SCIRD: Revealing Infection of Malicious Software in Edge Computing-Enabled IoT Networks

1  Introduction

Internet of Things (IoT) networks have experienced rapid development in areas such as smart cities, smart health, and smart transportation. Such networks have characteristics such as node mobility, node heterogeneity, link heterogeneity, and topology diversity [1]. Facing these characteristics and the large data processing demands brought by the explosive growth of IoT nodes, edge computing has become an emerging network architecture that provides powerful computing capabilities and good service functions to support IoT applications [2–4]. In this manner, Edge Computing-enabled IoT (ECIoT) architecture brings computation, storage, and analytic capabilities closer to the data source, enabling real-time decision-making and reducing the latency of data transmission to cloud-based systems [5]. However, ECIoT nodes (ECIoTNs) with distributed and interconnected nature involve security vulnerabilities [6] introduced by malicious software such as Trojans, spyware, viruses, worms, rootkits, etc. Each type of malicious software has certain characteristics and infiltrates the ECIoT through different methods [7]. Incidents of significant losses caused by the spread of malicious software are not uncommon in society [8]. In November 2022, a new type of ransomware attacked the Australian insurance giant Medibank, which affected the personal information of 9.7 million customers, involving multiple sectors such as healthcare institutions and government departments [9]. The attackers typically spread malicious software to victims’ systems through email attachments or network vulnerabilities, and then demanded ransom to decrypt the infected files. The ransomware attack has caused significant financial losses and leads to data breaches and system paralysis. In the same year, the Bank of Zambia was hit by ransomware attacks, causing disruptions in some systems, threatening crucial financial data and impacting its normal operations and financial system stability, and resulting in certain negative effects on the country’s economy. These two attacks resulted in many organizations facing the risks of data loss, business disruptions, and substantial financial losses [10].

Recent research shows that malicious software in ECIoT is capable of spreading itself and has become a major factor affecting ECIoT security [11]. Once malicious software exploits vulnerabilities in ECIoTNs and spreads widely in the ECIoT, it can eavesdrop on ECIoTNs data and even cause ECIoTNs to completely lose their functionality by depleting their energy sources [12,13]. This seriously affects the availability, confidentiality, and stability of ECIoT services. Therefore, it is urgent to study the infection behavior and influencing factors of malicious software in ECIoT and provide methods for analyzing the stability of the infection model of malicious software in ECIoT [14].

The goal of the current work is to explore the spread rule of malicious software within ECIoTNs and propose strategies to prevent and inhibit its spread. It also proposes a malicious software infection model that integrates the expected probability of malicious software infection behavior by extending epidemic theory [15]. Subsequently, we study the stability of this model and finally obtain results that can reveal the infection mechanism of malicious software in ECIoT. By integrating insights from previous research, this study makes an effort to provide a comprehensive analysis of malicious software spreading dynamics in ECIoT networks and offer valuable insights for designing effective security countermeasures.

Here are our contributions:

(1) An epidemiology-based Susceptible-Curb-Infectious-Removed-Dead (SCIRD) model is proposed, which studies the characteristics of malicious software propagation in ECIoT networks by considering node heterogeneity, link heterogeneity, and topology structure heterogeneity. The model extends the Markov chain to study the state transition of ECIoTNs.

(2) The differential equations of the SCIRD model are derived, which represent the proportion dynamics of different compartments, namely S, C, I, R, and D, in the SCIRD model at various extents.

(3) Equilibrium states in the SCIRD model are demonstrated. Therefore, the conditions to determine whether malicious software will spread or die out in ECIoT networks can be obtained to guide the security mechanism defending malicious software propagation.

The key contributions of this paper are as follows. The application of the proposed SCIRD model can help researchers gain a deeper understanding of the propagation mechanism of malicious software in ECIoT networks, including characteristics such as propagation speed, range, and pathways, which will provide a more systematic and comprehensive perspective for the analysis, prediction, and formulation of strategies to combat malicious software propagation. Such a model can facilitate a better understanding and control of malicious software propagation behavior, contributing to enhancing security alertness and preventive capabilities of ECIoT networks. Moreover, our model can be extended to one considering different types of network topologies such as random, small-world, and scale-free networks to study the dynamics and patterns of malicious software propagation in different network structures.

The remaining sections of this paper are structured as follows. In Section 2, we examine the current state of research and put forth several issues that need to be addressed regarding the propagation of malicious software in ECIoT networks. In Section 3, we build a state graph for ECIoTNs infected by malicious software, taking into consideration the distinctive characteristics of current malicious software propagation, and propose the SCIRD model. Section 4 is dedicated to demonstrating equilibrium states of the SCIRD model, calculating the fundamental reproduction number, and affirming the model stability. Moving forward, in Section 5, we propose an algorithm using Matlab, and conduct experiments to validate the stability of equilibrium points. Finally, in Section 6, we provide a summary of the paper. Fig. 1 shows the paper workflow providing sufficient visual aids to guide readers through the various phases and steps of the work.

