Received March 20, 2020, accepted March 20, 2020, date of publication March 27, 2020, date of current

version April 20, 2020.

Digital Object Identifier 10.1109/ACCESS.2020.2983652

INVITED PAPER

Beyond Herd Immunity Against

Strategic Attackers
VILC QUEUPE RUFINO 1,2 , (Student Member, IEEE), LEANDRO PFLEGER DE AGUIAR 3 ,
DANIEL SADOC MENASCHÉ 1 , CABRAL LIMA 1 , ÍTALO CUNHA 4 ,
EITAN ALTMAN 5,6,10 , (Fellow, IEEE), RACHID EL-AZOUZI 5 , FRANCESCO DE PELLEGRINI 5,

ALBERTO AVRITZER 7 , AND MICHAEL GROTTKE 8,9 , (Member, IEEE)

1 Instituteof Mathematics, Federal University of Rio de Janeiro (UFRJ), Rio de Janeiro RJ 21941-590, Brazil
2 Brazilian Navy, Rio de Janeiro RJ 20010-000, Brazil
3 Siemens Corporate Technology, Princeton, NJ 08691, USA
4 Department of Computer Science, Federal University of Minas Gerais (UFMG), Belo Horizonte MG 31270-901, Brazil
5 Computer Science Lab (LIA/CERI), University of Avignon, 84911 Avignon, France
6 INRIA Sopia-Antipolis, University Cote D’Azur, 06902 Avignon, France
7 Esulab Solutions, Plainsboro, NJ 08536, USA
8 Global Data Science, GfK SE, 90443 Nürnberg, Germany
9 Chair of Statistics and Econometrics, Friedrich-Alexander-Universität Erlangen-Nürnberg, 90403 Nürnberg, Germany
10 Laboratory of Information, Network and Communication Sciences (LINCS), 75013 Paris, France

Corresponding author: Vilc Queupe Rufino (vilc.rufino@marinha.mil.br)

This work was supported in part by the THANES, a joint project between Brazil (FAPERJ) and France (INRIA), and in part by the Grant
from CAPES and CNPq as well as by the Dr. Theo and Friedl Schöller Research Center for Business and Society.

ABSTRACT Herd immunity, one of the most fundamental concepts in network epidemics, occurs when a
large fraction of the population of devices is immune against a virus or malware. The few individuals who
have not taken countermeasures against the threat are assumed to have very low chances of infection, as they
are indirectly protected by the rest of the devices in the network. Although very fundamental, herd immunity
does not account for strategic attackers scanning the network for vulnerable nodes. In face of such attackers,
nodes who linger vulnerable in the network become easy targets, compromising cybersecurity. In this paper,
we propose an analytical model which allows us to capture the impact of countermeasures against attackers
when both endogenous as well as exogenous infections coexist. Using the proposed model, we show that a
diverse set of potential attacks produces non-trivial equilibria, some of which go counter to herd immunity;
e.g., our model suggests that nodes should adopt countermeasures even when the remainder of the nodes has
already decided to do so.

INDEX TERMS Cybersecurity, denial-of-service attacks, network epidemics, network security.

I. INTRODUCTION of cybercriminality as a service. In fact, botnets are built in a

Malicious software, such as viruses, Internet worms, adware, silent way using epidemic malware diffusion to compromise
spyware and botnets [1], continuously threatens the Inter- millions of terminals by malicious codes (malware) and later
net stability posing a wide variety of challenges to system on perform actions without the knowledge of the legitimated
administrators and users. Viral models for the diffusion of owners. In the last decade, botnets have been leased as sup-
malicious software have been part of the mainstream research port infrastructure in order to perform various types of crim-
in network security to model the diffusion of computer worms inal activities including, e.g., Distributed Denial of Service
[2]–[6]. Such models are very convenient also to capture the (DDoS) [9] attack campaigns or ramsomware attacks, just
construction of large distributed attack networks known as to mention the most spectacular ones. Typically the attacker,
botnets [7], [8], which are pivotal for the emerging paradigm also called the botmaster, takes control of devices either com-
promising them using endogenous infections, i.e., from the
The associate editor coordinating the review of this manuscript and neighbors in a local network, or using exogenous infections
approving it for publication was Derek Abbott. operated from a remote network. Recently, botnets leverage

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 8, 2020 66365
 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

a lethal combination of social engineering and software vul- practical considerations. In fact, although countermeasures
nerabilities, where the infection of local machines is usually like vaccination or patching are very effective, they typically
performed using viral phishing attacks able to hijack a large cause collateral effects, such as system downtime or slow-
base of social network accounts [7], [10] and by leveraging down. In some cases, e.g., in industrial control systems [34],
trojans in order to take control of local machines. the resulting performance losses are unacceptable at the busi-
Models for virus propagation have been thoroughly studied ness level. Therefore, one needs to trade off the benefits of
since the seminal work of Kermack and McKendrick [11], applying such countermeasures against their corresponding
[12], mainly focusing on epidemic thresholds and immu- costs, given the probability of infection in the presence of
nization policies. In the last 20 years, new research lines in strategic attackers [15], [21].
computational epidemiology have unveiled the crucial role of A further major challenge in network security is the typ-
network topology in the propagation of epidemics [13], [14]. ically autonomous nature of decision making. Given that
As a consequence, in order to manage network security, sig- devices are interconnected, if the owner of a device or a group
nificant effort has been devoted to understand how computer of devices is not willing to pay for stringent countermeasures
viruses spread in a network, and how to efficiently design and thus decides to take the risks of contamination, neighbors
countermeasures able to mitigate such threats [15]–[17]. Tra- are directly impacted and other nodes may be indirectly
ditionally, many countermeasures account for herd immunity, affected [35]–[37]. Hence, decisions makers face a game in
a form of indirect protection of network nodes from infections which the countermeasure strategy selected by a given user
that occurs when a large percentage of devices becomes impacts the security landscape of the population as a whole.
immune to an infection, providing a measure of protection Cost–benefit analyses of vaccination programs usually
for individuals who are not immune [18]–[21]. account for the positive externality of vaccination [21], [38];
In fact, vaccination is one of the most prevalent counter- i.e., in a population where only a few individuals are not
measures against the spread of epidemics, since it reduces immune, these individuals benefit from the vaccination that
the fraction of vulnerable nodes [22], [23]. In the realm of the others have undergone. Hence, they have less incentive to
computer systems, however, there are light and heavyweight incur the relative costs of vaccination. Indeed, their rational
forms of vaccination. Lightweight vaccination is typically decision is to avoid the crowd, and ignore the vaccine. Such
performed through the update of anti-virus software. Such analyses, however, do not account for exogenous infections
updates are executed regularly, usually once a day or once caused by malicious and strategic attackers.
a week, giving rise to the so-called Internet security ‘‘cat and Nowadays, it is possible to scan the whole IPv4 space
mouse game’’. Actually, as soon as an anti-virus software in less than an hour, and efficiently detect a few vulnerable
update is released, by using dedicated bot update modules nodes [39], [40]. We refer to attackers performing such port
[24]–[27] botmasters change the signature code of the virus scans to find vulnerable nodes as strategic attackers, as they
and its behavior. Novel fully undetectable versions of the can strategically invest their attack budget towards vulnera-
virus are produced and the virus ultimately evolves through ble users. Vulnerable users, in turn, must follow the crowd,
multiple generations [28]–[30]. i.e., apply a countermeasure although most of the other users
New releases of anti-virus software need to cope with such have already done so.
virus evolution, also known as polymorphism. In this context, In this paper, we consider the problem of determin-
networked nodes are typically modeled using a susceptible- ing whether to invest in heavyweight forms of protection
infectious-susceptible (SIS) model [31], according to which accounting for positive and negative externalities of vaccina-
they switch over time between being susceptible (S) to the tion. Our goals are:
malware infection and being actually infected (I), and then 1) To compute the node infection probability in a network
susceptible again after malware removal. Ultimately, most as a function of the rates of endogenous and exogenous
anti-virus products are subscription-based and deploy regular infection; i.e., we assess the risks of not applying a
updates to anti-virus databases. stringent countermeasure.
Alternative countermeasures against viruses include very 2) To determine the system equilibria; i.e., given the rel-
stringent treatments, such as quarantine, e.g., the disconnec- ative vaccination costs and an estimate of the infec-
tion of nodes from the network, clean-state restarts with full tion probability, we determine the expected number of
operating system and firmware upgrades, or the execution of agents that incur the heavyweight relative vaccination
heavyweight anti-virus software [32], [33]. The latter may costs.
detect viruses more promptly compared to their lightweight To this aim, we propose a simple epidemic model, which
counterparts, at the expense of more significant CPU and extends the multiplicative SIS model and is amenable to
memory overhead. For all practical purposes, devices imple- steady-state closed-form solutions. We assume an attacker
menting such countermeasures can be assumed to be immune with a limited average infection budget of 3 infections per
to the target malware. time unit. Such power is uniformly distributed among N
Among the challenges faced by system administrators, nodes that the attacker identifies as vulnerable. Then, each
we focus on the dilemma involved in applying stringent of such nodes is subject to exogenous infections which occur
countermeasures, whose applicability is often limited by at rate 3/N . Such exogenous infections due to strategic

66366 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

attackers limited by a budget, investigated in this work, give In this work, we assume that a transition from an
rise to a rich set of novel insights in the realm of epidemic infected to a susceptible state occurs at nodes deploying
models. lightweight countermeasures. Those transitions reflect that an
We summarize our key contributions as follows. infected node, after lightweight countermeasures, becomes
1) Analytical model: We propose an analytical model susceptible again for new variants of the same malware. The
which captures positive and negative externalities use of the SIS model to capture those transitions is standard
associated with countermeasures in security games. in the literature of epidemic models applied to computer
It accounts for an attacker with a finite budget, lead- systems.
ing to a threat model wherein the exogenous infection The classical SIS epidemic model is borrowed from Biol-
rate per node decreases as the number of vulnerable ogy. As such, it captures the propagation of non-intentional
nodes grows. The model is simple and tractable, while viruses. Propagation of malware in a computer network,
still having expressive power to capture the trade- in contrast, must capture intentional and targeted infections,
offs related to the vaccination of networked nodes as pointed out in [8], [46], [47].
(Sections III-V); One way to capture strategic behavior is to extend the
2) Infection probability assessment: We provide sim- model by exogenous strategic infections. Exogenous infec-
ple closed-form expressions to approximate the infec- tions have previously been considered in the realm of bio-
tion probability as estimated by the proposed model. logical networks [42], [43], [48]. However, to the best of our
In particular, one of the proposed approximations is knowledge there is no prior epidemic model using exogenous
based on Newton’s Approximation Method (NAM). infections to account for strategic attackers with a finite attack
The accuracy of the approximation can be arbitrarily budget. In particular, attackers that can scan the whole net-
increased at the expense of additional computational work in a few hours have been considered by the security
cost (Section VI and Appendix A); community from a systems-oriented standpoint [39], [49],
3) Vaccination game and analysis of equilibria: We [50] but not from an epidemics point of view. One of our
pose a vaccination game in which each player selects goals is to bridge this gap. To that aim, we consider exogenous
a countermeasure as a function of the estimated infec- infections per node whose rates depend on the population
tion probability. We investigate system equilibria, indi- size. We are unaware of previous works wherein such threat
cating two extreme regimes; under the first (second) model has been considered (see Section III-C).
one, the infection probability monotonically decreases Network externalities play an important role in the adop-
(increases) as a function of the size of the vulnera- tion of software and countermeasures. A community of users
ble population, corresponding to a follow-the-crowd of a particular software, for instance, benefits from addi-
(avoid-the-crowd) behavior (Section VII-A); tional members [38], [51], e.g., when accounting for inter-
4) Simulations: We perform experiments using a detailed operability or collaboration functionality. In [52], network
malware simulator inspired by Mirai botnet epi- externalities play an important role for strategic decisions
demics under different configuration scenarios. We ver- taken by each community in an attacker-susceptible environ-
ify that the proposed model qualitatively captures ment. In our work, we assume that increasing the number
the simulated botnet behavior (Section VIII and of vulnerable nodes implies decreasing the probability of
Appendix G). an exogenous infection towards a tagged, randomly-chosen
node.
This paper is organized as follows. Section II presents Maille et al. [53] have also studied network externalities
related work. The considered system is briefly introduced in related to security countermeasures, but without accounting
Section III. Section IV defines the vaccination game and the for epidemic aspects. Their focus is on financial and eco-
concepts of follow and avoid the crowd in the presence of a nomic motivations behind malicious actions, assuming that
strategic attacker in an epidemic context. After the proposed the number of vulnerable devices is directly proportional
model has been described in Section V, Section VI develops to the incentives an attacker has to produce an exploit for
an approximate solution to the model, in closed form. The that vulnerability. A similar economic perspective from the
system equilibria are analyzed in Section VII. Section VIII standpoint of attackers has been considered in [28]. In our
illustrates some properties of the considered system through research, in contrast, the focus is mainly on strategic attackers
simulation experiments and contrast them against our find- who leverage existing exploits, and are able to identify targets
ings obtained using the model, Section IX presents additional by scanning the IP address space.
discussion on broader implications of the work and Section X We indicate that the proposed model gives rise to both
concludes the paper. stable and unstable equilibria. Those equilibria are similar in
spirit to the ones obtained in the analysis of medium access
II. RELATED WORK protocols, such as Aloha [54], [55]. Nonetheless, our analysis
There is a vast literature on epidemic models, accounting for intrinsically accounts for strategic decision makers, whereas
transient and stationary aspects [41] as well as endogenous traditional performance models, such as those used to analyze
and exogenous infections [42]–[45]. Aloha [54], [55], account for non-strategic agents.

VOLUME 8, 2020 66367

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

TABLE 1. Table of notation.

FIGURE 1. Node states. Transitions in a coarse-grained time scale

correspond to changes in the adoption of stringent countermeasures,
and are captured by the vaccination game state graph introduced in
Section IV-C and Definition 1. Fine-grained transitions are captured
by the SIS model introduced in Section V-A.

III. SYSTEM DESCRIPTION

A. TERMINOLOGY
Next, we briefly introduce the terminology considered
throughout this work.
• A network comprises nodes (or users).
• Heavyweight forms of vaccination, also referred to as
stringent countermeasures, include quarantine or the
execution of heavyweight anti-virus software. Devices
implementing such countermeasures are assumed to be B. USER POPULATION, COST FUNCTION
immune to the target malware. AND NETWORK TOPOLOGY
• Vaccinated nodes are those nodes that have applied strin- We consider a finite population of M nodes. Each of them
gent forms of vaccination (see Figure 1). must decide to invest or not in a vaccine. Let the cost per
• Lightweight forms of vaccination are typically per- time unit of a vaccine (e.g., subscription fee for a heavyweight
formed through the update of anti-virus software. Such anti-virus software) be denoted by V , while the costs per time
updates are executed regularly, giving rise to the so- unit in which a node is infected amount to H [15]; typically,
called Internet security ‘‘cat and mouse game’’ which V < H . We refer to the (unit-less) fraction V /H as the
motivates the SIS model considered in this paper. relative vaccination cost C (see Table 1).
• Vulnerable nodes are those nodes that are not vaccinated, We denote the number of nodes that have not applied a
who implement lightweight forms of vaccination, and stringent form of vaccination by N . Such nodes are subject to
are thus subject to infection and recovery. A vulnerable the epidemic process and might be infected by the virus, while
node is either susceptible or infected. still adopting lightweight protective mechanisms. After being
• Susceptible users are prone to infection. Once infected, infected, a node recovers returning to its initial susceptible
they apply lightweight countermeasures, which cause state, e.g., by formatting or rebooting the machine. The
them to transition back to the susceptible state. remaining M − N nodes are assumed to be always immune.
• The attack budget of an attacker is the rate of infections The relative cost incurred by a user in a population wherein
per time unit that the attacker can issue. N users are vulnerable is given by C(N ),
• Endogenous infections are caused by local neighbors. (
Exogenous infections are caused by an attacker whose ρ, if user is not vaccinated,
C(N ) = (1)
attack budget is limited. V /H , otherwise,
• The vaccination cost refers to aspects such as expenses,
downtime, performance overhead, increased system where ρ is the fraction of time at which the user is infected.
response time, or degraded functionality due to the The network topology, comprising N nodes that did not
application of a vaccine. invest in stringent countermeasures, determines the process
• The infection probability is the expected fraction of time of epidemic spread. The network topology is given by its
during which a vulnerable node is in the infected state. adjacency matrix A of size N × N , where each entry ak,l is
The infection probability depends on the infection rate 1 if the nodes k and l are connected and 0 otherwise. Except
and on the curing rate. When deciding which counter- otherwise noted, we assume an undirected network topology,
measure to take, a node trades off the relative vaccination wherein ak,l = al,k and the diagonal elements of A are all
cost against the probability of infection. zero.

