Chapter 2

Malware diffusion in wired and wireless complex networks

Abstract

The main subject of this book is modeling the diffusion (dissemination) of malicious software (malware) over various types of complex communication networks, and especially over wireless ones. The previous chapter introduced complex communication networks and presented their structure and features. In this chapter, the focus shifts to modeling the malware dissemination processes. We start with the definition of diffusion processes as generic spreading processes observed across various scenario instances and research disciplines. Then the more specific problem of malware diffusion will be introduced and the most frequently encountered malware outbreaks will be presented. Finally, this chapter will present in detail the most important models that are related to the diffusion of malware in communication networks and can be used more broadly for modeling the spread of information in all types of complex networks as well. The content of this chapter may be considered as a foundation for building malware/information dissemination models over complex networks.

Keywords: Diffusion processes; Malware diffusion; Malware outbreaks; Node infection models; SI; SIR; SIS

2.1. Diffusion Processes and Malware Diffusion

This section will first introduce the notion of diffusion processes in general, then the more specific process of malware diffusion, and finally it will deal with more specific types and examples of malware diffusion over wired and wireless communication networks.

2.1.1. General Diffusion Processes

Malware diffusion is a general term used to describe various forms of malware dissemination processes encountered in today’s wired and wireless communication networks. In order to better analyze malware diffusion, the “diffusion” needs to be understood. This subsection will provide a concise overview of the fundamentals of diffusion processes toward enabling such understanding.
The broader notion of diffusion processes is used in various disciplines such as physics, chemical engineering, and material science [145]. Diffusion processes characterize a type of transfer phenomena observed frequently in nature or society, and they can emerge naturally (i.e. spontaneously) or artificially (i.e. in a controlled manner). A distinguishing feature of diffusion compared to other transfer processes is that it results in the mixing of, or the massive spread of, large interacting entities, e.g. atomic particles, humans, liquids, or gas molecules, without requiring a bulk transfer. A characteristic example that one may encounter in his/her daily routine is the mixing of two liquids, e.g. pouring red color in a water tank. The random process taking place from the start of the mixing until the whole mixture becomes homogeneous is an instance of diffusion. Thus, diffusion is a gradual random process taking place progressively, as opposed to convection or advection which are rapid transfer processes [57]. Of course, the rate of transfer for diffusion may be relatively fast, but even in such cases the transfer should not take place in bulk form, i.e. if particle diffusion is under discussion, particles can be transferred one by one at very high speeds, but not in clustered groups.
Intuitively, diffusion could be thought of as a process of spreading out, as the Latin origin of the word diffusion suggests.¹ In physics, it is defined as the process by which there is a net flow of matter from a region of high concentration to one of low concentration. Thus, when diffusion refers to malware, it describes the process where malware starts from a source node-user, or groups of nodes-users (high malware-concentration area), and progressively spreads or propagates to other users (low malware-concentration areas). Apart from physics (e.g. particle diffusion), chemistry (e.g. diffusion in gases and liquids), and material science (e.g. atomic diffusion in solids) mentioned above, diffusion processes emerge in biology (between cells and chemical substances), in sociology, economics, and finance (as diffusion of people, ideas, and price values) as well.
In mathematics, diffusions appear in two forms. The first is usually encountered in processes that behave like fluids, in which cases, the underlying mathematical modeling is based on systems of partial differential equations obtained by the laws of fluid dynamics [57]. In the second case, diffusion can be identified whenever the concept of random walk² in ensembles of individuals can be applied [145]. For instance, in physics, particle diffusion that is widely expressed through the stochastic process of Brownian motion [143] is essentially an ensemble of atoms performing random walks in space. So is an ensemble of people exchanging news on a social network such as Facebook. In the latter example, news disseminates among humans in a random and gradual contact-based fashion, analogous to physical particles moving from one location to another.

2.1.2. Diffusion of Malware in Communication Networks

For the purposes of this book, it suffices to consider diffusion as a transfer process of some form of “particles,” which will correspond to malware bearers. These “particles” can be packets of a network flow, whole pieces of malware, people, etc., and in general bits of information. The transfer of malware should take place as a type of nonbulk process, and it will be characterized by certain laws, achieving an average transfer rate. In particular, the diffusion of malware may be defined as follows:

Definition 2.1

Malware Diffusion

Malware diffusion describes generically and holistically the process by which any type of malicious software, from simple viruses and local outbreaks to massive worm spreads that can possibly emerge in a communication network, transfers from one user-attacker (or groups of attackers) to another user-node (or groups of users-nodes), eventually contaminating larger components of the network.
Thus, the diffusion process describing malware transfer essentially represents a transfer process of malicious software between nodes belonging to two major interdependent groups, namely, attackers/malicious nodes and legitimate nodes of the network.³ Attackers can be considered as “areas” of high malware concentration, while legitimate nodes as “areas” of no malware concentration, signifying a controlled (artificial) malware flux potential from the high concentration areas to the areas of no malware concentration. Once a node leaves one group, e.g. the group of legitimate nodes, it enters the other one, in this case the group of malicious nodes. Such interdependence dictates the size of the population of each group as a function over time under the assumption of a closed population, while all the rest of decision-making behaviors of nodes are independent. For instance, nodes might be considered to follow their own security policies, which is in contrast to the potential centralized policies followed in major corporate or public infrastructure/utility networks and this could affect the possibility of becoming contaminated by some diffused malware component. Once a node becomes contaminated, the number of legitimate noninfected nodes will decrease by one and the number of infected nodes will increase by one at the same time (interdependence), irrespective of different policies followed by the nodes.
Malware diffusion can be dissected into two major categories, namely, spreading and propagation, denoting two operationally different mechanisms of malware transfer between nodes (Table 2.1). The “spreading” mechanism models scenarios where the transfer of malware takes place only between two specific and distinct groups of nodes, namely, from attack (malicious) nodes to legitimate noninfected nodes. On the contrary, malware propagation describes the cases where infected legitimate nodes are able to contaminate other noninfected legitimate nodes, in addition to the (original) attack nodes. Thus, both malicious and legitimate infected nodes control the dynamics of malware diffusion against the currently noninfected legitimate nodes. This can occur once these legitimate nodes become infected and can last as long as they remain in the infected state. When infected legitimate nodes cannot infect their peers, we will refer to such networks as nonpropagative. In contrast, when a newly infected legitimate node is able to infect other legitimate nodes, we call such networks propagative. In the rest of this book, we stand firm with this convention: we will refer to malware diffusion in nonpropagative networks as malware “spreading,” whereas we denote malware diffusion in propagative networks by malware “propagation.”

Table 2.1

Malware Diffusion Categories and their Coverage in this Book. Symbols ‘+, -, *’ Mean the Corresponding Category is Addressed, Not Addressed, Only Touched Upon in the Book, Respectively

| Features | Contamination Type: Peer-to-peer | Contamination Type: Hybrid | Contamination Type: Group |
|---|---|---|---|
| Spreading (nonpropagative networks) | + | - | + |
| Propagation (propagative networks) | + | - | * |


We also distinguish cases where malware is transferring between pairs of nodes and where the transfer is in bulk between groups of nodes, which can reflect the nature of the underlying communication protocol in use, e.g. unicast versus multicast (Table 2.1). In this book, we will mainly focus on the case of unicast transmissions, and thus malware transfer between pairs of nodes. When transfers occur in bulk, the process cannot be characterized as diffusion in general. Such cases of concurrent group malware spreading or propagation have not been extensively studied, despite the fact that some incidents of such malware outbreak have been observed sporadically. We will return to this issue as a potential future area of research in the later chapters of the book.

2.2. Types of Malware Outbreaks in Complex Networks

In the history of computer and communication networks, numerous malware outbreak incidents have been observed and documented. Some of the emerged outbreaks became popular even among the laymen of the field, due to the considerable impact they had on infrastructures, users’ work, and the local or global economies. Several of these incidents have also been analyzed and quantified with good accuracy based on real measurements and evaluations, e.g. the CodeRed worm [235] and the Love virus. Nowadays, the detection, measurement, and documentation of malware outbreaks have become more systematic. In this section, we present the most representative types of malware that have been observed to date and then we refer to current and expected emerging malware trends.
Table 2.2 provides some of the most representative types of malware and many of their underlying subcategories, e.g. viruses and their variations. It also provides some notable instances of each malware type, as well as a qualitative severity characterization of their operation based on their overall past outcome. The severity of each attack is qualitatively assessed as “low-average-high.” It should be noted that Table 2.2 is a nonexhaustive summary of malware type classification, and other works in the literature, e.g. [13,52,163,166], can be consulted for more detailed descriptions and analysis.

Table 2.2

A Non-exhaustive Classification of Malware Types with Examples

| Malware Type | Notable Attacks | Severity |
|---|---|---|
| Worms | Blaster, Welchia | Highest |
| Botnets | SDBot, RBot, Agobot, Spybot, Mytob | High |
| Rabbit | Fork bomb | Average |
| Logic bombs | Medco Health Solutions, Fannie Mae, CSOC | Average |
| Trojan horse | Netbus, Sub7, Back Orifice, Beast, Zeus | High |
| Sinkhole/wormhole | Styx EK, SweetOrange EK | High |
| Spyware | CoolWebSearch, WinTools, Zango, Zlob | Average |
| Adware | Typhoid | Low |
| Trapdoors/Backdoors | Sobig, Mydoom, Skynet, MD5 | Average |
| DoS | Teardrop, Smurf, SYN flood, Sockstress | High |
| Zombies (DDoS) | SPEWS, Blue frog and smartphone attacks | Average |
| Phishing | AOHell, warez, Heartbleed | High |
| Viruses (boot-sector, file, macro) | CodeRed, Sasser, Melissa, Conficker | High |
| WiFi viruses | Chameleon (experimental virus) | High |
| Bluetooth viruses | Cabir, Ronie, Commwarrior | Average |
| Smartphone viruses | Cabir, Duts, Skulls, Commwarrior, Ikee | High |
| Socialnet app viruses | Net-Worm.Win32.Koobface.a/b | High |
| Hybrid and blended | Storm worm, Klez, Bobax, CIH | High |

The most frequently encountered types of malware tend to be those that are targeting individual users, rather than those that attack large-scale centralized systems and infrastructures, such as banking, military, and public utility systems. Their severity can be minor or grave depending on the scale of attack and the intelligence of malware. Most of these malware sources are derived from exploiting operating system (OS) holes⁴ and bugs, and only rarely from more complicated software that is able to unlock whole software systems. Among the malware types that attack individual users, the most frequently encountered is the worm type and its variations, affecting both Internet and mobile users. Worms usually hit massively and suddenly as many unprotected machines as they can, usually after some OS hole has been discovered by hackers. In fact, most of the malware examples employed in the literature refer to attacks by one or more types of worm malware.
In 2001, the CodeRed worm was released only 25 days after a relevant vulnerability was announced, signifying the order of magnitude of the potential capability of malware authors, even a decade ago. Since then, even though significant awareness has been raised and precautions have been taken to avoid similar cases, there still exist several similar incidents, varying in severity and targets. Just for comparison purposes, in 2006, a Microsoft Windows vulnerability was exploited by a worm only 5 days after it was revealed.
Malware of the worm type, similarly to trojan horses and spyware software, aims mainly at ordinary individual users, rather than the complex centralized grids. Spyware, in turn, comprises malware types that exploit machine vulnerabilities, and typically they exploit the lack of knowledge that characterizes simple users, in order to install themselves into host machines and monitor user activity, obtain passwords, etc., without the user’s consent.
On the other hand, malware of the botnet type applies to compromised machines infected by targeted software that the attackers use in order to launch large-scale attacks against important and typically large interconnected systems and networks, frequently of commercial or governmental use, such as public utility and defense networks. A similar purpose is attained by DoS/distributed denial-of-service (DDoS) attacks, usually aiming more at the commercial operation of websites in the WWW. A DoS attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A DDoS attack is one where the attack originates from more than one source, often thousands of unique IP addresses. In such cases, the individual hosts essentially behave as “zombie soldiers” by either infecting even more machines and thus creating a large army of compromised machines, or as soldiers of this army in order to attack large and usually well-guarded network systems. Several documented incidents prove that this has been a very popular and successful practice among the attackers with various undesired results for the legitimate systems and users.
The increase of malware outbreaks in computer and communication networks is nowadays more evident than ever. According to a relevant study by Symantec [195], in the last half of 2005, 1896 new outbreaks appeared, corresponding to about 70 new ones per week. Among those, 50% were characterized as having high severity of their outcome, while about 45% were of medium severity, leaving only a small percentage of 5% exhibiting small severity. In another incident, where the Welchia worm “fought” against the Blaster worm as a released countermeasure, the unrestricted spread of this “patch” created so much additional traffic in the Internet that it almost destabilized even well-provisioned critical subnetworks. Perhaps, what is known as the “highlight of worm outbreaks” was registered in 2004 and denoted as War of the Worms between the NetSky, Bagle, and MyDoom worm variants [207]. This war created complex interactions among worms, with instances of one worm terminating another worm. Lately, in March 2012, significant dysfunctions were caused by a DNS Changer Malware involving Internet users, denoted by the name “Operation Click Ghost.” This malware was essentially a bundle of viruses such as TDSS, Alureon, TidServ, and TDL4 viruses that changed DNS settings. Table 2.3 presents a mapping of specific attack threats to the malware types (spreading/propagation) and contamination types (peer-to-peer/group) presented earlier in Table 2.1.

Table 2.3

Mapping of Malware Threats to Malware Attack Types

| Threat | Malware Type | Contamination Type |
|---|---|---|
| Worms | Propagation | Point-to-point/group |
| Botnets | Propagation/spreading | Point-to-point |
| Trojan horses | Spreading | Point-to-point |
| Sinkhole/wormhole | Spreading | Point-to-point |
| Spyware | Spreading | Point-to-point |
| Trapdoors/Backdoors | Spreading | Point-to-point/group |
| DoS/DDoS | Spreading | Group/point-to-point |
| Phishing | Spreading | Point-to-point |
| WiFi viruses | Propagation | Point-to-point/group |
| Bluetooth viruses | Propagation | Point-to-point |
| Smartphone viruses | Spreading/propagation | Point-to-point |
| Socialnet application viruses | Spreading | Group |

All these examples illustrate the variability of outcomes that several malware types and their variations have on the systems over which they propagate. These outcomes may include financial, operational, ethical, and life-critical issues emerging for the attacked networks and their users and in most of the cases the outcomes turn out to be more severe than measured or expected.
Lately, and especially since 2010, the proliferation of smartphones has led to a paradigm shift in network access services and has also driven several radical changes in the traditional wired infrastructures. It has essentially served as a driver for a paradigm shift in network access from wired to wireless networks and has enabled true mobile access and computing. However, in parallel, an increasing trend in mobile malware emergence has been observed, where the malware modules mainly transfer through mobile devices (tablets and smartphones).
Mobile malware is malicious software that is specifically built to attack mobile phone or smartphone systems. These types of malware rely on exploits of particular OS and mobile phone software technology and represent a significant portion of malware attacks in today’s computing world, where mobile phones are increasingly common.
Within the category of mobile malware, certain kinds of smartphones are targeted more often than others. Industry research shows that an overwhelming majority of mobile malware targets the Android platform, rather than other popular mobile OS systems, like Apple’s iOS, mainly due to proprietary platform restrictions, etc. Various types of mobile malware include device data spies that log certain kinds of data and deliver it to hackers. Another type of mobile malware is called root malware and gives hackers certain administrative privileges and file access. There are also other kinds of mobile malware that perform automatic transactions or communications without the device holder’s knowledge, signifying a noteworthy variability of mobile malware, similar to the corresponding malware targeted for wired networks.
With mobile malware, essentially a completely new battlefield has emerged, which was previously considered relatively immune due to its low market penetration. In 2012 and according to rough estimates, there were approximately 370 million devices in total, including cellphones, smartphones, and tablets [195]. This indicates a steady paradigm shift in usage toward wireless networking, which also paves the way for a corresponding shift of malware toward wireless networks, and especially those that become more decentralized. It seems that very shortly wireless Internet will have approximately the same volume of malware as the Internet. Regarding smartphones,⁵ 35,000 new mobile malware pieces per day are observed. Malware has increased by 46% due to attacks targeting mobile devices specifically [195]. New usage paradigms introduced by social networking via mobile devices create a new malware diffusion medium, where scarcer resources enable more diverse damage, the bandwidth is now common to all users, the batteries are restricted, and the media access is more overcrowded than ever. However, the wireless setting enables novel countermeasures as well. As will be seen in the second part of the book, the state-of-the-art methodologies for modeling malware diffusion over wireless complex networks can reveal the key dynamics of malware diffusion, thus enabling the design of more efficient countermeasures, even in the worst-case attack scenarios.

2.3. Node Infection Models

The behavior of a user (network node) that has received malicious software and has been compromised (transition to a state denoted as infected) varies considerably depending on the level of technical knowledge of the user and the device capabilities. It should be noted that nodes that receive malware which has no effect on them, e.g. they receive a virus through email but antivirus software or the user is capable of blocking the virus, behave similarly to users that have not received malware at all; thus, they are not considered as truly infected. The behavior of compromised nodes also depends on the features and capabilities of the malware, as well as the structure and employed management policies of the network. Thus, the users of the network individually might be at different states, signifying diverse behavior for the overall system, e.g. even though a significant number of nodes might be infected, the network could behave in an endemic rather than pandemic fashion (malware diffusion remains but does not dominate the whole network). Transitions between the possible node and system states may thus differ considerably. We refer to the corresponding node transition disciplines as node infection models and we describe the most characteristic ones in the rest of this section.
The node infection models are tightly related to the possible states that a legitimate node can be in. Examples of such states with respect to malware diffusion are the susceptible, infected, removed, and dead states. The malware-related states of legitimate nodes considered in this book are presented cumulatively in Table 2.4 with a short description of their interpretation. These states can successfully capture the operational modes of legitimate nodes with respect to malware diffusion, and they will be defined in detail next.

Table 2.4

Legitimate Node States in the Considered Node Infection Models and their Interpretation

| Node State | Symbol | Interpretation |
|---|---|---|
| Susceptible | S | Noninfected node |
| Infected/infectious | I | Infected node |
| Removed | R | Recovering node (temporarily removed) |
| Dead | D | Node not considered anymore (completely removed) |
| Susceptible-r | Sr | Noninfected node with recharging capabilities |
| Infected-r | Ir | Infected node with recharging capabilities |
| Removed-r | Rr | Recovering node with recharging capabilities |
| Dead-r | Dr | Completely removed node with recharging capabilities |

In all cases, a node starts clean of any malware disseminating in the network and this state is denoted as susceptible (S). If a legitimate node receives some form of active malware, which affects the device’s operation (the impact of malware could vary in type and severity depending on factors explained before), the user is denoted as infected (I). Essentially, this user becomes a victim of the disseminating outbreak and the outcome of this “infection” will be determined (behavior-wise) by the corresponding node infection model, i.e. whether a node will sustain this attack or not defines a different infection model and vice versa. Sometimes the symbol (I) is used to denote a state called infectious in order to better reflect that the corresponding node entering this state is not only infected but also infects other legitimate nodes as well, as if it were an attacker. Thus, the infected state is applicable in nonpropagative networks, while the infectious state in propagative ones. If a legitimate user was infected and at the same time it has entered a state where recovery actions take place, the corresponding node state is denoted by removed (R). This state implies that as long as the node is “removed” it cannot be reinfected by the outbreak, which however also means that the device is not in a fully operational mode as is the case in the susceptible state (it is similar to being temporarily removed from the network). Finally, the state where the user is practically considered completely removed from the network, i.e. due to a malware depleting all its resources, or due to malware rendering the device nonoperational, or even because a user/administrator decided it was too dangerous to retain the device in the network and decided to take it offline completely, is denoted as dead (D).
Given all the above, a formal definition of a node infection model can be provided.

Definition 2.2

Node Infection Model

A node infection model defines the specific states that legitimate nodes can be in, with respect to malware diffusion. It also describes in a generic manner the transitions of users between their possible states, due to malware-related reasons, for various malware types and network paradigms, structures, operations, etc.
Table 2.4 also includes states that refer to networks, where nodes may exhaust their energy but have the capability of recharging. This additional feature may have a significant role in malware diffusion as will be shown in the later chapters.
As explained in Definition 2.2, the node infection model practically describes the succession of the aforementioned legitimate user states, aiming at approximating as accurately as possible the actual behavior (operational state) of the nodes in an attacked network. The {S, I, R, D} states in Table 2.4 are the most basic ones and in fact, the simplest node infection models consider only some of them (i.e. {S, I} is the minimum possible subset of states modeling the outcome of an attack). However, in more complicated networks, additional states could be considered or defined, depending on the actual behavior and developing events taking place. Further extending the previous state space and the node infection models that will be presented in the following could be straightforward or very tough, depending on the corresponding behavior to be modeled in each case. In this book, we will only focus on node infection models on the four states with respect to the state space defined above, and only briefly touch upon cases requiring the definition and application of additional states.
Let us now shift the focus to the description of various fundamental and useful node infection models (state transitions). The simplest state transition is the susceptible → infected, denoted by SI, which models the scenarios where each legitimate user becomes infected and remains so for the rest of its lifetime. Such a model is appropriate for describing the behavior of networks under single or multiple attacks with imminent and fatal outcomes, in which, once a node is infected it remains in this state for the rest of its lifetime. This means that for this model, the infected state is absorbing, namely, once a node gets in this state, it stays there forever. Various examples of such malware types are contained in Table 2.3. The SI model is also suitable for the cases where one is interested in whether each node has received a specific piece of malware or not (this could also apply to the dissemination of a specific piece of information, desired or malicious, and whether the members of a population have received it). Most of the earliest epidemics techniques have assumed this type of user/system evolution, as will be described in the next chapter.
A more advanced model can be considered by observing that in many cases, the impact of malware infection for a device might be decisive. For instance, several types of malware, shown in Table 2.3, can be harmful for the OS and the corresponding machine will be required to be withdrawn and repaired completely. Battery depletion attacks drain the energy of a device at the highest possible rate, reducing its lifetime at a very fast rate. Depleted devices are equivalent to idle machines, i.e. they do not participate in the dynamics of the system evolution, and this is marked by an additional transition from the infected to the removed state. The state transition is now susceptible → infected → removed, and the corresponding node infection model is denoted by SIR. In the removed state, nodes are practically the same as dead and thus, SID could be an alternative acronym. Typically, the SIR identifier is employed in the literature.
From a macroscopic point of view, in a longer observation time interval, a legitimate node of a network receives multiple instances of malware, e.g. within a year a machine might face 10–20 different threats. A typical desktop will be used for a period of at least 5–6 years, within which multiple and diverse malware eventually reaches it. Once a device receives a malicious piece of software, the medium to advanced user (and even the layman after some elapsed time) will typically initiate some type of recovery actions and eventually, even if the host becomes dead for some short period, it will return to the initial state (regarding the specifically identified malware infection). This is a fundamentally different behavior compared to the previous one-way SI and SIR transitions. The new observed behavior is characterized by recurring state transitions. Nodes eventually oscillate between the SI states depending on the maintenance actions and different types of malware received. The corresponding node infection model is denoted as susceptible-infected-susceptible (SIS) and it is one of the most general models considered to study the cumulative and macroscopic behavior of a network when analyzed in the course of time.
Combining the two basic node infection models, SIR and SIS, one is able to obtain a more general model describing the full range of node state transitions for longer time periods (practically spanning all the lifetime of a node) when attacked by multiple malware threats. The latter corresponds to multiple attackers producing threats of different behaviors and characteristics. The specific model is denoted as SIRS, denoting the susceptible-infected-removed-susceptible state transition.
Another interesting node infection model is the susceptible-infected-removed-dead, denoted by SIRD. This model describes effectively behaviors where an initially intact legitimate node receives malware, thus switching to the infected state. After spending some time in that state, in which it could be dysfunctional, not functional at all, or even worse, infective, acting as a malicious node itself, it will make one of the two possible transitions. Either it will be completely removed from the network in which case the transition will be toward the removed state, or toward the dead state, indicating a different type of removal state (usually due to energy depletion or other technical reasons). The transition to the removed state usually denotes that the node is patched and thus permanently protected against the spreading/propagating malware. The SIRD paradigm is popular in modeling specific types of malware, such as the CodeRed worm and its variations, in wired and wireless networks.
Table 2.5 summarizes the node infection models presented in this subsection that will be also considered later in this book, along with a brief explanation. We also provide explicitly the malware type of each node infection model with respect to the classification in Table 2.2, as a quick mapping between node infection models and diffusion dynamics.

Table 2.5

Classification of Node Infection Models

| Infection Model | Explanation | Malware Types |
|---|---|---|
| SI | Simple epidemic spreading | p2p or group spreading |
| SIR | Epidemic spreading with patching | p2p or group spreading |
| SIRD | Epidemic spreading with patching and killing | p2p or group spreading |
| SIS | Macroscopic epidemic propagation | p2p or group propagation |
| SISR | Macroscopic epidemic propagation with patching | p2p or group propagation |

Fig. 2.1 presents some examples of node infection models with the corresponding applicable node states that may be encountered in practical scenarios. These models may differ considerably in terms of the system behavior and they can describe radically different application scenarios. In the rest of the book, we will study most of them, explaining in detail the setting in which each of these models emerges, and how effective the modeling of malware diffusion is.
FIGURE 2.1 Examples of node infection models of interest.
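
The node infection models of this section and the spreading/propagation distinction of Section 2.1.2 can be exercised together in a small discrete-time simulation; the following is an added example, not code from the book. The per-step probabilities (`beta`, `recover`, `lose_immunity`, `die`), the synchronous update rule, and the constructed chain topology `CHAIN` are assumptions made for illustration.

```python
import random

# Post-infection transitions of each node infection model in Section 2.3:
# state -> list of (next_state, name of the per-step probability parameter).
# S -> I is not listed because it is driven by contact with infectious
# neighbours. The parameter names are hypothetical, chosen for this example.
MODELS = {
    "SI":   {},                                   # I is absorbing
    "SIR":  {"I": [("R", "recover")]},
    "SIS":  {"I": [("S", "recover")]},
    "SIRS": {"I": [("R", "recover")], "R": [("S", "lose_immunity")]},
    "SIRD": {"I": [("R", "recover"), ("D", "die")]},
}

# Constructed sample topology: attacker "a" attached to a chain of four
# legitimate nodes,  a - 0 - 1 - 2 - 3.
CHAIN = {"a": {0}, 0: {"a", 1}, 1: {0, 2}, 2: {1, 3}, 3: {2}}


def simulate(adj, attackers, model, steps, beta, rates=None,
             propagative=True, seed=0):
    """Simulate one node infection model on a contact graph.

    adj         -- dict: node -> set of neighbours (undirected graph)
    attackers   -- malicious nodes; always infectious, never change state
    beta        -- per-step infection probability per infectious neighbour
    rates       -- dict of per-step transition probabilities (see MODELS)
    propagative -- True: infected legitimate nodes also infect their peers
                   ("propagation"); False: only attackers infect ("spreading")
    Returns (history, ever_infected): state counts of the legitimate nodes
    after each step (index 0 is the initial state) and the set of legitimate
    nodes that were infected at least once.
    """
    rng = random.Random(seed)
    rates = rates or {}
    transitions = MODELS[model]
    state = {n: "S" for n in adj if n not in attackers}
    ever_infected = set()

    def counts():
        c = {"S": 0, "I": 0, "R": 0, "D": 0}
        for s in state.values():
            c[s] += 1
        return c

    history = [counts()]
    for _ in range(steps):
        new_state = dict(state)      # synchronous update from the old states
        for node, s in state.items():
            if s == "S":
                # Number of neighbours able to infect this node right now.
                k = sum(1 for nb in adj[node]
                        if nb in attackers
                        or (propagative and state.get(nb) == "I"))
                if k and rng.random() < 1.0 - (1.0 - beta) ** k:
                    new_state[node] = "I"
                    ever_infected.add(node)
            elif s in transitions:
                # Competing transitions out of s: pick at most one.
                u, acc = rng.random(), 0.0
                for nxt, rate_name in transitions[s]:
                    acc += rates.get(rate_name, 0.0)
                    if u < acc:
                        new_state[node] = nxt
                        break
        state = new_state
        history.append(counts())
    return history, ever_infected


if __name__ == "__main__":
    demo = {"SI": {}, "SIR": {"recover": 0.3}, "SIS": {"recover": 0.3},
            "SIRS": {"recover": 0.3, "lose_immunity": 0.1},
            "SIRD": {"recover": 0.2, "die": 0.1}}
    for name, r in demo.items():
        for prop in (False, True):
            hist, _ = simulate(CHAIN, {"a"}, name, 20, beta=0.5, rates=r,
                               propagative=prop, seed=1)
            print(name, "propagation" if prop else "spreading", hist[-1])
```

In the nonpropagative runs only node 0, the attacker's direct neighbour, can ever leave the susceptible state, while the propagative runs let the outbreak travel down the chain.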

¹ The word diffusion is derived from the Latin word, “diffundere,” which means “to spread out,” i.e. move from an area of high concentration to an area of low concentration.

² A random walk is a mathematical formalization of a path that consists of a succession of random steps. For example, the path traced by a molecule as it travels in a liquid or a gas, the search path of a foraging animal, the price of a fluctuating stock and the financial status of a gambler can all be modeled mathematically as random walks.

³ Depending on the structure and objective of a complex communication network, more types of nodes may be defined with respect to malware diffusion, as will be discussed later in the chapter.

⁴ Such operating system holes are usually denoted by the term ‘vulnerabilities’.

⁵ In 2011, 428 million new mobile devices were sold, representing 25% of all mobile devices at the time [195].