Figure 1: Paper workflow diagram

2  Related Work

The propagation of malicious software in the context of ECIoT bears certain similarity to infectious diseases to some extent [16]. Common epidemic models are classified based on the type of infectious diseases, such as the Susceptible-Infectious (SI) [17] and Susceptible-Infectious-Susceptible (SIS) [18] models. They can also be categorized based on the transmission mechanisms, including Partial Differential Equations (PDEs), Ordinary Differential Equations (ODEs), and network dynamics. For examples, the model STSIR (Social Internet of Things Susceptible-Infectious-Removed) was proposed to illustrate malicious software propagation among IoT nodes considering people behavior [19], however, the application of the model may require adjustments and validation in specific scenarios. By adding the state E (exposed), an SEIR (Susceptible-Exposed-Infectious-Removed) model was proposed to analyze the interval of logging, the number of friends in the list, and the influence of the malicious software’s initial spreading rate [20], but the fixed immunity assumption in the SEIR model may not accurately describe factors in the propagation of malicious software.

Some researchers have studied the spread of malicious software from different perspectives. Guo et al. [21] put forward a method to represent the impact of different network structures on virus transmission using growth curves. Li et al. [22] began to study the impact model of information dissemination in mobile social networks from a multi-role perspective. Li et al. [23] used structural optimization to control information diffusion in social networks. Wang et al. [24] proposed a new data-driven approach, based on intuitive assumptions, to enhance the detection of zombie networks. They utilized honeypots to simulate zombie network attacks on medical devices and assets connected to the IoT with healthcare settings. In addition to the above models, others include models twin-SIR (twin Susceptible-Infectious-Removed) [25], SLBRS (Susceptible-Latent-Breaking-out-Recovered-Susceptible) [26], SEIRS-QV (Susceptible-Exposed-Infected-Recovered-Susceptible with Quarantine and Vaccination) [27], SEIQ-VS (Susceptible-Exposed-Infected-Quarantine with Vaccination-Susceptible) [28], and SIQR (Susceptible-Infected-Quarantine-Removed) [29]. Wherein, the twin-SIR model lacks of consideration for real-world factors such as changes of node behavior and network structure. The SLBRS model is indeed novel when proposed, but, due to considering multiple factors, its complexity increases, its interpretability decreases, and it requires higher requirements for actual data. Both the SEIRS-QV and SEIQ-VS models consider a wide range of influencing factors, but they both require accurate parameter estimation and extensive data support. The SIQR model neglects some complex propagation dynamics, such as latency and immune details.

These models all add certain states to the original classical SIR (Susceptible-Infectious-Removed) or SI model, while considering the communication radius and node distribution density. Besides, worm viruses are also highly contagious in the IoT, so people have proposed various propagation models based on compartmental populations [30], specifically designed for heterogeneous and hierarchical networks incorporating human behaviors. At the same time, the dynamics of worm propagation in complex networks have been extensively modeled and studied, and it has been confirmed that the network topology has a significant impact on the worm propagation in such networks [31,32]. The researchers also proposed a propagation model for the defense of PLC-PC (Programmable Logic Controller-Personal Computer) worms in industrial networks [33]. In the meanwhile, Yang et al. presented a new VEIQS (Vaccination-Exposed-Infected-Quarantine-Susceptible) worm propagation model [34]. But the model typically assumes that propagation is unobstructed and does not take into account the impact of defensive measures. Table 1 summarizes some representative papers on the propagation of malicious software, and compares with our work to provide a brief overview for better understanding in terms of the model name, main contributions, projecting point, and weakness.

However, the above research still fails to address some problems related to the spread of ECIoT malicious software. One problem is how to describe the actual situation where an ECIoTN becomes ineffectual due to energy depletion, physical degradation, or malicious software attacks. The other problem is how to ascertain the conditions under which malicious software will spread or disappear in wireless hardware. Herein, considering the heterogeneity of communication connectivity among ECIoTNs, we address the first problem by adding two states, namely, the dead state and the suppressed state, to the traditional SIR model. Furthermore, we address the second problem by studying the equilibrium point stability of our non-homogeneous model and mathematically verifying the correctness of our theoretic results.