66368 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

C. THREAT MODEL infection rate. Then, a multiplicative model is preferred in

Let 3 be the power of an attacker, measured by the number that, as showed in [56], it results into closed-form analyti-
of infections per time unit. In the simplest setting, a constant cal expressions, amenable to further analysis under general
budget is allocated evenly among all vulnerable nodes; the topologies, as indicated in the upcoming sections.
exogenous infection rate per node is then λ(N ) = 3/N . In the The additive model [57] captures a situation where the
remainder of the paper, we may refer to λ(N ) simply as λ, infection rate γ d affecting a node increase monotonically
keeping the dependence of λ on N implicit but noting that as the number of infected neighbors d grows. Under the
such dependence is assumed throughout the whole work. multiplicative model proposed in [56], in contrast, the cumu-
In general, 3 may be a function of N , and λ assumes a lative infection rate γ d may increase or decrease monoton-
functional form given by ically with respect to the number of infected neighbors d,
depending on whether γ ≥ 1 or γ < 1, respectively.
λ(N ) = 3(N )/N . (2)
In this paper, we are interested in the scenario wherein the
The threat model introduced above constitutes one of our key endogenous infection rate increases with respect to the num-
contributions. The model leads to novel insights on epidemic ber of infected neighbors. To this aim, we shall assume that
behavior accounting for strategic attackers, with implications the time scale of the epidemic process is rescaled in a way
on the role of vaccination for small populations as further such that the exogenous and endogenous infection rates λ
discussed in the following sections. and γ are both greater than or equal to one, λ ≥ 1 and
γ ≥ 1.
D. EPIDEMIC INFECTION AND RECOVERY In Section VIII we show through comprehensive simula-
At any point in time, each of the N vulnerable nodes can be tions that the qualitative behavior under the multiplicative
at states susceptible (S, or 0) or infected (I , or 1). Let the infection model captured by our analytical results also holds
time expended in the recovery of an infected node follow an under the additive infection model corresponding to a Mirai
exponential distribution with rate µ. A susceptible node may botnet. The additive and multiplicative models are further
be infected by an external attacker (exogenous infection) or contrasted in Appendix B and analyzed under the complete
by an internal attack (endogenous infection) from network and bipartite topologies in Appendices D, E and F.
neighbors. Let d be the number of infected neighbors of
a given node. We assume that the endogenous infection is
exponentially dependent on d; i.e., the rate of endogenous IV. THE VACCINATION GAME: FOLLOW THE
infection per node is given by γ d . The effect of the exogenous CROWD OR AVOID IT?
infection is also assumed as multiplicative. Thus, the infec- A. THE TWO REGIMES
tion rate of a susceptible node is given by λγ d , and the We distinguish biological epidemic processes, which spread
time until a susceptible node becomes infected follows an infections throughout neighbors without a planned strategy
exponential distribution with mean 1/ λγ d .


and computational epidemic processes which may have two
distinct regimes depending on the i) the attacker who knows
E. WHY MULTIPLICATIVE INFECTION MODEL? the vulnerable nodes and can directly infect them all subject
The multiplicative infection model proposed in [56] is to its limited capacity or ii) the epidemic process that spreads
inspired by the standard SIS equations. The key novelty without a direct attacker control (see Figure 2).
consists of replacing the additive infection rate affecting a In a biological epidemic the infection probability is strictly
tagged node, namely λ + γ d, by a multiplicative one λγ d . increasing as a function of the number of vulnerable indi-
In what follows, we further discuss the motivation and the viduals. This occurs because endogenous infections play a
implications of a multiplicative model. key role and exogenous infections are typically assumed to
In the traditional SIS epidemic models inspired by bio- be insensitive to the number of vulnerable individuals. Such
logical systems, such as, the framework under which the assumptions are captured, for instance, by the standard SIS
NIMFA model [57] is derived, the additive model is a natural model under which the NIMFA approximation [57] is derived
choice. In fact, when d infected neighbors of node i enter in (Figure 2(a)).
contact with node i, each according to an independent Poisson In a computational epidemic considered in this work we
process of rate γ , the resulting cumulative infection rate γ d assume that exogenous infections are due to a strategic
is the sum of their individual infection rates, and yields the attacker with a finite budget (see Section III-C). Then, there
Markovian structure. Ultimately, this provides an appealing is an initial regime (the yellow area in Figure 2(b)) in which
precise formal derivation of the probability of infection per exogenous infection dominates and the infection probability
node. decreases as a function of the number of vulnerable nodes,
Note, however, that a linear model may fail to capture the given that the attacker has limited capacity; and there is
presence of strategic attackers. In fact, such attackers can a final regime in which the endogenous infection domi-
intentionally target a vulnerable node, possibly in a coordi- nates and the infection probability increases as a function of
nated and/or often synchronised fashion. As a consequence, the number of vulnerable nodes, similarly to the biological
our intuition is that such effect might result in a superlinear epidemic.

VOLUME 8, 2020 66369

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

FIGURE 3. Infection probability of a tagged vulnerable node: (a) in a

computational epidemic, nodes have motivation to vaccinate when the
relative vaccination cost is less than the infection probability; (b) the
system admits at most two non-trivial equilibria, one being unstable and
the other stable.

C. EQUILIBRIA
Next, we further explain and formally define the notion of
FIGURE 2. Illustrative biological and computational epidemics. equilibrium considered throughout this paper. We start by
Computational epidemic has two types of behavior: the first is dominated illustrating the concepts through an example which is simple
by exogenous infections, while the second is dominated by endogenous
infections. but already helps us appreciate the nature of our definitions.
Then, we proceed by introducing the formal definitions.
Figure 3(b) shows three points of equilibria: i) The first
B. FOLLOW OR AVOID THE CROWD? point is the trivial equilibrium, in which there is no vulnerable
Figure 3 illustrates in red the relative vaccination costs C node and no infected node. ii) The second point is an inter-
for a computational epidemic. If the risk (probability) of nal unstable equilibrium; few steps towards to the left with
infection of a node is above these relative vaccination costs, respect to the numbers of vulnerable nodes (x axis) implies
the node is motivated to vaccinate. Inversely, if the probability more motivation to vaccinate, and few steps towards the right
of infection of a node is below the relative vaccination costs, implies less motivation to vaccinate. iii) The third point is
the node is not motivated to vaccinate. the internal stable equilibrium, a small modification in the
According to Figure 3(a), this vaccination strategy leads number of vulnerable nodes (x axis) to the left or the right
to three decision moments: i) the first moment occurs under results in incentives to return to the equilibrium.
the initial regime with the infection probability above the For each vaccination game we define its corresponding
relative vaccination costs: each node is motivated to vacci- state graph. The state graph of the game illustrated above is
nate, and hence the number of vulnerable nodes decreases; shown at the bottom of Figure 3(b).
in this case, the best strategy is to follow the crowd. ii) Definition 1 (State Graph [58], [59]): A state graph is a
the second moment occurs when the infection probability is directed graph where each vertex corresponds to a strategy
below the relative vaccination costs: no node is motivated to profile Z. There is a directed arc from vertex Z to vertex Z 0
vaccinate, and thus the number of vulnerable nodes tends to with label v if the only difference between Z and Z 0 is the
increase; in this case, the best strategy is to avoid the crowd. strategy of a single player and the payoff of that player in Z is
iii) the third moment occurs under the final regime with the strictly less than its payoff in Z 0 , the modulus of the difference
infection probability above the relative vaccination costs: the being equal to v.
node is motivated to vaccinate and the number of vulnerable Next, we specialize the above general definition of state
nodes decreases; in this case, the best strategy is to follow graphs to the vaccination games considered in this paper.
the crowd. In particular, we consider two simplifying assumptions:

66370 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

• symmetry: we assume all users to be symmetric, i.e., all Definition 3 subsumes that the index of each vertex in the
users have the same number of neighbors and are subject state graph corresponds to the expected number of vulnerable
to the same curing rates, as well as the same stationary users in the system at that state, assuming a large population
exogenous and endogenous infection rates. This yields of users. Under such an interpretation, two adjacent states
a lumped state space wherein each state is character- in the state graph are now separated by a continuum set of
ized solely by the number of vulnerable users, i.e., the virtual states in between them. Then, a virtual equilibrium
number of users that decided not to implement stringent is a virtual state wherein relative vaccination costs equal
countermeasures; infection probability. Accordingly, Definition 3 refers to the
• incentives: we assume that the infection probability of set of states surrounding that virtual equilibrium state as an
vulnerable users together with the relative vaccination equilibrium.
costs at the current state of the state graph fully deter- Definition 4: A stable equilibrium of the vaccination game
mine the incentives that drive users to change their is an equilibrium comprising up to two adjacent vertices
strategies, i.e., users have an incentive to change their n and n + 1 in its state graph wherein users have no
strategy if the current infection probability is greater incentive to change their strategies and cause the system
than relative vaccination costs. to transition to a vertex of the state graph outside of the
Intuitively, the latter assumption implies that each user does considered set.
not account for the difference in the infection probability of Note that Definition 4 is rather intuitive, as it captures the
the population after a single change of individual strategy is notion of a set of strategy profiles such that users have no
performed. Such assumption allows us to determine the value incentive to make the system transition out of this set.
v of an edge from state Z to Z 0 of the state graph solely The set of vertices corresponding to a stable equilibrium
based on properties of state Z. Such assumption is inspired may comprise a single vertex n or a pair of adjacent vertices
by [60], wherein its applicability and implications are further n and n + 1. If an equilibrium comprises two states n and
discussed. n + 1, and at state n (state n + 1) the infection probability is
Definition 2: The state graph of a vaccination game con- less (greater) than the relative vaccination costs, the equilib-
sists of N + 1 vertices, with each vertex n ∈ {0, 1, . . . , N } rium is stable as (4) implies that the population indefinitely
corresponding to a strategy profile wherein there are n vul- transitions back and forth between those two states.
nerable users, and each edge corresponding to a transition Definition 5: Any non stable equilibrium of the vaccina-
wherein the system state decreases (or increases) by one unit, tion game is referred to as an unstable equilibrium.
representing the fact that a user starts (or stops) adopting a According to Definition 3, an equilibrium of the vaccina-
stringent countermeasure. The value v of an edge from state tion game is characterized by a minimal set of up to two
Z to Z 0 is given by adjacent vertices n and n + 1 in its state graph. If at state
n (state n + 1) the infection probability is greater (less) than
v(Z) = |H ρ(Z) − V |, (3) the relative vaccination costs, Definition 5 together with (4)
imply that the equilibrium is unstable.
where ρ(Z) is the infection probability at state Z. In addition, Next, we further distinguish between boundary and inter-
nal equilibria.
Z − 1, if H ρ(Z) > V and Z ≥ 1



 Definition 6: A boundary equilibrium of the vaccination



 (incentive to start adopting stringent game is an equilibrium corresponding to either vertex 0 or
vertex N of the corresponding state graph. Any equilibrium



 countermeasure)
0
Z = Z + 1, if H ρ(Z) < V and Z ≤ N − 1 (4) that is not a boundary one is referred to as an internal
 equilibrium.
(incentive to stop adopting stringent


The fact that the infection probability is zero at state 0 and






 countermeasure), that relative vaccination costs are assumed to be non-negative,

Z, otherwise. together with the two considered simplifying assumptions,
motivates the following definition.
Given the definition of state graphs of vaccination games, Definition 7: The trivial equilibrium is the boundary equi-
we are ready to introduce the notion of stable and unstable librium wherein all nodes are vaccinated, corresponding to
equilibria of such games. Note that according to (4), at state Z vertex 0 of the state graph.
a user has incentive to adopt (resp., stop adopting) a stringent The above definitions will be used in Section VII to establish
countermeasure if H ρ(Z) > V (resp., H ρ(Z) < V ). In what structural results of the vaccination game. To that aim, we first
follows, we formalize the notion of an equilibrium. introduce the SIS epidemic model and its approximate solu-
Definition 3: An equilibrium of the vaccination game is tion in the two sections that follow. The role of the SIS
characterized by a minimal set of up to two adjacent vertices model and its approximate solution in the general framework
n and n + 1 in its state graph such that there exists a value considered in this paper is illustrated in Figures 4(a) and 4(b),
n0 ∈ [n, n + 1] for which ρ(n0 ) = V /H , n0 ∈ R, n ∈ N. respectively.

VOLUME 8, 2020 66371

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

V. EPIDEMIC MODEL: CHARACTERISTICS AND SOLUTION

A. NETWORK STATE
The network state can be expressed by an N -dimensional vec-
tor. Let x be a state of the network, x = (x1 , x2 , . . . , xk , . . . ,
xN −1 , xN ), with xk ∈ {0, 1} representing the state of node
k and x ∈ X , with X ≡ {0, 1}N denoting all possible
network states. The dynamics of the system is characterized
by a continuous, homogeneous-time, irreducible and finite
Markovian process. Each network state corresponds to a state
in the Markovian process. Such process, in turn, is known to
be reversible [61].
Note that the network states introduced in this section
should not be confused with the states of the state graph intro-
duced in Section IV-C and Definition 1. Whereas the states
considered here vary in a fine-grained time scale, the states
of the state graph considered in Section IV-C correspond
to changes in the adoption of stringent countermeasures by
users, and vary in a coarse-grained time scale (see Figure 1).
FIGURE 4. Exact and approximate solutions to the epidemic model and
corresponding vaccination game. The threat model used to obtain the
B. INFINITESIMAL GENERATOR exogenous infection rate λ(N) per node is one of the key novel elements
Let Q be the infinitesimal matrix associated with the Markov of this work.
process. States are indexed lexicographically, and we denote
by x(i) the i-th network state. The k-th entry of vector x(i) is
(i) (i) sides infected, referred to as infected edges, is given by
denoted by xk . Let dk be the number of infected neighbors
(i) N N
of node k at state x . 1 T 1 P P
2 x Ax = 2 xk xl ak,l .
Then, the element qi,j in the i-th row and j-th column of Q k=1 l=1
l6 =k
is given by:
(i)
D. INFECTION PROBABILITY

(i) (j)

 λγ dk , if xk = 0, xk = 1,

 (i) (j) Let I be a random variable denoting the number of infected
 xl = xl for l 6 = k,
nodes in the network. Let π(ι) = P(I = ι) be the probability




of finding ι infected nodes in the network. Thus, from Equa-
 (j)
(i)
 µ,


 if xk = 1, xk = 0,
qi,j = (i) (j) (5) tion (7):
xl = xl for l 6 = k,
 N
X
2 π̃(ι) = π̃(x), ι = 0, . . . , N


 X (9)
qi,p , if i = j,




 − x:1T x=ι
π̃(ι)


 p=1, p6=i
π(ι) = .


0, otherwise. (10)
Z
C. STEADY-STATE DISTRIBUTION The infection probability of a node picked randomly (based
The steady-state distribution of the multiplicative SIS process on a uniform distribution), as a function of the population
[43], [56] is given by size, is

π̃(x) E(I )
π(x) = , x ∈ X, (6) ρ(N ) = , (11)
Z N
where where
 1T x N
λ T
X π̃(ι)
π̃(x) = γ x Ax/2 (7) E(I ) = ι (12)
µ ι=0
Z
and is the expected number of infected nodes. The infection prob-
ability plays a key role in the modeling framework proposed
X
Z= π̃(x). (8)
in this work, as summarized in Figure 4(a).
x∈X
In the expressions above, matrix A is the adjacency matrix
The number of infected nodes at state x is given by as defined in Section III-B. In the remainder of this paper,
N
1T x =
P
xk . In addition, the number of edges with both we will consider a fully-connected network, unless otherwise
k=1 noted. For such a network, ak,l = 1 ∀k 6= l.

66372 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

VI. AN APPROXIMATE SOLUTION TO THE Lemma 1: The node infection probability under the bino-
EPIDEMIC MODEL mial approximation is given by
In this section we introduce an approximate solution to the 1
epidemic model. We start by presenting the binomial approx- ρ̂(N ) = µ −N ?
. (19)
imation.
1+ λ(N ) γ

A. BINOMIAL APPROXIMATION Proof: Some algebraic manipulations result in

In what follows, we assume that the topology is fully con- λ(N ) N ? ι
N   
1 X N
nected. Let ι be the number of infected nodes. Thus, from Ẑ ρ̂(N ) = ι γ
N ι µ
Equation (7): ι=0

λ(N ) ι ι(ι−1)/2 λ(N ) N ? ι

N   
N −1
  
N X
π̃(ι) = γ , ι = 0, . . . , N . (13) = γ
ι µ ι−1 µ
ι=1
The infection probability of a node picked randomly (based λ(N ) N ? ι+1
N   
X N −1
on a uniform distribution), as a function of the population = γ
ι µ
size, is given by (11), ι=0
λ(N ) N ? λ(N ) N ? N −1
  
N
1 X π̃(ι) = γ 1+ γ . (20)
ρ(N ) = ι (14) µ µ
N Z
ι=0
Ẑ can be rewritten as
λ(N ) ι ι(ι−1)/2
N   
1 X N
= ι γ , (15) N
NZ ι µ Ẑ =
X
π̂(ι)
ι=0
where (15) is obtained by replacing (13) into (14). Obtaining ι=0
N  ι
a closed-form expression from Equation (15) is complicated λ(N ) N ?

X N
due to the quadratic term in the exponent of γ . To simplify = γ
ι µ
this, we consider the following approximation. ι=0

Let N ? (N ) be an hyperparameter of the proposed approx- λ(N ) N ? N

 
= 1+ γ . (21)
imation of ρ(N ). We will show that letting N ? (N ) be the µ
expected number of infected neighbors of a typical node
Therefore, by Equations (20) and (21):
yields accurate approximations of ρ(N ) in regular topolo-
N −1
gies wherein all nodes have the same number of neighbors. λ(N ) N ? λ(N ) N ?
 
