Abstract: An attempt has been made to formulate the final size formula for infected nodes in a computer network due to the attack of different malicious agents like viruses, Trojan horse, worms, etc. We assume that the population of the nodes in a computer network is homogenous and there does not exist any heterogeneous mixing. The concept of self-replication of infected nodes and the time lag for self-replication (replication period), latent period and temporary immune period is introduced. The Susceptible Infected Recovered Susceptible (SIRS) class populations is assumed to be bounded by the total size of the population N (t) which is constant at any time instant. The stability of the result is stated in the terms of reproductive number R₀. The system is stable if reproductive number is >1 and unstable if reproductive number is <1. Numerical method is employed to solve the system of integro-differential equations and is used to analyze the behavior of the susceptible, infected and recovered nodes in a computer network.

INTRODUCTION

Transmission of malicious objects in computer network is epidemic in nature. Malicious object is a code that infects computer systems. There are different kinds of malicious codes such as: Worm, Virus, Trojan horse etc., which differ according to the way they attack computer systems and the malicious actions they perform. Some of them erase hard disks, some others clog the network while some others sneak into the computer systems to steal away confidential and valuable information. Malicious objects can be in any form like attachment of malicious executable file, malicious hyperlink and Phishing.

By clicking incidentally or wrongly an attachment of malicious executable file can infect the system, here the user’s awareness is necessary to avoid such type of attacks. If a hyperlink looks likes a spy-ware then by clicking it a user can go to the direction of attack. In a certain sense, the propagation of virtual malicious objects in a system of interacting computers could be compared with a disease transmitted by vectors when dealing with public health.

Whenever, any malicious agent enters a computer network, a matter of immediate interest is the likely magnitude of the outbreak. This is called the expected final size of the epidemic which we denote it as Z in a computer network (Anderson and Watson, 1980; Anderson and May, 1991; Anderson and Britton, 2000; Bailey, 1975; Diekmann and Heesterbeek, 2000).

The formula for Z that Kermack and McKendrick (1927) obtained was totally dependent on the basic reproduction number, R₀ (the expected number of secondary cases caused by a typical primary case in a fully susceptible population) and The final size of epidemic in a computer network at any instant t is nothing but the total size of the infected population at that instant t.

We arrive to the final size of the population in a computer network at any instant of time t by subtracting the susceptible and recovered population from the susceptible population at time zero which is nothing but the total size of the population, N (t).

Mishra and Saini (2007a, b) and Mishra and Jha (2007) developed various epidemiological models of transmission of malicious objects in the computer network.

The standard SIRS model equations for the susceptible, infected and recovered classes given by Diekmann and Heesterbeek (2000) is:

Where:

The model developed by Diekmann and Heesterbeek (2000) does not consider time delays like latency period, temporary immunity period, etc., as in the cyber world the recovery is not permanent. We propose the final size formula for infected nodes in a computer network considering the above mentioned time delays and self replication factor and the temporary immunity of the recovered nodes.

Latent period (ω): There is a certain time lag for the node to become infective once it is in the network and is termed as latent period ω.

Temporary immunity period (τ): After the node becomes infected, the malicious object in it may/may not self replicate. Hence, after the run of anti malicious software, the node recovers and attains temporary immunity for a time period termed as period of temporary immunity τ.

Replication factor (r_k): The factor by which any malicious agent self-replicates after infecting any node is called the factor of self replication.

Replication period (φ_k): The time lag between a malicious agent infecting a node and its replicated copies becoming infective is called the time for self replication.

Deaths of malicious objects equivalently mean to say the complete recovery of infected files from malicious objects when anti malicious software is run in the computer node for a specific session.

MATERIALS AND METHODS

Mathematical model: We try to find the final size formula for infected nodes in a computer network considering the latency period ω, temporary immunity period τ and time for self replication of kth malicious agent to be constant. The immunity from malicious agents is not permanent but temporary, since in the cyber world, nodes are not permanently immune. We assume that any new node added into the network is susceptible and death rate other then the attack of malicious agents, μ is constant. We further assume that death rate of the nodes due to infection is constant (Deaths of a node equivalently mean to say the isolation of the node which even on running of anti-malicious software may spread malicious agents).

When a node is infected, it may self-replicate with a probability q_k and may not self-replicate with a probability (1-q_k) and when a node is removed from infected class, it may recover with a probability p_k and may not recover with a probability (1-p_k) and that recovery is temporary. Susceptible population is divided into different groups. Nodes may be susceptible due to virus, worms, Trojans, etc. Malicious objects in each group have homogeneous susceptibility but susceptibility of malicious objects from different group is distinct (Mishra and Saini, 2007a, b). Infected population is also divided into different groups (as per their susceptible behavior group). Malicious objects in each group has homogeneous infection but infection of malicious objects from different group is distinct. The flow of malicious objects is shown in Fig. 1. The recovery starts soon after the completion of the latent period that is the time lag between the start of infection and the start of running of anti-malicious software is considered to be zero.