3  Designing a State Diagram for ECIoT with Malicious Software Infection

Viewed in terms of the network’s topology, we assume that the malicious software-infected ECIoT consists of M stationary ECIoTNs that are uniformly distributed across a two-dimensional region. Each ECIoTN is equipped with an omnidirectional antenna available for signal transmission. When an ECIoTN detects local data, it can forward this data to neighboring ECIoTNs located within its transmission range. These neighboring ECIoTNs then relay the data to their respective neighbors in an ongoing fashion.

Based on the characteristics of ECIoTNs, we develop a state diagram to represent the behavior of an ECIoTN within the malicious software-infected ECIoT. This can be analogized to an epidemiology-based model for malicious software propagation. In the state diagram, an ECIoTN is assigned to a single state that reflects its manner. We categorize an ECIoTN as state S if it exhibits its vulnerabilities but remains uninfected. When an ECIoTN is infected with malicious software but there exists security software that can contain the propagation of malicious software, it is classified as state C. When an ECIoTN becomes infected by malicious software and can transmit malicious software to neighboring nodes through data or control information, it transitions to state I. Upon applying security patches and achieving immunity to the current malicious software, an ECIoTN enters state R. An ECIoTN is assigned to state D when it becomes non-functional, either due to complete energy depletion or damage caused by malicious software. Thus, we extend the traditional SIR model to establish the SCIRD model, encompassing all the states of ECIoTNs within the malicious software-infected ECIoT.

As illustrated in Fig. 2, any ECIoTN within the network has the potential to undergo a state transition in reaction to external factors. This means that the current state of an ECIoTN can be altered due to external influences. When susceptible ECIoTNs become infected through the propagation of malicious software, not all nodes are necessarily affected, as a portion of nodes can successfully thwart the infection due to the presence of security software. This results in a transition of their state from S to C. However, security software is incapable of completely impeding the spread of malicious software. Furthermore, when infected ECIoTNs have the ability to transmit malicious software, their state transitions from S to I. Once a complete infection occurs, we employ patching of the security programs to treat the infected ECIoTNs, granting them immunity against known malicious software. This action leads to a state transition from I to R. Additionally, considering the mechanical nature of computers, any ECIoTN has the potential to transition to state D due to hardware malfunction or power depletion.

Figure 2: State diagram for an ECIoTN

We categorize the ECIoTNs based on their heterogeneous communication connectivity. Within the ECIoT, all ECIoTNs can be classified into L clusters, each characterized by the same degree of connectivity. For simplicity, we adopt a unified notation to represent both the cluster and its degree, where i∈{1,2,…,L} is used to denote the degree of cluster i. To simplify the description, we use Si(t), Ci(t), Ii(t), Ri(t), and Di(t) to represent the proportions of ECIoTNs in cluster i at time t that are in states S, C, I, R, and D, respectively. Clearly, we can derive alternative expressions for these quantities as

Si(t)+Ci(t)+Ii(t)+Ri(t)+Di(t)=1,(1)

Ii(0)=α,0<α<1,(2)

Ci(0)=Ri(t)=Di(t)=0,(3)

Si(0)=1−α,(4)

where α means the initial proportion of ECIoTNs assigned to cluster i in state I.

Let Ffgi denote the feasibility of an ECIoTN in cluster i∈{1,2,…,L} transforming its state from f∈{S,C,I,R,D} to g∈{S,C,I,R,D}. At time t, an ECIoTN assigned to cluster i∈{1,2,…,L} in state S meets one or more infectious ECIoTNs with feasibility Ei(t):

Ei(t)=1⟨ad⟩∑i=1LδiϑiIi(t).(5)

Here, ⟨ad⟩ represents the average degree of the ECIoTNs, δi represents the feasibility that an ECIoTN involves degree i, and ϑi represents the spread capability of an ECIoTN. These variables have the following conditions:

∑i=1Lδi=1,(6)

and

<ad>=∑i=1Liδi.(7)

Various equations for the spread capability that may be borrowed to ECIoTNs have been presented. Representative examples contain (1) ϑi=i [35]; (2) ϑi=AC [36], where AC is a fixed value; and (3) ϑi=φir/(1+ϕir) [37], with three variables: φ, r, and ϕ.