π̂(ι) µ γ 1 + µ γ
We defer this derivation to the upcoming section (see also ρ̂(N ) = = N
1 + λ(N

Appendices C and D-E). For now, it suffices to note that Ẑ ) N?
γ
µ
N ? (N ) is a scalar value between 0 and N and that N ? : R → R −1
µ

is an increasing function.
= 1+ . (22)
Then, we define ρ̂(N ) ≈ ρ(N ) and π̂(ι) ≈ π̃(ι) as a λ(N )γ N
?

function of N ? (N ) and of parameters λ, µ, γ and N as follows:

N
1 X π̂(ι) An alternative derivation of the binomial approximation is
ρ̂(N ) = ι , (16) presented in Appendix C.
N Ẑ
ι=0
where B. PARAMETERIZATION OF APPROXIMATION:
 
N λ(N ) N ? ι
 OPTIMALLY SETTING N ?
π̂(ι) = γ (17) Next, our goal is to determine how to set the hyperparam-
ι µ
eter N ? in order to obtain accurate results with the pro-
and posed approximation of ρ(N ). To that aim, we consider two
N
X approaches. The first consists of analyzing the most probable
Ẑ = π̂(ι). (18) states of the system. The second is based on the N -intertwined
ι=0 mean-field approximation (NIMFA). The two approaches are
N ? in Equation (17) is a simplified notation for N ? (N ). We further developed in Appendices C and D-E, respectively.
refer to Equation (16) as a ‘‘binomial approximation’’ due to Both approaches lead to the same result, namely, that letting
the use of Newton’s binomial in its definition. N ? be the expected number of infected neighbors of a typi-
The role of N ? in the modeling framework proposed in this cal node yields accurate approximations in regular networks
work is indicated in Figure 4(b), which should be contrasted wherein all nodes have the same degree.
against Figure 4(a). Given N ? , Equation (16) can be rewritten In a fully-connected topology each node has N − 1 neigh-
in closed form as demonstrated by Lemma 1. bors, and the expected number of infected neighbors of any

VOLUME 8, 2020 66373

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

each other, which is in agreement with the discussion in the

previous paragraphs. The root mean squared error due to the
approximation of N ? by N ρ̂(N ) rather than by (N − 1)ρ̂(N )
is of the order of 10 nodes in the considered setting. This,
in turn, indicates that for analytical tractability one may
consider simpler expressions to approximate N ? , trading off
accuracy against simplicity.

C. REGULAR NETWORKS
The analysis in the previous section accounted for fully
connected networks, and can be easily extended to regular
networks. A regular network is a network wherein each node
has degree d̃. In a regular network the expected number of
infected neighbors of each node is d̃ ρ̂(N ). Then, under the
binomial approximation, Equation (19) can be rewritten as
1
ρ̂(N ) = ?
−1
. (25)
1 + µ λγ d
In particular, let
d ? = d̃ ρ̂(N ). (26)
Using (26) we are able to obtain accurate approximations
of the infection probability. For the special case of fully
connected networks where d̃ = N − 1, ρ̂(N ) estimated
by (25)-(26) equals (23).
Let d be the average node degree in a network. If the
FIGURE 5. Infection probability behavior and model parameterization:
(a) infection probability ρ(N) as a function of number of vulnerable nodes distribution of node degrees is concentrated around its mean,
N, and its approximations ρ̂(N, N ? ), letting N ? = N (upper bound), the analysis above still holds replacing d̃ by d. In what
N ? = N/2 (lower bound), and optimal N ? ; (b) finding the best
approximation for N ? under the binomial approximation, with γ = 1.09,
follows, we illustrate the approximations above in bipartite
µ = 1, 3 = 10 and λ = 3/N. networks.
Illustrative Example: To illustrate the accuracy of the
approximation above, Figures 6 and 7 show the infection
given node is (N − 1)ρ(N ). Then, in a fully connected net- probability as a function of the number of vulnerable nodes,
work, under the binomial approximation, Equation (19) can obtained through Equation (25). Figure 6 considers a fully
be rewritten as connected bipartite network and Figure 7 accounts for a
1 bipartite network with maximum node degree equal 3. In both
ρ̂(N ) =
−1 . (23) cases, setting d ? to its optimal value we obtain very accurate
1 + µ λγ −1)ρ̂(N )
(N
approximations, and (26) typically provides a good approxi-
where we let mation for the optimal value of d ? (see Figures 6(c) and 7(c)).
Setting d ? = d, we note that the resulting approximation
N ? = (N − 1)ρ̂(N ) (24)
upper bounds the infection probability. Alternatively, setting
in Equation (19). d ? = d/2 we obtain a lower bound. Those examples serve
Figure 5(a) shows the infection probability as a func- to illustrate that the proposed approximations are helpful to
tion of the number of vulnerable nodes, with γ = 1.09, analyze topologies other than the complete graph. Additional
µ = 1, 3 = 10 and λ = 3/N . The full orange line results on bipartite graphs and more general topologies are
is obtained through the fix point solution of Equation (23), reported in Appendices E and G, respectively.
which accurately captures the exact solution of the model
(see Appendix D). Setting N ? to its optimal value also leads VII. MODEL ANALYSIS: PROPERTIES OF EQUILIBRIUM
to an accurate approximation of the infection probability, Next, our goal is to characterize structural properties of the
as indicated by the circles in Figure 5(a). Alternatively, letting equilibria. We start with general results before specializing to
N ? = N (resp., letting N ? = N /2) in Equation (19) leads to the case wherein the attacker budget is distributed uniformly
an upper (resp., lower) bound for the infection probability, at random across vulnerable nodes.
shown by the green (resp., blue) curve.
Figure 5(b) further illustrates how to optimally set N ? . A. GENERAL RESULTS
In particular, it indicates that the curves corresponding to Under the general setting illustrated in Figure 4(b), the fol-
the optimal N ? parameterization and (N − 1)ρ̂(N ) match lowing theorem states that the model admits at most two

66374 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

FIGURE 6. Infection probability behavior and model parameterization in

a bipartite fully connected graph: (a) considered topology when N = 8
vulnerable nodes; (b) infection probability ρ(N) and its approximations
ρ̂(N, d ? ), letting d ? = N/2 (upper bound), d ? = N/4 (lower bound) and
d ? optimally set; (c) optimal value of d ? (circles) contrasted against
ρ(N)d (full line) indicates close agreement between the two. We let
γ = 2.09, µ = 1, 3 = 10 and λ = 3/N.

internal equilibria, under the mild conditions that γ > 1 and

that N ? (N ) and is an increasing function of N , while λ(N ) is
FIGURE 7. Infection probability behavior and model parameterization in
a bipartite graph with maximum node degree of three: (a) considered
a decreasing function of N . topology when N varies between 3 and 8; (b) infection probability ρ(N)
and its approximations ρ̂(N, d ? ), letting d ? = N/2 (upper bound),
Theorem 1: The vaccination dynamics subsumed by the d ? = N/4 (lower bound) and d ? optimally set; (c) optimal value of d ?
SIS model under the binomial approximation admits at most (circles) contrasted against ρ(N)d (full line) indicates rough agreement
two internal equilibrium points. between the two. We let γ = 2.09, µ = 1, 3 = 10 and λ = 3/N.
?
Proof: Let 9(N ) = (λ(N )/µ)γ N . By Lemma 1, ?
As dNdN > 0 and dN ≤ 0, we conclude that Equation (27)
dλ
d ρ̂(N )/dN = (d9/dN )/(9 (1 + 1/9)2 ). All terms of
2

d ρ̂(N )/dN are greater than zero, except d9/dN : admits at most a single root. Therefore, ρ̂(N ) admits at
most one internal minimum point, and ρ̂(N ) intercepts any
d9

1 dλ N ? ? horizontal line in at most two points. Those points are the
N ? dN
= γ + λ(log γ )γ candidate internal equilibria.
dN µ dN dN
?
Illustrative Example: Figures 8 and 9 illustrate the results
λγ N  ? 
= log γ
dN
+
dλ 1
. (27) discussed so far, under the setup of µ = 1, 3 = 10 and
µ dN dN λ λ = 3/N . Theorem 1 is in agreement with the results shown

VOLUME 8, 2020 66375

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

For γ = 1.09, Equation (30) evaluates to N ≈ 23.

Indeed, this result is in rough agreement with Figure 8, which
indicates that the minimum infection probability occurs for
N = 21.
Next, we further derive closed-form expressions approx-
imating equilibrium points. The internal equilibrium points
can be determined through the following equation,

ρ(N ) − C = 0, (31)

where as before C refers to the relative vaccination costs.

Alternatively, approximate values can be obtained through

ρ̂(N ) − C = 0. (32)
FIGURE 8. Infection probability of a tagged node as a function of the
population size, ρ(N). When the endogenous infection rate γ is small
(big), the system is dominated by the exogenous (endogenous) infection
Letting again N ? = N /2, the values of N that satisfy the
rate, and the infection probability decreases (increases) with respect to above equation are
the vulnerable population size. When γ ≈ 1, the infection probability first
decreases and then increases, in agreement with Equation (6). µ = 1, (C − 1)3 log γ
 
2
3 = 10 and λ = 3/N. N =− W , (33)
log γ 2Cγ 1/2
in Figure 8. This figure shows that for γ > 1 the infection where W (x) is the Lambert relation [63], defined as follows,
probability first decreases and then increases. The infection
probability admits a single global minimum and at most two x = W (x)eW (x) . (34)
equilibrium points. When the system admits two internal
equilibrium points, one of those equilibria is stable, while the The Lambert relation W (x) admits two real values for each
other is unstable. For γ = 1.09, Figure 9 shows the possible given value of x, corresponding to the branches −1 and 0.
population states with corresponding gains envisioned by For 3 = 10, γ = 1.09 and C = 0.6, for instance, the values
users who decide to vaccinate (blue arrows pointing upwards) of N corresponding to the −1 and 0 branches are 45.6 and
or not to vaccinate (red arrows pointing downwards). States 9.7, respectively. Figure 9 shows that 45.6 significantly over-
11 and 12 compose an unstable equilibrium, while states shoots the stable equilibrium involving states 30 and 31, while
30 and 31 constitute a stable equilibrium. The minimal infec- 9.7 is a good approximation for the unstable equilibrium
tion probability is attained at state 21. involving states 11 and 12. The overshooting occurs due to
the rough approximation N ? = N /2, which is not very
B. SPECIAL CASE: VULNERABLE NODES SELECTED accurate as shown in Figure 5(a). More accurate results can be
UNIFORMLY AT RANDOM, λ(N) = 3/N obtained by using Newton’s approximation method (NAM),
Next, we specialize our results to the setting wherein vulner- as indicated in Appendix A.
able nodes are selected uniformly at random. To that aim, Although the approximations presented in this section are
we leverage the closed-form result derived in Lemma 1, not extremely accurate, they serve to illustrate the qualita-
setting λ(N ) = 3/N . Note that letting λ(N ) = 3/N tive properties of the model. In particular, the fact that the
corresponds to considering an attacker who has a finite attack Lambert relation has at most two real branches implies that
budget of 3 infections per time unit, which is uniformly the system admits at most two internal equilibria. This result,
distributed across N vulnerable nodes. In that case, in turn, is in agreement with Theorem 1, allowing us to obtain
a quick assessment of the equilibrium points.
dλ 3
= − 2. (28)
dN N
VIII. EXPERIMENTS
For the purposes of the following analysis, it suffices to We developed an epidemic simulator to evaluate a network’s
consider a rough approximation for N ? , and let N ? = N /2 behavior under a wide range of configurations, including
(see our discussion in Section VI-B). Then, those not directly captured in our analytical model (e.g.,
 
d 1 1 when the number of vulnerable nodes N varies over time,
ρ̂(N ) = κ log γ − , (29) when the time between infections is not exponentially dis-
dN 2 N
tributed, or when the epidemic model is additive rather than
where κ is a positive constant. The root of Equation (29)
multiplicative). We compare the experimental results with
corresponds to the population size which yields minimum
analytical results, discussing similarities and differences.
infection probability, and is given by
Our simulator is publicly available.1
2
N = . (30)
log γ 1 https://github.com/queupe/miraisim

66376 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

FIGURE 9. Dynamics of the number of vulnerable nodes. The endogenous infection rate and the relative vaccination cost are set to
γ = 1.09 and 0.6, using the same setup as for Figure 8. There are two stable Nash equilibria [62], the first one at 0 and the other one at 31.
In Figure 8, the horizontal line at y = 0.6 crosses the magenta curve at two points. The first point corresponds to an unstable equilibrium
(where the expected number of vulnerable nodes is between 11 and 12), and the second one corresponds to a stable equilibrium
(between 30 and 31 vulnerable nodes).

TABLE 2. Simulation parameters and their reference values. TABLE 3. Simulation and fitting of the model parameters.

Each configuration was executed eight times; in Figure 10 we

plot the infection probability average with a 95% confidence
interval as a function of the number of vulnerable hosts.

B. ANALYTICAL MODEL AND EXPERIMENTS

1) MODEL PARAMETERIZATION
Next, we introduce the methodology used to parameterize the
A. SIMULATOR CONFIGURATION proposed model. The most striking distinction between the
The simulator provides an array of configuration parameters, analytical model and the simulation is that in the former infec-
shown on Table 2, to allow control of network conditions and tions have a multiplicative effect, whereas in the latter the
the behavior of infected devices. The simulator is inspired by effect is additive. For this reason, there is no straightforward
the behavior of Bashlite and Mirai [8], [47]. mapping between the parameters used in the simulations and
An attacker operates an initial infection host (called the those considered in the analytical model. To cope with such a
master bot) with an additive exogenous infection rate 3̃. challenge, we consider a simple curve fitting approach. The
On each infection, the master bot attempts connection to a model parameters corresponding to the scenarios presented
random subset of hosts in the network (e.g., using telnet). in Figure 10 are reported in Table 3. In what follows we
Each subsequent infected device (called a bot) contributes an further discuss the obtained numerical results.
additive endogenous infection rate γ̃ . Infections from (master
and normal) bots proceed in two steps. First, a bot attempts to 2) EXPERIMENTAL RESULTS
connect to a target host (e.g., using telnet). Connections fail Figure 10 compares the infection probability obtained
if the target device is protected or already infected. Second, through simulations against that obtained with the proposed
the bot attempts to infect the target host if a connection is analytical model. The analytical model results were obtained
successful. Each bot attempts infections independently and using Newton’s Approximation Method after two iterations
in a random cyclic order. (see Appendix A). The fraction of infected nodes obtained
We run simulations for 10, 000 time units, which through simulations (resp., analytical model) is shown in
is long enough to estimate the network’s steady state. solid red lines (resp., dotted-dashed blue lines). For the

VOLUME 8, 2020 66377

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

FIGURE 10. Outcome of Mirai Botnet simulation experiments, in the presence of a strategic attacker, under a fully connected network. The
reference values of the simulator parameters are: 3 = 1500, γ̃ = 5 × 10−5 , 3̃ = 2 × 10−2 and τ = 65. Model parameters are shown in Table 3.

simulations, the 95% confidence interval is also reported Generally, the model tends to overestimate the infection
(shaded area). In addition, we also report the fraction of nodes probability vis-à-vis the experiments. This is due to the
that were infected through endogenous and exogenous infec- following reasons: i) The model assumes that the nodes
tions, in dotted and dashed red lines, respectively. In each are always active (on-time), whereas the simulator assumes
plot, the fraction of infected nodes (solid red line) is the sum that the nodes alternate between active and inactive states
of the fraction of endogenously and exogenously infected (on-time and off-time). ii) The model assumes a multiplica-
nodes. Column I (left) varies the endogenous infection rate tive infection rate, while the simulator assumes an additive
γ̃ , Column II (center) varies the exogenous infection rate 3̃, one. iii) In the model, the periods between events are expo-
and Column III (right) varies the node uptime τ . nentially distributed, whereas in the simulator l and T follow
a uniform distribution. iv) The model assumes instantaneous
3) MODEL VALIDATION infections and state transitions, while the simulator captures
The outcome of the experiments is qualitatively in agree- the time it takes bots to scan for vulnerabilities (attempt
ment with the findings from the analytical model. Under the connections) and infect vulnerable hosts.
initial regime with a few nodes, the system is dominated
by exogenous infection. As the number of nodes increases, C. EXPERIMENTAL RESULTS AND INSIGHTS
the infection probability first decreases and then increases, As the number of vulnerable nodes increases, the frac-
and the system is then dominated by endogenous infection. tion of infected nodes first decreases and then increases.