Fig. 1:	Flow of malicious agents

But the rate of infection is assumed to be different from the rate of recovery and so the final size of infected population builds up. As per the assumptions, we get a system of integro-differential equations:

(1)

RESULTS AND DISCUSSION

Case I: No birth and no death of nodes: In this case, the birth rate and death rate at any stage are assumed to be zero, i.e., no birth and no death (b = μ = 0 = δ) which implies that the total population is always constant. The Equations thus obtained from (1) are as follows:

(2)

We give a formula to find the final size of the infected nodes in a computer network: Final size of infected nodes in a computer network at time t = Total size of the nodes (size of susceptible nodes at time t + size of temporary recovered nodes after the run of anti-malicious software at time t), Thus:

(3)

(4)

The susceptible and infected population functions are bounded by the total size of population at any time t that is:

(5)

Now putting these inequalities in Eq. 4, we get the final size formula for the infected population in a computer network at any instant of time t as:

(6)

Case II: Birth rate and natural death rates to be positive constants: In this case, we consider the birth rate and natural death rates to be positive constants and both are assumed to be equal, i.e., b = μ and also assume that recovery is complete and temporary that is there is no death due to infected and no disease induced mortality for recovered nodes i.e., p_k = 1. The system of equations thus obtained is as follows:

(7)

The final size formula for the size of infected population at any time t and putting all the bounded constraints for susceptible and infected class populations as in discussed in Case I gives the following inequality:

(8)

From this, it can be easily observed that the inequality obtained in Eq. 6 is identical to Eq. 8. This proves the correctness of theinequality obtained, since the equality of the positive birth and death rates is equivalent to no birth and no death which implies that the total size of the population is invariant of time.

Fig. 2:	Variation of final size of infected populaion

Numerical methods and conclusion: It would be premature to end the discussion by just stating the boundary conditions only. Numerical method is employed to solve Eq. 1-7 under different parameters. Using these in Eq. 8, we observe that the final size of infected population varies as a sinusoidal curve shown in Fig. 2.

In the context of this study, cycle length is the time for one SIRS cycle, i.e., from susceptible stage to completion of temporary immunity after the run of anti-malicious software of the recovered stage.

In a cycle, the size of infected population is initially minimum and it increases gradually and reaches a maximum and as recovery stage starts it gradually decreases. This pattern of variation of the size of infected population repeats in the coming cycles and is periodic in nature.

The susceptible nodes either behave like a cosine curve or exponential curve (Mishra and Saini, 2007a, b). We first assume that the susceptible population varies as a cosine curve as the initial susceptible population for any cycle is maximum and as time passes, the infection increases. This decreases the size of the susceptible population and hence is assumed to vary as a cosine curve. Consider,

(9)

and using the final size formula Eq. 4, we have

Fig. 3:	Variation of final size of infected nodes in the computer network when the infection starts very early in a cycle

(10)

The behavior of the susceptible population is also exponential (Mishra and Saini, 2007a, b) as the initial population in the susceptible class in a cycle is maximum and as time increases, the infection increases, the size of susceptible population decreases and reaches a minimum and again with temporary recovery on run of anti-malicious software, the size of susceptible population increases and this carries on periodically for different cycles. The size of susceptible population is assumed to decrease exponentially and the size of infected population increases exponentially. After self-replication with a delay, the size of infected population reaches a maximum in a cycle and it gradually decreases with the recovery stage and this carries on periodically. Consider,

(11)

and using the final size formula Eq. 4, we get

(12)

If the infection starts very early in a cycle, the final size of infected population is constant for most time and after taking a dip it suddenly increases to a maximum value (Fig. 3). If the infection starts very late in a cycle,the size of infected population is almost zero for most time and after the latent period, it increases exponentially and after the period for self-replication, it drastically increases exponentially to reach maximum and then it gradually decreases with the recovery and reaches a minimum and this repeats periodically (Fig. 4).

Fig. 4:	Variation of final size of infected nodes in the computer network when the infection starts very late in a cycle

Reproductive number: In epidemiology, the basic reproduction number of an infection is the mean number of secondary cases a typical single infected case will cause in a population with no immunity to the infection in the absence of interventions to control the infection. It is often denoted R₀. This metric is useful because it helps to determine whether or not an infectious agent will spread through a population.

When R₀<1, the infection will die out with certainty. But if R₀>1, there is some possibility of a major epidemic. In particular, the proportion of the population that needs to be immunized to provide immunity and prevent sustained spread of the infection is given by:

We discuss the final size of different nodes under different situations.

Case I : In this case, we consider the birth rate and natural death rates to be positive constants and both are assumed to be equal i.e., b = μ and also assume that recovery is complete and temporary that is there is no death due to infected and no disease induced mortality for recovered nodes, i.e., p_k = 1. For the final size of infected nodes in Eq. 4 that is:

the proportion of infected population that must be immunized to get temporary immunity is:

Substituting the corresponding values, we get:

(13)

Case II: For the final size of infected nodes in Eq. 10 that is:

where, A is the recovery rate of the nodes directly recovering from the infected state and B is the recovery rate of the nodes which is infected due to the self-replicated malicious agents, the proportion of infected population that must be immunized to get temporary immunity is:

Substituting the corresponding values, we get:

(14)

Case III: For the final size of infected nodes in Eq. 12 that is:

the proportion of infected population that must be immunized to get temporary immunity is:

Substituting the corresponding values, we get

(15)

The final size of infected nodes in a computer network using SIRS epidemic model has been formulated. The boundedness of the final size of infected population has been derived for the system of integro-differential equations. The variation of final size formula for infected population in a computer network under different behaviors of susceptible and recovered populations is analyzed.

CONCLUSION

In this study, the behavior of susceptible population is analogous to cosine and exponential curve whereas the infected population behavior is analogous to sinusoidal curve. The stability of the system is stated in terms of the reproductive number. The basic reproductive rate is affected by several factors including the duration of infectivity of affected nodes, the infectiousness of the malicious agent and the number of susceptible nodes in the computer network. Generally, the larger the value of R₀, the more difficult it is to control the epidemic.

Nomenclature: