the numerical simulations and theoretical in the second subnet is infected before = 1 . According to
conclusion are consistent. (4), we know that when < 0, 1 () is reduced gradually to
close to zero. We use 1 (1 ) = 0.0001 as a small number and
(B) 2 < < 1 . Through our analysis, we know that the solve (4) to obtain 1 :
network malware will perish in the first subnet, where the
mobility rate is too low. However, if the mobility rate is ln ((10000 ) /)
1 = . (9)
high enough, the network malware may also spread into the
second subnet.
From (7) and (9) and considering 1 = when = , we
In the experiments, we select = 0.008 and use the same
define as in (5) and obtain
values of the other parameters of the time-varying network,
as in Figure 1. The value conforms to 2 < < 1 , and we
use the initial value of infected nodes (0) = 100, which = . (10)
1 2 (ln (/ (10000 ) + ) ln (1 + ))
is selected randomly from the first subnet. We get the values
1 (0) = (0)/1 = 0.083, 2 (0) = 0, and (0) = (0)/ = To simulate the process better, we repeated the exper-
0.033, where 1 (0), 2 (0), and (0) represent the density of iments several times and set (0) = 100 to 200 and set
infected nodes in the first subnet, second subnet, and entire = 0.004 to 0.01, and then the mobility rate is gradually
network, respectively. increased from 0. When the mobility rate increases to
Figures 3(a) and 3(b) show the evolution function curve the threshold , the network malware will break out in the
of () in two subnets with the mobility rates = 0.0001 second subnet. For each set of (0) and , we conducted
and = 0.00001. The black asterisks represent the density the experiment 100 times and averaged the test data. As
of infected nodes in the first subnet as a function of time, and shown in Figure 4, the circles and asterisks indicate the
the red circles represent the evolution of infected nodes in experiment results for (0) = 100 and 200, respectively. The
the second subnet. As indicated in Figure 3(a), the network lines represent the theoretical value calculated from (10) and
malware broke out at = 70 approximately for = 0.0001 in show that, for a specific , the mobility rate threshold is
the second subnet. However, for = 0.00001, the number of approximately inversely proportional to (0), which is the
infected nodes was reduced to zero slowly in the first subnet initial number of infected nodes in the first subnet. However,
6 Security and Communication Networks
0.35 0.035
0.3 0.03
0.25 0.025
0.2 0.02
(t)
(t)
0.15 0.015
0.1 0.01
0.05 0.005
0 0
0 50 100 150 200 0 50 100 150 200
t (time step) t (time step)
Figure 3: Density of infected nodes () as a function of in two subnets with = 0.008. (a) = 0.0001. (b) = 0.00001.
5. Possible Applications
0.6
With SDN redefining the traditional networking business
qc
Rotating
Machinery
International Journal of
The Scientific
(QJLQHHULQJ Distributed
Journal of
Journal of
Journal of
Control Science
and Engineering
Advances in
Civil Engineering
Hindawi Publishing Corporation Hindawi Publishing Corporation
http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014
Journal of
Journal of Electrical and Computer
Robotics
Hindawi Publishing Corporation
Engineering
Hindawi Publishing Corporation
http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014
VLSI Design
Advances in
OptoElectronics
,QWHUQDWLRQDO-RXUQDORI
International Journal of
Modelling &
Simulation
$HURVSDFH
Hindawi Publishing Corporation Volume 2014
Navigation and
Observation
Hindawi Publishing Corporation
http://www.hindawi.com Volume 2014
in Engineering
Hindawi Publishing Corporation
http://www.hindawi.com Volume 2014
(QJLQHHULQJ
+LQGDZL3XEOLVKLQJ&RUSRUDWLRQ
KWWSZZZKLQGDZLFRP 9ROXPH
Hindawi Publishing Corporation
http://www.hindawi.com
http://www.hindawi.com Volume 201-
International Journal of
International Journal of Antennas and Active and Passive Advances in
Chemical Engineering Propagation Electronic Components Shock and Vibration Acoustics and Vibration
Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation
http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014