66378 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

The system (model and simulator) undergoes two regimes, Host uptimes significantly impact the fraction of
first being dominated by exogenous infections and then by infected nodes. The asymptotic value of the proportion of
endogenous infections. In Figure 10 the dashed curve repre- infected nodes depends on the average uptime, as shown
sents the probability of exogenously infected hosts, which is in Figure 10, Column III. When nodes stay active for longer
decreasing while the number of vulnerable hosts increases, periods of time, the number of infections attempted by each
and the dotted curve represents the probability of endoge- individual bot increases, resulting in an increase of the frac-
nous infected hosts, which is increasing while the number tion of infected nodes.
of vulnerable hosts increases. The behavior observed in the
experiments agrees with the one predicted by the proposed IX. DISCUSSION
model (see Lemma 1 and Appendix 2). In this section we indicate some of the broader implications
Figure 10 shows that under the first regime the proportion of the results presented in this work.
of exogenously infected hosts is greater than the proportion
of the endogenously infected ones (the dashed curve is above A. CYBERSECURITY INSURANCE
the dotted curve). Under the final regime, the proportion of Cybersecurity insurance (or cyber liability insurance) is a
the endogenously infected hosts is greater than the proportion product that an entity can purchase to help reduce the finan-
of the exogenously infected ones (the dotted curve is over the cial risks associated with online business. It encompasses a
dashed curve). contract wherein, in exchange for a fee, the insurance pol-
The minimal proportion of (endogenously and exoge- icy transfers some of the risk to the insurer [64], [65]. Our
nously) infected hosts occurs when the dashed curve crosses results imply that the modeling and pricing of cybersecurity
the dotted curve (as the curves are concave increasing and insurance should take into account both positive and nega-
convex decreasing, respectively). At that point, the proportion tive externalities derived from immunization. In particular,
of infected hosts as assessed by simulations (solid curve) the model proposed in this paper may serve as an additional
reaches its minimum. ingredient when assessing insurance prices [65].
Note that when γ̃ = 8 × 10−5 (Figure 10(a.I)) the
analytical model underestimates the infection probability, B. RISK SCORE PARAMETERIZATION
going counter the behavior observed in the other scenarios Standard risk scores, such as the common vulnerability scor-
considered in Figure 10. Except for the scenario consid- ing system [66], account for environmental aspects when
ered in Figure 10(a.I), the number of vulnerable nodes that determining risks. Such environmental aspects may embrace
minimizes the infection probability according to simulations the security countermeasures taken by the neighbors of a
(solid curve) is typically close to that obtained through the node when assessing its risk. Our results indicate that even if
analytical model (dotted-dashed blue curve). most of the neighbors of a given node are already protected,
As the number of vulnerable nodes increases, the infec- the risks faced by a node may remain high, which serves to
tion probability is more sensitive to the endogenous, motivate lingering nodes to also deploy the available security
rather than the exogenous, infection rate. Endogenous countermeasures.
infections are boosted as the number of infected nodes in the
network increases, whereas the exogenous infection rate is C. IMMUNIZATION STRATEGIES BEYOND HERD
limited by the power of the bot master. From top to bottom, IMMUNITY
in Figure 10 Column I the endogenous infection rate was The models presented in this work serve to bring awareness to
increased by about factor 60, while in Column II the exoge- system administrators about risks incurred due to old vulner-
nous infection rate had to be increased around 400 times to abilities for which a significant fraction of the population has
produce similar effects. already applied a patch. Strategic attackers may still be able to
Model parameters are more sensitive to host uptimes find vulnerable nodes that linger in the network. Such nodes
and exogenous infection rates as opposed to endogenous may correspond, for instance, to industrial control systems
rates. As shown in Table 3, model parameters µ and γ are which are difficult to patch, or to devices which are not
more sensitive to 3̃ and τ (second and third columns of automatically patched after being installed off-the-shelf [34].
Figure 10) as opposed to γ̃ (first column of Figure 10). This Strategic attackers may target those devices, requiring system
occurs even though endogenous infection rate was varied in a administrators to adopt preventive measures beyond herd
range between 8 × 10−5 and 500 × 10−5 , which allows us to immunity.
appreciate the roles of endogenous and exogenous infections
as the number of vulnerable nodes increases. Further increas- D. ADDITIONAL PRACTICAL IMPLICATIONS
ing the endogenous infection rate does increase the sensitiv- Next, we provide a discussion on the implications of our
ity of model parameters, however, this results in scenarios results from the attack generation and defense points of
where endogenous infection rates dominate system behavior, view. From the attack standpoint, our model suggests that
which can be captured through classical epidemic models, scanning the network to target vulnerable nodes can signifi-
e.g., [11], [12]. cantly impact infection probability. This, in turn, implies that

VOLUME 8, 2020 66379

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

engineering solutions to counteract the automated exploita- protecting against multiple malware using the same attack
tion of vulnerabilities in the wild are key in face of strategic vector. It is also worth pointing that in this work we focused
attackers [39], [67]. From the defense standpoint, our model on networks with a finite number of nodes. The study of
suggests that there is an optimal number of vulnerable nodes scaling laws of epidemics when the number of vulnerable
that minimizes infection probability. We envision that the nodes grows to infinity [69], accounting for strategic attackers
assessment of infection probability, in turn, can be used to whose budget increases as the population of vulnerable nodes
decide how to invest in security countermeasures, such as grows, is another avenue for future research.
vaccination, rejuvenation and quarantine [17], accounting for
the whole population ecosystem. In addition, the number APPENDIXES
of vulnerable nodes that minimizes infection probability as APPENDIX A
derived from the proposed model can also be instrumental ITERATIVE MODEL SOLUTION THROUGH NEWTON
to determine how to deploy honeypots based on first princi- APPROXIMATION
ples [68], which we leave as subject for future work. In this appendix we indicate that the Newton Approximation
Method (NAM) may be instrumental to approximate the
X. CONCLUSION infection probability. The use of NAM to obtain approximate
In this paper we have proposed a new epidemic analyti- closed form expressions to estimators is not novel. A similar
cal model to assess the infection probability of nodes in a idea has been used by Wilks [70], for instance, to obtain
network which face a strategic attacker with finite power. approximations in closed form to optimal estimators for the
For this model, the infection probability can be expressed covariance matrix of the bivariate Gaussian distribution (see
in closed form, allowing us to verify its equilibrium points Section 4 in [70]).
and its further attributes. Administrators can use this model to
choose the best countermeasure to be applied to the network. A. A NOTE ABOUT NOTATION
To facilitate this process, the model provides: i) a vaccination In all the appendices that follow, we are interested in approx-
game in which the player must choose the best strategy to imations to ρ(N ). Then, to simplify notation we refer to the
minimize the maintenance costs depending on the infection infection probability as estimated by the Markovian model
probability; ii) some points of equilibrium supporting the and to its approximation through the binomial approximation
concept of follow or avoid the crowd in the presence of a as ρ(N ). It should be clear from the context the quantity which
strategic attacker. is being referred to.
In order to validate the proposed model we have carried
out numerous experiments using a simulator in which we B. INTRODUCTION TO NEWTON APPROXIMATION
provoked infections using the Mirai botnet malware. The METHOD (NAM)
proposed model was able to capture the behavior qualita- Next, we show how to apply NAM to obtain approximations
tively and accurately. The experiments have also allowed to for the infection probability. In a fully connected network,
understand what happens if some assumptions of the pro- under the binomial approximation, Equation (19) can be
posed model are relaxed. The experiments have shown that rewritten as
the exogenous infection rate has to be increased around 400 1
times to attain effects similar to those observed when the ρ(N ) =
−1 . (35)
1 + µ λγ −1)ρ(N )
(N
endogenous infection rate is increased by about a factor of 60.
Some interesting results from the experiments and related The definition of ρ(N ) uses ρ(N ) itself as an exponent of γ .
analysis include the following. i) There are two distinct Isolating ρ(N ) is non-trivial, but we can approximate it. With
regimes, the first one being dominated by exogenous infec- ρ(N ) = ρ and n = N − 1, define function f (ρ) as
tions and the second one by endogenous infections. ii) The
 µ  µ
f (ρ) = ρ 1 + γ −ρn − 1 = ρ + ρ γ −ρn − 1. (36)
role of endogenous infection is prevalent whenever the num- λ λ
ber of vulnerable nodes is big. iii) In contrast to classical Then,
epidemiology research, a few vulnerable nodes may become ∂f (ρ) µ
preferred targets, and increasing the number of vulnerable f 0 (ρ) ≡ = 1 + γ −ρn (1 − ρn ln γ ) (37)
∂ρ λ
nodes may decrease the infection probability of a given
∂ 2 f (ρ) µn ln γ −ρn
tagged node. The latter observation, in turn, may be used to f 00 (ρ) ≡ = γ (ρn ln γ − 2) (38)
position honeypots in a network based on epidemiological ∂ ρ2 λ
first principles, which we leave as subject for future work. We are now ready to report the two key results from this
We envision that this work opens up a number of directions section.
for future research, including the analysis of the spread of Theorem 1: If γ > 1, starting from ρ0 = 0 NAM con-
two or more distinct malware. Protective measures can then verges without overshoot to the solution of f (ρ ? ) = 0, where
be implemented either at the host level, e.g. upgrades to ρ ? approximates the node infection probability.
OSes/firmware that add address space layout randomization Proof: Finding a solution for Equation (35) is equiv-
(ASLR), or at the network level, e.g. blocking SMB ports and alent to detecting a root of Equation (36). If γ > 1 and

66380 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

(0)
f (0) × f 00 (0) > 0 it follows from Darboux’s theorem [71] Let ρi be the approximate infection probability after i
that starting from ρ0 = 0 NAM converges without any over- iterations of NAM, with ρ0 = 0. Then,
shoot to the solution. To check the hypothesis of Darboux’s λ
(0)
theorem note that ρ1 = ,
λ+µ
µ λ − µγ −ρ1 n ρ12 n ln γ


f (0) = −1 and f (1) = > 0, ρ2
(0)
(44)
λγ =
λ − µγ −ρ1 n (ρ1 n ln γ − 1)
where µ, λ > 0 and γ > 1. In addition, where ρ1 = ρ1 .
(0)
(1)
µ µn ln γ Similarly, let ρi be the approximate infection probability
f 0 (0) = and f 00 (0) = −2 . after i iterations of NAM, with ρ0 = 1,
λγ λ
λ − µγ −n (n ln γ )
The result follows from the fact that ln γ > 0, which implies (1)
ρ1 = , (45)
that γ > 1 and f (0) × f 00 (0) > 0. λ − µγ −n (n ln γ − 1)
Theorem 2: The expression of ρi+1 at iteration i + 1, as a (1)
and with ρ2 given by Equation (44), replacing ρ1 by ρ1 .
(1)
function of ρi produced at iteration i, is given by
D. HEURISTIC TO SET INITIAL VALUE
λ − µγ −ρi n (ρi2 n ln γ )
ρi+1 = . (39) As indicated in Appendix A-C, the accuracy of NAM is
λ − µγ −ρi n (ρi n ln γ − 1) very dependent on the considered initial condition. We have
shown that to produce tractable closed-form expressions for
Proof: According to the Newton Approximation the infection probability, we can consider two initial condi-
Method (NAM), tions that simplify the resulting expressions, namely ρ0 = 0
and ρ0 = 1. In what follows, we indicate an heuristic to
f (ρi )
ρi+1 = ρi − (40) choose between those two initial conditions. The heuristic is
f 0 (ρi ) inspired by the numerical results presented in Figure 11(a)
from (36) and Figure 11(b) for ρ0 = 0 and ρ0 = 1, respectively,
z
µ
}| { with the same parameters as in Figure 8 (µ = 1, 3 = 10
ρi + ρi γ −ρi n − 1 and λ = 3/N ). Note that ρ0 = 1 typically produces good
= ρi − λ (41)
µ −ρi n approximations, except when the obtained values evaluate to
1+ γ (1 − ρi n ln γ ) quantities beyond the range of interest which varies between
| λ {z } 0 and 1. In those cases, the approximation through ρ0 = 0
from (37)
produces accurate estimates.
ρi µλ γ −ρi n − (ρi µλ γ −ρi n )(ρi n ln γ ) − ρi µλ γ −ρi n + 1 The discussion in the previous paragraph motivates the fol-
=
1 + µλ γ −ρi n (1 − ρi n ln γ ) lowing heuristic. First, evaluate the infection probability con-
sidering the initial value ρ0 = 1. If the resulting expression
1 − ( µλ γ −ρi n )(ρi2 n ln γ ) to estimate the infection probability produces a value greater
= (42) than 1 or less than 0, then switch to ρ0 = 0. We denote by
1 − µλ γ −ρi n (ρi n ln γ − 1)
ρ2 (N ) the infection probability obtained through that simple
λ − µγ −ρi n (ρi2 n ln γ ) heuristic,
= (43)
λ − µγ −ρi n (ρi n ln γ − 1)
(
(1) (1)
ρ2 (N ), if 0 ≤ ρ2 (N ) ≤ 1
ρ2 (N ) = (0) (46)
ρ2 (N ), otherwise.
Figure 11(c) illustrates the behavior of the proposed heuristic
C. CLOSED-FORM APPROXIMATION FOR for ρ ≥ 1.06. In the considered example, ρ0 = 1 produced
INFECTION PROBABILITY accurate results except when γ = 1.03. In the latter case,
Using the precedent approach it is possible to obtain a closed- as shown in Figure 11(b), setting ρ0 = 1 produces results that
form expression for an approximation of the infection proba- are outside the range [0,1]. Hence, for γ = 1.03 we should
bility. Numerically, we experimentally found that using only set ρ0 = 0 which again produces accurate results as shown
two iterations of NAM is enough to obtain accurate approxi- in Figure 11(a).
mations. In what follows, we refine the considered heuristic in
The initial value ρ0 for NAM is key for the gener- order to contemplate scenarios such as those corresponding to
ation of accurate results. We consider two initial values γ = 1.03 in the considered setup. To that aim, note that in
ρ0 = 0 and ρ0 = 1 to obtain two approximations the numerical examples presented above, when γ ≥ 1.06,
of the infection probability. In Appendix A-D we present large values of N produce an infection probability close to 1,
a simple heuristic to determine which is the best initial which in turn favor NAM with initial condition ρ0 = 1
value. as opposed to ρ0 = 0. Accordingly, when γ ≤ 1.03 the

VOLUME 8, 2020 66381

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

such dependency was implicit). According to Equation (47),

if NAM produces results out of the range [0,1], for a given
(z)
value of Ñ , then ρ̄2 (N ) = −∞ for N ≥ Ñ . The refined
heuristic is given by,
 
(0) (1)
ρ̄(N ) = max ρ̄2 (N ), ρ̄2 (N ) . (48)
Figure 11(c) illustrates the approximation obtained consider-
ing the refined heuristic. As shown in Figure 11(c), the refined
heuristic captures the fact that ρ0 = 0 should be chosen
for γ = 1.03. We have evaluated the refined heuristic
under different configurations (not reported in the paper), and
observed that it captured the right initial condition under all
the considered examples.

APPENDIX B
MULTIPLICATIVE VERSUS ADDITIVE
INFECTION MODELS
Next, we further discuss the relationship between additive
and multiplicative infection models. First, note that with a
logarithmic change of variables, namely, letting λ = log λ̃
and γ = log γ̃ , we have
 
λ + γ d = log λ̃γ̃ d . (49)
The equation above allows us to relate the infection rates
under the additive and multiplicative models. A similar idea
has been considered in [72], wherein the authors rely on
geometric programming for epidemic control after replacing
summations by products.
Throughout this paper, we considered the multiplicative
model under the assumption that γ > 1. As argued in
Section III-E, it is always possible to set γ > 1, as far as time
units are conveniently normalized. In the remainder of this
appendix, we briefly discuss an interpretation of the model
under γ < 1, which is out of the scope of this paper but may
be of interest on its own.
If γ < 1, the multiplicative model can be interpreted as
follows. The infection occurs if the external attacker infects
a node and all neighbors infect that node as well. The ‘‘and’’
comes in as the multiplication of probabilities, assuming that
the respective events are all independent.
Note that under the additive model, a node may be infected
FIGURE 11. Infection probability, obtained through NAM: (a) initial externally or by any of its neighbors. In that case, the ‘‘or’’
condition ρ0 = 0; (b) ρ0 = 1; and (c) initial condition chosen by the
proposed heuristic. comes in as the addition. In particular, the aggregation of
independent Poisson processes is also a Poisson process with
infection probability is decreasing with respect to N in the rate equal to the sum of the rates of the independent processes.
range of interest, favoring ρ0 = 0 irrespectively of N . As in this work we consider the setup wherein the infection
(z)
Let ρ̄2 (N ) be the value of NAM at its second iteration, rate increases as the number of infected neighbors grows,
under initial condition z, if the produced value is in the range we assume γ > 1. In this setting, the multiplicative model
between 0 and 1, for all n ≤ N , and −∞ otherwise. Then, is contrasted against the additive model in Section III-E.
 (z) (z)
 ρ2 (N ), if 0 ≤ ρ2 (N ) ≤ 1
 APPENDIX C
(z) (z)
ρ̄2 (N ) = and ρ̄2 (N − 1) 6 = −∞, (47) ALTERNATIVE DERIVATION OF BINOMIAL


−∞, otherwise, APPROXIMATION
Zhang and Moura [45] describe an alternative approach to
where z, 0 ≤ z ≤ 1, is the initial value for ρ0 . Equation (47) derive a result similar in spirit to Lemma 1 taking into account
explicitly sets the dependence of ρ on N = n+1 (in Lemma 1 the most-probable state x ∈ X .

66382 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

Approximation by Most-Probable State x ∈ X : Next,

we consider an alternative approach to approximate the prob-
ability that a node is infected in steady-state. Recall that
the steady-state probability of state x, π(x), is given by
Equations (6), (7) and (8). In order to approximate the prob-
ability that a node is infected in steady-state, Zhang and FIGURE 12. Markov chain for the fully connected network topology when
Moura [45] leverage the notion of most-probable state x? = N = 3.
(x1? , x2? , . . . , xN? ), with x? = arg max π(x).
x∈X
Then, Theorem 4.1 from [45], constitutes an alternative B. MULTIPLICATIVE MODEL
derivation of the binomial approximation. For completeness, Under the multiplicative model,
we reproduce the theorem below.
3̃i = λγ i (54)
Theorem 3: If π̃(x? )  π̃(x), ∀x ∈ X \ x? , then
−1 Therefore,
µ

P(xk = 1) ≈ 1 + ? , (50) k
λ(N )γ mk Y (N − i + 1)λγ i−1
πk = π0 , k = 1, 2, . . . , N (55)
where iµ
i=1
 k Qk
N λ i=1 (N − i + 1)γ
i−1
= π0 (56)
m?k ak,j xj? .
X
= (51) µ
Qk
i=1 i
j=1  k  Y k
The proof of Theorem 4.1 in [45] consists of rewriting the λ N
= π0 γ i−1 (57)
steady-state distribution (6)-(7) in light of the Boltzmann dis- µ k
i=1
 that π̃(x) = e
tribution. From Equation (7), note H (x) , x∈
λ
X where H (x) = 1 x log µ + 2 x Ax log γ . Then,
T 1 T It follows that
Equation (50) is obtained from the relation between π̃(x) and  k   P
λ N k
the Boltzmann distribution [73]. πk = π0 γ i=1 (i−1) (58)
µ k
In Equation (50), m?k is the number of infected neighbors  k  
of node k in the most-probable configuration. N ? , determined λ N k(k−1)/2
= π0 γ (59)
by Equation (19) in Lemma 1, is directly related to m?k µ k
determined by Equation (50). Equation (19) is obtained from In addition,
Equation (50) replacing m?k by N ? .
1
π0 =  k (60)
PN λ N
k(k−1)/2
APPENDIX D 1+ k=1 µ k γ
EXACT MODEL SOLUTION AND APPROXIMATIONS FOR
FULLY CONNECTED NETWORK TOPOLOGY and
A. GENERAL SOLUTION 1
Z= . (61)
Under the fully connected network topology with N nodes, π0
the number of infected nodes is characterized by a birth-death
The equations above are in agreement with (13).
process. The state of the process is the number of infected
nodes. The rate from state i to state i − 1 equals iµ, as any
C. ADDITIVE MODEL
of the i nodes may recover, for i = 1, . . . , N . The rate
from state i to state i + 1, in turn, depends on whether we Under the additive model,
consider the multiplicative or the additive model. We denote
3̃i = λ + iγ (62)
by (N − i)3̃i the rate from state i to state i + 1 (see Figure 12).
Then, the stationary steady state solution of the system is the Therefore, for k = 1, 2, . . . , N ,
classical solution to a birth death Markov chain,
k
Y (N − i + 1)(λ + (i − 1γ )
k
Y 3̃i−1 πk = π0 (63)
πk = π0 , k = 1, 2, . . . , N (52) iµ
i=1
iµ  k Qk
i=1 1 i=1 (N − i + 1)(λ + (i − 1)γ )
= π0 (64)
and µ k!
 k   Y k
1 1 N
π0 = . (53) = π0 (λ + (i − 1)γ ), (65)
PN Qk (N −i)3̃i−1 µ k
1+ k=1 i=1 iµ i=1

VOLUME 8, 2020 66383

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

and Leveraging the symmetry between nodes, we let

1 lim πj,I (t) = ρ.
π0 =  k . (66) t→∞
PN 1 N Qk


1+ k=1 µ k i=1 (λ + (i − 1)γ ) Then, in stationary regime it follows from (72) that
Recall from (11) that 0 = −µρ + λ + (N − 1)γρ (1 − ρ)


E(I ) = −(N − 1)γρ 2 − (λ + µ) − (N − 1)γ ρ + λ.


