Whether in practice the worm can indeed inflict the maximum damages developed in this section depends on implementability of the optimal strategies. Specifically, if the optimal policies that inflict the maximum damage are complex to execute, then the worm may not be able to perform them since they are limited by the capabilities of their resource constrained hosts as well. Inauspiciously though, we show that optimal attack strategies follow simple structures (
Theorem 6.1) which make them conducive to implementation.
Fig. 6.2 provides visualization of the theorem. Note that in the left figure, the patching only immunizes the susceptible nodes (
but
), while in the right figure, patching can equally immunize the susceptible and clean and immunize the infective nodes (
).
Recall that one of the basic tradeoff/s decisions that the attacker was dynamically faced with was the best timing to kill an infective node. Specifically, should an attacker kill a node as soon as it is infected so as to have claimed a casualty and secured a large damage on the network but losing the chance to further the spread? Or should it wait in anticipation of contacting new susceptible nodes and extend the contagion but at the risk of being detected and removed by the defender before it gets to destroy the host. Is the tradeoff broken by choosing an intermediate probability of killing the host?
Theorem 6.1 states not.
In words, an optimal
is of
bang-bang form, that is, it possesses only two possible values
and
, and switches abruptly between them. It has at most one such jump, which necessarily culminates at
. Thus, the theorem says that although killing a node early on would ensure a partial damage, the overall damage is more if this decision is deferred until toward the end of the attacking period despite the
risk of recovery of the infective nodes by the system. Specifically, at the start of the outbreak, the number of susceptible nodes is high and infective nodes can be used to further propagate the infection. As time passes by, the level of susceptible nodes drops due to both spread of infection and immunization effort by the system. At a certain threshold, the risk of recovery of the infective nodes in the remaining time outweighs the potential benefit by spreading the infection. At this point, whose exact value depends on the parameters of the case, the malware starts killing the nodes with maximum possible rate. This will ensure that infective nodes are maximally used for spread of the infection and for attacker’s malicious activities.
In summary,
Theorem 6.1 provides the optimal attack as follows: initially, the effort of the malware is focused on spreading the worm and amassing infective nodes without killing any. Subsequently, the reverse course of action is taken: at a threshold time, the amassed infected nodes are slaughtered at the highest rate which lasts till the end of the interval.
Note that the optimal killing policy (
) will be completely specified by the (only possible) jump points (trigger epoch). Given the flexibility provided by software-driven devices, the infective nodes can subsequently execute these strategies
without coordinating any further among themselves or with any central entity. The transition time can be determined by solving a system of differential equations, as described in the previous sections. Such systems can be solved very fast due to the existence of efficient numerical algorithms for solving differential equations, and the computation time is constant in that it does not depend on the number of nodes
. Note also that our algorithms do not require any local or global information as time progresses and only the initial information is sufficient to determine the decision of infective nodes for the entire interval.
Fig. 6.3 shows the effect of increasing the patching rates
and
on the trigger epoch. We observe that increasing the patching rate generally decreases the jump time. Intuitively, in a system with a large recovery rate, both the susceptible and infective nodes recover rapidly. Hence, the worm should start killing them earlier in order to not lose too many nodes in the competition with the network administrator to the pool of recovered. Note also that the starting time of the killing is sensitive to the value of recovery rate when the patching can impact both infective as well as susceptible nodes (
). This is because when
, once a node is infected, then it will not be recovered by the system and is safely in the tally of the worm, but when
, the worm is in competition with the system and excessively deferring the killing is ever more risky if the speed of recovery of the victims is increased.