Up to this point, we have established the dynamics of all states. At time t, an ECIoTN assigned to cluster i∈{1,2,…,L} in state C becomes I, R, and D at proportions FCIiCi(t), FCRiCi(t), and FCDiCi(t), respectively. An ECIoTN assigned to cluster i∈{1,2,…,L} in state I becomes D at the proportion FIDiIi(t). An ECIoTN assigned to cluster i∈{1,2,…,L} in state R becomes D at the proportion FRDiRi(t). Furthermore, certain malfunctioning ECIoTNs that are irreparable need to be substituted with new ones to ensure the proper functioning of the entire ECIoTN. This manner leads to increasing the proportion τ to the proportion Si(t). As a result, we can achieve our SCIRD model characterizing the proportions of ECIoTNs assigned to cluster i∈{1,2,…,L} in states S, C, I, R, D using differential equations, as follows:

{dSi(t)dt=τ+FRSiRi(t)+FCSiCi(t)−FSIiEi(t)Si(t)−FSDiSi(t)Si(0)=1−α,(8)

{dCi(t)dt=FICiIi(t)−FCSiCi(t)−FCRiCi(t)−FCDiCi(t)Ci(0)=0,(9)

{dIi(t)dt=FSIiEi(t)Si(t)−FICiIi(t)−FIDiIi(t)Ii(0)=α,(10)

{dRi(t)dt=FCRiCi(t)−FRSiRi(t)−FRDiRi(t)Ri(0)=0,(11)

{dDi(t)dt=FSDiSi(t)+FIDiIi(t)+FCRiCi(t)+FRDiRi(t)−τDi(0)=0,(12)

satisfying equations

∀t,Si(t),Ii(t),Ci(t),Ri(t),Di(t)≥0,

Si(t)+Ci(t)+Ii(t)+Ri(t)+Di(t)=1,(13)

0<α<1.

4  Stability Analysis of the SCIRD Model for ECIoT with Malicious Software Infection

4.1 Steady States

Our main focus is to determine the steady states of our SCIRD model for ECIoT with malicious software infection, enabling us to identify the critical thresholds at which malicious software will either spread or die out within the ECIoTNs.

Theorem 1. There exist steady states in the SCIRD model including Eqs. (8)–(13) for ECIoT with malicious software infection.

Proof. Once the SCIRD attains its steady states, the proportional changes in all state variables cease. This indicates that all differential Eqs. (8)–(12) equal to zero. Therefore we obtain

{τ+FRSiRi(t)+FCSiCi(t)−FSIiEi(t)Si(t)−FSDiSi(t)=0FICiIi(t)−FCSiCi(t)−FCRiCi(t)−FCDiCi(t)=0FSIiEi(t)Si(t)−FICiIi(t)−FIDiIi(t)=0FCRiCi(t)−FRSiRi(t)−FRDiRi(t)=0FSDiSi(t)+FIDiIi(t)+FCRiCi(t)+FRDiRi(t)−τ=0(14)

At the same time, we can define two steady states: Γ1(Si1,Ci1,Ii1,Ri1,Di1) and Γ2(Si2,Ci2,Ii2,Ri2,Di2). Here,

Si1=τFSDi,(15)

Ci1=0,(16)

Ii1=0,(17)

Ri1=0,(18)

Di1=1−τFSDi,(19)

Si2=FICi+FIDiFSIiZi(t),(20)

Ii2=(FRSi+FRDi)(FICi+FCRi+FCDi)(FSDi(FICi+FIDi)−τFSIiZi[FSIiZi((FCSi+FCRi+FCDi)(FRSi−(FRSi+FRDi)(FICi+FCRi+FCDi)(FICi+FIDi))+FRSiFCRiFIDi+(FRSi+FRDi)FCSiFIDi)],(21)

Ci2=FICiFCSi+FCRi+FCDi∗Ii2,(22)

Ri2=FCRiFRSi+FRDi∗FICiFCSi+FCRi+FCDi∗Ii2,(23)

Di2=1−Si2−Ci2−Ii2−Ri2,(24)

Zi=1⟨ad⟩∑i=1Lδiϑi.(25)

This completes the proof.

According to epidemiological theory, steady state Γ1 obtained from Theorem 1 is referred to the malicious software-free equilibrium, while Γ2 is denoted as the endemic equilibrium. These equilibria serve as analytical tools to examine the dynamics of the SCIRD model of ECIoTNs exposed to malicious software infection. At steady state Γ1, the value of the proportion Ii1 is zero, indicating the disappearance of malicious software. Conversely, when an ECIoT reaches Γ2, the value of the proportion Ii2 is greater than zero, representing the spread of malicious software.

In summary, at steady state Γ1, malicious software within the ECIoT would eventually vanish. However, if the ECIoT is in Γ2, malicious software would continue to propagate, leading to a persistent infection ratio within the ECIoTNs, and eventually reaching a steady level of contagion. In the context of practical defense and control processes of malicious software in IoT networks, administrators should strive for the steady state Γ1. The continuous patching of security programs by administrators helps suppress the spread of malicious software. Moreover, it is crucial to avoid the steady state Γ2, which represents the proliferation of malicious software. As malicious software ultimately infects a proportion of ECIoTNs, it imposes significant damage on the usual functioning of ECIoT networks.