ρ(N ) = = (67)
N
N k
 k   Y Whenever the equation above admits a root between 0 and 1,
1 X 1 N
= kπ0 (λ + (i − 1)γ ), (68) it is given by
N µ k √
k=0 i=1
(λ + µ) − (N − 1)γ ± 1
where ρ(N ) = (73)
2(1 − N )γ
N
X where
E(I ) = ιπι (69)
2
ι=0 1 = (λ + µ) − (N − 1)γ + 4(N − 1)γ λ.
is the expected number of infected nodes. In particular, if λ = 0 and (N − 1)γ > µ the solution is
given by
D. NIMFA APPROXIMATION UNDER ADDITIVE MODEL
1
The direct and exact solution of the infection model (65) ρ(N ; λ = 0) = 1 − .
involves a product not expressed in closed form. In part, this γ (N − 1)/µ
occurs because the model solution requires the characteriza- which is in agreement with [15].
tion of the infection probability of each node conditioned on Figure 13 shows the infection probability ρ as a function
the states of neighboring nodes. The states of the neighboring of N , letting µ = 1 and λ = 1/N . The full lines are
nodes, in turn, is captured through the expected value of a obtained through the exact solution of the Markov chain
product of random variables. In this section, we rely on a (Equation (68)) whereas the circles are obtained through the
mean-field (MF) approximation referred to as N -interwinded NIMFA approximation (Equation (73)) for γ = 0.2, 0.3
MF approximation (NIMFA) to compute the fraction of and 0.4, respectively. As in the case of the multiplicative
infected nodes. The approximation consists of replacing the model considered in the remainder of this paper, the infection
expectation of the product of random variables by the product probability first decreases and then increases as the number
of their expectations [15], [74], [75]. of vulnerable nodes grows. In addition, the NIMFA approxi-
Let Xj,0 (t) and Xj,I (t) be two indicator random variables mation captures well the behavior of the exact MC solution,
equal to 1 if node j is healthy or infected, respectively. allowing to find the number of vulnerable nodes that mini-
Accordingly, let πj,0 (t) and πj,I (t) be the probabilities that mizes the infection probability. It is also worth noting that the
node j is healthy or infected at time t, respectively. Note that NIMFA model overestimates the infection probability, which
is in agreement with [76], [77] although the assumptions of
E(Xj,0 (t)) = πj,0 (t), (70) those related works do not account for exogenous infections
E(Xj,I (t)) = πj,I (t). (71)
The time change of E(Xj,I (t)) is given by
 
 
dπj,I (t) X
= −µπj,I (t) + E Xj,0 (t) λ + γ Xk,I (t) 
dt
k6=j

As mentioned above, the NIMFA approximation consists of

replacing the expectation of the product of random variables
by the product of their expectations. Let rj (t) be the endoge-
nous infection rate towards node j by its neighbors, at time t.
Under NIMFA, rj (t) is approximated as follows,
X X
rj (t) = γ Xk,I (t) ≈ γ πk,I (t)
k6=j k6=j

which yields
 
dπj,I (t) X
= −µπj,I (t) + λ + γ πk,I (t) πj,0 (t). (72) FIGURE 13. Additive model under complete graph topology: comparing
exact solution against NIMFA approximation. We let λ = 1/N and µ = 1,
dt
k6=j varying γ between 0.2, 0.3 and 0.4.

66384 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

(see also [78], [79]). A more careful analysis of the conditions

under which NIMFA overestimates the infection probability,
as well as of the connections between the exact MC solution
and NIMFA, are left as subject for future work, noting that
a detailed discussion about NIMFA accuracy under general
topologies can be found at [75].

E. NIMFA APPROXIMATION UNDER

MULTIPLICATIVE MODEL
Next, we consider the multiplicative model under the NIMFA
approximation. Using the same terminology as in the previ-
ous section, the time change of E(Xj,I (t)) is given by
dπj,I (t)  P 
= −µπj,I (t) + E Xj,0 (t)λγ k6=j Xk,I (t) .
dt
As mentioned above, the NIMFA approximation consists of
replacing the expectation of the product of random vari-
ables by the product of their expectations. In the scenario
of the multiplicative model, we also consider an additional
approximation, which consists of replacing the expectation
E γ Xk,I (t) by γ E(Xk,I (t)) .

In summary, we consider the following two approxima-

tions:
• (A1) independence approximation: replace the expec-
FIGURE 14. Multiplicative model under complete graph topology:
tation of the product of random variables by the product comparing exact solution against NIMFA approximation, letting µ = 1 and
of expectations; 3 = 10: (a) under approximations (A1) and (A2) and (b) under
approximation (A1).
• (A2) functional approximation: replace the expecta-
tion of a function, E γ X , by a function of the expec-

tation, γ E(X ) . In the numerical experiments that follow, we indicate that (76)
Under the two approximations above, the endogenous typically provides better approximations than (77). This
infection rate towards node j by its neighbors, at time t, occurs as we empirically observed that (76) slightly overesti-
is given by mates the infection probability. This, in turn, is in agreement
with [76], [77]. Then, approximation (A2) serves as a correc-
k6=j πk,I (t)
P P
rj (t) = γ k6=j Xk,I (t) ≈γ tion. Indeed, it follows from Jensen inequality that
which yields  
E γ X ≥ γ E(X ) , γ > 1, 0 ≤ X ≤ 1. (78)
dπj,I (t)
= −µπj,I (t) + λγ k6=j πk,I (t) πj,0 (t).
 P 
(74)
dt The inequality above implies that approximation (A2) favors
Leveraging the symmetry between nodes, we let a reduction in the infection probability, and that together
(A1) and (A2) balance out to produce better approximations
lim πj,I (t) = ρ. (75)
t→∞ through (76) when compared against (77).
Then, in stationary regime it follows from (74) that Figure 14 shows the infection probability ρ as a function
  of N , letting µ = 1, 3 = 10 and λ = 3/N . The full
0 = −µρ + λγ (N −1)ρ (1 − ρ) lines are obtained through the exact solution of the Markov
Therefore, chain (Equations (59)-(61)) whereas the stars, squares and
1 circles are obtained through the NIMFA approximation for
ρ=
−1 . (76) γ = 1.1, 1.15 and 1.2, respectively. Equation (76) is used
1 + µ λγ (N −1)ρ to obtain Figure 14(a), under approximations (A1) and (A2),
The above derivation indicates that the NIMFA approxi- and Equation (77) is used to obtain Figure 14(b), under
mation provides an alternative derivation and rationale to approximation (A1).
approximation (35), referred to as the binomial approxima- As in Appendix D-D, the NIMFA approximation cap-
tion in this paper. tures the behavior of the exact MC solution, allowing to
Alternatively, if we consider only approximation (A1), but find the number of vulnerable nodes that minimizes the
not (A2), the infection probability is given by the root of the infection probability. In addition, the NIMFA approxima-
following equation, tion again overestimates the infection probability. Applying
 (N −1) approximation (A2) on top of (A1) favors a correction of the
0 = −µρ + λ(1 − ρ) γρ + (1 − ρ) . (77) overshooting, as evidenced by the closer agreement between

VOLUME 8, 2020 66385

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

the exact MC solution and the approximations in Figure 14(a)

when compared against Figure 14(b).

APPENDIX E
EXACT MODEL SOLUTION AND APPROXIMATIONS FOR
BIPARTITE NETWORK TOPOLOGIES
Next, we consider the solution of the model for bipartite
network topologies. Figure 15 shows the Markov chains cor-
responding to the proposed epidemic model accounting for up
to 4 vulnerable nodes, assuming a bipartite network topology.
The Markov chains leverage symmetry in the bipartite graph.
In what follows, we solve the corresponding Markov chains.
To appreciate the analysis that follows through a very
simple example, we start considering the case of a single
vulnerable node. The solution in this simple case, as well as in
the case of two vulnerable nodes, is in agreement with the full
topology considered so far. Then, we consider three and four
nodes, indicating the specifics of the role played by topology
on the model solution.

A. ONE VULNERABLE NODE

In this case, states 0 and 1 correspond to the vulnera-
ble node being susceptible and infected, respectively (see
Figure 15(a)). The corresponding steady state probabilities
are π0 and π1 . Then,

π0 λ = µπ1
π0 + π1 = 1

Therefore,
µ λ
π0 = , π1 =
λ+µ λ+µ
Alternatively, we can rely on results from the detailed state
space introduced in Section V-C to derive the same results.
In this appendix, we refer to a state of the Markov chain
considered in the rest of this paper as a detailed state, and
to the lumped states considered in this appendix simply as
states. To each state i we associated its corresponding class
of symmetric detailed states. The symmetric detailed states
in each class have all the same steady state probability. Let
νi be the number of symmetric detailed states in the class of
state i. The steady state probability of each of those symmetric
detailed states equals πi /νi . It follows from (6)-(8) that
 1x T
λ T
π̃i = νi γ x Ax/2 (79) FIGURE 15. Markov chains for the bipartite topology with up to
µ 4 vulnerable nodes.
π̃i and
πi = P (80)
π̃j
π̃0 1 µ
∀j π0 = P = λ
=
π̃j 1+ µ
λ+µ
Then, ∀j
λ
π̃1 λ
 0
λ µ
π̃0 = γ0 = 1 π1 = P = λ
=
µ π̃j 1+ µ
λ+µ
∀j
λ1 0 λ
π̃1 = γ = The infection probability is given by ρ = π1 .
µ µ
66386 VOLUME 8, 2020
V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

B. TWO VULNERABLE NODES 2) ADDITIVE MODEL

1) MULTIPLICATIVE MODEL The Markov chain corresponding to the additive model with
The Markov chain corresponding to the multiplicative model two nodes is obtained from the one shown in Figure 15(b),
with two nodes is shown in Figure 15(b). In that case, state replacing the rate from state 1 to state 2 from λγ by λ + γ .
i corresponds to i infected nodes in the network, i = 0, 1, 2. In that case, state i corresponds to i infected nodes in the net-
The corresponding steady state probabilities are πi . Then, work, i = 0, 1, 2. The corresponding steady state probabilities
are πi . Then,
π0 2λ = µπ1
π0 2λ = µπ1
π1 λγ = 2µπ2
π1 (λ + γ ) = 2µπ2
π0 + π1 + π2 = 1
π0 + π1 + π2 = 1
Therefore, Therefore,
π0 2λ π0 2λ λγ
 
1
π0 + + =1 π0 = 2λ γ +λ
µ µ 2µ 1+ 2λ
+
µ µ 2µ

and 2λ
µ
1 µ2 π1 = 2λ λ γ +λ
π0 = = 1+ µ + µ µ
1+ 2λ
+ λ2 γ µ2 + 2λµ + λ2 γ
µ µ2
λ γ +λ
2λµ µ µ
π1 = 2 π2 = λ γ +λ
µ + 2λµ + λ2 γ 1+ 2λ
µ + µ µ
λ2 γ
π2 = 2 The infection probability is given by ρ = (π1 + 2π2 )/2,
µ + 2λµ + λ2 γ
λ λ(γ +λ)
E(I ) µ + µ2
As discussed in the previous section, those results can also be ρ= = λ(λ+γ )
. (82)
similarly obtained using the detailed state space introduced 2 1 + 2λ
µ + µ2
in Section V-C. Considering the same terminology as the one
introduced in the previous section (see Equations (79)-(80)), C. THREE VULNERABLE NODES
In this case, the bipartite topology is composed of two
λ0 0 subgraphs. One subgraph contains one node, and the other
π̃0 = 1 γ =1
µ contains two nodes. The fact that the number of nodes in
λ1 2λ each subgraph is distinct breaks symmetry, and requires us
π̃1 = 2 γ 0 = to keep track of two state variables at four states, where the
µ µ
λ2 1 λ2 γ first state variable characterizes the state of the subgraph
π̃2 = 1 γ = 2 comprised of a single node, and the second state variable
µ µ
corresponds to the state of the other subgraph. State 0 cor-
Then, responds to 0 infected nodes. State (1,0) corresponds to one
isolated node being infected in the subgraph comprised of
π̃0 1 µ2 a single node. State (0,1), in contrast, corresponds to one
π0 = P = = node being infected in the subgraph comprised of two nodes.
π̃j 1 + 2λ λ2 γ µ2 + 2λµ + λ2 γ
∀j µ + µ2 As pointed out above, we need to distinguish states (1,0)
π̃1 2 µλ 2λµ
and (0,1) due to symmetry breaking. Similarly, states (1,1)
π1 = P = = and (0,2) correspond to one node in each subgraph being
π̃j 1 + 2λ λ2 γ µ2 + 2λµ + λ2 γ
∀j µ + µ2 infected, and two nodes in the same subgraph being infected,
respectively. Finally, state 3 corresponds to all nodes being
λ2 γ
π̃2 µ2 λ2 γ infected.
π2 = P = =
π̃j 1+ 2λ
+ λ2 γ µ2 + 2λµ + λ2 γ
∀j µ µ2 1) MULTIPLICATIVE MODEL
The Markov chain corresponding to the multiplicative model
The infection probability is given by ρ = (π1 + 2π2 )/2, is shown in Figure 15(c). The flow balance equations are
λ γ 2 given as follows,
λ
E(I ) µ + µ2
ρ= = . (81) π0 3λ = µ(π0,1 + π1,0 ) (83)
2 λ2 γ
1 + 2λ
µ + µ2
(π1,0 2γ + π0,1 (1 + γ ))λ = 2µ(π0,2 + π1,1 ) (84)

VOLUME 8, 2020 66387

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

π0,2 λγ 2 + π1,1 λγ = 3µπ3 (85) 2) ADDITIVE MODEL

π1,0 (µ + 2λγ ) = π0 λ + π1,1 µ (86) The Markov chain corresponding to the additive model is
π0,1 (µ + λ + λγ ) = π0 2λ + π1,1 µ + π0,2 2µ (87) shown in Figure 15(d). The flow balance equations are given
as follows,
and
π0 3λ = µ(π0,1 + π1,0 )
π0 + π1,0 + π0,1 + π0,2 + π1,1 + π3 = 1 (88) 2π1,0 (λ + γ ) + π0,1 (2λ + γ ) = 2µ(π0,2 + π1,1 )
π0,2 (λ + 2γ ) + π1,1 (λ + γ ) = 3π3 µ
We also let π1,0 (µ + 2λ + 2γ ) = π0 λ + π1,1 µ
π0,1 (µ + 2λ + γ ) = π0 2λ + µ(π1,1 + 2π0,2 )
π1 = π1,0 + π0,1 (89)
π2 = π0,2 + π1,1 (90) and

The first three equations above are obtained by considering π0 + π1,0 + π0,1 + π0,2 + π1,1 + π3 = 1
the balance of flow in and flow out between the four layers of
states, i.e., accounting for sets of states 0, {0, (1, 0), (0, 1)}, Symbolically solving the system of equations above is a
and {0, (1, 0), (0, 1), (1, 1), (0, 2)}, respectively. The follow- daunting task, which evidences the benefits of the multiplica-
ing two equations correspond to flow in balancing flow out tive model for which there are closed form expressions for
in states (1,0) and (0,1), respectively. the stationary state probabilities. Nonetheless, with the help
Using the detailed state space introduced in Section V-C, of the Matlab symbolic solver, we are able to express all
we compute the steady state probabilities. Considering the quantities in closed form. Letting µ = 1,
same terminology as the one introduced in the previous
section (see (79)-(80)), π̃i
πi =
Z
λ0 0 5
π̃0 = 1 γ =1
X
µ Z = ζi λi
i=0
λ1 λ
π̃1,0 = 1 γ0 =
µ µ where
λ1 0 λ
π̃0,1 = 2 γ =2 π̃0 14λ2 + (21γ + 19)λ + ζ0
=
µ µ
 2 π̃10 30λ3 + (39γ + 43)λ2 + (33γ + 12γ 2 + 9)λ
=
λ λ2 γ
π̃1,1 = 2 γ1 = 2 2 π̃01 12λ3 + (24γ + 14)λ2 + (12γ 2 + 12γ + 18)λ
=
µ µ
 2
λ λ 2 π̃02 60λ4 + (138γ + 102)λ3 +
=
π̃0,2 = 1 γ0 = 2 + (170γ +102γ 2 +42)λ2 + (36γ + 70γ 2 + 24γ 3 )λ
µ µ
 3
λ λ3 γ 2 π̃11 = 12λ4 + (30γ + 6)λ3 + (10γ + 24γ 2 + 6)λ2 +
π̃3 = 1 γ2 = + (4γ 2 + 6γ 3 )λ
µ µ3
π̃3 = ζ5 λ5 + (84γ + 36)λ4 + (98γ + 108γ 2 + 16)λ3 +
Then,
+ (30γ +88γ 2 +60γ 3 )λ2 +(12γ 2 + 26γ 3 + 12γ 4 )λ
π̃i
πi = , i = 0, 1, 2, 3, 4. (91) and
3λ λ2 (1+2γ ) λ3 γ 2
1+ µ + µ2
+ µ3
ζ5 = 24
It can be readily verified that the solution above satis- ζ4 = 84γ + 108
fies (83)-(90).
ζ3 = 108γ 2 + 266γ + 166
The infection probability of a uniformly selected node is
given by ζ2 = 60γ 3 + 214γ 2 + 273γ + 119
ζ1 = 12γ 4 + 56γ 3 + 110γ 2 + 102γ + 46
2 π01 + π11
 
1
ρ = (π10 + +π11 + π3 ) + + π02 + π3 ζ0 = 8γ 2 + 15γ + 9
3 3 2
Contrasting the equation above against the solution to the
λ λ2 γ λ2 λ3 γ 2
 
E(I ) 1  3 µ + 4 µ2 + 2 µ2 + 3 µ3  multiplicative model (see Equation (91)), we note that the
= = . multiplicative model is instrumental to analyze and study
3 3 1 + 3λ + λ2 (1+2γ ) + λ3 γ 2
µ µ 2 µ 3
general topologies.

