This project is carried out within the course "Complexity: Can It Be Simplified?" at Universiteit van Amsterdam at the Instituut voor Interdisciplinaire Studies. Students work in small groups on self-chosen projects, supervised by a teacher.
Luke5/Malware-Propagation-Model
Complex Network Malware Propagation Model

WHAT IS IT?

We live in the age of information, and we store our information on computers. The interconnectivity of computers via the internet allows easy use and sharing of this information, but it also enables the spread of malicious software that is often designed to steal it. The high value of the data creates an “arms-race” dynamic between malware and cybersecurity software, in which both parties keep evolving and employing diverse measures to gain the upper hand (Song 2008; Ladau et al., 2018). Traditional computer security measures focus on prevention, detection and neutralization of malware at the level of the individual computer. However, the key to effective defense is activating multiple security layers and continuously innovating in terms of security measures at different levels. In this research project, we employ a complexity approach that allows us to test novel anti-virus measures designed at the system level. Specifically, we translate three virus-related interaction patterns observed in ecology to the context of a computer network and, by simulating these interactions, assess their effectiveness at allowing a safe network state to emerge.

In recent years, malware has evolved in sophistication and threat, while the increasing use of mobile devices and of home and car automation provides a fertile environment for its propagation (Hart et al., 2008). The self-propagating and evolving nature of computer viruses has led malware defense researchers to look to fields of equal or higher complexity for inspiration (Crandall et al., 2008). Biology, epidemiology and ecology have been particularly popular sources of new defense strategies, for instance in simulating predator-prey dynamics or immunity-like anomaly detection (Ford et al., 2006; Suárez et al., 2018; Gorman et al. 2004). These attempts generally proposed defense mechanisms that operate within the computer or a local IT network, without explicitly modelling malware and the dynamics typical of it.

To advance the understanding of malware, Del Rey and colleagues (2019) created a model that simulates malware behavior in different types of networks. While the model has provided a more nuanced insight into the propagation of malware, it has not yet been applied in the context of malware defense. We propose such an application in the present research project, in the form of three ecology-inspired interaction patterns:

  • Auto-cut
  • Auto-rewire
  • Pseudo-virus

We integrate these measures within the replicated model.

HOW IT WORKS

The main model is adapted from del Rey, A. M., Dios, A. Q., Hernández, G., & Tabernero, A. B. (2019, June). Modeling the Spread of Malware on Complex Networks. In International Symposium on Distributed Computing and Artificial Intelligence (pp. 109-116). Springer, Cham.

"The epidemiological model proposed in this work is a compartmental model where the population of devices is divided into three classes or compartments: susceptible, infectious and attacked. Susceptible devices are those that have not been infected by the malware (the device is free of the malicious code); the infectious devices are characterized because they have been reached by the malware but have not been attacked, and finally, attacked devices are those devices where the malware is carrying out its stealthy and malicious activity. [...]

Note that a susceptible device becomes infectious when the malware reaches it (and, in our model, this depends on both the infection rate and the number of infectious neighbor devices); the infectious device c becomes attacked with probability a or susceptible with probability b << a (in this work it is supposed that the malware can remove itself if it does not find any neighbor host or the current host must not be attacked); finally, the attacked devices recover once the attacked period is finished. As a consequence, it is a SIAS model (Susceptible-Infectious-Attacked-Susceptible)."

HOW TO USE IT

Network Setup

Three different network types can be set up for the virus propagation: a small-world network, a scale-free network built through preferential attachment, and a spatially clustered computer network. Accordingly, the rewiring probability and the average node degree can be changed for the small-world and spatially clustered networks. The total number of nodes can be altered, as well as the number of initially infected nodes and their distribution between hubs and outliers.

Virus Settings

The parameters h, a, b and T can be set according to the model of del Rey, A. M., Dios, A. Q., Hernández, G., & Tabernero, A. B. (2019). The infection rate 0 ≤ h ≤ 1 determines how likely a malware-free device is to become infected. The targeted coefficient 0 ≤ a ≤ 1 defines the probability that an infectious device is actually attacked, for a total of T ticks. Direct recovery from the infectious state happens with probability 0 ≤ b << a ≤ 1. In addition, nodes can be infected by clicking on them while the corresponding button is activated.

Antivirus Propagation

In this section, the propagation of an antivirus can be triggered. It behaves just like the normal virus, but the parameters h, a, b and T can be set individually for each of the two. The proportion of the two viruses can also be altered. Whether each virus patches the exploit it used upon first infecting a node, thereby barring the other virus from that node, can also be toggled here.

Methods

The auto-cut and auto-rewire methods to counter the propagation of the virus can be triggered here. The detection probability determines how likely a node is to detect that it is infected and cut all of its connections. The auto-rewire probability sets the probability that a node rewires a certain percentage of its connections after an attack in order to avoid being infected again. For this rewiring, isolated or disconnected nodes can be preferred.
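The SIAS transitions quoted under HOW IT WORKS together with the auto-cut and auto-rewire mechanisms described above, as an added Python example that is not part of this NetLogo project's code. It assumes a ring lattice stands in for the network, that each infectious neighbour is an independent infection attempt with rate h (so a susceptible node with k infectious neighbours is reached with probability 1 - (1 - h)^k), that detection is checked every tick a node is infectious or attacked, and that rewiring happens the moment a node recovers from an attack; these are modelling choices made here, not the project's.

```python
import random

S, I, A = "S", "I", "A"  # SIAS compartments: susceptible, infectious, attacked

def ring_lattice(n, k):  # constructed network: n nodes, each linked to its k nearest neighbours
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for j in ((i + d) % n for d in range(1, k // 2 + 1)):
            adj[i].add(j), adj[j].add(i)
    return adj

def cut(adj, node):  # auto-cut: the node drops all of its links and isolates itself
    for m in adj[node]:
        adj[m].discard(node)
    adj[node].clear()

def rewire(adj, node, frac, rng=random):  # auto-rewire: move a fraction of the links, isolated nodes first
    for m in rng.sample(sorted(adj[node]), round(frac * len(adj[node]))):
        free = [x for x in adj if x != node and x not in adj[node]]
        pool = [x for x in free if not adj[x]] or free
        if not pool:
            break
        new = rng.choice(pool)
        adj[node].discard(m), adj[m].discard(node)
        adj[node].add(new), adj[new].add(node)

def sias_step(adj, state, timer, h, a, b, T, detect_p=0.0, rewire_p=0.0, rewire_frac=0.0, rng=random):
    nxt = dict(state)  # SIAS transitions read the old state; the defences then react to the new one
    for v, s in state.items():
        if s == S:  # assumption: each infectious neighbour is an independent infection attempt with rate h
            k = sum(state[m] == I for m in adj[v])
            if k and rng.random() < 1 - (1 - h) ** k:
                nxt[v] = I
        elif s == I:
            r = rng.random()
            if r < a:            # targeted: the attack lasts T ticks
                nxt[v], timer[v] = A, T
            elif r < a + b:      # b << a: the malware removes itself
                nxt[v] = S
        else:                    # attacked: recover once the attack period is over
            timer[v] -= 1
            nxt[v] = A if timer[v] > 0 else S
    for v in adj:
        if nxt[v] in (I, A) and rng.random() < detect_p:
            cut(adj, v)          # infection detected: isolate the node
        if state[v] == A and nxt[v] == S and rng.random() < rewire_p:
            rewire(adj, v, rewire_frac, rng)  # after an attack: look for new, safer neighbours
    return nxt

def run(adj, state, ticks, **params):  # step until all nodes are susceptible again, as `go` does
    timer = {}
    for t in range(1, ticks + 1):
        state = sias_step(adj, state, timer, **params)
        if all(s == S for s in state.values()):
            return t, state
    return None, state
```

With h = a = 1 and b = 0 the run is deterministic, which makes it easy to see that full detection (detect_p = 1) clears a 10-node lattice in 3 ticks at the cost of isolating the five nodes that were reached, whereas without any defence the same infection wanders around the ring for 5 ticks before dying out.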

Network and Node Inspector

The network and node inspector shows the network's properties and infection status. Moreover, single nodes and their neighbours can be inspected by clicking the corresponding button and hovering over a node with the mouse.

THINGS TO NOTICE

Our exploratory studies demonstrated that the robustness of the three network types is contingent on the conditions. In a high-threat context (i.e. more initially infected devices), with a more aggressive virus (i.e. a higher infection probability) and a targeted initial infection (i.e. the initially infected device being a hub in the network), the propagation of the virus could not be eliminated without any defensive mechanism in the small-world network and the computer network, at least within the 500-tick observation period (see Figure 3). In other words, the virus persists in the small-world network and the computer network under these conditions. And even though the scale-free network eventually recovered on its own after more than 130 ticks, it took much longer to defeat the virus. These results partially supported our assumption that malware propagation cannot be eliminated automatically without defensive mechanisms.

THINGS TO TRY

To deal with the drawbacks of the auto-cut and auto-rewire mechanisms, we (1) exploratively combined the two functions, and (2) searched for the optimal auto-rewire probability while holding the auto-cut probability fixed. We conducted experiments with 100 repetitions for each auto-rewire probability value from 0 to 1 in steps of 0.05 in the three networks, with all other parameters held constant. The experiments revealed that the mechanism tends to be most efficient at eliminating the infection when the auto-rewire probability is 0.05. We then conducted the simulation study and experiments with an auto-rewire probability of 0.05. The results showed that this combination notably improved the performance of the defensive mechanism. Moreover, it increased the probability of retaining the original structure of the network; interpreted as a network of computers connected via the internet, it thus keeps its efficiency when exchanging information. Additionally, the experiments show that it decreased the number of isolated devices both on average during the propagation (i.e. the average number of isolated nodes per tick) and after the propagation (i.e. the final number of isolated nodes).

EXTENDING THE MODEL

On its own, auto-rewire has shown unwanted results, as it facilitated the spread of the virus and changed the network structure; the combination of auto-cut and auto-rewire, however, showed favorable results. It offered a way to control both the number of disconnected devices and the structure of the network while effectively eliminating the malware propagation. Still, it would be interesting to see which mechanisms could potentially enhance the propagation of the virus and thus pose potential threats to the network and its structure. A more sophisticated rewiring algorithm could take more variables into account when reconnecting to other nodes, so as to better maintain the initial structure of the network while still providing an efficient mechanism to eliminate the virus. Such questions could be addressed through an extended model in further research based upon this work.

RELATED MODELS

Related model in the NetLogo Models Library

Stonedahl, F. and Wilensky, U. (2008). NetLogo Virus on a Network model. http://ccl.northwestern.edu/netlogo/models/VirusonaNetwork. Center for Connected Learning and Computer-Based Modeling, Northwestern University, Evanston, IL.

Virus Propagation on a Complex Network adapted from

del Rey, A. M., Dios, A. Q., Hernández, G., & Tabernero, A. B. (2019, June). Modeling the Spread of Malware on Complex Networks. In International Symposium on Distributed Computing and Artificial Intelligence (pp. 109-116). Springer, Cham.

CODE DOCUMENTATION

Variables

turtles-own

node-clustering-coefficient It stores the local clustering coefficient of the node, i.e. how close its neighbours are to forming a complete graph.

distance-from-other-turtles It stores a list of distances of this node from other turtles.

susceptible? | infectious? | attacked? The three Boolean variables represent the state of the computer during the virus propagation.

antivirus1? | antivirus2? The two Boolean variables indicate whether the node was attacked by the first or by the second virus. This matters for the propagation of an antagonistic virus, especially when the two viruses patch their host's exploit upon infection.

attacked-at-tick It acts as a time counter during the attack state of a node.

attack-count | attack1-count | attack2-count The three variables count the attacks of both viruses, together and separately.

links-own

rewired? It keeps track of whether the link has been rewired or not.

globals

clustering-coefficient | average-path-length | clustering-coefficient-of-lattice | average-path-length-of-lattice These four variables store the clustering coefficient and average path length of the initial lattice and the whole network throughout the simulation.

infinity A very large number used as the distance between two turtles that have no path between them.

highlight-string This string is used by the node inspector functionality.

connected-network? This is a Boolean variable which indicates whether the overall network is fully connected.

Procedures

Network Setup

The Small Worlds model and parts of the code are adapted from Wilensky, U. (2005). NetLogo Small Worlds model. http://ccl.northwestern.edu/netlogo/models/SmallWorlds. Center for Connected Learning and Computer-Based Modeling, Northwestern University, Evanston, IL.

The Preferential Attachment / Scale Free model and parts of the code are adapted from Wilensky, U. (2005). NetLogo Preferential Attachment model. http://ccl.northwestern.edu/netlogo/models/PreferentialAttachment. Center for Connected Learning and Computer-Based Modeling, Northwestern University, Evanston, IL.

The setup of a spatially clustered computer network was adapted from Stonedahl, F. and Wilensky, U. (2008). NetLogo Virus on a Network model. http://ccl.northwestern.edu/netlogo/models/VirusonaNetwork. Center for Connected Learning and Computer-Based Modeling, Northwestern University, Evanston, IL.

startup It clears the highlight string.

setup It sets up a network according to the chosen network type; calls startup, do-calculations and infect-initial and resets the ticks.

make-turtles This procedure creates the specified number of nodes in the susceptible state and resets the counters.

make-node This scale-free network procedure creates one node, connects it to an existing node and moves it towards that node.

find-partner This scale-free network procedure finds a partner to be used as an attachment point for a newly made node.

layout | limit-magnitude These functions are used to lay out the scale-free network during the creation animation.

setup-spatially-clustered-network This procedure sets up a spatially clustered computer network.

rewire-all This procedure is used to create a small world network.

infect-initial This procedure infects the specified number of nodes and can be influenced by the outlier-hub coefficient.

Main Procedure

Virus Propagation on a Complex Network adapted from del Rey, A. M., Dios, A. Q., Hernández, G., & Tabernero, A. B. (2019, June). Modeling the Spread of Malware on Complex Networks. In International Symposium on Distributed Computing and Artificial Intelligence (pp. 109-116). Springer, Cham.

go The main procedure runs once per tick, colours all nodes and sets their new state according to the virus propagation model. It stops when all nodes are green, i.e. in the idle susceptible state.

Calculations

The calculations in this model are adapted from Wilensky, U. (2005). NetLogo Small Worlds model. http://ccl.northwestern.edu/netlogo/models/SmallWorlds. Center for Connected Learning and Computer-Based Modeling, Northwestern University, Evanston, IL.

do-calculations This procedure reports true if the network is connected.

in-neighbourhood This procedure is used by find-clustering-coefficient and reports if a node is in the neighbourhood.

find-clustering-coefficient This procedure calculates the clustering coefficient.

find-path-lengths This procedure implements the Floyd-Warshall algorithm for all-pairs shortest paths.

Edge Operations

Some edge operations are adapted from Wilensky, U. (2005). NetLogo Small Worlds model. http://ccl.northwestern.edu/netlogo/models/SmallWorlds. Center for Connected Learning and Computer-Based Modeling, Northwestern University, Evanston, IL.

wire-them This procedure is used to create the small world network.

make-edge This procedure connects two turtles.

rewire This procedure rewires a percentage of connections of a given node with the specified probability.

cut This procedure cuts all connections of a given node.

Inspect & Infect with Mouse

The highlight operations are adapted from Wilensky, U. (2005). NetLogo Small Worlds model. http://ccl.northwestern.edu/netlogo/models/SmallWorlds. Center for Connected Learning and Computer-Based Modeling, Northwestern University, Evanston, IL.

highlight This procedure prepares the graphics for the inspector and calls do-highlight when the mouse is inside the visualization.

do-highlight This procedure is used to inspect the node closest to the mouse when the highlight procedure is active.

infect-with-mouse This procedure lets the user infect a node (turn its state from susceptible to infected) by clicking it.

infect-pink-with-mouse This procedure lets the user infect a node with the pink (second) virus by clicking it.

CREDITS AND REFERENCES

Authors

This model was developed and programmed in 2019 by Lukas A. Haack at Universiteit van Amsterdam with the support of Chenyue Wang and Izabelė Jonušaitė and supervision of dr. J.P. Bruggeman.

The Small Worlds model and parts of the code are adapted from

Wilensky, U. (2005). NetLogo Small Worlds model. http://ccl.northwestern.edu/netlogo/models/SmallWorlds. Center for Connected Learning and Computer-Based Modeling, Northwestern University, Evanston, IL.

The Preferential Attachment / Scale Free model and parts of the code are adapted from

Wilensky, U. (2005). NetLogo Preferential Attachment model. http://ccl.northwestern.edu/netlogo/models/PreferentialAttachment. Center for Connected Learning and Computer-Based Modeling, Northwestern University, Evanston, IL.

The setup of a spatially clustered computer network was adapted from

Stonedahl, F. and Wilensky, U. (2008). NetLogo Virus on a Network model. http://ccl.northwestern.edu/netlogo/models/VirusonaNetwork. Center for Connected Learning and Computer-Based Modeling, Northwestern University, Evanston, IL.

Virus Propagation on a Complex Network adapted from

del Rey, A. M., Dios, A. Q., Hernández, G., & Tabernero, A. B. (2019, June). Modeling the Spread of Malware on Complex Networks. In International Symposium on Distributed Computing and Artificial Intelligence (pp. 109-116). Springer, Cham.

Research based upon

Mazurczyk, W., Drobniak, S., & Moore, S. (2016). Towards a systematic view on cybersecurity ecology. In Combatting Cybercrime and Cyberterrorism (pp. 17-37). Springer, Cham.