4.2 Fundamental Reproduction Number

In order to explore dynamical characteristics of the proposed SCIRD model, our current focus is on determining the fundamental reproduction number denoted by ω using the next-generation matrix method [38], which guides the steady state. This number serves as a measure to quantify the proportion of vulnerable ECIoTNs that are susceptible to the impact of malicious software throughout their lifecycle. Generally, when ω<1, there exists a steady state indicating the eventual disappearance of malicious software. In other words, within all susceptible ECIoTNs, each infectious ECIoTN fails to infect more than a single new individual. However, when ω>1, an endemic steady state persists, signifying the continuous existence of malicious software in the infected ECIoTNs, as each infectious ECIoTN infects more than one susceptible ECIoTN.

Subsequently, we proceed to calculate the fundamental reproduction number ω, utilizing the next-generation matrix technique. Let

[fI]=[FSIiEi(t)Si(t)](26)

and

[vI]=[FICiIi(t)+FIDiIi(t)].(27)

We achieve

F=[∂fI∂Ii(t)]Γ1=[FSIiSi1Zi](28)

and

V=[∂vI∂Ii(t)]Γ1=[FICi+FIDi].(29)

Then, we can obtain the fundamental reproduction number ω as

ω=ρ(FV−1)=FSIiτZiFSDi(FICi+FIDi).(30)

4.3 Analysis of Equilibrium Point Stability

Now we will perform stability analysis on the equilibrium points in the model to investigate whether the model displays the characteristics of viral contagion. Assessing the stability of an equilibrium point involves determining whether the system’s key conditions associated with that point lead trajectories to converge towards it over time, indicating stability. Conversely, if an equilibrium point is deemed unstable, the trajectories will diverge away from it as time progresses.

The SCIRD model, which includes Eqs. (8)–(13) for malicious software-infected ECIoTNs, can be simplified to a set of differential equations containing Eqs. (8)–(11). Besides, Eq. (12) can be replaced by Di(t)=1−Si(t)−Ci(t)−Ii(t)−Ri(t) and can be neglected. Therefore, our focus will be on examining the stability characteristics of the SCIRD model, which encompasses Eqs. (8)–(11).

Theorem 2. If ω<1, steady equilibrium state Γ1(Si1,Ci1,Ii1,Ri1,Di1) is locally stable in the long run, however, if ω>1, it is unstable.

Proof. In accordance with the stability theory for ordinary differential equations, we begin by calculating Jacobian matrix J [39] associated with the SCIRD model, which is represented by

J=[∂S˙i(t)∂Si(t)∂S˙i(t)∂Ci(t)∂S˙i(t)∂Ii(t)∂S˙i(t)∂Ri(t)∂C˙i(t)∂Si(t)∂C˙i(t)∂Ci(t)∂C˙i(t)∂Ii(t)∂C˙i(t)∂Ri(t)∂I˙i(t)∂Si(t)∂I˙i(t)∂Ci(t)∂I˙i(t)∂Ii(t)∂I˙i(t)∂Ri(t)∂R˙i(t)∂Si(t)∂R˙i(t)∂Ci(t)∂R˙i(t)∂Ii(t)∂R˙i(t)∂Ri(t)](31)

=[−FSIiEi(t)−FSDiFCSi−FSIi(t)ZiSi(t)FRSi0−(FCSi+FCRi+FCDi)FICi0FSIiEi(t)0FSIiZiSi(t)−FICi−FIDi00FCRi0−FRSi−FRDi].

Furthermore, we compute the Jacobian matrix at the equilibrium point representing the absence of malicious software Γ1(Si1,Ci1,Ii1,Ri1,Di1) as

J(Γ1)=[−FSDiFCSi−FSIiZiSi1FRSi0−(FCSi+FCRi+FCDi)FICi000FSIiZiSi1−FIDi−FICi00FCRi0−FRSi−FRDi].(32)

Let λ represent an eigenvalue and H denote the identity matrix. We can compute the eigenfunction of matrix J(Γ1) using the following calculation:

|λH−J(Γ1)|=[λ+FSDi−FCSiFSIiZiSi1−FRSi0λ+FCSi+FCRi+FCDi−FICi000λ−FSIiZiSi1+FIDi+FICi00−FCRi0λ+FRSi+FRDi].(33)

Therefore, we can obtain all the eigenvalues:

λ1=−FSDi,(34)

λ2=−FCSi−FCRi−FCDi,(35)

λ3=FSIiZiSi1−FIDi−FICi=(FIDi+FICi)(ω−1),(36)

λ4=−FRSi−FRDi.(37)

From the above formula derivation, we can deduce that λ1<0 and λ4<0 only if ω<1. Thus, if ω<1, steady equilibrium state Γ1(Si1,Ci1,Ii1,Ri1,Di1) is locally asymptotically stable, however, if ω>1, it is unstable. At this point, we have completed the proof.