66388 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

D. FOUR VULNERABLE NODES Then,

In this case, we have a bipartite network comprised of two π̃i
subgraphs with two nodes each. Except when there are two πi = , (106)
4λ 2λ2 (1+2γ ) 4λ3 γ 2 λ4 γ 4
infected nodes in the network, it suffices to keep track of the 1+ µ + µ2
+ µ3
+ µ4
number of infected nodes in the network. Therefore, state i for i ∈ {0, 1, (1, 1), (0, 2), 2, 3, 4}, where π̃i is
corresponds to i infected nodes, for i = 0, 1, 3, 4. When given by (99)-(105).
i = 2, we need to distinguish between two states: (2,0) and The infection probability is given by
(1,1). At state (2,0), we have two nodes infected in the same
λ λ2 γ λ2 λ3 γ 2 λ4 γ 4
 
subgraph, noting that the identity of the subgraph is irrelevant. 1  4 µ + 8 µ2 + 4 µ2 + 12 µ3 + 4 µ4 
At state (1,1), in contrast, we have two nodes infected, each ρ= .
4 2λ2 (1+2γ ) 4λ3 γ 2 λ4 γ 4
1 + 4λµ + µ2 + µ 3 + µ 4
node in a distinct subgraph.
2) ADDITIVE MODEL
1) MULTIPLICATIVE MODEL
The Markov chain corresponding to the multiplicative model Next, we present the solution to the four node bipartite topol-
is shown in Figure 15(e). The flow balance equations are ogy under the additive model. The solution serves to further
given as follows, evidence the simplicity of the multiplicative model. As in the
previous section, with the help of the Matlab symbolic solver,
π0 4λ = µπ1 (92) we are able to express all quantities in closed form. Letting
π1 (2λγ + λ) = 2µ(π2,0 + π1,1 ) (93) µ = 1,
π2,0 2λγ 2 + π1,1 2λγ = 3µπ3 (94) π̃i
πi =
π3 λγ 2 = 4µπ4 (95) Z
5
π1 2λγ + π3 2µ (2µ + 2λγ )π1,1 (96)
X
= Z = ζi λi
i=0
and
where
π0 + π1 + π2,0 + π1,1 + π3 + π4 = 1 (97)
π̃0 = 3λ + ζ0
We also let
π̃1 = 4λ(3λ + ζ0 )
π2 = π2,0 + π1,1 (98) π̃20 = 2λ(2γ 2 + 5γ λ + 3λ2 + 3λ)
The first four equations above are obtained by considering the π̃11 = 4λ(4γ 2 + 8γ λ + 3γ + 3λ2 + 3λ)
balance of flow in and flow out of the sets of states 0, {0, 1}, π̃3 = 4λ(4γ 3 +12γ 2 λ+2γ 2 +11γ λ2 + 6γ λ + 3λ3 + 3λ2 )
{0, 1, (2, 0), (1, 1)} and {0, 1, (2, 0), (1, 1), 3}, respectively. π̃4 = (2γ + λ)π̃3 /4
Equation (96) corresponds to balancing flow in and flow out
from state (1,1). and
Using the detailed state space introduced in Section V-C, ζ5 = 3
we compute the steady state probabilities. Considering the
ζ4 = 17γ + 15
same terminology as the one introduced in the previous
section (see (79)-(80)), ζ3 = 56γ + 34γ 2 + 30
 0 ζ2 = 66γ + 62γ 2 + 28γ 3 + 30
λ
π̃0 = 1 γ0 = 1 (99) ζ1 = 32γ + 28γ 2 + 20γ 3 + 8γ 4 + 15
µ
 1 ζ0 = 5γ + 3
λ λ
π̃1 = 4 γ0 = 4 (100)
µ µ Comparing the equations above against those derived in
 2
λ λ2 γ Section E-C2, we note that due to symmetry the solution
π̃1,1 = 4 γ1 = 4 2 (101) of the four node topology is much simpler than that for
µ µ
 2 three nodes. Nonetheless, further contrasting the equations
λ λ2 above against the multiplicative model (see Equation (106)),
π̃2,0 = 2 γ0 = 2 2 (102)
µ µ we again appreciate that the multiplicative model is instru-
2λ2 (1 + 2γ ) mental to analyze and study general topologies.
π̃2 = (103)
µ2
 3 E. GENERAL NUMBER OF NODES
λ λ3 γ 2
π̃3 = 4 γ2 = 4 3 (104) Next, we consider a bipartite graph with N = 2(Ñ − 1)
µ µ nodes, with Ñ − 1 nodes in each partition. A naive solution to
 4
λ λ4 γ 4 compute the infection probability involves a Markov chain
π̃4 = 1 γ4 = (105)
µ µ4 with state space cardinality of Ñ 2 , as each partition can

VOLUME 8, 2020 66389

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

have from 0 up to Ñ − 1 infected nodes. If N = 4, this

amounts to 9 states. Nonetheless, further leveraging the prob-
lem symmetry we can lump the state space, e.g., leading to the
6 state Markov chain in the case of four nodes (Figures 15(c)
and 15(d) show the lumped MCs for the multiplicative and
additive models, respectively).

1) LUMPED STATE SPACE CARDINALITY

Next, we compute the cardinality of the lumped state
space. The state space is divided into layers, where each
layer ` corresponds to a given number of infected nodes,
` = 0, 1, . . . , 2(Ñ −1). At layer `, the number of states equals
the number of ways to throw ` balls into 2 indistinguishable
bins (corresponding to the two partitions of the bipartite
graph), where each bin can contain up to Ñ − 1 balls. Let
B(`) be the number of states at layer `. Then, B(`) is given
by the Gaussian binomial coefficient,

h i Ñ + 1
B(`) = q`
2 q

FIGURE 16. NIMFA approximation: NIMFA is insensitive to the network

where q` P denotes the coefficient of q` in polynomial P
 
topology being a bipartite graph or a complete graph. The exact solution
and of the Markov chain model indicates that there is a slight difference
between the exact solution of the the two under (a) additive model and
(b) multiplicative model. We let 3 = 10, µ = 1 and γ vary between 1.1,
1.15 and 1.2 under the multiplicative model and 3 = 1, µ = 1 and γ vary
(1 − qÑ +1 )(1 − qÑ )
 
Ñ + 1 between 0.2, 0.3 and 0.4 under the additive model.
= .
2 q (1 − q)(1 − q2 )

generator matrix Q are given by q(i,j),(k,l) ,

Let |B | be the cardinality of the state space of the lumped
model corresponding to the bipartite topology. Then, 
 ((Ñ − 1) − i)λ+

+j((Ñ − 1) − i)γ , if k = i + 1 and j = l





2(X
Ñ −1) 
 ((Ñ − 1) − j)λ+
 
Ñ + 1


|B | = B(`) = q(i,j),(k,l) = +i((Ñ − 1) − j)γ , if i = k and l = j + 1
2 q q=1
`=0 
 iµ, if i = k + 1 and j = l

= (Ñ + 1)Ñ /2. (107)






 jµ, if j = l + 1 and i = k

0, otherwise
The rationale goes as follows. If there are Ñ − 1 nodes per
˜ 1)/2 ways to configure the number
partition, there are Ñ (N − where i, j, k and l are all greater than or equal to zero, and
of infections in the top and bottom partitions, restricted by the strictly smaller than Ñ . Then, the steady state solution is given
number of infected nodes in the top partition being strictly by the standard flow balance equations,
larger than the number of infected nodes in the bottom one. XX
In addition, there are Ñ configurations in which the number πQ = 0, πij = 1, (108)
of infected nodes in both partitions is the same. Together, i j
˜ 1)/2 + Ñ equals (107). If N = 20, 000, for instance,
Ñ (N − where π is the vector of stationary state probabilities. In par-
then |B | = 50, 015, 001 and the original state space has ticular, if Ñ = 2 and Ñ = 3, the solution above is in
cardinality 100,020,001. agreement with Appendices E-B2 and E-D2, respectively.

2) ADDITIVE MODEL 3) MULTIPLICATIVE MODEL

Next, we consider the additive model. To simplify presen- Next, we consider the multiplicative model. As in the pre-
tation, we account for the unlumped version of the model, vious section, to simplify presentation, we account for the
wherein there are Ñ 2 states. Each state (i, j) corresponds to unlumped version of the model, wherein there are Ñ 2 states.
i infected nodes in the top partition and j infected nodes in Each state (i, j) corresponds to i infected nodes in the top par-
the bottom one. Then, the positive entries of the infinitesimal tition and j infected nodes in the bottom one. Then, it follows

66390 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

FIGURE 17. Two topologies with central hubs: (a) star graph with 11 nodes and (b) star-ring
graph with 8 branches and 25 nodes.

from (6)-(8) that

  i+j
λ
 
Ñ − 1 Ñ − 1
πij = π00 γ ij
i j µ
1
π00 =
PÑ −1 PÑ −1 Ñ −1
Ñ −1
 λ i+j ij
i=0 j=0 i j µ γ
and
Ñ
X −1 Ñ
X −1
E(I ) = (i + j)πij
i=0 j=0
E(I ) FIGURE 18. Tree-cluster network topology: there are N = 4 children per
ρ = . node and a total of N = 25 nodes. Filled ellipses represent fully
2(Ñ − 1) connected subgraphs.
In particular, if Ñ = 2 and Ñ = 3, the solution above is in
agreement with Appendices E-B1 and E-D1, respectively.

F. NIMFA APPROXIMATION
For the additive model, the analysis that leads to Equa-
tion (73) still holds.
√
−(λ + µ) + (Ñ − 1)γ + 1
ρ(2(Ñ − 1)) = (109)
2(Ñ − 1)γ
where
1 = ((λ + µ) − (Ñ − 1)γ )2 + 4(Ñ − 1)γ λ. (110)
If λ = 0 and (Ñ − 1)γ > µ the solution is given by
1
ρ(2(Ñ − 1); λ = 0) = 1 − . (111)
γ (Ñ − 1)/µ
which is in agreement with [15].
Similarly, under the multiplicative model the NIMFA
FIGURE 19. Star-cliques graph with 8 clusters and 32 nodes.
approximation for bipartite networks is given by
1 Comparing the equations above against those presented in
ρ(2(Ñ − 1)) = −1 . (112)
Appendix D, we note that the same equations hold in the two

1 + µ λγ (Ñ −1)ρ
considered scenarios. The fact that the NIMFA equations for
The equation above is in agreement with (25), noting that all the complete and bipartite graphs are the same reflects the fact
nodes have the same degree equal Ñ − 1, i.e., d̃ = Ñ − 1. that NIMFA, in this setup, is insensitive to the specifics of the

VOLUME 8, 2020 66391

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

FIGURE 20. Outcome of the simulation experiments in a star network (Figure 17(a)), under the action of the Mirai Botnet in presence of a
strategic attacker. The reference values of the simulator parameters are: 3 = 1500, γ̃ = 5 × 10−5 , 3̃ = 2 × 10−2 and τ = 65. Model parameters
are shown in Table 3.

topology, which are captured only through node degrees. This topologies, in this scenario we exceptionally assume that λ
is due to the fact that NIMFA captures the direct impact of the decays according to (113) under the complete topology rather
neighbors of a node, but not second order effects, e.g., due to than λ = 3/Ñ .
neighbors of neighbors. Figure 16 shows that even though NIMFA does not dis-
Figure 16 shows the NIMFA solution for the bipartite tinguish between the two topologies, in reality there is a gap
graph (dotted lines), and contrasts it against the exact solution between the exact solution of the two. Figure 16(a) shows that
of complete graphs (full line) and bipartite graphs (circles, under the additive model, the infection probability estimated
squares and dots). Figures 16(a) and 16(b) correspond to by NIMFA is typically larger than the infection probabilities
the additive and multiplicative models, respectively. In all of bipartite graphs and complete graphs. In addition, the for-
scenarios, we assume mer is typically larger than the latter. In all cases, the infection
3 probability first decreases and then increases as the number
λ= (113) of vulnerable nodes grows.
2(Ñ − 1)
Figure 16(b) shows that under the multiplicative model
where Ñ − 1 is the number of vulnerable nodes in each the infection probability of a bipartite graph with Ñ − 1
partition of the bipartite graphs. In the complete graphs, Ñ nodes per partition is typically larger than that of a complete
is the number of vulnerable nodes in the network. Note that graph with Ñ nodes in the intermediary regime wherein
to allow for a comparison between the bipartite and complete the system transitions from being dominated by exogenous

66392 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

FIGURE 21. Outcome of the simulation experiments in a star-ring network with 7 branches (Figure 17(b)), under the action of the Mirai Botnet in
presence of a strategic attacker. The reference values of the simulator parameters are: 3̃ = 2 × 10−2 and τ = 65.

infections to being dominated by endogenous infections. The Recall that

NIMFA approximation overestimates the infection probabil- 3
ity of complete and bipartite graphs in that regime, e.g., when λ= .
N
Ñ − 1 varies between 45 and 50 in the setup where γ = 1.1
the dotted line (NIMFA) is above the full line (complete MC) In all scenarios, we have
and the dots (bipartite MC). 3
ρ(1) =
3+µ
APPENDIX F Next, we evaluate ρ(2) and establish conditions under which
CONDITIONS UNDER WHICH INFECTION PROBABILITY ρ(2) < ρ(1).
INITIALLY DECREASES AS POPULATION GROWS
One of the key results in the paper relates is the observation A. MULTIPLICATIVE MODEL
that the infection probability may increase as the population Under the multiplicative model, we have from (81), replacing
of vulnerable nodes grows. Next, we rely on results from λ by 3/2,
the previous sections to establish conditions under which the
3 32 γ
infection probability decreases when the number of vulnera- 2µ + 4µ2
ble nodes grows from one to two. We consider both the addi- ρ(2) = (114)
3 32 γ
tive and the multiplicative models of infection propagation. 1+ µ + 4µ2

VOLUME 8, 2020 66393

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

FIGURE 22. Outcome of the simulation experiments in a tree-cluster network (Figure 18), under the action of the Mirai Botnet in
presence of a strategic attacker. The reference values of the simulator parameters are: 3̃ = 2 × 10−2 and τ = 65.

Therefore, and an extensive analysis of necessary and sufficient condi-

32 γ
tions is left as subject for future work.
3
3 2µ + 4µ2
ρ(1) > ρ(2) ⇒ >
3+µ 1+ 3 32 γ B. ADDITIVE MODEL
µ + 4µ2
Under the additive model, we have from (82),
3 32 γ 3 32 γ
 
1
⇒ µ 1 + + > +
1+ 3 µ 4µ 2 2µ 4µ2 3
+ 3(γ +3/2)
2µ 2µ2
ρ(2) =
In particular, letting 3 = µ = 1, 1+ 3 3(3/2+γ )
µ + 2µ2
1 γ 1 γ
ρ(1) > ρ(2) ⇒ 2+ > + Therefore,
2 4 2 4
⇒ γ < 4.
3 3(γ +3/2)
3 2µ + 2µ2
Recall that under the multiplicative model we assume γ > 1. ρ(1) > ρ(2) ⇒ >
3+µ 3 3(3/2+γ )
Hence, there is an initial decrease in ρ as N increases from 1 + µ + 2µ2
1 to 2 if λ = µ = 1 and 1 < γ < 4. 1

3 32 /2 + 3γ

The illustrative example above serves to indicate condi- ⇒ µ 1 + +
1+ 3 µ 2µ2
tions under which the infection probability decreases as the
number of vulnerable nodes grows. There are a number of 3 32 /2 + 3γ
> +
other scenarios under which the considered behavior holds, 2µ 2µ2

66394 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

FIGURE 23. Outcome of the simulation experiments in a star-cliques network (Figure 19), under the action of the Mirai Botnet in presence of a
strategic attacker. The reference values of the simulator parameters are: 3̃ = 2 × 10−2 and τ = 65.

