
Mathematical analysis of the dynamics of cyberattack propagation in IoT networks

  • Yousef AbuHour,

    Roles Data curation, Investigation, Methodology, Software, Visualization, Writing – original draft, Writing – review & editing

    Affiliation Department of Basic Sciences, Princess Sumaya University for Technology, Amman, Jordan

  • Sadeq Damrah,

    Roles Funding acquisition, Investigation, Resources, Validation, Visualization, Writing – original draft

    Affiliation Department of Mathematics and Physics, College of Engineering Australian University, West Mishref, Safat, Kuwait

  • Mahmoud H. DarAssi,

    Roles Conceptualization, Formal analysis, Investigation, Methodology, Project administration, Supervision, Validation, Writing – original draft, Writing – review & editing

    * m.assi@psut.edu.jo

    Affiliation Department of Basic Sciences, Princess Sumaya University for Technology, Amman, Jordan

  • Zuhur Alqahtani,

    Roles Data curation, Funding acquisition, Resources, Validation, Visualization

    Affiliation Department of Mathematical Science, College of Science, Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia

  • Areej Almuneef

    Roles Data curation, Funding acquisition, Resources, Validation, Visualization

    Affiliation Department of Mathematical Science, College of Science, Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia

Correction

22 Dec 2025: The PLOS One Staff (2025) Correction: Mathematical analysis of the dynamics of cyberattack propagation in IoT networks. PLOS ONE 20(12): e0339507. https://doi.org/10.1371/journal.pone.0339507

Abstract

The growing threat of cyberattacks is a severe concern to governments, military organizations, and industries, especially with the increasing use of Internet of Things (IoT) devices. To tackle this issue, researchers are working on ways to predict and prevent these attacks by studying how malware spreads. In this study, we use a discrete-time approach to better model how cyberattacks spread across IoT networks. We also focus on the role of firewalls, developing a strategy to optimize their effectiveness in slowing down the spread of malware. Additionally, we analyze the reproduction number’s sensitivity and explore the proposed discrete system’s local and global stability. The model was simulated and analyzed using Python packages, providing practical solutions to improve cybersecurity in IoT networks. These insights are supported by numerical simulations based on real-world data.

1 Introduction and literature review

DDoS attacks utilize several compromised computer systems as attack-traffic sources. DDoS attacks may result in financial loss, intellectual property theft, database destruction, and reputation damage, among other malicious activities [1, 2]. Cyber security studies allow professionals to counter such attacks to avoid disruption in critical services and ensure national security. Knowing how different DDoS attacks work is key to providing the right defense against them. Various strategies for mitigating DDoS attacks exist to ensure security against such an attack [3]. In summary, the study of cyber and DDoS attacks cannot be ruled out in modern times in light of the need to understand the threats and develop protective measures to ensure the continuous operation of core services and foster national security.

Several mathematical models can be used to simulate DDoS attacks over IoT networks. One of these mathematical models is the decision tree-based IDS proposed by Kumar et al. [4]. This model avoids intra-network and inter-network DoS/DDoS attacks in the IoT environment. The authors have used a virtual machine with the Cooja simulator, which was pre-installed in the Contiki operating system for conducting experiments. The results showed that the C5 Decision Tree-Based IDS model was very accurate, with low rates of false alarms [4]. In this line, Oluwafemi et al. [5] compared the effectiveness of supervised, unsupervised, and semi-supervised machine learning algorithms on detecting DDoS attacks in Cyber-Physical Systems IoT (CPS-IoT). Their dataset consisted of 10,000 records for training and testing the algorithms in their case. Results showed that a supervised machine learning algorithm best detects DDoS attacks [5]. Al-Sarawi [6] also simulated and analyzed different DDoS attack scenarios using different attack rates and buffer sizes of network components. They used Omnet++ to simulate the DDoS attacks and assess the impact on the performance of a network. Researchers and cybersecurity experts can use these models to understand how DDoS attacks work and build a strategy to counter them. The mathematical modeling of the DDoS attacks shall help understand their behavior for developing suitable countermeasures. Machine learning can be used to model DDoS attacks in IoT networks. A DDoS attack will consume all of the resources of a victim’s server, making it unable to accept connections from new clients [7, 8].

SIR models in epidemiology are primarily employed in studying the dynamics of the spread of infectious diseases. Recently, some researchers have started to use SIR models to study the spread of cyberattacks, which helps prevent attacks by detecting network vulnerabilities and predicting attack propagation. The dynamics of disease propagation and the corresponding control strategies were explored in [9–11]. These works used systems of differential equations to build mathematical frameworks that simulate transmission dynamics under various scenarios, from strict social restrictions to the application of optimal control measures, for several diseases. The models describe population behavior with differential equations in order to understand how that behavior affects the spread of a disease, and thereby establish the effectiveness of interventions. Other research uses age-structured models to express the dynamics of diseases with differential equations and to study the efficiency of vaccination strategies; introducing impulsive vaccination into such a model, the authors determine the timing and optimal coverage needed to regulate the spread [12–14]. Though the theme differs, work on the burden of diseases and their mitigation likewise relies on differential equations to model the impact of mitigation strategies. For example, to cope with drug resistance, one study combines an education intervention with a "test and treat" strategy in a differential equation framework to project its potential for overcoming such resistance. Across these studies, the mathematical framework of differential equations proves to be a powerful tool for understanding and controlling the dynamic spread of diseases.

Modeling the spread of an attack in a network identifies which nodes are more vulnerable, so that measures can be taken to protect them [15, 16]. Models have previously been built to simulate cyberattacks so that defense strategies could be evaluated and the consequences of attacks lessened. Researchers have also applied artificial intelligence to the detection and prediction of cyberattacks, and work such as that of Pokhrel et al. [17] has addressed the security issues raised by bots.

In the work of [18], the authors devised a trust-based hypothetical scheme based on a mathematical model, classifying the devices into different categories by analyzing their internal behavior through the calculated trust score.

The Microsoft Security Blog provides insights into DDoS attack trends in 2022. According to the report, Microsoft mitigated an average of attacks daily in 2022. The maximum number of attacks per day recorded was on September 22, 2022. The minimum number of daily attacks was 680 on August 22, 2022. Table 1 describes the approximate number of DDoS attacks and the average cost of those attacks in the years 2020, 2021, and 2023.

Table 1. The number of DDoS attacks and the average cost of attacks.

https://doi.org/10.1371/journal.pone.0322391.t001

In a report published by Infosecurity Magazine, the frequency of DDoS attacks increased by year-over-year in 2022. Nevertheless, the rate of growth started to decelerate in the fourth quarter, with attacks dropping by in December. The power of botnets continued to grow throughout the year, making possible attacks greater than 2 Tbit/s and persisting for as long as three days [19, 20]. Some of these data are from the report in Table 2.

Table 2. The number of bots and the source of botnet DDoS attacks in 2022.

https://doi.org/10.1371/journal.pone.0322391.t002

In recent research on modeling malware spread over IoT networks, much of the related work has primarily focused on continuous-time differential equation systems. While these models provide valuable insights, they often lack the granularity to capture real physical systems’ discrete nature. Our research addresses this gap by adopting a discrete-time modulation approach, which offers a more accurate representation of the step-wise progression of malware spread within IoT environments. Unlike previous studies, we also incorporate the efficiency of firewalls into our model, introducing an optimal control strategy that dynamically adjusts firewall effectiveness to minimize malware propagation. Additionally, our work delves into the sensitivity of the reproduction number, highlighting its critical role in determining the threshold conditions for successful malware containment. This comprehensive approach bridges the gap between continuous and discrete modeling and provides actionable insights for enhancing cybersecurity measures in IoT networks.

This study aims to develop a mathematical model for simulating cyberattacks, specifically DDoS attacks, on IoT devices. The objectives of this study are as follows: To identify vulnerabilities in IoT networks through the proposed mathematical modeling of DDoS cyberattacks on IoT devices. To predict the spread of an attack and determine the most vulnerable nodes. To provide recommendations to decision-makers for new policies to protect networks from future attacks. To determine the loss caused by cyberattacks and the cost of protection. We determined the cost of protection from these attacks to model the variables related to cyberattacks. The workflow of this study is as follows: The dynamic behavior of cyberattack propagation was simulated using a system of differential equations. The stability of the proposed model was analyzed by calculating the basic reproduction number to measure the attack’s impact. This study investigates the influential parameters and the relationships between the factors that affect the spread of an attack. The number of malicious IoT devices that drive attacks, together with the numbers of vulnerable and protected devices, was estimated and predicted. The results from the proposed model are leveraged to set optimal control strategies for specific parameters, thereby reducing the cost of prevention and the losses caused by cyberattacks. Finally, the study analyzed the attacking space of devices and the number of malicious and suspicious devices.

2 Methodology

In this work, we assume that the targeted IoT space consists of all IoT devices connected within a specific network, which can be divided into two types based on their security protection level. It is commonly known that IoT devices are vulnerable to cyberattacks primarily due to their lack of built-in security features, weak or hard-coded passwords, unpatched vulnerabilities, and inadequate security solutions. Additionally, many users do not change the default settings on their devices, making them even more vulnerable. As a result, attackers can quickly gain access to private networks and steal sensitive information [21]. To raise the security level of IoT devices, it is crucial to implement security solutions such as firewalls, antivirus, and encryption. Additionally, devices should be updated regularly to patch security vulnerabilities, and strong, unique passwords should be used for each device. As an additional layer of protection, blockchain technology can be used to secure IoT devices further. Therefore, let Sa denote the set of vulnerable IoT devices, and Sp represent the set of protected devices. The set of targeted IoT devices that become malicious is denoted Mt.

The mathematical framework models the attack dynamics through four key scenarios. In the first scenario, attackers use compromised devices (Ma) to spread malicious code, launch DDoS attacks, or gain access to sensitive data and other devices on the network. This behavior is captured by the interaction terms and in the equations. In the second scenario, compromised target devices (Mt) transition to a protected state (Sp) at a rate p, as described by . The third scenario involves the recovery of compromised devices (Mt), which move to a recovered state (Rt) at a rate , modeled by . Finally, in the fourth scenario, recovered devices (Rt) can become susceptible again at a rate , reintroducing them into the vulnerable pool. The four scenarios are illustrated in Fig 1, which visually represents the transitions and interactions between the compartments.

Fig 1. Illustration of model compartment links.

https://doi.org/10.1371/journal.pone.0322391.g001

The attackers’ space and the attacked devices are defined as follows:

(1)(2)

The target population of IoT devices is modeled as follows:

(3)

where and

Table 3 presents the model parameters along with their corresponding values used in the simulation and analysis of the results.

Table 3. The description of the system’s parameters (Fig 1).

https://doi.org/10.1371/journal.pone.0322391.t003

3 Model formulation and analysis

This section presents a mathematical model for DDoS attack propagation in IoT networks, adaptable to other attack types with necessary modifications.

Botnets, like Mirai and Hajime, are designed to infect vulnerable IoT devices, creating large networks of compromised devices (Ma and Mt) that can coordinate DDoS attacks. The model’s emphasis on infection, recovery, and protection directly reflects the behavior of botnets in real-world scenarios, making them a natural fit for the system’s dynamics. Table 4 categorizes various types of malware commonly employed in Distributed Denial of Service (DDoS) attacks targeting Internet of Things (IoT) devices [24, 25]. Botnets represent the most suitable type of malware for the given model because they align with the dynamics of infection, recovery, and protection described in the equations. The model captures the spread of malware in both the attacker’s network (Sa and Ma) and the target network (St and Mt), including infection rates ( and ), recovery rates ( and ), and protection mechanisms (p).

Table 4. Malware types used in DDoS attacks on IoT devices.

https://doi.org/10.1371/journal.pone.0322391.t004

The discrete-time system models the spread of malware in IoT networks. It consists of two interconnected populations: the attacker population and the target population. The attacker population is:

and the targeted population is:

(4)

Lemma 1. For non-zero initial conditions, the solution for model (4) satisfies:

Proof: Upon using the fact that

Since, , and Ra are all positive quantities and is an invariant region, then we may set , and hence we have

Similarly, we can conclude that

Hence, . Therefore, , and the proof is completed.

Thus, Lemma 1 proved that the set is positively invariant.

4 Free malicious malware equilibrium point (FMME)

The FMME is the Free Malicious Malware Equilibrium Point, a conjectural point in cybersecurity where the population of malicious software becomes stable within a network. In this situation, the rate of new malware infection into the system is equated with the rate by which the same malware is detected and neutralized. In FMME, the overall effect of malware on the network remains constant, which indicates that current defense measures can significantly suppress such threats but never actually stamp out the problem. Knowing and identifying the FMME may help cybersecurity specialists optimize their strategies to ensure that resources are well allocated to maintain network stability and security.

4.1 Local stability analysis of the malware-free equilibrium

The local stability of the Free Malicious Malware Equilibrium Point refers to the system’s ability to regain equilibrium following minor perturbations. From a network perspective, this means that at the FMME, although an increase or decrease of the malware infection rate may slightly influence the defenses, they will adjust to restore the balance. Moreover, local stability is instrumental in ensuring uniformity of security, where small changes in malware activity do not lead to large, disruptive changes. The FMME’s local stability has to be framed in terms of how fast the detection and mitigation mechanisms react to and recover from events. Cybersecurity designs should enhance this local stability so that minor threats never become explosive security breaches. In this section, we investigate the local stability of the FMME for the system (4). The steady state at the equilibrium point when an attack is not successful, the “vanished attack” or free of malicious malware equilibrium point (FMME), is assumed to be .

Calculating the basic reproduction number establishes the stability of the model at this equilibrium point. Using the next-generation matrix approach as described in [26–30], the matrices and are evaluated as follows:

and

According to [30], can be considered the spectral radius of the matrix i.e. .

It can be defined as the reproductive number, which is the extent of the maximum damage expected from a cyberattack. It is the total of the reproductive numbers of the attacker population space and the target space. If the reproductive number of the attacking population exceeds one, the flow of nodes from suspicious to malicious increases uncontrollably, resulting in a successful attack.

where

To put it another way, if the reproduction number is greater than one, then each infected malicious node will, on average, successfully infect more than one further node, which causes an exponential increase in malicious nodes. This fast spread makes the attack hard to stop and dramatically raises its chances of success.

Lemma 2. The FMME point of the model (4), , is locally asymptotically stable if , and unstable if .

Proof: The proof of this lemma can be deduced from [30] (see Theorem 2 and S1 Appendix A).

4.2 Global stability of FMME

The global stability of a free malicious malware equilibrium in a cyberattack model means the system will asymptotically reach a malware-free state regardless of where it starts. This involves establishing that the malware-free equilibrium is globally stable, as demonstrated by any of the system’s trajectories resulting in an arbitrarily chosen initial state. The development of global stability requirements almost certainly involves introducing a suitable Lyapunov function, effectively measuring a system’s potential energy. Such a function should exhibit a monotonic decrease over time and suggest its energy dissipation capabilities, thus leading to a steady state. When the failure of the initial computer systems due to bugs is not considered, this generally becomes the description of what is called “convergence” and “equilibrium” in the industry. An equilibrium is supposed to be attained once the interim phase is over and the incoming malware is “cleaned” by the antivirus programs (or other methods). The crucial property that guarantees system behavior over the long term in terms of security and the absence of malicious threats that will damage the dignity of the network or system under consideration is thanks to this property.

Theorem 1. At the malware-free equilibrium point , the proposed model (4) is globally asymptotically stable whenever .

Proof: Following the general procedure for global stability [31–34], we consider the following Lyapunov function

where

The backward difference of is given by

(5)(6)(7)(8)(9)

By the application of lemma 1, and in . Thus, we obtain

(10)(11)(12)

Using the LaSalle invariance principle [29], we conclude that the FMME point of the model (4) is globally asymptotically stable (GAS) in .

5 Endemic equilibrium

The endemic equilibrium in the cyberattack model is a state in which a certain amount of malignant malware is retained in the system, yet it is constant. At this point, the rate of new infections is balanced by a recovery or neutralization rate, leading to a stable, though nonzero, malware prevalence. Knowing the endemic equilibrium is very important for estimating the long-term impact of cyber threats and mitigation strategies. The stability of such an equilibrium is analyzed to determine whether small perturbations will die out or lead to fluctuations in malware prevalence. The control at this point over the system dynamics is, therefore, very critical in maintaining cybersecurity to avert wide-range damages that arise from persistent cyber threats.

5.1 The endemic equilibrium point (EEP) existence

An EEP’s existence often relies on the basic reproduction number, . When , the EEP exists, meaning that infection can persist in a population. On this basis, one can analyze the conditions for the existence of an EEP to understand the settings under which malware persists and design appropriate control measures that will reduce the malware burden or eradicate it.

Let the endemic equilibrium point, at which a long-term DDoS attack persists, be . We can derive the following result.

Lemma 3. If , the model (4) has a unique endemic equilibrium point .

Proof: Substituting the expression for , into the model (4) at steady state yields

Regarding the attackers’ compartments, we have:

Upon solving the equations we obtain,

(13)(14)

By solving the target compartments steady-state equations, we get:

(15)(16)(17)

Since all the parameters are positive, it implies that , , and . However, only if . That is, whenever .

5.2 The endemic equilibrium point (EEP) stability analysis

The stability of the EEP for cyberattacks is essential to understanding the long-term behavior of such systems. An EEP indicates a steady state in which the system coexists with some constant level of cyber threats in the environment. Stability analysis answers whether small perturbations around this state decay in time and are therefore self-limiting, returning the system to its equilibrium, or grow, eventually leading to divergence from equilibrium. The local stability of the EEP is generally checked with methods such as linearization and eigenvalue analysis of the system’s Jacobian matrix evaluated at the EEP. If all of the eigenvalues have negative real parts, then the EEP is locally asymptotically stable; that is, the system returns to equilibrium after minor disturbances. Such stable behavior is essential in the development of robust cybersecurity strategies, guaranteeing resilience to persistent threats and minimizing the risk of widespread cyber incidents.

Define as the set where all compartments other than the suspicious ones go to zero, i.e., .

Theorem 2. If , the model (4) has a unique endemic equilibrium point (EEP), which is globally asymptotically stable (GAS) within .

Proof: Define the following Lyapunov function

(18)(19)(20)(21)(22)(23)(24)(25)

(26)

We can take since is an invariant region, giving . Thus, , and . This completes the proof.

6 Experimental results and discussion

In this section, which includes results and a discussion with recommendations, we will test the validity of our proposed model and simulate it with different tools. We will discuss the obtained results from the model, including the reproduction number and prediction of the nodes in each compartment. We will also test the control strategy that targets firewall protection.

Table 5 compares several related works based on Essential Elements (EE): Firewall (EE1), two populations considered (EE2), Sensitivity Analysis (EE3), and Recommendation Policy (EE4). None of the reviewed works incorporate a recommendation policy (EE4), highlighting a gap in the literature. This analysis underscores the need for future research to integrate recommendation policies into IoT attack propagation and mitigation models.

Table 5. Comparison of related works based on Essential Elements (EE).

https://doi.org/10.1371/journal.pone.0322391.t005

6.1 Model implementation

In this subsection, we prepare the model parameters for simulation and validation. First, we set up the simulation environment using the tools listed in Table 6.

From SciPy 1.11.3, we use RK45 and ‘’ for solver configurations and tune parameters affecting the reproduction number, such as attack and recovery rates. The parameters can be derived from online datasets. By leveraging real-world datasets CICAPTIIoT2024 [22] and UNSW-NB15 [23], we estimate key model parameters, including attack rates (), recovery rates (), protection rates (p), and removal rates (). The following mathematical formulas allow for the systematic computation of these parameters:

  • , is the ratio of the number of attack packets to the total number of packets multiplied by time.
  • , is the ratio of the number of attack packets originating from compromised devices to the total number of packets multiplied by time.
  • , is the reciprocal of the average recovery time.
  • p, is defined as the ratio of protected devices to the total number of compromised devices multiplied by time.
  • , is defined as the reciprocal of the average active time of attackers.
  • , is defined as the reciprocal of the average active time of compromised devices.
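As an added worked example (not code from the paper), the six definitions above applied to a small set of constructed flow and device records. The record layout, the device names, the observation window of 100 s, and the reading of "multiplied by time" as "per unit of observation time" are assumptions of this example, and the functions are named descriptively because the paper's own symbols for the two infection rates are not shown on the page.

```python
"""Rate-parameter estimation from flow and device records, following the
definitions listed above. All records are constructed for this example; they
imitate the fields of a flow dataset but are not taken from CICAPTIIoT2024
or UNSW-NB15. "Multiplied by time" is read as "per unit of observation
time", i.e. the ratio is divided by the window length T (an assumption)."""
from statistics import mean

WINDOW_S = 100.0  # length T of the observation window (constructed)

# (timestamp_s, src_device, dst_device, packets, is_attack) -- constructed flows
FLOWS = [
    (5.0, "bot-A", "cam-1", 150, True),    # external attacker hitting a target
    (10.0, "cam-1", "hub", 300, False),
    (20.0, "cam-1", "srv-1", 60, True),    # compromised target now attacking
    (30.0, "plug-2", "srv-1", 40, True),
    (40.0, "plug-2", "hub", 250, False),
    (60.0, "sensor-3", "hub", 200, False),
]

# Target devices: (device, compromised_at_s, cleaned_at_s or None, moved_to_protected)
COMPROMISED = [
    ("cam-1", 15.0, 55.0, True),
    ("plug-2", 25.0, 85.0, False),
    ("hub", 40.0, None, False),     # still compromised when the window closes
]

# Attacker devices: (device, first_seen_s, last_seen_s)
ATTACKERS = [("bot-A", 0.0, 80.0), ("bot-B", 10.0, 50.0)]


def attack_rate(flows, window=WINDOW_S):
    """Attack packets over all packets, per unit time (first definition)."""
    total = sum(pk for _, _, _, pk, _ in flows)
    attack = sum(pk for _, _, _, pk, is_atk in flows if is_atk)
    return attack / total / window


def attack_rate_from_compromised(flows, compromised, window=WINDOW_S):
    """Attack packets whose source is a compromised device, over all packets,
    per unit time (second definition)."""
    bad = {dev for dev, *_ in compromised}
    total = sum(pk for _, _, _, pk, _ in flows)
    attack = sum(pk for _, src, _, pk, is_atk in flows if is_atk and src in bad)
    return attack / total / window


def recovery_rate(compromised):
    """Reciprocal of the mean compromised-to-cleaned time; devices not yet
    cleaned are excluded because their recovery time is unknown."""
    durations = [end - start for _, start, end, _ in compromised if end is not None]
    return 1.0 / mean(durations)


def protection_rate(compromised, window=WINDOW_S):
    """Protected devices over compromised devices, per unit time."""
    protected = sum(1 for *_, prot in compromised if prot)
    return protected / len(compromised) / window


def removal_rate_attackers(attackers):
    """Reciprocal of the mean active time of attacker devices."""
    return 1.0 / mean(last - first for _, first, last in attackers)


def removal_rate_compromised(compromised, window=WINDOW_S):
    """Reciprocal of the mean active (compromised) time; a device still
    compromised at the end of the window counts as active until then."""
    active = [(end if end is not None else window) - start
              for _, start, end, _ in compromised]
    return 1.0 / mean(active)


def estimate_all():
    """All six parameters from the constructed records, keyed by definition."""
    return {
        "attack_rate": attack_rate(FLOWS),
        "attack_rate_from_compromised": attack_rate_from_compromised(FLOWS, COMPROMISED),
        "recovery_rate": recovery_rate(COMPROMISED),
        "protection_rate": protection_rate(COMPROMISED),
        "removal_rate_attackers": removal_rate_attackers(ATTACKERS),
        "removal_rate_compromised": removal_rate_compromised(COMPROMISED),
    }


if __name__ == "__main__":
    for name, value in estimate_all().items():
        print(f"{name:30s} {value:.5f}")
```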

The proposed model is scalable for complex IoT networks, dynamically adapting to growth via the arrival rate parameter . It also supports hierarchical topologies, optimizing communication and propagation.

Simulations demonstrate that the model can handle large-scale networks with 2000 nodes (Fig 2). Moreover, we scaled the network to include 10 attacker clusters, 12 target clusters, and 15 devices per cluster, resulting in 330 devices (plus gateways and the central node) (Fig 3). The model remained computationally feasible and provided accurate predictions even at this scale.

Fig 3. Simulated network for interactions between attackers and targets (330 devices).

https://doi.org/10.1371/journal.pone.0322391.g003

Orange edges represent interactions between attackers and targets, modeled by the equation:

This simulation uses a machine with a 12-core CPU and 32 GB RAM. Running time varies from 30 seconds for 330 nodes to 10–13 minutes for nodes. The computational complexity of the model is determined by the number of IoT devices and their interactions, with key processes such as infection, recovery, and protection operating at complexity. In a fully connected network, where every device interacts with all others, the worst-case complexity reaches O(N²) due to pairwise interactions. However, a sparse network assumption significantly improves efficiency by modeling the IoT devices as a graph in which each node interacts with only a limited number of neighbors, reducing the complexity to , where k is the average number of connections per device. This approach ensures the model remains scalable for large-scale IoT networks.

6.2 Model simulation

In this subsection, we present the simulation framework used to evaluate the proposed model. We employ Monte Carlo simulations to capture randomness and variability in attack dynamics, conduct sensitivity analysis to identify key parameters, and compare stochastic and deterministic solutions. These analyses provide insights into the transient and steady-state behaviors of attackers and IoT devices, validating the model’s robustness and applicability to real-world IoT networks.

The algorithm (see S1 Appendix) is concise and compact, preserving all essential steps while emphasizing the Monte Carlo approach. It highlights the stochastic nature of the simulation with clear annotations such as “Random time step” and “Random event selection.”

To evaluate the robustness of the model under uncertainties, such as uncertain attack rates and varying device security levels, we conducted a comparative analysis using both stochastic (Monte Carlo) and deterministic approaches. Fig 4 illustrates the dynamics of the system involving attackers and IoT devices. The top subplot shows the attackers’ space, where susceptible attackers (Sa) transition to malicious attackers (Ma). The Monte Carlo simulation captures fluctuations due to randomness, while the deterministic solution provides a smooth average, reflecting the expected behavior. The bottom subplot depicts the dynamics of IoT devices, including susceptible (St), compromised (Mt), recovered (Rt), and protected (Sp) devices. Here, the Monte Carlo results exhibit step-like behavior due to stochastic effects, whereas the deterministic solution offers a continuous approximation. Both approaches reveal a transient phase followed by a steady state, demonstrating the system’s balance between infection, recovery, and protection. This analysis highlights the importance of stochastic modeling for capturing variability under uncertainties and deterministic modeling for understanding average behavior. These insights are critical for developing robust mitigation strategies, such as improving recovery and protection mechanisms, to address DDoS attacks in IoT networks with varying levels of device security and attack rates.
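The two-solver comparison described above (and the compartment transitions of Sect. 2), as an added example that is not the authors' code: a deterministic discrete-time step beside a Gillespie-style Monte Carlo with a random exponential time step and propensity-weighted random event selection, run over the compartments Sa, Ma, Ra, St, Mt, Rt and Sp. The rate names beta_a, gamma_a, beta_t, gamma_t and omega, the mass-action contact terms, and the initial counts are assumptions; the paper's own system (4) is not reproduced here.

```python
"""Two-population compartment dynamics (attackers Sa, Ma, Ra; targets St, Mt,
Rt, Sp) stepped deterministically and with a Gillespie-style Monte Carlo
("random time step", "random event selection"). Rate names and mass-action
contact terms are assumptions for illustration, not the paper's system (4)."""
import random
from dataclasses import dataclass

@dataclass
class Params:
    beta_a: float = 0.30   # Sa -> Ma: attacker devices recruited through Ma
    gamma_a: float = 0.05  # Ma -> Ra: attacker devices taken offline
    beta_t: float = 0.40   # St -> Mt: targets compromised by contact with Ma
    p: float = 0.10        # Mt -> Sp: compromised targets moved behind a firewall
    gamma_t: float = 0.15  # Mt -> Rt: compromised targets cleaned
    omega: float = 0.02    # Rt -> St: recovered targets become susceptible again

COMPARTMENTS = ("Sa", "Ma", "Ra", "St", "Mt", "Rt", "Sp")

def event_rates(s, q):
    """Propensity of each (source -> destination) transition in state dict s."""
    na = s["Sa"] + s["Ma"] + s["Ra"]
    contact = s["Ma"] / na if na > 0 else 0.0  # malicious share of attacker space
    return {
        ("Sa", "Ma"): q.beta_a * s["Sa"] * contact,
        ("Ma", "Ra"): q.gamma_a * s["Ma"],
        ("St", "Mt"): q.beta_t * s["St"] * contact,
        ("Mt", "Sp"): q.p * s["Mt"],
        ("Mt", "Rt"): q.gamma_t * s["Mt"],
        ("Rt", "St"): q.omega * s["Rt"],
    }

def deterministic_step(s, q, dt):
    """Explicit discrete-time update; the outflow of a compartment is capped at
    its current content, so a large dt cannot drive any compartment negative."""
    nxt, by_src = dict(s), {}
    for (src, dst), rate in event_rates(s, q).items():
        by_src.setdefault(src, []).append((dst, rate * dt))
    for src, flows in by_src.items():
        total = sum(f for _, f in flows)
        scale = min(1.0, s[src] / total) if total > 0 else 0.0
        for dst, f in flows:
            nxt[src] -= f * scale
            nxt[dst] += f * scale
    return nxt

def run_deterministic(s, q, dt, steps):
    """Trajectory [(t, state), ...] of the deterministic model."""
    traj = [(0.0, dict(s))]
    for k in range(1, steps + 1):
        s = deterministic_step(s, q, dt)
        traj.append((k * dt, s))
    return traj

def gillespie(s, q, t_end, rng=None):
    """One Monte Carlo trajectory on integer counts: the waiting time to the next
    event is exponential in the total propensity, and the event that fires is
    drawn with probability proportional to its own propensity."""
    rng = rng if rng is not None else random.Random(0)
    t, s = 0.0, dict(s)
    traj = [(t, dict(s))]
    while True:
        rates = event_rates(s, q)
        total = sum(rates.values())
        if total <= 0.0:
            break                                # absorbing state: nothing can fire
        t += rng.expovariate(total)              # random time step
        if t > t_end:
            break
        pick, acc = rng.random() * total, 0.0    # random event selection
        for (src, dst), r in rates.items():
            acc += r
            if pick < acc:
                s[src] -= 1
                s[dst] += 1
                break
        traj.append((t, dict(s)))
    return traj

def monte_carlo_mean(s, q, t_end, runs, seed=0):
    """Mean final state over `runs` seeded Gillespie trajectories."""
    rng = random.Random(seed)
    acc = {k: 0.0 for k in COMPARTMENTS}
    for _ in range(runs):
        final = gillespie(s, q, t_end, rng)[-1][1]
        for k in COMPARTMENTS:
            acc[k] += final[k] / runs
    return acc

def totals(s):
    """(attacker total, target total): conserved by every transition above."""
    return (s["Sa"] + s["Ma"] + s["Ra"], s["St"] + s["Mt"] + s["Rt"] + s["Sp"])

if __name__ == "__main__":
    s0 = dict(Sa=40, Ma=10, Ra=0, St=300, Mt=5, Rt=0, Sp=25)   # constructed counts
    det = run_deterministic(s0, Params(), 0.05, 1200)[-1][1]
    mc = monte_carlo_mean(s0, Params(), 60.0, runs=200)
    for k in COMPARTMENTS:
        print(f"{k}: deterministic={det[k]:8.2f}  Monte Carlo mean={mc[k]:8.2f}")
```

The deterministic run gives the smooth average and the Monte Carlo trajectories the step-like fluctuations discussed above; increasing `runs` drives the Monte Carlo mean toward the deterministic endpoint.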

Fig 4. Comparison of stochastic (Monte Carlo) and deterministic solutions for the dynamics of attackers and IoT devices.

https://doi.org/10.1371/journal.pone.0322391.g004

Figures 5 and 6 elucidate the dynamics of reproduction numbers for both attacking and targeted populations. This analysis facilitates discerning instances of successful and unsuccessful attacks.

Fig 5. The reproduction number of attacking population analysis.

https://doi.org/10.1371/journal.pone.0322391.g005

Fig 6. The reproduction number RTarget of targeted population analysis.

https://doi.org/10.1371/journal.pone.0322391.g006

Fig 5 shows the variation of the attack reproduction number, , with respect to the variables . The lower triangle of the graph represents the region where the attack fails, i.e., the infection becomes endemic. The upper triangle represents the region where the attack is successful, i.e., the infection is eradicated. The line separates these two regions. In other words, if the reproduction number of an attack is greater than one, then each infected node will infect more than one other node, leading to an exponential increase in the number of infected nodes. This makes it difficult to stop the attack and increases its chances of succeeding. Also, it shows that when the reproduction number is less than one, an endemic case appears, and the attack will be prevented due to the decreasing number of attacking nodes. In other words, if the reproduction number of an attack is less than one, each infected node will not infect more than one other node, leading to a collapse in the number of infected nodes. This makes it easier to stop the attack. The analogous conclusion applies to Fig 6.

The Partial Rank Correlation Coefficient (PRCC) is a valuable metric for assessing the sensitivity of the basic reproduction number (Fig 7). PRCC values, expressed as percentages, provide insights into the strength and direction of the correlation between each parameter ( and p) and the basic reproduction number Rtarget. These coefficients quantify the extent to which changes in a specific parameter affect the equilibrium dynamics of infection. A positive PRCC () indicates a direct relationship, where an increase in the parameter raises the reproduction number. Conversely, a negative PRCC ( and p) signifies an inverse relationship, where higher parameter values lower the reproduction number. These findings are crucial for understanding the sensitivity of the transmission dynamics and inform effective intervention strategies. The findings of Fig 8 lead to the same conclusions as the previous figure. The weak relation between Rattack and is due to the lower recovery rate in the attacking population.

The left plots in Fig 9 illustrate the impact of and on R0, while the right plots show the influence of and on R0. These plots highlight the relative sensitivity of R0 to each parameter, providing insights into their roles in the spread of DDoS attacks and guiding effective control strategies.

Fig 9. Sensitivity analysis of the reproduction number R0 to key parameters.

https://doi.org/10.1371/journal.pone.0322391.g009

Fig 10 demonstrates how variations in influence the number of malicious attackers over time, highlighting the critical role of the attack rate in the propagation of DDoS attacks. This analysis provides insights into the effectiveness of strategies targeting to mitigate the spread of malicious activity in IoT networks.

Fig 10. Sensitivity analysis of Ma (malicious attackers) to .

https://doi.org/10.1371/journal.pone.0322391.g010

Fig 11 shows a graph of the percentage of successful attacks when the attacker has successfully attacked the target. The graph shows three curves, one for each of the three values of R0>1. The graph shows that the percentage of successful attack reproduction number is less than 1 in the case of a failed cyberattack. The network’s defense graph also shows that the percentage of successful attacks decreases as the number of nodes increases. This is because there are more opportunities for the infection to be stopped as the number of nodes increases. The dashed line in the graph represents the percentage of successful attacks if the attacker does not target any nodes. This line is at , which means that the attacker is equally likely to succeed or fail regardless of the R0>1 value or the number of nodes.

Fig 11. R0>1 compartment analysis when we have successful attack.

https://doi.org/10.1371/journal.pone.0322391.g011

Fig 12 shows the curve for the case where the cyberattack failed, called the extinction curve. It is characterized by a reproduction number (R0) less than 1. This means that, on average, each infected node infects less than one other node. As a result, the number of infected nodes gradually decreases and eventually reaches zero. The reproduction number is less than 1 in the case of a failed cyberattack because the network’s defenses can stop the spread of the infection. These defenses can include firewalls, intrusion detection systems, and antivirus software. They can also include human factors, such as employee training and awareness. In addition to the network’s defenses, the failure of a cyberattack can also be due to other factors, such as the quality of the attack code, the attacker’s resources, and the attack’s timing.

Fig 12. R0<1 compartment analysis when the cyberattack failed.

https://doi.org/10.1371/journal.pone.0322391.g012

Fig 13 shows the course of a DDoS attack, a cyberattack that attempts to overload a target with traffic, making it unavailable to legitimate users. The percentage of infected devices in a DDoS attack typically starts high and decreases over time. This is because the attack initially overwhelms the target, but the target's defenses eventually start to mitigate the attack. The initial high percentage of infected devices arises because the attack can quickly infect many devices, normally by leveraging vulnerabilities or social engineering, such as tricking users into accessing a malicious webpage or other entry vectors. Throughout the attack, the target's defenses weaken it, by blocking the volumes of malicious traffic, filtering out the infected devices, or strengthening the target's infrastructure. This causes the percentage of infected devices to decrease over time until it eventually reaches a stable state.

Fig 13. The proportion of compromised devices during a cyber IoT attack.

https://doi.org/10.1371/journal.pone.0322391.g013

6.3 Designing the optimal control strategy

The formulation of efficient preventive measures is a delicate matter in cybersecurity. In particular, we suggest an optimal control strategy for firewall-based attack prevention. This strategy mitigates the effect of unexpected attacks by judiciously varying parameters associated with the firewall's configuration and response. The prevention factor of the firewall, represented as fp, is used to reconstruct the prime model as follows:

(27)

By examining the effect of these parameters on the success or failure of such an attack, we can better tailor our defense strategies. Firewalls, being the first line of defense against cyberattacks, are very important for maintaining the integrity of the network. Next-generation firewalls have threat prevention capabilities that allow attempted attacks to be detected and blocked early, before they breach the corporate network.

The following steps are suggested to improve their effectiveness:

  • Parameter Analysis: Vital parameters of the firewall configuration, such as transmission rates, access controls, and filtering rules, will be studied. These parameters significantly impact the effectiveness of prevention against different kinds of attacks.
  • Optimized Control Strategy: Mathematical modeling and optimization methodology will yield time-varying and cost-effective solutions for malware outbreak mitigation.

For instance, strategies like quarantine and vaccination should be promptly implemented at the onset of an attack, while continuous monitoring and patch application remain essential [39]. In addition, the basic reproduction number (a threshold value governing malware diffusion) is used to quantify how adjustments in firewall parameters influence attack propagation. The new reproduction number is clearly defined as

Applying the GEKKO Python package, we obtain the simulation in Fig 14. We observe a transition from attack success to failure. Notably, the firewall efficiency did not surpass 0.25, indicating that achieving optimal protection requires further enhancements.

Fig 14. An optimal control strategy for firewall protection fp.

https://doi.org/10.1371/journal.pone.0322391.g014

Based on this simulation, we define a policy with the following recommendations.

  • Deploy Firewalls: Install firewalls on all critical nodes to reduce infection spread.
  • Optimize Firewall Efficiency: Maintain a protection rate of at least 0.125 to mitigate attacks effectively.
  • Educate Stakeholders: Raise awareness about firewall benefits and their role in network security.

These steps enhance resilience, reduce infections, and maintain network integrity.

Now, we will define the optimization problem, which aims to minimize the impact of malicious attackers (Ma) and compromised devices (Mt), while maximizing the number of protected (Sp) and recovered (Rt) devices. This will reduce the cost of maintaining the network and prevent IoT devices from being lost. The objective function is defined as:

where are weights representing the importance of each term, and T is the time horizon.

Control variables are introduced to influence the system dynamics: u1(t) reduces the attack rate (), u2(t) increases the recovery rate (), and u3(t) increases the protection rate (p). These control variables are bounded as:

The system dynamics are modified to incorporate the control variables:

The objective function J balances the trade-off between minimizing malicious activities (Ma and Mt) and maximizing protective measures (Sp and Rt). The control variables represent efforts to reduce attacks, increase recovery, and enhance protection. The modified dynamics incorporate these controls, such as reducing the attack rate by , increasing the recovery rate by , and increasing the protection rate by p + u3.
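The optimization problem described above, carried through on a toy model as an added example (this is not the paper's code, and the system below is not the paper's model (27), whose equations are not reproduced here). It uses the compartments named in the text (Sp, Mt, Ma, Rt) plus an assumed susceptible target pool St, applies the three controls exactly as stated (attack rate reduced by u1, recovery rate increased by u2, protection rate p + u3), and minimizes an objective J that penalizes Ma and Mt, rewards Sp and Rt, and adds an assumed quadratic control-effort cost so that the optimum is not trivially the maximal controls. The parameter values, control bounds, weights, initial state and the constant-control grid search are all assumptions; the paper solves its own problem with GEKKO.

```python
from itertools import product

# Assumed parameter values (constructed for illustration; not the paper's fitted values).
BETA = 0.6     # attack rate, reduced to BETA * (1 - u1) under control
GAMMA = 0.1    # recovery rate of compromised devices, raised to GAMMA + u2
P = 0.05       # baseline protection rate, raised to P + u3
RECRUIT = 0.3  # fraction of newly compromised devices that join the attacker pool Ma
DECAY = 0.2    # per-step removal of attackers (takedowns, cleanup)
T = 60         # time horizon in steps
# Assumed bounds on (u1, u2, u3).
U_BOUNDS = ((0.0, 0.9), (0.0, 0.5), (0.0, 0.5))
# Assumed weights (w1..w4) on Ma, Mt, Sp, Rt and a quadratic control-effort cost.
W = (1.0, 1.0, 0.5, 0.5)
C_CTRL = 20.0

def step(state, u):
    """One step of the assumed discrete-time model; state = (St, Sp, Mt, Rt, Ma)."""
    st, sp, mt, rt, ma = state
    u1, u2, u3 = u
    n = st + sp + mt + rt
    prot_frac = P + u3                                        # protection rate p + u3
    inf_frac = min(BETA * (1 - u1) * ma / n, 1 - prot_frac)   # attack rate, clamped so St >= 0
    new_inf = inf_frac * st
    new_prot = prot_frac * st
    new_rec = (GAMMA + u2) * mt                               # recovery rate gamma + u2
    return (st - new_inf - new_prot,
            sp + new_prot,
            mt + new_inf - new_rec,
            rt + new_rec,
            ma + RECRUIT * new_inf - DECAY * ma)

def simulate(u, init=(900.0, 50.0, 50.0, 0.0, 100.0), horizon=T):
    """Trajectory under a constant control vector u (assumed initial state)."""
    traj = [init]
    for _ in range(horizon):
        traj.append(step(traj[-1], u))
    return traj

def objective(u, traj):
    """J = sum_k (w1*Ma + w2*Mt - w3*Sp - w4*Rt) + effort cost (effort term is an assumption)."""
    w1, w2, w3, w4 = W
    run_cost = sum(w1 * ma + w2 * mt - w3 * sp - w4 * rt for (_, sp, mt, rt, ma) in traj)
    effort = C_CTRL * len(traj) * sum(x * x for x in u)
    return run_cost + effort

def optimise(step_size=0.1):
    """Grid search over constant controls within U_BOUNDS; returns the best J and u."""
    grids = [[lo + i * step_size for i in range(int(round((hi - lo) / step_size)) + 1)]
             for lo, hi in U_BOUNDS]
    best = None
    for u in product(*grids):
        j = objective(u, simulate(u))
        if best is None or j < best[0]:
            best = (j, u)
    return {"J": best[0], "u": best[1]}

def total_compromised(u):
    """Sum of Mt over the horizon, a simple summary of attack impact."""
    return sum(s[2] for s in simulate(u))

if __name__ == "__main__":
    no_ctrl = objective((0.0, 0.0, 0.0), simulate((0.0, 0.0, 0.0)))
    best = optimise()
    print(f"J without control: {no_ctrl:.1f}")
    print(f"J with best constant control {best['u']}: {best['J']:.1f}")
```

A constant control is the simplest admissible policy; the paper's time-varying controls u1(t), u2(t), u3(t) would replace the scalar u with one vector per step, and the same objective and simulator apply unchanged. The clamp in step keeps St non-negative, which a discrete-time model needs whenever a rate times a step can exceed the compartment it drains.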

Fig 15 illustrates the impact of implementing an optimal control strategy on the dynamics of attacker and target populations. By effectively reducing the number of attackers and targets over time, the approach enhances network security and minimizes the associated costs of mitigation and recovery. This demonstrates the dual benefit of the control strategy: improving security while optimizing resource expenditure.

Fig 15. Comparison of attacker and target populations with and without control strategy.

https://doi.org/10.1371/journal.pone.0322391.g015

6.4 Model integration

In this section, we propose an application of our model for integration with a cyber threat intelligence platform. The API facilitates communication between the CTI-App (Cyber Threat Intelligence Application) and the Model Plugin. The CTI-App provides real-time data about the IoT network's compartments, time, and risk level of malware, while the Model Plugin processes this data and returns predictions and recommendations (see S2 Appendix).

The proposed API structure delivers significant advantages, including real-time predictions powered by the latest threat data, ensuring timely insights into attack propagation. To ensure the confidentiality and integrity of data exchanged between the CTI-App and the Model Plugin, all API requests and responses will be encrypted using TLS/SSL to prevent unauthorized access during transmission. It offers actionable recommendations, enabling stakeholders to proactively address threats, and is scalable to handle large IoT networks while adapting to evolving risks. Its seamless integration with existing cybersecurity tools enhances practicality and usability in real-world scenarios.

The system includes an auto-connecting interface with cyber intelligence applications, ensuring effortless integration and requiring no user intervention beyond monitoring results. Providing clear, actionable recommendations simplifies decision-making and prioritizes stakeholder input, creating a user-friendly and efficient experience.

The proposed model for DDoS attack propagation in IoT networks has several limitations, including the lack of consideration for power consumption, other malware types, and complex network topologies. Additionally, the model does not explicitly address computational constraints, such as runtime scalability for large-scale networks. Future work should extend the model to incorporate energy-aware metrics, diverse malware behaviors (e.g., ransomware, botnets), and advanced topologies (e.g., hierarchical, mesh). Moreover, optimizing computational efficiency and exploring parallel processing techniques will be crucial for handling large-scale simulations. The model should also account for device heterogeneity and dynamic parameter adaptation to better reflect real-world scenarios. Combining multiple malware types and integrating real-time threat data will enhance its predictive capabilities and practical relevance.

A roadmap for future work includes integrating network topology parameters to model realistic IoT connectivity and incorporating resource constraints to account for processing power and energy consumption. Additionally, the model should adopt adaptive security strategies that dynamically adjust policies based on network size and attack severity. These enhancements will improve scalability, computational efficiency, and real-world applicability, enabling robust mitigation strategies and proactive IoT security measures.

Conclusion

This study investigates the propagation dynamics and mitigation strategies of DDoS attacks in IoT networks. We have quantified key factors influencing the spread of such attacks by analyzing the sensitivity of the reproduction number, attacker behavior, and compartmental proportions. Our findings highlight the importance of a multi-faceted approach to securing IoT devices and networks. To enhance the robustness of our analysis, we integrated statistical Monte Carlo simulations, which provide probabilistic insights into attack propagation and the effectiveness of mitigation strategies under varying network conditions. This allows for a more comprehensive evaluation of uncertainties in real-world scenarios. Furthermore, we explored optimal control techniques to identify strategies that minimize the impact of DDoS attacks while maintaining network functionality. Sensitivity analysis revealed the most critical parameters influencing attack spread and mitigation effectiveness. Our proposed mitigation strategies include strengthening IoT security through regular updates, strong authentication protocols, and enabling advanced security features. Raising user awareness about DDoS threats is essential to prevent devices from being exploited in attacks. Additionally, leveraging automated DDoS mitigation tools to filter malicious traffic and implementing cooperative threat intelligence sharing among organizations can improve early detection and response strategies. This study contributes to the ongoing efforts to enhance IoT security by integrating mathematical modeling with computational simulations and real-world applicability. We hope our findings aid in developing effective, data-driven mitigation frameworks to counteract the growing threat of DDoS attacks.

Supporting information

S1 Appendix.

Monte Carlo Simulation for Attackers and IoT Devices

https://doi.org/10.1371/journal.pone.0322391.s001

(PDF)

S2 Appendix.

The CTI-App sends a request to the Model Plugin with the following structure.

https://doi.org/10.1371/journal.pone.0322391.s002

(PDF)

References

  1. Alashhab ZR, Anbar M, Singh MM, Hasbullah IH, Jain P, Al-Amiedy TA. Distributed Denial of service attacks against cloud computing environment: survey, issues, challenges and coherent taxonomy. Appl Sci 2022;12(23):12441. http://dx.doi.org/10.3390/app122312441
  2. Ahmad A, Abu-Hour Y, DarAssi MH. Effects of computer networks’ viruses under the of removable devices. Int J Dyn Syst Differ Equ 2020;10(3):233–48.
  3. De Neira AB, Kantarci B, Nogueira M. Distributed denial of service attack prediction: challenges, open issues and opportunities. Comput Netw. 2023;222:109553.
  4. Kumar V, Kumar V, Sinha D, Das AK. Simulation analysis of DDoS attack in IoT environment. In: 4th International Conference on Internet of Things and Connected Technologies (ICIoTCT), 2019: Internet of Things and Connected Technologies. Springer; 2020. pp. 77–87.
  5. Machaka P, Ajayi O, Kahenga F, Bagula A, Kyamakya K. Modelling DDoS attacks in IoT networks using machine learning. In: International Conference on Emerging Technologies for Developing Countries. Springer; 2022. pp. 161–75.
  6. Kaur R, Sangal AL, Kumar K. Modeling and simulation of DDoS attack using Omnet++. In: 2014 International Conference on Signal Processing and Integrated Networks (SPIN). IEEE; 2014. pp. 220–5.
  7. Balarezo JF, Wang S, Chavez KG, Al-Hourani A, Kandeepan S. A survey on DoS/DDoS attacks mathematical modelling for traditional, SDN and virtual networks. Eng Sci Technol Int J. 2022;31:101065.
  8. Johnson Singh K, De T. Mathematical modeling of DDoS attack and detection using correlation. J Cybersecur Technol. 2017;1(3-4):175–86. http://dx.doi.org/10.1080/23742917.2017.1384213
  9. Al-Arydah M, Malik T. An age-structured model of the human papillomavirus dynamics and optimal vaccine control. Int J Biomath 2017;10(06):1750083.
  10. Al-Arydah M, Berhe H, Dib K, Madhu K. Mathematical modeling of the spread of the coronavirus under strict social restrictions. Math Method Appl Sci. 2021; http://dx.doi.org/10.1002/mma.7965 pmid:34908636.
  11. Al-Arydah M. Mathematical modeling and optimal control for COVID-19 with population behavior. Math Method Appl Sci. 2023;46(18):19184–98. http://dx.doi.org/10.1002/mma.9619
  12. Berhe HW, Al-Arydah M. Computational modeling of human papillomavirus with impulsive vaccination. Nonlinear Dyn. 2021;103(1):925–46. http://dx.doi.org/10.1007/s11071-020-06123-2 pmid:33437129
  13. Madhu K, et al. Optimal vaccine for human papillomavirus and age-difference between partners. Math Comput Simul. 2021;185:325–46.
  14. Ahmed A, AbuHour Y, El-Hassan A. A novel COVID-19 prediction model with optimal control rates. Intell Autom Soft Comput. 2031;32:979–90. http://dx.doi.org/10.32604/iasc.2022.020726
  15. López M, Peinado A, Ortiz A. An extensive validation of a SIR epidemic model to study the propagation of jamming attacks against IoT wireless networks. Comput Netw. 2019;165:106945.
  16. Chernikova A, Gozzi N, Boboila S, Angadi P, Loughner J, Wilden M, et al. Cyber network resilience against self-propagating malware attacks. In: Computer Security—ESORICS 2022: 27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26–30, 2022, Proceedings, Part I. Springer; 2022. pp. 531–50.
  17. Pokhrel S, Abbas R, Aryal B. IoT security: botnet detection in IoT using machine learning. arXiv preprint. arXiv:210402231; 2021.
  18. Rathee G, Garg S, Kaddoum G, Jayakody DNK, Piran MJ, Muhammad G. A trusted social network using hypothetical mathematical model and decision-based scheme. IEEE Access. 2020;9:4223–4232.
  19. Team ANS. 2022 in review: DDoS attack trends and insights; 2023. Available from: https://www.microsoft.com/en-us/security/blog/2023/02/21/2022-in-review-ddos-attack-trends-and-insights/
  20. Mustapha A, Khatoun R, Zeadally S, Chbib F, Fadlallah A, Fahs W, et al. Detecting DDoS attacks using adversarial neural network. Comput Secur. 2023;127:103117.
  21. XTI S. Common IoT attacks that compromise security - SOCRadar Cyber Intelligence Inc.; 2022. Available from: https://socradar.io/common-iot-attacks-that-compromise-security/
  22. for Cybersecurity CI. CIC APT IIoT dataset 2024; 2024. Available from: https://www.unb.ca/cic/datasets/iiot-dataset-2024.html
  23. Wells D. UNSW-NB15 Dataset; 2015. Available from: https://www.kaggle.com/datasets/mrwellsdavid/unsw-nb15
  24. Kolias C, Kambourakis G, Stavrou A, Voas J. DDoS in the IoT: mirai and other botnets. Computer. 2017;50(7):80–84.
  25. Sahoo KS, Puthal D. SDN-assisted DDoS defense framework for the internet of multimedia things. ACM Transactions on Multimedia Computing, Communications, and Applications (TOMM) 2020;16(3s):1–18.
  26. Anderson RM, May RM. Population biology of infectious diseases: Part I. Nature. 1979;280(5721):361–7. pmid:460412
  27. Diekmann O, Heesterbeek JAP, Metz JAJ. On the definition and the computation of the basic reproduction ratio R0 in models for infectious diseases in heterogeneous populations. J Math Biol. 1990;28(4):365–82. doi: https://doi.org/10.1007/BF00178324 pmid:2117040
  28. Hethcote HW. The mathematics of infectious diseases. SIAM Rev. 2000;42(4):599–653.
  29. La Salle JP. The stability of dynamical systems. SIAM; 1976.
  30. Van den Driessche P, Watmough J. Reproduction numbers and sub-threshold endemic equilibria for compartmental models of disease transmission. Math Biosci. 2002 Nov-Dec;180:29–48. doi: https://doi.org/10.1016/s0025-5564(02)00108-6 pmid:12387915
  31. Ottaviano S, Sensi M, Sottile S. Global stability of SAIRS epidemic models. Nonlinear Anal Real World Appl. 2022;65:103501.
  32. DarAssi MH, Damrah S, AbuHour Y. A mathematical study of the omicron variant in a discrete-time Covid-19 model. Eur Phys J Plus. 2023;138:601.
  33. Meetei MZ, DarAssi MH, Altaf Khan M, Koam AN, Alzahrani E, Ali H Ahmadini A. Analysis and simulation study of the HIV/AIDS model using the real cases. PLoS One 2024;19(6):e0304735.
  34. Yusuf TT. On global stability of disease-free equilibrium in epidemiological models. Eur J Math Stat 2021;2(3):37–42.
  35. Johnson Singh K, De T. Mathematical modelling of DDoS attack and detection using correlation. J Cybersecur Technol. 2017;1(3-4):175–86. http://dx.doi.org/10.1080/23742917.2017.1384213
  36. López M, Peinado A, Ortiz A. An extensive validation of a SIR epidemic model to study the propagation of jamming attacks against IoT wireless networks. Comput Netw. 2019;165:106945.
  37. Liu G, Peng B, Zhong X. A novel epidemic model for wireless rechargeable sensor network security. Sensors 2020;21(1):123. pmid:33375512
  38. Singh A, Awasthi AK, Singh K, Srivastava PK. Modeling and analysis of worm propagation in wireless sensor networks. Wirel Pers Commun. 2018;98:2535–2551.
  39. Yan Q, Song L, Zhang C, Li J, Feng S. Modeling and control of malware propagation in wireless IoT networks. Secur Commun Netw. 2021;2021:1–13.