According to Theorem 2, when ω<1, the proportions of ECIoTN cluster i∈{1,2,…,L} in state S, C, I, R, and D will evolve over time to approach Si1, 0, 0, 0, and Di1, respectively.

Theorem 3. If ω>1, steady equilibrium state Γ2(Si2,Ci2,Ii2,Ri2,Di2) is locally asymptotically stable.

Proof. We rescript Ci2, Ii2 and Ri2 as

Ci2=(FRSi+FRDi)(FICi+FCRi+FCDi)(FICi+FIDi)FSDi[FSIiZi((FCSi+FCRi+FCDi)(FRSi−(FRSi+FRDi)(FICi+FCRi+FCDi)(FICi+FIDi))+FRSiFCRiFIDi+(FRSi+FRDi)FCSiFIDi)]

∗FICiFCSi+FCRi+FCDi∗(ω−1),(38)

Ii2=(FRSi+FRDi)(FICi+FCRi+FCDi)(FICi+FIDi)FSDi[FSIiZi((FCSi+FCRi+FCDi)(FRSi−(FRSi+FRDi)(FICi+FCRi+FCDi)(FICi+FIDi))+FRSiFCRiFIDi+(FRSi+FRDi)FCSiFIDi)]

∗(ω−1),(39)

Ri2=(FRSi+FRDi)(FICi+FCRi+FCDi)(FICi+FIDi)FSDi[FSIiZi((FCSi+FCRi+FCDi)(FRSi−(FRSi+FRDi)(FICi+FCRi+FCDi)(FICi+FIDi))+FRSiFCRiFIDi+(FRSi+FRDi)FCSiFIDi)]

∗FICiFCSi+FCRi+FCDi∗FCRiFRSi+FRDi∗(ω−1).(40)

As a matter of course, Si2, Ii2 and Ri2 are all greater than 0 when ω>1. This implies that if ω>1, a local equilibrium Γ2(Si2,Ci2,Ii2,Ri2,Di2) exists. Using Eq. (30), it can be concluded that the Jacobian matrix at the endemic equilibrium Γ2(Si2,Ci2,Ii2,Ri2,Di2) as

J(Γ2)=[−FSIiZiIi2−FSDiFCSi−FSIi(t)ZiSi2FRSi0−(FCSi+FCRi+FCDi)FICi0FSIiZiIi20FSIiZiSi2−FICi−FIDi00FCRi0−FRSi−FRDi].(41)

It can be obtained in the same way that the eigenfunction of matrix J(Γ2) as

|λH−J(Γ2)|=[λ+FSIiZiIi2+FSDi−FCSiFSIiZiSi2−FRSi0λ+FCSi+FCRi+FCDi−FICi0−FSIiZiIi20λ−FSIiZiIi2Si2+FIDi+FICi00−FCRi0λ+FRSi+FRDi] =λ4+(FSIiZiIi2+FSDi+FCSi+FCRi+FCDi−FSIiZiIi2Si2+FIDi+FICi+FRSi+FRDi)λ3 +[(FSIiZiIi2+FSDi)(FCSi+FCRi+FCDi)+(FSIiZiIi2Si2+FIDi+FICi)(FRSi+FRDi)+(FSIiZiIi2+FSDi) (−FSIiZiIi2Si2+FIDi+FICi)+(FSIiZiIi2+FSDi)(FRSi+FRDi)+(FCSi+FCRi+FCDi)(−FSIiZiIi2Si2+FIDi+FICi) +(FCSi+FCRi+FCDi)(FRSi+FRDi)]λ2+[(FSIiZiIi2+FSDi)(FCSi+FCRi+FCDi)(−FSIiZiIi2Si2+FIDi+FICi) +(FSIiZiIi2+FSDi)(FCSi+FCRi+FCDi)(FRSi+FRDi)+(FCSi+FCRi+FCDi)(−FSIiZiIi2Si2+FIDi+FICi) (FRSi+FRDi)]λ+(FSIiZiIi2+FSDi)(FCSi+FCRi+FCDi)(FRSi+FRDi)(−FSIiZiIi2Si2+FIDi+FICi)(42)

≜λ4+b3λ3+b2λ2+b1λ+b0.

Clearly, it is infeasible to determine all the eigenvalues of matrix J(Γ2) directly from Eq. (41). Thus, the spread of malicious software within a compromised ECIoTN will be ongoing, and the proportion of contagious ECIoTN nodes will ultimately stabilize. It is evident that we are supposed to strive to avert this scenario by regulating the values of ECIoTN purview.