In particular, letting 3 = µ = 1, (see Figures 17-19). The topologies are further described in
the sections that follows, and the parameters used in our
ρ(1) > ρ(2) ⇒ 1.5 > γ
simulations are those reported in Table 2. We run simulations
Hence, there is an initial decrease in ρ as N increases from for 10,000 time units, which is long enough to estimate the
1 to 2 if 3 = µ = 1 and 0 < γ < 1.5. As under the network’s steady state. Each configuration was executed three
multiplicative model, there are a number of other scenarios times; in Figures 20-23 we plot the infection probability
under which the considered behavior holds, and an extensive average with a 95% confidence interval as a function of the
analysis of necessary and sufficient conditions is left as sub- number of vulnerable hosts.
ject for future work.
A. STAR AND STAR-RING TOPOLOGIES
APPENDIX G In the star topology, all nodes are connected with the central
SIMULATIONS UNDER DIFFERENT TOPOLOGIES node, as shown in Figure 17(a). In the star-ring topology,
Next, our goal is to investigate the role of network topologies each branch is connected with the central node, as shown
on the spread of epidemics, beyond the complete and bipar- in Figure 17(b). Those type of topologies are widely used in
tite graphs studied so far. To that aim, we use the simula- computer networks, where nodes may be physically intercon-
tor presented in Section VIII. We considered the following nected through a central hub or switch, or logically connected
four topologies: star, star-ring, tree-cluster and star-cliques to a single central point that controls all communications.

VOLUME 8, 2020 66395

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

The simulation results of an epidemic process accounting REFERENCES

for a strategic attacker on top of a star topology and of a star- [1] S. Weinberger, ‘‘Computer security: Is this the start of cyberwarfare?’’
ring topology are shown in Figures 20 and 21. We observe that Nature, vol. 474, no. 7350, pp. 142–145, Jun. 2011.
[2] W. Liu, C. Liu, X. Liu, S. Cui, and X. Huang, ‘‘Modeling the spread
under those two topologies, exogenous infections typically of malware with the influence of heterogeneous immunization,’’ Appl.
play a more significant role than the endogenous ones. For Math. Model., vol. 40, no. 4, pp. 3141–3152, Feb. 2016, doi: 10.1016/
that reason, the infection probability usually decreases as the j.apm.2015.09.105.
number of nodes grows. As nodes are connected only through [3] M. Garetto, W. Gong, and D. Towsley, ‘‘Modeling malware spreading
dynamics,’’ in Proc. IEEE INFOCOM . 22nd Annu. Joint Conf. IEEE
the central hub, there is not much opportunity for endemic Comput. Commun. Societies, vol. 3, Mar. 2003, pp. 1869–1879.
transmissions. [4] C. C. Zou, L. Gao, W. Gong, and D. Towsley, ‘‘Monitoring and early
Endogenous infections may play a role depending on the warning for Internet worms,’’ in Proc. 10th ACM Conf. Comput. Commun.
Secur. (CCS). New York, NY, USA: Association for Computing Machine,
system parameters. For instance, under the star topology, 2003, pp. 190–199.
if the endogenous infection rate is high or the uptime is large [5] C. C. Zou, W. Gong, and D. Towsley, ‘‘Worm propagation modeling and
(last row of Figure 20) we observe a slight increase in the analysis under dynamic quarantine defense,’’ in Proc. ACM Workshop
Rapid Malcode (WORM). Washington, DC, USA: Association for Com-
fraction of endogenously infected nodes as the number of puting Machinery, 2003, pp. 51–60.
vulnerable nodes increases. In all other considered scenarios, [6] A. Avritzer, R. G. Cole, and E. J. Weyuker, ‘‘Methods and opportunities for
endogenous infections play a negligible role. rejuvenation in aging distributed software systems,’’ J. Syst. Softw., vol. 83,
no. 9, pp. 1568–1578, Sep. 2010.
[7] K. Thomas and D. M. Nicol, ‘‘The koobface botnet and the rise of social
malware,’’ in Proc. 5th Int. Conf. Malicious Unwanted Softw., Nancy,
B. TREE-CLUSTER TOPOLOGY
France, Oct. 2010, pp. 63–70.
The N -ary tree-cluster topology is characterized by cliques [8] A. Marzano, D. Alexander, O. Fonseca, E. Fazzion, C. Hoepers,
organized in a tree topology, where each tree node has N K. Steding-Jessen, M. H. P. C. Chaves, I. Cunha, D. Guedes, and W. Meira,
‘‘The evolution of Bashlite and Mirai IoT botnets,’’ in Proc. IEEE Symp.
children, as shown in Figure 18. In Figure 18, filled ellipses Comput. Commun. (ISCC), Natal, Brazil, Jun. 2018, pp. 813–818.
represent fully connected subgraphs. This model represents [9] A. Ramachandran, D. Dagon, and N. Feamster, ‘‘Can DNS-based black-
a topology where intranets form an hierarchy, e.g., Internet lists keep up with bots?’’ in Proc. 3rd Conf. Email Anti-Spam (CEAS),
autonomous systems and departments within a company. Mountain View, CA, USA, Jul. 2006, pp. 1–2.
[10] S. Gupta, A. Singhal, and A. Kapoor, ‘‘A literature survey on social engi-
Results from our simulations with a strategic attacker on neering attacks: Phishing attack,’’ in Proc. Int. Conf. Comput., Commun.
an N -ary tree-cluster topology are reported in Figure 22. The Autom. (ICCCA). Noida, India: IEEE, Apr. 2016, pp. 537–540.
results are similar to those for star topologies, as the node [11] O. Diekmann, J. A. P. Heesterbeek, and J. A. Metz, ‘‘The legacy of
Kermack and McKendrick,’’ Publications Newton Inst., vol. 5, pp. 95–115,
degrees are limited and exogenous infections dominate the Jul. 1995.
epidemic behavior. [12] W. O. Kermack and A. G. McKendrick, ‘‘A contribution to the mathemati-
cal theory of epidemics,’’ Proc. R. Soc. Lond. A, Math. Phys. Sci., vol. 115,
no. 772, pp. 700–721, Aug. 1927, doi: 10.1098/rspa.1927.0118.
C. STAR-CLIQUES TOPOLOGY [13] D. Chakrabarti, Y. Wang, C. Wang, J. Leskovec, and C. Faloutsos, ‘‘Epi-
demic thresholds in real networks,’’ ACM Trans. Inf. Syst. Secur., vol. 10,
In the star-cliques topology we have a clique of N core nodes no. 4, pp. 1–26, Jan. 2008.
and N cliques of Ñ nodes, wherein one of the latter nodes per [14] R. Pastor-Satorras, C. Castellano, P. Van Mieghem, and A. Vespignani,
clique is connected to a single distinct core node, as shown ‘‘Epidemic processes in complex networks,’’ Rev. Modern Phys., vol. 87,
no. 3, pp. 925–979, Aug. 2015.
in Figure 19. This topology approximates intranets logically
[15] Y. Hayel, S. Trajanovski, E. Altman, H. Wang, and P. Van Mieghem,
and physically connected through a wide-area network such ‘‘Complete game-theoretic characterization of SIS epidemics protection
as the Internet. strategies,’’ in Proc. 53rd IEEE Conf. Decis. Control, Los Angeles, CA,
The results of our simulations with a strategic attacker on USA, Dec. 2014, pp. 1179–1184.
[16] Z. Wang, C. T. Bauch, S. Bhattacharyya, A. d’Onofrio, P. Manfredi,
a star-like topology are reported in Figure 23. The results M. Perc, N. Perra, M. Salathé, and D. Zhao, ‘‘Statistical physics of
are similar to the scenario of fully-connected topologies vaccination,’’ Phys. Rep., vol. 664, pp. 1–113, Dec. 2016, doi: 10.1016/
(Figure 10): an initial prevalence of exogenous infections j.physrep.2016.10.006.
[17] M. Grottke, A. Avritzer, D. S. Menasché, L. P. de Aguiar, and E. Altman,
is followed by a regime wherein endogenous infections are ‘‘On the efficiency of sampling and countermeasures to Critical-
more relevant. Infrastructure-Targeted malware campaigns,’’ ACM SIGMETRICS Per-
form. Eval. Rev., vol. 43, no. 4, pp. 33–42, Feb. 2016.
[18] P. E. M. Fine, ‘‘Herd immunity: History, theory, practice,’’ Epidemiologic
D. SUMMARY Rev., vol. 15, no. 2, pp. 265–302, Jul. 1993.
[19] T. J. John and R. Samuel, ‘‘Herd immunity and herd effect: New insights
Across all topologies, we observed that exogenous infections and definitions,’’ Eur. J. Epidemiol., vol. 16, pp. 601–606, Jul. 2000.
have an important impact on the epidemic behavior. The [20] R. M. Anderson and R. M. May, ‘‘Vaccination and herd immunity to
prevalence of endogenous infections as the number of nodes infectious diseases,’’ Nature, vol. 318, pp. 323–329, Nov. 1985.
increases is dependent on nodes having sufficient out-degree [21] M. Brisson and W. J. Edmunds, ‘‘Economic evaluation of vaccination
programs: The impact of herd-immunity,’’ Med. Decis. Making, vol. 23,
to allow the infection to spread. In topologies where node no. 1, pp. 76–82, Jan. 2003.
degrees are small relative to topology size (e.g., star-ring [22] D. Helbing, D. Brockmann, T. Chadefaux, K. Donnay, U. Blanke,
topologies), endogenous infections have a negligible effect, O. Woolley-Meza, M. Moussaid, A. Johansson, J. Krause, S. Schutte, and
M. Perc, ‘‘Saving human lives: What complexity science and information
indicating the relevance of capturing the characteristics of systems can contribute,’’ J. Stat. Phys., vol. 158, no. 3, pp. 735–781,
exogenous infections as indicated throughout this work. Feb. 2015, doi: 10.1007/s10955-014-1024-9.

66396 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

[23] Z. Wang, Y. Moreno, S. Boccaletti, and M. Perc, ‘‘Vaccination and [45] J. Zhang and J. M. F. Moura, ‘‘Who is more at risk in heteroge-
epidemics in networked populations—An introduction,’’ Chaos, Solitons nous networks?’’ in Proc. IEEE Int. Conf. Acoust., Speech Signal Pro-
Fractals, vol. 103, pp. 177–183, Oct. 2017. cess. (ICASSP). Calgary, AB, Canada: IEEE, Apr. 2018, pp. 4174–4178.
[24] Z. Bederna and T. Szadeczky, ‘‘Cyber espionage through botnets,’’ Secur. [46] M. T. Gardner, C. Beard, and D. Medhi, ‘‘Using SEIRS epidemic models
J., vol. 33, no. 1, pp. 43–62, Mar. 2020, doi: 10.1057/s41284-019-00194-6. for IoT botnets attacks,’’ in Proc. 13th Int. Conf. Design Reliable Commun.
[25] B. Vignau, R. Khoury, and S. Halle, ‘‘10 years of IoT malware: A feature- Netw. (DRCN), Munich, Germany, Apr. 2017, pp. 1–8.
based taxonomy,’’ in Proc. IEEE 19th Int. Conf. Softw. Qual., Rel. Secur. [47] M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein,
Companion (QRS-C). Sofia, Bulgaria: IEEE, Jul. 2019, pp. 458–465. J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi,
[26] L. Böck, E. Vasilomanolakis, J. H. Wolf, and M. Mühlhäuser, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher,
‘‘Autonomously detecting sensors in fully distributed botnets,’’ Comput. C. Seaman, N. Sullivan, K. Thomas, and Y. Zhou, ‘‘Understanding
Secur., vol. 83, pp. 1–13, Jun. 2019, doi: 10.1016/j.cose.2019.01.004. the Mirai botnet,’’ in Proc. 26th USENIX Secur. Symp. USENIX
[27] A. Iqbal, L. J. Gunn, M. Guo, M. Ali Babar, and D. Abbott, ‘‘Game Secur. Vancouver, BC, Canada: USENIX Association, Aug. 2017,
theoretical modelling of Network/Cybersecurity,’’ IEEE Access, vol. 7, pp. 1093–1110. [Online]. Available: https://www.usenix.org/conference/
pp. 154167–154179, 2019, doi: 10.1109/ACCESS.2019.2948356. usenixsecurity17/technical-sessions/presentation/antonakakis
[48] P. Van Mieghem and E. Cator, ‘‘Epidemics in networks with nodal self-
[28] L. Allodi, ‘‘Economic factors of vulnerability trade and exploita-
infection and the epidemic threshold,’’ Phys. Rev. E, Stat. Phys. Plasmas
tion,’’ in Proc. ACM SIGSAC Conf. Comput. Commun. Secur. (CCS).
Fluids Relat. Interdiscip. Top., vol. 86, no. 1, Jul. 2012, Art. no. 016116,
New York, NY, USA: Association for Computing Machinery, Oct. 2017,
doi: 10.1103/PhysRevE.86.016116.
pp. 1483–1499.
[49] L. Metongnon and R. Sadre, ‘‘Fast and efficient probing of heteroge-
[29] J.-M. Borello and L. Mé, ‘‘Code obfuscation techniques for metamorphic neous IoT networks,’’ Int. J. Netw. Manage., vol. 28, no. 1, Jan. 2018,
viruses,’’ J. Comput. Virol., vol. 4, no. 3, pp. 211–220, Aug. 2008. Art. no. e1997, doi: 10.1002/nem.1997.
[30] P. O’Kane, S. Sezer, and K. McLaughlin, ‘‘Obfuscation: The hidden mal- [50] P. Richter and A. Berger, ‘‘Scanning the scanners: Sensing the Internet
ware,’’ IEEE Secur. Privacy, vol. 9, no. 5, pp. 41–47, Sep. 2011. from a massively distributed network telescope,’’ in Proc. Internet Meas.
[31] Y. Wang, D. Chakrabarti, C. Wang, and C. Faloutsos, ‘‘Epidemic spreading Conf. Amsterdam, The Netherlands: Association for Computing Machin-
in real networks: An eigenvalue viewpoint,’’ in Proc. 22nd Int. Symp. ery, Oct. 2019, pp. 144–157.
Reliable Distrib. Syst. Florence, Italy: IEEE, Oct. 2003, pp. 25–34. [51] D. Dey and G. Zhang, ‘‘Impact of network externality in the security
[32] N. Skorin-Kapov, M. Furdek, S. Zsigmond, and L. Wosinska, ‘‘Physical- software market,’’ in Proc. Theory Econ. Inf. Syst., Incline Village,
layer security in evolving optical networks,’’ IEEE Commun. Mag., vol. 54, NV, USA, Jun. 2011, pp. 1–37. [Online]. Available: http://www.teis-
no. 8, pp. 110–117, Aug. 2016. workshop.org/papers/2011/Deb%20Dey%20paperSecMkt-DeyZhang-
[33] N. Paul, S. Gurumurthi, and D. Evans, ‘‘Towards disk-level malware 2011-05-11.pdf
detection,’’ in Proc. 1st Int. Workshop Code Based Softw. Secur. [52] J. Grossklags, N. Christin, and J. Chuang, ‘‘Secure or insure?: A game-
Assessments (CoBaSSA), Pittsburgh, PA, USA, Nov. 2005, pp. 13–16. theoretic analysis of information security games,’’ in Proc. 17th Int. Conf.
[Online]. Available: https://web.eecs.utk.edu/~pauln/papers/disk-level- World Wide Web (WWW). Beijing, China: Association for Computing
malware-cobassa05.pdf Machinery, Apr. 2008, pp. 209–218, doi: 10.1145/1367497.1367526.
[34] B. Wang, X. Li, L. P. de Aguiar, D. S. Menasché, and Z. Shafiq, ‘‘Char- [53] P. Maillé, P. Reichl, and B. Tuffin, ‘‘Interplay between security providers,
acterizing and modeling patching practices of industrial control systems,’’ consumers, and attackers: A weighted congestion game approach,’’ in
ACM Meas. Anal. Comput. Syst., vol. 1, no. 1, Jun. 2017, Art. no. 18. Proc. Int. Conf. Decis. Game Theory for Secur. (GameSec), J. S. Baras,
[35] L. Buttyán and J.-P. Hubaux, Security And Cooperation In Wireless Net- J. Katz, and E. Altman, Eds. College Park, MD, USA: Springer, Nov. 2011,
works: Thwarting Malicious And Selfish Behavior In The Age Of Ubiqui- pp. 67–86, LNCS, vol. 7037, doi: 10.1007/978-3-642-25280-8_8.
tous Computing. Cambridge, U.K.: Cambridge Univ. Press, 2007. [Online]. [54] P. Johansson and R. Forchheimer. (2007). Course Information Networks
Available: http://secowinet.epfl.ch/ Slides, Lecture 3 (MAC2: System Modeling and Assumptions). [Online].
[36] Z. Han, D. Niyato, W. Saad, T. Başar, and A. Hjørungnes, Game Theory Available: https://www.icg.isy.liu.se/courses/tsin01/material/slides/3_
in Wireless and Communication Networks: Theory, Models, and Applica- MAC2.pdf
tions. Cambridge, U.K.: Cambridge Univ. Press, Jan. 2012. [55] Y.-C. Jenq, ‘‘On the stability of slotted ALOHA systems,’’ IEEE Trans.
[37] S. Wang and N. Shroff, ‘‘Security game with non-additive utilities and Commun., vol. COM-28, no. 11, pp. 1936–1939, Nov. 1980.
multiple attacker resources,’’ Proc. ACM Meas. Anal. Comput. Syst., vol. 1, [56] J. Zhang and J. M. F. Moura, ‘‘Diffusion in social networks as SIS epi-
no. 1, pp. 1–32, Jun. 2017, doi: 10.1145/3084450. demics: Beyond full mixing and complete graphs,’’ IEEE J. Sel. Topics
Signal Process., vol. 8, no. 4, pp. 537–551, Apr. 2014.
[38] R. Anderson and T. Moore, ‘‘The economics of information security,’’
[57] P. Van Mieghem, J. Omic, and R. Kooij, ‘‘Virus spread in networks,’’
Science, vol. 314, no. 5799, pp. 610–613, Oct. 2006.
IEEE/ACM Trans. Netw., vol. 17, no. 1, pp. 1–14, Feb. 2009.
[39] Z. Durumeric, E. Wustrow, and J. A. Halderman, ‘‘Zmap: Fast [58] Q. Ma, E. Yeh, and J. Huang, ‘‘How bad is selfish caching?’’ in Proc. 20th
Internet-wide scanning and its security applications,’’ in Proc. 22nd ACM Int. Symp. Mobile Ad Hoc Netw. Comput. (Mobihoc). Catania, Italy:
USENIX Secur. Symp. Washington, DC, USA: USENIX Associa- Association for Computing Machinery, Jul. 2019, pp. 11–20.
tion, Aug. 2013, pp. 605–619. [Online]. Available: https://www.usenix.
[59] M. X. Goemans, L. Li, V. S. Mirrokni, and M. Thottan, ‘‘Market sharing
org/conference/usenixsecurity13/technical-sessions/paper/durumeric
games applied to content distribution in ad hoc networks,’’ IEEE J. Sel.
[40] A. Quach, Z. Wang, and Z. Qian, ‘‘Investigation of the 2016 Linux TCP Areas Commun., vol. 24, no. 5, pp. 1020–1033, May 2006.
stack vulnerability at scale,’’ ACM Meas. Anal. Comput. Syst., vol. 1, no. 1, [60] A. Haurie and P. Marcotte, ‘‘On the relationship between Nash—Cournot
Jun. 2017, Art. no. 4. and Wardrop equilibria,’’ Networks, vol. 15, no. 3, pp. 295–308, 1985.
[41] M. J. Keeling and K. T. D. Eames, ‘‘Networks and epidemic models,’’ [61] F. P. Kelly, Reversibility and Stochastic Networks. Chichester, U.K.: Wiley,
J. Roy. Soc. Interface, vol. 2, no. 4, pp. 295–307, Sep. 2005, doi: 10.1098/ 1979. [Online]. Available: http://www.statslab.cam.ac.uk/~frank/rsn.html
rsif.2005.0051. [62] M. J. Osborne and A. Rubinstein, A Course in Game Theory. Cambridge,
[42] E. Altman, A. Avritzer, R. El-Azouzi, D. S. Menasche, and L. P. D. Aguiar, MA, USA: MIT Press, 1994.
‘‘Rejuvenation and the spread of epidemics in general topologies,’’ in [63] S. Yi, P. W. Nelson, and A. G. Ulsoy, Time-Delay Systems: Analysis and
Proc. IEEE Int. Symp. Softw. Rel. Eng. Workshops. Naples, Italy: IEEE, Control Using the Lambert W Function. Singapore: World Scientific, 2010.
Nov. 2014, pp. 414–419. [64] M. Rouse. (2019). Cybersecurity Insurance. [Online]. Available:
[43] J. Zhang, J. M. F. Moura, and J. Zhang, ‘‘Contact process with exogenous https://whatis.techtarget.com/definition/cybersecurity-insurance
infection and the scaled SIS process,’’ J. Complex Netw., vol. 5, no. 5, [65] M. Xu and L. Hua, ‘‘Cybersecurity insurance: Modeling and pricing,’’
pp. 712–733, Oct. 2017. North Amer. Actuarial J., vol. 23, no. 2, pp. 220–249, Apr. 2019.
[44] J. Zhang, ‘‘Network process: How topology impacts the dynamics [66] P. Mell, K. Scarfone, and S. Romanosky, ‘‘Common vulnerability scoring
of epidemics and cascading failures,’’ Ph.D. dissertation, Carnegie system,’’ IEEE Secur. Privacy Mag., vol. 4, no. 6, pp. 85–89, Nov. 2006.
Mellon Univ., Pittsburgh, PA, USA, Sep. 2015. [Online]. Available: [67] Z. Durumeric, M. Payer, V. Paxson, J. Kasten, D. Adrian, J. A. Halderman,
https://kilthub.cmu.edu/articles/Network_Process_How_Topology_ M. Bailey, F. Li, N. Weaver, J. Amann, and J. Beekman, ‘‘The matter of
Impacts_the_Dynamics_of_Epidemics_and_Cascading_Failures/ heartbleed,’’ in Proc. Conf. Internet Meas. Conf. (IMC). Vancouver, BC,
7346633/files/13575083.pdf Canada: Association for Computing Machinery, 2014, pp. 475–488.

