The Impact of Quarantine Strategies on Malware Dynamics in a Network with Heterogeneous Immunity

In this paper, we investigate the influence of two types of isolation on malware propagation within a computer network. Model 1 proposes the network quarantine strategy, where infected computers are fully disconnected from the network. As for model 2, the control strategy is the anti-virus software quarantine, where infected files in a computer are contained in an isolation folder. Both models consider the aspect of heterogeneous immunity, that is, weak and strong immunization of computers in a network. Analytical examinations produced a virus-free equilibrium and an endemic equilibrium for each model. It has been observed that the quarantine reproduction number $R_q$ plays an essential role in the existence and stability of the equilibrium points. Furthermore, numerical simulations are accomplished to substantiate the qualitative results. Finally, a sensitivity analysis is executed to specify the dominant parameters on $R_q$. It is found that the performance of network quarantine is better than anti-virus software quarantine in controlling malware propagation.


Introduction
Nowadays, as more people manage and store all their personal and business lives on the Internet, they have become a thriving target for cybercriminals. Cybercriminals usually use spam e-mails, spoofed apps, non-secure Wi-Fi networks, or unsafe URLs to deliver dangerous malware to targeted computers and endanger their security. Although anti-virus software is the best way to detect and remove malware, it lags behind the emergence of new versions of malware. Therefore, developing the ability to predict malware spread, in order to prevent and control it, is essential. Experiments to better understand the dynamics of malware spread are thus crucial to improving safety and reliability in computer networks.
Due to the similarities between the transmission of computer malware and infectious diseases, many researchers were motivated to use mathematical epidemiological models to explore the dynamics of computer malware propagation. Kephart and White [5] were amongst the first researchers to investigate how computer viruses spread on the Internet using the SIS model. They concluded that if the infection rate is below a certain threshold, then an imperfect defense against the virus can still be highly effective in preventing the spread. In [3], Gan et al. included a nonlinear vaccination probability in the classical SIRS model to assess the effect of vaccination on the spread of computer viruses. Similar models with virus vaccination can be found in [2,24]. In [6], the authors modified the SIRS model by including a group representing an antidotal population, generating the SAIR model. They assumed that some infected computers moved back to the susceptible group since there are anti-virus programs which are not effective enough to remove all of the viruses. In contrast to the models mentioned above, the model in [11] includes two susceptible compartments. This is based on the heterogeneity in users' security awareness. The authors studied the effectiveness of weak and strong immunization against malware on network reliability. Other malware propagation models are established in [1,4,18,20,21,25,26].
Inspired by the approach of epidemic disease control models, researchers implemented a quarantine strategy on malware propagation models. Quarantine is an alternative way to limit the infection period by isolating the infected so that they cannot deliver malware into the network. There are two methods of quarantine in the cyber world: network quarantine and anti-virus software quarantine. Network quarantine isolates infected computers from the network while running the latest anti-virus software to remove malware. Anti-virus software quarantine, by contrast, isolates the infected file via anti-virus software in an inaccessible quarantine folder and then applies the latest version of anti-virus software to remove malware.
In [7], Koonprasert and Channgam introduced an SEIQR worm propagation model for mobile devices. They studied the effect of using WiFi base stations to isolate worms by disabling the connection between the infected device and other devices. They assumed that worms infect susceptible devices, which then undergo a period until they become infectious. Only then will quarantine measures be applied. Also, recovered mobile devices are assumed to gain immunity from being infected again.
In [22], Wang et al. proposed an SEIQV model. They combined two strategies to control the spread of worms: vaccination and quarantine. They assumed that any host with suspicious behavior is isolated, whether it is a vulnerable, exposed or infected host, but at different rates. Moreover, susceptible, infected and quarantined hosts acquire permanent immunity after vaccination.
Another model that involved vaccination treatment is in [27], but with a removed compartment added to build the SIQRV model. All the compartments in their model transfer to the vaccination state at different rates. However, quarantine strategy is applied only for the suspected hosts.
In the previous models, the assumption was that quarantine grants treated computers permanent immunization; however, this is not the case in the real cyber world. Regarding this situation, Mishra and Jha, in [14], considered temporary immunity for recoverable computers. Their model was a modification of the model in [13] by adding the quarantine compartment to obtain the SEIQRS model. They assumed the anti-virus software isolation as the quarantine strategy and analyzed its effectiveness. However, they did not consider the fact that the quarantined computers, which are still connected to the network, could be reinfected with another malware once they are in contact with an infected computer. In [28], three models on worm transmission with quarantine dynamics have been studied. The assumptions in the models followed the principle of "assume guilty before proven innocent"; thus, every host that may raise an alarm to the system is quarantined whether it is a true or false alarm. However, all isolated hosts are released after a specific quarantine time, whether they have been inspected or not.
In [8], two compartments, the latent and the breakout computers, were introduced into the quarantine dynamics of computer viruses (SLBQRS). Moreover, they assumed that latent computers possess infectivity, unlike other models with a latent class; as a result, computers are infected due to contact with infected computers from the latent or the breakout compartments. In [10], benign worms are incorporated into the dynamics of worm propagation with quarantine strategy (SUIDQR). The assumption was that a benign worm could attack a regular worm, consequently limiting the transmission of worms. Hence, the susceptible host, in the model, is attacked by both worms. However, isolation is executed only on hosts infected with a regular worm. This is accomplished after some delayed time. The dynamics of the model, unlike the other models, admits a unique endemic equilibrium with no malware-free equilibrium. On the other hand, recently, Lanz et al., in [9], classified malware viruses as either hostile or malicious in their malware propagation model for mobile devices. Both types of malware attack a susceptible device; thus, two infected compartments are embedded in the model. However, isolation is implemented only on devices infected with malicious malware. Moreover, they assumed that quarantined devices might get infected again before recovering.
Another model with a quarantine strategy that involved two infected compartments is in [19]. They divided the infected class based on a low and high infection. Here, isolation is performed on both types. Finally, in [17], they developed the SIRA model by including the quarantine compartment (SIQRA). They discussed two cases depending on whether the anti-virus detection rate is higher than the infection rate (no saturation) or the opposite (saturation). In the 'no saturation' case, that is, if the infected computers do not overload the quarantine compartment, the model admits only a virus-free equilibrium with no endemic equilibrium.
In most previous quarantine models, qualitative investigations showed reliance on the basic reproduction number. If this number is less than unity, a virus-free equilibrium is established; otherwise, malware will prevail. Moreover, it was observed that this number does not depend on the average residence time of quarantined infected computers. However, it depends on the quarantine transfer time. The less time it takes to transfer to quarantine, the lower the value of the basic reproduction number.
In this paper, we study the impact of quarantine measures on a network with heterogeneous immunity, since, in reality, network security depends on users' awareness. On this basis, we extend the model in [11] by adding a new compartment and applying two types of isolation strategies. In model 1, we implement the network quarantine on the system. Here, infected computers are transferred to the quarantined compartment while completely disconnected from the network, and only when they are recovered are they reconnected. In model 2, by contrast, the anti-virus software quarantine is executed on the system. This control strategy transfers the infected files to quarantine folders that are difficult to find, while leaving the computer connected, where it may get infected again. We aim to compare the effect of both strategies on a network that relies on users' security awareness.
The paper is organized as follows. Section 2 deals with the formulation and qualitative analysis of model 1 with the network quarantine strategy. In Section 3, we formulate model 2 with the anti-virus software quarantine strategy and investigate it analytically. Moreover, Section 4 illustrates numerical experiments of both models, as well as examining the sensitivity of the models' parameters. Finally, a brief conclusion is given in Section 5.

Model description
We consider a new propagation model of computer malware in a network containing a quarantined compartment and subject to heterogeneous immunization. The term quarantine, in this model, means completely isolating the infected computer from the network. During isolation, the latest version of anti-virus software is executed on infected computers to remove malware. After infected computers are fully restored, they return to the network. Moreover, in reality, network integrity relies heavily on user security awareness. High security awareness leads to computers with robust immunization against malware threats and vice versa. Therefore, the model divides the susceptible compartment into two sub-compartments, the strongly- and the weakly-protected, denoted by S and W, respectively. For convenience, computers are called nodes. S-nodes are computers with strong immunity due to regular updates of anti-virus software. On the contrary, W-nodes are computers with outdated anti-virus software that is not updated or without any security products installed. The rest of the model compartments are the infected computers (I-node) and the quarantined computers (Q-node). Infected nodes are computers that are currently infected with malware and can transfer it to susceptible nodes. Quarantined nodes are computers in isolation; they cannot transmit malware. More specifically, we assume that the total population at time t is given by N(t) = S(t) + W(t) + I(t) + Q(t). For abbreviation we use S, W, I, and Q to denote S(t), W(t), I(t), and Q(t), respectively. The state variables S, W, I, and Q are non-negative and the parameters α, $\beta_w$, $\beta_s$, , δ, γ, η, µ are positive and lie in the interval (0, 1]. A summary of the model's notations is given in Table 1.
Our model is based on the following reasonable assumptions:
H1. The network in this model is static, which means that the total number of nodes over the network is invariant.
H2. Every W-node and S-node gets infected with probability $\beta_w$ and $\beta_s$, respectively, due to possible connection with I-nodes.
H3. W-nodes have a higher infection rate than S-nodes, i.e. $\beta_w > \beta_s$.
H4. Due to computer isolation in the network, I-nodes convert to Q-nodes with rate δ.
H5. When the anti-virus program expires or is not updated, the computers in S-nodes transfer to W-nodes with rate α.
H6. W-nodes transfer back to S-nodes with rate , when installed by an updated anti-virus software.
H7. Each infected computer is successfully cured by the effect of anti-virus software with rate γ.
H8. After performing the latest version of anti-virus software on Q-nodes, they leave to S-nodes with rate η.
H9. Every node is out of use with probability µ.
H10. All new nodes are attached to the network at a rate µ, and they are strongly-protected.
According to the above assumptions, the dynamics of the model (see Figure 1) are described by the following system of nonlinear ordinary differential equations: From the assumption (H1), the network is static, thus, the total number of computers connected to the network is constant ($N_0$), i.e., N(t) = W(t) + S(t) + I(t) + Q(t) = $N_0$ for all t ≥ 0. System (2.1) can be normalized by setting the state variables as follows: W = W/N, S = S/N, I = I/N, and Q = Q/N. Also, we reduce the model to a subsystem by using the identity W + S + I + Q = 1. The reduced model has the form:

Mathematical analysis
Qualitative analysis of system (2.2) is carried out in this subsection. We begin by investigating the positivity and boundedness of the model, then we find the equilibrium points and examine their stabilities.
Proof. From (2.2), we have that This implies that for t ≥ 0, all solutions that are non-negative remain non-negative. Now, if we combine the equations of system (2.2) we get The above inequality can be rewritten as where F = W + I + Q. Using the integrating factor method, we multiply both sides of the above inequality by the integrating factor $e^{(k+\alpha+\beta_s+\mu)t}$,
$$\frac{d}{dt}\left(e^{(k+\alpha+\beta_s+\mu)t} F(t)\right) \le (\alpha + \beta_s)\, e^{(k+\alpha+\beta_s+\mu)t}.$$
Integration over the time interval [0, t] yields This implies that This proves that all solutions of system (2.2) are bounded and do not exit the region Ω, Hence, Ω is positively invariant.

Equilibrium points and quarantine reproductive number
In general the equilibrium points are obtained by equating the rates in system (2.2) to zero. We obtain two equilibrium points. The first is the virus-free equilibrium point (I = 0), $E_1^0$ = ( α +α+µ , 0, 0), which exists always. We employ this equilibrium point to compute the quarantine reproductive number $R_q$ by applying the next generation method [23] on system (2.2). Let $x = (I, W, Q)^T$, then system (2.2) can be written as where The Jacobian matrices of F(x) and V(x) evaluated at $E_1^0$ are, respectively, It follows that the spectral radius of $G = fv^{-1}$ is the quarantine reproductive number, thus, We use the name "quarantine reproduction number" for the threshold quantity above since we consider the quarantine process as an intervention strategy used to reduce or control the malware propagation.
The second equilibrium point, when I ≠ 0, is the unique endemic equilibrium point, that is, , where Here,

Stability analysis of the equilibrium points
Here, we investigate the stability of the equilibrium points to predict the long term behavior of the solutions to model (2.2).

Local stability.
We examine the local stability of $E_1^0$ and $E_1^*$ by using the linearization method [16] and Routh-Hurwitz criterion [12].
Theorem 2. If $R_q < 1$, the free equilibrium point $E_1^0$ is locally asymptotically stable in Ω. Whereas, if $R_q > 1$, it is unstable.
Proof. The characteristic equation of the Jacobian matrix of the linearized system of (2. where By expanding the determinant we get the following cubic equation in λ: where According to Hurwitz criteria,

Global stability.
We explore the global stability of $E_1^0$ using theories from [15] which are stated in Appendix A. As for $E_1^*$, we prove global stability using Lyapunov function [16].
2) is globally asymptotically stable with respect to Ω if $R_q < 1$ and the assumptions in Lemma 3.8 [15] are satisfied.
Hence, $E_1^0$ is globally asymptotically stable if $R_q < 1$.
Theorem 5. $E_1^*$ of system (2.2) is globally asymptotically stable with respect to where A and B are positive constants to be determined. Clearly, V is positive definite since $V(E_1^*) = 0$ and V > 0, ∀(W, . Calculating the derivative of V along the solutions of the model (2.2), we obtain both are positive, we have This implies that the invariant set $\{(W, I, Q) \in \Omega : \frac{dV}{dt} = 0\}$ is equal to the singleton $E_1^*$. Hence, by LaSalle's Invariance Principle [12], $E_1^*$ is globally asymptotically stable in the set Ω if αδβ w < β s (α + + µ)(η + µ) + αδβ s .

Model description
In this model, the concept of quarantine differs from model 1. It refers to isolating virus-infected files inside a computer by implementing an anti-virus program that blocks viruses in a folder. These isolated folders cannot be easily accessed through regular tools of file management. Therefore, the quarantine rate δ, here, is the rate at which the anti-virus software isolates an infected file. Accordingly, Q-node contains all computers with quarantined folders. However, these computers are not isolated from the network. Because of this, they could be reinfected with other malware due to contact with an infected computer. Let $\beta_q \in (0, 1]$ be the infection rate of Q-node. Since the anti-virus in Q-node has already isolated the malware file, the probability for it to be reinfected by other malware is less than the probability of other nodes. Thus, we assume that $\beta_q < \beta_s < \beta_w$. When all quarantined folders are restored, then computers leave Q-node at a rate η (see Figure 2). Similarly, as in model 1, we assume that the total population at time t is given by N = S + W + I + Q. Incorporating these new assumptions in model 1, we obtain an extended model governed by the following system of nonlinear ordinary differential equations: Following the same steps in model 1, we reduce system (3.1) to the reduced system:

Mathematical analysis
Here, system (3.2) is investigated qualitatively. We obtain a feasible region for the system, find the equilibrium points and discuss its stability.
Proof. The proof is similar to the one in Theorem 1.

Equilibrium points and quarantine reproductive number
Model 2 produces two equilibrium points. A virus-free equilibrium point, $E_2^0$ = ( α +α+µ , 0, 0), which exists always; and a unique endemic equilibrium point , where and $I_2^*$ satisfies the equation: Here, , then d < 0. Hence, following the Descartes' rule of sign, equation (3.3) has one positive real root, that is, Consequently, $E_2^*$ exists when $R_q > 1$, $\beta_s < \gamma + \delta + \mu$, and $\beta_q < \eta + \mu + \delta$. Using the next generation method on system (3.2), we get the same quarantine reproductive number as in model 1, that is, $R_q$.

Stability analysis of the equilibrium points

Local stability.
The local stability of the equilibrium points of system (3.2) is explored below.
Theorem 7. If $R_q < 1$, the free equilibrium point $E_2^0$ is locally asymptotically stable in Ω. Whereas, if $R_q > 1$, it is unstable.
Proof. The proof is similar to the one in Theorem 2.

Theorem 8. $E_2^*$ is locally asymptotically stable with respect to
Proof. The proof is similar to the one in Theorem 3.

Global stability.
We examine the global stability of the equilibrium points of system (3.2) using the same methods previously discussed.
Theorem 9. $E_2^0$ of system (3.2) is globally asymptotically stable with respect to Ω if $R_q < 1$ and the assumptions in Lemma 1 [15] are satisfied.
Proof. The proof is similar to the one in Theorem 4.
Proof. The proof is similar to the one in Theorem 5.

Numerical experiments
In this section, we solve models (2.2) and (3.2) numerically to show the agreement of the numerical simulations with the qualitative results. Some numerical examples are conducted with the aid of MATLAB. In particular, we consider two different specifications for the parameters to substantiate the analytical results for each model. All the simulations are based on a network size of $N = 10^4$ computers. Consequently, the results are expressed in terms of percentage of the total network size.

Sensitivity analysis
Designing effective control strategies to limit the spread of malware depends on the quarantine reproduction number $R_q$. Therefore, it is crucial to examine the sensitivity of $R_q$ against model parameters to explore the parameters that reduce the numeric value of $R_q$. We vary $R_q$ with respect to one parameter at a time, and consider the remaining parameters to be constant. As a result, we have the following variations of $R_q$: We can see from (4.1) that $R_q$ decreases with increasing γ, , δ, and µ. On the contrary, $R_q$ increases with the parameters $\beta_w$, $\beta_s$, and α. As for the parameters $\beta_q$ and η, there is no change in $R_q$ because it does not depend on them. This result is also illustrated in Figure 5. Each curve in the figure simulates the variation of $R_q$ corresponding to one parameter; the rest of the parameters are fixed at values given in Table 2.
Furthermore, we compute the normalized sensitivity index (elasticity) of $R_q$ with respect to model parameters with the values given in Table 2 using the formula [12]: where p denotes any parameter. Table 2 demonstrates the elasticity of $R_q$ with respect to the parameters, that is, the percentage value of decrease (or increase) in $R_q$ after a 1% increase in the parameter. For example, a 1% increase in corresponds to a reduction in $R_q$ by 0.184%. However, a 1% increase in α leads to 0.221% increase in $R_q$. Also, Table 2 shows that the most significant decline in the percentage of $R_q$ comes from an increase in γ and δ. This indicates that the quarantine rate, as well as the recovery rate, plays an essential role in reducing the spread of malware. On the other hand, Table 2 displays a considerable rise in $R_q$ that is followed by an increase in $\beta_w$. This implies that weak immunization contributes substantially to malware propagation. Next, we compare the two quarantine strategies, the network quarantine (model 1) and the anti-virus software quarantine (model 2). Figure 6 simulates the time variation of the infected compartment for different values of $\beta_q$. We can see that the size of I-node with network quarantine ($\beta_q = 0$) declines in time faster than with anti-virus software quarantine ($\beta_q > 0$).
A similar result is shown in Figure 7 when performing the two strategies on I-node as the quarantine rate δ increases. This suggests that the network quarantine is better than the anti-virus software quarantine to control malware propagation.
Finally, Figure 8 and the model in [11], which represents the spread of malware with heterogeneous immunity but without quarantine strategy. We find that the size of I(t) in [11] rises within time to an equilibrium level; however, under network quarantine, it remarkably declines to a much lower equilibrium level. This is expected since the quarantine reproduction number for model (2.2) is less than the basic reproduction number for the model in [11]. To see this, we let µ = 0 in $R_q$, we get R q = (β w α + β s )/(δ + γ)(α + ), where the basic reproduction number in [11] is Thus, $R_q$ is less than $R_0$. This points to the importance of quarantine as a strategy for controlling malware transmission. The findings of the sensitivity analysis propose the following suggestions: (i) installing effective anti-virus software and updating it on time reduces the infection rate $\beta_w$ and α while at the same time, it increases the rate and the recovery rate γ, (ii) isolating the infected computers from the network has a better effect than isolating the infected files by anti-virus software.
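The comparison and the elasticity computation described in this section can be reproduced with a short simulation. The Python code below is an added example, not the authors' MATLAB code: the right-hand sides are reconstructed from assumptions H1 to H10 and the model 2 description (cured I-nodes are assumed to return to S), `eps` is a stand-in name for the W-to-S rate of H6, the `r_q` expression is derived from that reconstruction, and every parameter value is constructed.

```python
"""Added illustration: network quarantine (beta_q = 0) vs anti-virus quarantine (beta_q > 0)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Params:
    # Constructed values (per hour); they respect beta_q < beta_s < beta_w.
    beta_w: float = 0.6   # infection rate of weakly protected W-nodes
    beta_s: float = 0.2   # infection rate of strongly protected S-nodes
    beta_q: float = 0.0   # reinfection rate of Q-nodes (0 reproduces model 1)
    alpha: float = 0.3    # S -> W, anti-virus expired or not updated (H5)
    eps: float = 0.2      # W -> S, anti-virus updated (H6); the name is an assumption
    delta: float = 0.1    # quarantine rate I -> Q (H4)
    gamma: float = 0.1    # recovery rate of I-nodes (H7), assumed to return to S
    eta: float = 0.2      # release rate Q -> S (H8)
    mu: float = 0.05      # node removal and replacement rate (H9, H10)


def r_q(p):
    """Quarantine reproduction number at the virus-free state W0 = alpha/(eps+alpha+mu)."""
    new_infections = p.beta_w * p.alpha + p.beta_s * (p.eps + p.mu)
    return new_infections / ((p.delta + p.gamma + p.mu) * (p.alpha + p.eps + p.mu))


def elasticity(p, name, h=1e-6):
    """Normalized sensitivity index (dR_q/dp) * (p / R_q), by central difference."""
    value = getattr(p, name)
    up = r_q(replace(p, **{name: value + h}))
    down = r_q(replace(p, **{name: value - h}))
    return (up - down) / (2 * h) * value / r_q(p)


def rhs(state, p):
    """Normalized (W, I, Q) subsystem; S follows from W + S + I + Q = 1."""
    w, i, q = state
    s = 1.0 - w - i - q
    force = p.beta_w * w + p.beta_s * s + p.beta_q * q  # infections caused per I-node
    dw = p.alpha * s - p.beta_w * w * i - (p.eps + p.mu) * w
    di = force * i - (p.delta + p.gamma + p.mu) * i
    dq = p.delta * i - p.beta_q * q * i - (p.eta + p.mu) * q
    return (dw, di, dq)


def simulate(p, state=(0.3, 0.1, 0.0), t_end=1000.0, dt=0.05):
    """Classical fourth-order Runge-Kutta; returns the final (W, I, Q) fractions."""
    def shifted(base, slope, scale):
        return tuple(b + scale * k for b, k in zip(base, slope))

    for _ in range(int(round(t_end / dt))):
        k1 = rhs(state, p)
        k2 = rhs(shifted(state, k1, dt / 2), p)
        k3 = rhs(shifted(state, k2, dt / 2), p)
        k4 = rhs(shifted(state, k3, dt), p)
        state = tuple(x + dt / 6 * (a + 2 * b + 2 * c + d)
                      for x, a, b, c, d in zip(state, k1, k2, k3, k4))
    return state


if __name__ == "__main__":
    network = Params()                         # model 1: infected hosts leave the network
    antivirus = replace(network, beta_q=0.1)   # model 2: quarantined hosts stay reachable
    fast = replace(antivirus, delta=0.6)       # same strategy, quicker isolation
    for label, p in (("network", network), ("anti-virus", antivirus), ("fast", fast)):
        print(f"{label:10s} R_q={r_q(p):.3f} final infected={simulate(p)[1]:.4f}")
    for name in ("beta_w", "alpha", "eps", "delta", "gamma", "eta"):
        print(f"elasticity of R_q w.r.t. {name}: {elasticity(network, name):+.3f}")
```

With these constructed values the first two runs share the same `r_q`, yet the anti-virus run settles at a higher infected fraction; raising `delta` pushes `r_q` below one and the infection dies out.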

Conclusions
Quarantine is one of the most immediate ways to control epidemic spreading, as it disconnects the communication between the infected and the susceptible ones. To investigate the impact of quarantine on the malware spreading process, we introduced two models. One proposed a network quarantine strategy (model 1), and the other proposed an anti-virus software quarantine strategy (model 2). Both models account for heterogeneous immunity. A dynamical behavior study was conducted focusing on the critical quarantine reproduction number $R_q$. Qualitative and quantitative examinations were carried out to predict the long term behavior of the models. Also, a sensitivity analysis was executed to investigate the parameters' influence on $R_q$. We present some of the main findings of the models as follows. Both models produced two equilibria, the virus-free ($E_1^0$, $E_2^0$) and the endemic ($E_1^*$, $E_2^*$). The virus-free equilibrium points of both models always exist and are locally and globally asymptotically stable if $R_q$ is less than unity. The endemic equilibrium point $E_1^*$ of model 1 exists if $R_q > 1$, and is locally and globally asymptotically stable if αδβ w < β s (α + + µ)(η + µ) + αδβ s . The endemic equilibrium point $E_2^*$ of model 2 exists if $R_q > 1$, $\beta_s < \gamma + \delta + \mu$, and $\beta_q < \eta + \delta + \mu$. $E_2^*$ is locally asymptotically stable if αδβ w < β s (α + + µ)(η + µ) + αδβ s , and globally asymptotically stable if αδβ w < (β s − β q )(α + + µ)(η + µ) + αδβ s . The numerical simulations of both models coincide with the analytical results. Moreover, the simulations showed that an increase in the quarantine rate δ has significantly reduced $R_q$, whereas weak immunization participated substantially in spreading malware. Furthermore, the performance of network quarantine was found to be better than anti-virus software quarantine in controlling malware propagation. From the comparison between model 1 (network quarantine) and the model in [11] (no quarantine), quarantine had been proven to be a good policy. Also, it is found that $R_q$ does not depend on the average residence time of quarantined infected computers (1/η), which is in agreement with most malware propagation models in the literature.
Accordingly, we highly suggest network quarantine as a control strategy for malware spreading. However, the period that a network takes to transfer an infected computer to quarantine (1/δ) must be short. Furthermore, continuous awareness towards immunizing computers will lead the way to network solidity.

Figure 1. The transfer diagram of model 1.

Figure 2. The transfer diagram of model 2.

Figure 3. Time variation of system (2.2) with parameters given in (a) Example 1 and (b) Example 2 for various initial conditions.

Anti-virus software quarantine
Example 3. (Virus-free equilibrium point) Let the parameters in model (3.2) be as follows:

Figure 4. Time variation of system (3.2) with parameters given in (a) Example 3 and (b) Example 4 for various initial conditions.

Table 1. Model notations.
Parameter | Description | Unit
 | The infection rate of W-node caused by an infected computer | Hour$^{-1}$
$\beta_s$ | The infection rate of S-node caused by an infected computer | Hour$^{-1}$
 | The rate that W-node enters S-node | Hour$^{-1}$
α | The rate that S-node enters W-node | Hour$^{-1}$
γ | The recovery rate of I-node | Hour$^{-1}$
η | The recovery rate of Q-node |

$a_{11} + a_{22} + a_{33}$, $C_2 = a_{11}a_{22} + a_{11}a_{33} + a_{22}a_{33} + a_{23}a_{32} + a_{12}a_{21}$, $C_3 = a_{11}a_{23}a_{32} + a_{13}a_{21}a_{32} + a_{11}a_{22}a_{33} + a_{12}a_{21}a_{33}$.

Table 2. The sensitivity indices of $R_q$ to any parameter p.