Given a quartic polynomial expression, we can determine its positivity by inspecting the discriminant, denoted as Δ. Here we can obtain that

Δ =b32−4b2=(FSIiZiIi2+FSDi+FCSi+FCRi+FCDi−FSIiZiIi2Si2+FIDi+FICi+FRSi+FRDi)2 −4[(FSIiZiIi2+FSDi)(FCSi+FCRi+FCDi)+(FSIiZiIi2Si2+FIDi+FICi)(FRSi+FRDi)+(FSIiZiIi2+FSDi) (−FSIiZiIi2Si2+FIDi+FICi)+(FSIiZiIi2+FSDi)(FRSi+FRDi)+(FCSi+FCRi+FCDi) (−FSIiZiIi2Si2+FIDi+FICi)+(FCSi+FCRi+FCDi)(FRSi+FRDi)](43)

Through simulation, we attain that the discriminant Δ is negative. This implies that the quadratic term has no real roots, resulting in no intersections between the curve and the x-axis. Thus, the function is either always positive or always negative, ensuring it is strictly positive. As the coefficient in front of λ4 is 1, and based on the proof above, we can conclude that the entire polynomial is always greater than 0. Therefore, we have successfully completed the proof.

According to Theorem 3, when ω>1, the proportions of ECIoTN nodes i∈{1,2,…,L} in states S, C, I, R, and D will evolve over time to approach Si2, Ci2, Ii2, Ri2, and Di2, respectively. As a result, the propagation of malicious software within the infected ECIoTNs will be ongoing, and the ratio of infected ECIoTNs will ultimately reach a steady state. It is apparent that we should strive to prevent this scenario by manipulating the ECIoTN parameters’ values.

5  Experiments

To confirm the SCIRD model for malicious software-infected ECIoTNs, we implemented the model using MATLAB R2022a. The computational algorithm, Algorithm 1, was utilized for this purpose.

In the simulation program of MATLAB, the ECIoT network consists of 1500 static ECIoTNs. The interval Δt is 1d. We establish the ECIoTN topology and determine the values of the remaining parameters by consulting other research. In this case, we set the range of degrees to be between 2 and 20, with an average value of 4. Additionally, the infection rate is set as a function of the degree, denoted as FSIi=ξi, and ξ=0.01.

5.1 Assessing Stability of the Equilibrium State in the Absence of Malicious Software

In this part, we verify the correctness of Theorem 2 by setting various infection capacities.

5.1.1 Equal Infectivity

Here, the infection capacity ϑi is configured as ϑi=φir/(1+ϕir), where φ=5, r=0.5, and ϕ=1 [40]. Therefore, we calculate the mean value of FSIiZi as ∼0.1727. The remaining values are adjusted as follows: τ=0.025, FRSi=0.008, FSDi=0.13, FIDi=0.05, FCRi=0.26, FICi=0.12, FRDi=FSDi=FCDi, and FRSi=FCSi. Based on the calculations, we obtain the ω≈0.1954<1. With the conditions of Theorem 2 fulfilled, we can proceed to verify its correctness using Algorithm 1.

Fig. 3 describes the changing tendency of susceptible ECIoTNs under the circumstance of Theorem 2 for α=0.05,α=0.15, and α=0.2. In Fig. 2, the trajectory of the proportion of ECIoNs in the susceptible state, Si(t), exhibits different trends for various values of α, specifically, 0.8, 0.85, and 0.95. After ∼20d, all three curves decline rapidly and eventually stabilize at approximately 20% reduction. In other words, Si(t) approaches a stable point, denoted as Γ1(Si1,Ci1,Ii1,Ri1,Di1), with an Si1 value of 0.2.

Figure 3: Changing tendency of susceptible ECIoTNs under the circumstance of Theorem 2 for α=0.05,α=0.15, and α=0.2

Figs. 4–7 depict the changing tendency of curb, infectious, removed, and dead ECIoTNs under the circumstance of Theorem 2 for α=0.05,α=0.15, and α=0.2. The changing trends of the proportions of ECIoTNs in states C, I, R, and D, denoted as Ci(t), Ii(t), Ri(t), and Di(t), respectively, remain consistent across different values of α. In Fig. 4, the proportion of curb ECIoTNs exhibits minor changes in the first ∼15d, followed by a gradual increase to 17%, 37%, and 48% in subsequent periods. Afterwards, it gradually decreases and eventually approaches 5%. This is consistent with the value of Ci(t) in the stable point Γ1(Si1,Ci1,Ii1,Ri1,Di1). In Fig. 5, its changing trend is similar to Fig. 3. It remains constant for the first ∼20d and then gradually decreases, eventually approaching zero. This is consistent with the value of Ii(t) in the stable point Γ1(Si1,Ci1,Ii1,Ri1,Di1). In Fig. 6, the proportion of removed ECIoTNs exhibits minor changes in the first ∼20d, followed by a gradual increase to 13%, 25%, and 32% in subsequent periods. Afterwards, it gradually decreases and eventually approaches 5%. This is consistent with the value of Ri(t) in the stable point Γ1(Si1,Ci1,Ii1,Ri1,Di1). In Fig. 7, the proportion of dead ECIoTNs exhibits minor changes in the first ∼15d, and then it gradually increases and approaches 80%. This is consistent with the value of Di(t) in the stable point Γ1(Si1,Ci1,Ii1,Ri1,Di1).