VOLUME 8, 2020 66397

 V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

[68] J. Ren and Y. Xu, ‘‘A compartmental model to explore the interplay DANIEL SADOC MENASCHÉ received the Ph.D.
between virus epidemics and honeynet potency,’’ Appl. Math. Model., degree in computer science from the University of
vol. 59, pp. 86–99, Jul. 2018. Massachusetts, Amherst, in 2011. He is currently
[69] S. Singh and C. R. Myers, ‘‘Outbreak statistics and scaling laws for exter- an Assistant Professor with the Computer Science
nally driven epidemics,’’ Phys. Rev. E, Stat. Phys. Plasmas Fluids Relat. Department, Federal University of Rio de Janeiro,
Interdiscip. Top., vol. 89, no. 4, Apr. 2014, Art. no. 042108, doi: 10.1103/ Rio de Janeiro, Brazil. His research interests are
PhysRevE.89.042108. in modeling, analysis, security, and performance
[70] S. S. Wilks, ‘‘Moments and distributions of estimates of population
evaluation of computer systems. He was a recipient
parameters from fragmentary samples,’’ Ann. Math. Statist., vol. 3, no. 3,
of the best paper awards at GLOBECOM 2007,
pp. 163–195, Aug. 1932.
[71] M. Darboux, ‘‘Sur la méthode d’approximation de Newton,’’ Nouvelles CoNEXT 2009, INFOCOM 2013, and ICGSE
Annales De Mathématiques, vol. 8, no. 2, pp. 17–27, 1869. [Online]. 2015. He is currently an Affiliated Member of the Brazilian Academy of
Available: http://www.numdam.org/item/NAM_1869_2_8__17_0 Sciences.
[72] C. Enyioha, A. Jadbabaie, V. Preciado, and G. J. Pappas, ‘‘Distributed
resource allocation for epidemic control,’’ 2015, arXiv:1501.01701.
[Online]. Available: http://arxiv.org/abs/1501.01701
[73] L. Landau and E. Lifshitz, Statistical Physics (Course of Theoretical
Physics), vol. 5, 3rd ed. London, U.K.: Butterworth, 1980.
[74] P. Van Mieghem, ‘‘The N-intertwined SIS epidemic network model,’’ Com-
puting, vol. 93, nos. 2–4, pp. 147–169, Dec. 2011, doi: 10.1007/s00607-
011-0155-y.
[75] B. Qu and H. Wang, ‘‘The accuracy of mean-field approximation for
susceptible-infected-susceptible epidemic spreading with heterogeneous
infection rates,’’ in Proc. Int. Workshop Complex Netw. Appl. Milan, Italy:
Springer, Nov. 2016, pp. 499–510.
[76] E. Cator and P. Van Mieghem, ‘‘Nodal infection in Markovian susceptible-
infected-susceptible and susceptible-infected-removed epidemics on net-
works are non-negatively correlated,’’ Phys. Rev. E, Stat. Phys. Plasmas
Fluids Relat. Interdiscip. Top., vol. 89, no. 5, May 2014, Art. no. 052802,
doi: 10.1103/PhysRevE.89.052802.
[77] P. Van Mieghem, ‘‘Approximate formula and bounds for the time-varying CABRAL LIMA received the Ph.D. degree in
susceptible-infected-susceptible prevalence in networks,’’ Phys. Rev. E, computer science from Université Pierre et Marie
Stat. Phys. Plasmas Fluids Relat. Interdiscip. Top., vol. 93, no. 5, Currie (Paris 6), France. He is currently a Full
May 2016, Art. no. 052312, doi: 10.1103/PhysRevE.93.052312. Professor with the Computer Science Department,
[78] P. M. Rodríguez, A. Roldán-Correa, and L. A. Valencia, ‘‘Comment Federal University of Rio de Janeiro, Rio de
on ‘Nodal infection in Markovian susceptible-infected-susceptible and Janeiro, Brazil. His research interests are modeling
susceptible-infected-removed epidemics on networks are non-negatively and analysis of computer systems, optimization,
correlated,’’’ Phys. Rev. E, Stat. Phys. Plasmas Fluids Relat. Interdis- and intelligent robotics. He was a recipient of
cip. Top., vol. 98, no. 2, Aug. 2018, Art. no. 026301, doi: 10.1103/ the Best Paper Award at ICONS 2014 and the
PhysRevE.98.026301. Meritorious Award at the International Institute for
[79] E. Cator, P. Donnelly, and P. Van Mieghem, ‘‘Reply to ‘Comment on ‘Nodal Advanced Studies in System Research and Cybernetics, Germany, in 2002.
infection in Markovian susceptible-infected-susceptible and susceptible-
infected-removed epidemics on networks are non-negatively correlated,’’’
Phys. Rev. E, Stat. Phys. Plasmas Fluids Relat. Interdiscip. Top., vol. 98,
no. 2, Aug. 2018, Art. no. 026302, doi: 10.1103/PhysRevE.98.026302.

VILC QUEUPE RUFINO (Student Member,

IEEE) received the B.S. degree in computer engi-
neering from the Federal University of Espírito
Santo, in 1999, and the M.S. degree in computer
science from the University of São Paulo, in 2009.
He is currently pursuing the Ph.D. degree with
the Federal University of Rio de Janeiro (UFRJ).
He has been with the Navy Corps of Engineers
as a Technical Officer, since 2000. His research
interest includes modeling and analysis of systems
with focus on security. ÍTALO CUNHA graduated from UPMC Sorbonne,
in 2011. He received the Ph.D. degree from
Technicolor—Research and Innovation, under the
LEANDRO PFLEGER DE AGUIAR received the French CIFRE Program for cooperation between
advanced Diploma degree in industrial electronics, industry and academia. He has been an Assistant
the B.S. degree in information systems, and the Professor with the Computer Science Department,
master’s degree in computer science. He is cur- UFMG, Brazil, since 2012. His research focuses
rently a Principal Key Expert in industrial control on improving network performance, reliability,
systems security at Siemens Corporate Technol- and security. His contributions provide better vis-
ogy, Princeton, NJ, USA, with over 15 years of ibility on Internet topology and routing dynamics,
industry experience. He is a Contributor Mem- help network operators troubleshoot failures and performance problems,
ber of the ISA-99/IEC 62443 security standard and empower other researchers. He has served on the technical committee
and holds the CISM, GICSP, GRID, GCDA, and of flagship networking conferences, such as USENIX NSDI and ACM
CISSP certifications. He also holds several patents in the field of ICS SIGCOMM. He serves as a member of the National Brazilian Research and
security. Education Network (RNP) Monitoring Work Group.

66398 VOLUME 8, 2020

V. Q. Rufino et al.: Beyond Herd Immunity Against Strategic Attackers

EITAN ALTMAN (Fellow, IEEE) received the ALBERTO AVRITZER received the B.Sc. degree
B.Sc. degree in electrical engineering, the B.A. from the Technion—Israel Institute of Technology,
degree in physics, and the Ph.D. degree in elec- the M.Sc. degree from the Federal University of
trical engineering from the Technion–Israel Insti- Minas Gerais, Brazil, and the Ph.D. degree from
tute of Technology, Haifa, 1984, 1984, and 1990, the University of California at Los Angeles, all
respectively, and the B.Mus. degree in music com- in computer engineering. He served as a Lead
position from Tel-Aviv University, Israel, in 1990. Performance Engineer for Sonatype, MD, USA,
Since 1990, he has been a Researcher with the and as a Senior Member of the Technical Staff for
National Institute for Research in Computer Sci- the Software Engineering Department, Siemens
ence and Control (INRIA). His articles (245 in Corporate Research, Princeton, NJ, USA. Before
international scientific journals and 423 in international conferences with moving to Siemens Corporate Research, he spent 13 years at AT&T Bell
peer reviews) have had a large impact and have in google scholar more than Laboratories, where he developed tools and techniques for performance
21 300 citations. He is the coauthor of four monographs which includes his testing and analysis. He spent the summer of 1987 at IBM Research, York-
book on the foundations of constrained Markov Decision Processes. His town Heights. He is the Founder and the CEO of eSulabSolutions Inc.,
areas of interests include network engineering games, social networks and the preferred source for methods for scalability assessment of mission-
their control, and the analysis through game theoretical models of network critical systems in the telecom and banking domains. He led the automated
neutrality issues. He received the Best Paper Award from Networking 2006, performance testing and analysis of New York subway public announcement
Globecom 2007, IFIP Wireless Days 2009, and CNSM 2011 (Paris) con- and customer information system (PA/CIS), where he was responsible for
ferences. He has also received the Grand Prix de France Telecom from the the certification of system scalability to support 550 stations. His research
French Academy of Sciences, in 2012, the ISAACS Award from the Society interests are in software engineering, particularly software testing, monitor-
of Dynamic Games for his contribution in game theory, in July 2014, and the ing and rejuvenation of smoothly degrading systems, and metrics to assess
Distinguished Technical Achievement Recognition Award from the IEEE TC software architecture. He has published over 70 articles in journals and
on Big Data conference (TCBD), for his outstanding technical leadership and refereed conference proceedings in those areas. He is a Senior Member of
achievement in stochastic modeling and big data analysis, in December 2017. the ACM. He has presented several tutorials at international conferences,
He has been in the editorial boards of the journals Wireless Networks such as LADC, the IEEE ISSRE, and ACM ICPE.
(WINET), Computer Networks (COMNET), Computer Communications
(Comcom), Journal of Discrete Event Dynamic Systems (JDEDS), SIAM
Journal of Control and Optimization (SICON), Stochastic Models, and Jour-
nal of Economic Dynamics and Control (JEDC). His detailed information can
be found at http://www-sop.inria.fr/members/Eitan.Altman/.

RACHID EL-AZOUZI received the Ph.D. degree

in applied mathematics from the Mohammed V
University, Rabat, Morocco, in 2000. He joined
the National Institute for Research in Computer
Science and Control (INRIA), Sophia Antipolis,
where he held postdoctoral and research engineer
positions. Since 2003, he has been a Researcher MICHAEL GROTTKE (Member, IEEE) received
with the University of Avignon, France. His the M.A. degree in economics from Wayne State
research interests are networking games, wireless University, USA, and the Diploma degree in
networks, complex systems, and media streaming business administration, the Ph.D. and Habilita-
and their control theory. He has been managing collaborative research tion degrees from Friedrich-Alexander-Universität
projects at national and European levels. He recieved the Best Paper Award Erlangen-Nürnberg (FAU), Germany. He is cur-
at Networking 2006, Globecom 2017, MSN 2007, Netgcoop 2016, and Unet rently a Principal Data Scientist with GfK SE,
2017. He has been an Associate Editor of the IEEE/ACM TRANSACTIONS ON Nürnberg, Germany, and an Adjunct Professor
NETWORKING, since 2016. with FAU. Before, he spent three years as a
Research Associate and an Assistant Research
Professor with the Department of Electrical and Computer Engineering,
Duke University, USA. His researches focus on stochastic modeling, statis-
FRANCESCO DE PELLEGRINI received the tical data analysis, and machine learning for topics in information systems,
M.Sc. and Ph.D. degrees from the University of computer science, and business administration, including crowdsourcing,
Padova, Italy, in 2000 and 2004, respectively. He is social networks, software quality, and the automatic detection of upcoming
currently a Professor in networking with the Uni- technological trends. His research work has been funded by national and
versity of Avignon. He has published more than international organizations, such as the European Commission, the German
100 articles in major conferences and journals of Ministry of Education and Research, and NASA’s Office of Safety and
computer science, networking, and control the- Mission Assurance. He has published more than 40 articles in international
ory. He has been applying algorithms on graphs, journals and peer-reviewed conference proceedings. He is a Fellow of the
stochastic control, optimal control, and game the- Dr. Theo and Friedl Schöller Research Center for Economics and Society,
ory for the design and perfomance evaluation of Nürnberg, and a member of the German Statistical Society and of ESOMAR.
wireless and wired networked systems. He has received the best paper Moreover, he was also a member of the IEEE’s Software Reliability Working
awards at WiOPT 2014 and NetGCoop 2016. His current H-index (Google) Group revising the IEEE Standard 1633 ‘‘IEEE Recommended Practice on
is 27 with more than 5000 citations. He is a TPC member of the IEEE Software Reliability.’’ He has received numerous awards, including the Sci-
INFOCOM, WiOpt, and NetGCoop, and a reviewer for several international ence Award of the State Bank of Bavaria. He has acted as a Guest Editor for
networking conferences and journals. He promoted and served in the Steer- special editions of Performance Evaluation as well as the Journal of Systems
ing Program Committee of ICST Mobiquitous and Robocomm. He has been and Software, and he is an Associate Editor of the International Journal of
the General Co-Chair of the 2012 Edition of the IEEE NetGCoop, the TPC Performability Engineering and the IEEE TRANSACTIONS ON RELIABILITY.
Co-Chair of the IEEE NetGCoop 2014 and the IEEE WiOpt 2014.

VOLUME 8, 2020 66399