An Advanced Persistent Distributed Denial-of-Service Attacked Dynamical Model on Networks

The advanced persistent distributed denial-of-service (APDDoS) attack does serious harm to cyber security. Establishing a mathematical model that accurately predicts APDDoS attacks on networks is still an important open problem. Therefore, to help understand the attack mechanisms of APDDoS on networks, this paper first puts forward a novel dynamical model of APDDoS attack on networks. A systematic analysis of this new model shows that the maximum eigenvalue of the network is a vital factor that determines the success or failure of the attack. What is more, a new sufficient condition for the global stability of the attack-free equilibrium is obtained. The global attractivity of the attacked equilibrium is also proved. Finally, this paper gives some numerical simulations to illustrate the main results.


Introduction
Cyber-attacks invade every aspect of our lives and cause huge threats and enormous damage to thousands of industries. According to the report [1], the percentage of cyber-attacks motivated by Cyber Crime rose to 72.1% in 2017. Nowadays there are many ways of attack, such as the DDoS attack, the DoS attack, and so on.
Here, let us discuss some means of attack to achieve a better understanding of the cyber-attack. The DoS attack, known as the denial-of-service attack, is an important means of attack. It blocks the buffer of the service provider's host so that legitimate visitors cannot access the server. Among the cyber-attacks in 2016, about 11.3% were DoS attacks. Different from the DoS attack, in a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources [2]. In addition, APT (Advanced Persistent Threat), which is a stealthy and continuous computer hacking process, usually has the characteristics of strong concealment, sophisticated techniques, and continuous monitoring [3]. Most importantly, this paper mainly discusses the APDDoS (advanced persistent distributed denial-of-service) attack, which is a DDoS attack equipped with the advanced features of APT. With the characteristics of advanced reconnaissance, clear motive, tactical execution, outstanding computing power, and long-term durability [4], it has caused great losses to the world. During the opening ceremonies of the PyeongChang Winter Olympics in February 2018, TV and web services were affected by an APDDoS attack for about 12 hours [5]. In February 2018, GitHub (the world's largest code hosting website) suffered a serious APDDoS attack; the peak flow rate reached 1.35Tbps [6]. The APDDoS attack is becoming more and more harmful, and it has a profound impact on the world.
To fully understand the APDDoS attack, its steps must be introduced. First, the attacker invades as many computers as possible by inserting or injecting malware into phishing websites or phishing texts, so that a visitor who opens one has his/her computer infected. Then the infected computers are assembled into a botnet that is controlled by the attacker. When there are enough infected computers, the attacker can launch a flood attack on targeted IPs (service hosts), which will be blocked or broken down soon after the attack.
The cyber-attack process on the network can be accurately expressed as a continuous-time Markov chain, as proposed by Van Mieghem [7,8]. However, this method is difficult to analyze mathematically. To overcome these difficulties, some approximation methods have been proposed, such as individual-based mean-field theory (IBMF) and degree-based mean-field theory (DBMF) [9,10]. For IBMF, any node, which can be regarded as a computer or local network in the network, is statistically independent of its neighboring nodes [11-14]. For DBMF, any vertex classified by degree is connected to the set of nodes with different degree with a specific probability [15-17].
To better understand the impact of network topology on APDDoS attack, in this paper we propose a novel APDDoS attack model on networks with IBMF. We then find that the global stability of the attack-free equilibrium and the global attractivity of the attacked equilibrium depend on the value of the maximum eigenvalue of the attack network.
In Section 2, the paper proposes the APDDoS attack model. Its threshold and the equilibria are calculated in Section 3. Further discussions are given in Section 4. Next, the paper shows some numerical simulations in Section 5. Finally, a brief summary of the full paper is given.

Model Descriptions
According to the ability of computers to defend against malicious software on the network, the paper divides the computers into two groups: the Weak-Protected group and the Strong-Protected group. Here, computers can be assigned to the two groups by checking whether the computer has a firewall.
The Weak-Protected group (WP), which lacks firewall protection, is vulnerable to malware attacks, such as computer worms, Trojans, and so on. The Weak-Protected group consists of two kinds of computers: susceptible computers (S-node) and infected computers (I-node). Susceptible computers (S-node) are weak in preventing malware attacks but have not been infected yet, while infected computers (I-node) are computers that have been infected by malware and are controlled by hackers.
However, because of the firewall, the Strong-Protected group (SP) can defend against many kinds of attacks, but it can still be attacked by an APDDoS attack. The Strong-Protected group also consists of two kinds of computers: tolerant computers (T-node) and missed computers (M-node). Tolerant computers (T-node) represent computers with a firewall (which usually means servers) that work normally, while missed computers (M-node) denote computers with a firewall that cannot respond to requests and become missed for visitors due to the APDDoS attack (see Figure 1).
Based on the above facts, some constants can be defined as follows:
(i) G = (V, E): the network structure of the computers on the network; G can be represented as an undirected, connected, and nonlooped graph.
(ii) N: the scale of network G, which is also the total number of computers in G.
(iii) A: the matrix of the network connection situation. A is a symmetric matrix with zero diagonal. = (  ), 1 ≤ ,  ≤ .
(iv)   : the spectrum of A, 1 ≤  ≤ . As A is real and symmetric, we may assume
(v) S_i(t): the i-th node, which is susceptible (S-node) at time t.
(vi) I_i(t): the i-th node, which is infected (I-node) at time t.
(vii) T_i(t): the i-th node, which is tolerant (T-node) at time t.
(viii) L_i(t): the i-th node, which is missed (M-node) at time t.
(H1) Through operations that harm computer security, such as browsing phishing websites or opening phishing emails, any S_i is infected by the neighboring I-nodes with probability ; the average probability that each S_i gets infected per unit time is  ∑      .
(H2) By installing antivirus software, any I_i(t) recovers to the susceptible state, that is, becomes S_i(t), with the probability .
(H3) When APDDoS attacks occur, any T_i(t) can be attacked by neighboring I-nodes with the probability . By calculation, the average probability that each T_i(t) turns into M_i(t) per unit time is  ∑      .
(H4) By changing the hardware of computers and strengthening the firewall, any M_i(t) restarts or recovers with the probability .
(H5) As the two groups of computers are separated, the paper uses  to denote the proportion of the Weak-Protected group, and then 1− is the proportion of the Strong-Protected group; also S_i(t)+I_i(t)=  and T_i(t)+M_i(t)=1-. Let Also, the following equations can be obtained: In order to satisfy these above equations,  and  should be far less than 1. Let Δt be a very small interval. According to the assumptions given above, the following equations are obtained: (3) Substituting these equations into the above relations and letting Δ >0, the following 4N-dimensional dynamic system is proposed: with the initial conditions that 0 ≤   (),   () ≤ , 0 ≤   (),   () ≤ 1 − .
Since the first N equations of system (5) are independent of M, system (5) can be simplified into the following form: with the initial conditions 0 ≤   () ≤ .

Model Analysis
This section aims to understand the dynamical behavior of system (5) and system (6), which were proposed in the previous section.
Proof. The characteristic equation with respect to P_0 is Equation (11) has negative roots − with multiplicity N and has   − ,1≤ k ≤ N as the remaining N roots. When  max < / =  0 , then   − / ≤  max − / < 0 for all k. So, all the roots of (11) are negative, implying that the attack-free equilibrium of system (5) is locally asymptotically stable. Otherwise, if  max > / =  0 , then the attack-free equilibrium is a saddle point.
Next, study the global stability of the attack-free equilibrium of system (6).
Let y(t) = (I_1(t), ..., I_N(t))^T, and rewrite system (6) as the following notation: with the initial condition (0) ∈ Ψ, where Lemma (see [22]). Consider a smooth dynamical system ()/ = (()) that is defined at least in a compact set U. Then, U is positively invariant if for any smooth point w on , the vector g(w) is tangent to or pointing into U.
Combining the above discussions, we get that g(w) is pointing into Ψ. The claimed result then follows from Lemma 3. The proof is completed.
Theorem. The attack-free equilibrium of system (6) is globally and asymptotically stable if  max <  0 .
Proof. Look at system (13). As matrix  T is irreducible and its off-diagonal entries are all nonnegative, it follows from [23] that  T has a positive eigenvector z = (z_1, ..., z_N) belonging to its eigenvalue s( T ). Let r = min_i z_i (r > 0). Then, for all  ∈ Ψ, we have Moreover, <H(y), z> = 0 implies that y = 0. In view of Theorem 1 and Lemma 5, the claimed result follows from Lemma 4. The proof is complete.
Proof. It follows from Theorem 6, which implies that lim for any > 0 there exists time T_1 such that, for all  ⩾  1 , we have From the last N equations of system (5), we get that for 1 ≤  ≤ . And for  ≥ This implies that lim The proof is complete.
The following corollary can be obtained easily based on Lemma 4 and Theorem 7.

Corollary. System (5) is uniformly persistent if 𝜆
Second, consider properties of the attacked equilibrium of system (5).

Theorem. System (5) has an attacked equilibrium 𝑃
Proof. Note that any solution of system (5) is bounded. Hence, the claimed result follows easily from Corollary 8 [25].

Further Discussions
In order to control APDDoS attack,  max <  0 must be satisfied. To different parameters on  0 . Let us do the following calculations: From these computational results, the following conclusions can be obtained: Based on the above discussions, the corresponding practical suggestions are as follows:
(i) Install antivirus software or firewall and update it regularly.
(ii) Improve the defensive level of computer.
(iii) Filter IP addresses so as to reduce the number of IP addresses that can access computer on networks.

Numerical Simulations
This section gives some examples of the equilibria of system (5) on different networks and of optimal dynamic control strategies for disrupting APDDoS attack. The paper discusses the equilibrium of the system on four different kinds of networks: a fully connected network, a stochastic network, a scale-free network generated with the Barabasi-Albert method, and a realistic network. First, consider system (5) on the fully connected network.
Example 1. Consider a network with 200 nodes in which every node is connected to all other nodes, that is, a fully connected network. With = 0.004, = 0.01, = 0.4, =0.1, =0.5 where the threshold of the system is 200 >  max =199, the attack-free equilibrium is globally stable (see Figure 3).
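An added sketch (not the paper's code) of the check behind Example 1: it computes the maximum adjacency eigenvalue of the fully connected 200-node network, compares it with the threshold, and runs the infected-node subsystem on a small constructed network. The system equations are not reproduced on this page, so the update rule, the threshold ratio and the names beta, gamma and phi are assumptions derived from (H1), (H2) and (H5); mapping Example 1's values 0.004, 0.4 and 0.5 to them reproduces the stated threshold of 200.

```python
# Added example. beta, gamma, phi are assumed labels for the infection
# probability (H1), the recovery probability (H2) and the Weak-Protected
# proportion (H5); the page's own symbols did not survive extraction.

def complete_graph(n):
    """Adjacency lists of the fully connected network on n nodes."""
    return [[j for j in range(n) if j != i] for i in range(n)]

def lambda_max(adj, iters=200, tol=1e-10):
    """Largest adjacency eigenvalue by power iteration on A + I.
    The shift keeps the iteration convergent on bipartite graphs too."""
    n = len(adj)
    x = [n ** -0.5] * n
    lam = 0.0
    for _ in range(iters):
        y = [x[i] + sum(x[j] for j in adj[i]) for i in range(n)]
        new = sum(a * b for a, b in zip(x, y))   # Rayleigh quotient, |x| = 1
        norm = sum(v * v for v in y) ** 0.5
        x = [v / norm for v in y]
        done = abs(new - lam) < tol
        lam = new
        if done:
            break
    return lam - 1.0

def threshold(beta, gamma, phi):
    """Assumed threshold: linearising at I = 0 gives beta*phi*A - gamma*Id."""
    return gamma / (beta * phi)

def attack_dies_out(adj, beta, gamma, phi):
    """True when lambda_max is below the threshold (attack-free state stable)."""
    return lambda_max(adj) < threshold(beta, gamma, phi)

def simulate_infected(adj, beta, gamma, phi, i0, t_end, dt=0.05):
    """Forward-Euler run of the assumed infected-node subsystem
    dI_i/dt = beta * (phi - I_i) * sum_j a_ij I_j - gamma * I_i."""
    inf, n = list(i0), len(i0)
    for _ in range(int(round(t_end / dt))):
        pressure = [sum(inf[j] for j in adj[i]) for i in range(n)]
        rate = [beta * (phi - inf[i]) * pressure[i] - gamma * inf[i] for i in range(n)]
        inf = [min(phi, max(0.0, inf[i] + dt * rate[i])) for i in range(n)]
    return inf

if __name__ == "__main__":
    print(lambda_max(complete_graph(200)), threshold(0.004, 0.4, 0.5))  # Example 1
    k20 = complete_graph(20)                  # constructed small network
    start = [0.1] + [0.0] * 19                # constructed initial state
    print(max(simulate_infected(k20, 0.004, 0.4, 0.5, start, 50)))
    print(simulate_infected(k20, 0.1, 0.4, 0.5, start, 50)[:3])
```

For a defender, the comparison in attack_dies_out is the quantity to watch: reducing connectivity (a smaller maximum eigenvalue) or raising the recovery probability moves the network to the side of the threshold on which the infected fraction decays.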
Then consider system (5) on a stochastic network.
Example 3. Consider a network with 200 nodes whose nodes are connected randomly to one another. With = 0.01, = 0.01, = 0.5, =0.1, =0.5 where the threshold of the system is 100 >  max = 99.305, the attack-free equilibrium is globally stable (see Figure 5).
Example 4. Consider a network with 200 nodes whose nodes are connected randomly to one another. With  = 0.017, = 0.01, = 0.75, =0.1, =0.5 where the threshold of the system is 74.117 <  max = 99.305, the attacked equilibrium is attractive (see Figure 6).
Now, let us consider system (5) on a scale-free network.

Conclusion
This paper puts forward a novel dynamical model of APDDoS attack on networks. A systematic analysis of this model is then presented. After that, a new sufficient condition for the global stability of the attack-free equilibrium is obtained. Next, the sufficient condition for the global attractivity of the attacked equilibrium is also studied. Finally, some numerical simulations are given to illustrate the main results of this paper.

Figure 2: Status transition graph of the basic model (the dashed line on the graph means the attack from I-node to T-node).

Figure 3: Global stability of attack-free solution on full-connected network.

Figure 4: Global attractivity of attacked solution on full-connected network.

Figure 5: Global stability of attack-free solution on stochastic network.

Figure 7: Global stability of attack-free solution on scale-free network.

Figure 9: Global stability of attack-free on realistic network.

Figure 10: Global stability of attack-free solution on realistic network.