Figure 4: Changing tendency of curb ECIoTNs under the circumstance of Theorem 2 for α=0.05,α=0.15, and α=0.2

Figure 5: Changing tendency of infectious ECIoTNs under the circumstance of Theorem 2 for α=0.05,α=0.15, and α=0.2

Figure 6: Changing tendency of removed ECIoTNs under the circumstance of Theorem 2 for α=0.05,α=0.15, and α=0.2

Figure 7: Changing tendency of dead ECIoTNs under the circumstance of Theorem 2 for α=0.05,α=0.15, and α=0.2

5.1.2 Diverse Infectivity

Apart from the infectivity factor ϑi=φir/(1+ϕir) in Section 5.1.1, we come up with different infection capacities: ϑi=i and ϑi=AC, where AC is a fixed value. When keeping the values of other parameters unchanged, for ϑi=i, we obtain FSIiZi≈0.25 and ω≈0.2828, and for ϑi=AC=2, we obtain FSIiZi≈0.1 and ω≈0.1131. Clearly, both of the fundamental reproduction numbers are less than 1, demonstrating their compliance with the conditions outlined in Theorem 2.

In Figs. 8–12, while there are variations in the peak values of the curves, the proportions of susceptible, curb, removed, and dead ECIoTNs ultimately converge to Si1, Ci1, Ri1, and Di1, respectively. Furthermore, Ii1→0 irrespective of the diverse infection capabilities, it can be observed that the malicious software within the ECIoTNs becomes extinct after ~70d.

Figure 8: Changing tendency of susceptible ECIoTNs under the circumstance of Theorem 2 with diverse infection capabilities

Figure 9: Changing tendency of curb ECIoTNs under the circumstance of Theorem 2 with diverse infection capabilities

Figure 10: Changing tendency of infectious ECIoTNs under the circumstance of Theorem 2 with diverse infection capabilities

Figure 11: Changing tendency of removed ECIoTNs under the circumstance of Theorem 2 with diverse infection capabilities

Figure 12: Changing tendency of dead ECIoTNs under the circumstance of Theorem 2 with diverse infection capabilities

By conducting experiments under the equal infection capacity as well as diverse infection capacity, we have successfully validated Theorem 2. These experiments offer compelling evidence that the malicious software residing in infected ECIoTNs will ultimately be eliminated.

When the conditions for Theorem 2 are satisfied, although malicious software infects a large number of ECIoTNs from the beginning, it is crucial to strive for the stable conditions of an equilibrium without malicious software. This phenomenon can be attributed to the stability of the system, which guarantees that the infected ECIoTNs will be cleared of malicious software, even in the presence of new outbreaks.

5.2 Confirming Stability of Endemic Equilibrium

In this case, we will employ a similar approach as in Section 5.1 to confirm the validity of Theorem 3, utilizing two distinct scenarios: equal infectivity and diverse infectivity.

5.2.1 Equal Infectivity

During the verification process, all values except φ=10 [41] are set to be the same as those in Section 5.1. In this case, we can obtain FSIiZi as ∼0.3454. At the same time, we set τ=0.05,FSDi=0.02, FIDi=0.15, and FRSi=0.01. At this point, ω≈3.1981>1, which satisfies the experimental data requirements of Theorem 3.

Figs. 13–17 depict the the changing tendency of susceptible, curb, infectious, removed and dead ECIoTNs under the circumstance of Theorem 3 for α=0.05,α=0.15, and α=0.2. In Fig. 13, the changing tendency of the proportion of ECIoTNs in state S, denoted as Si(t), varies under different values of α. When α is 0.05, Si(t) decreases slowly, reaching around 93% before gradually increasing and approaching 100% to stabilize. On the other hand, when α is 0.15 and 0.2, Si(t) decreases to their respective minimum values of approximately 82% and 76% before slowly increasing towards 100% and stabilizing in its vicinity. In other words, Si(t) ultimately converges to the Si2 value of 1 in the stable point Γ2(Si2,Ci2,Ii2,Ri2,Di2).