Teletraffic Analysis of DoS and Malware Cyber Attacks on P2P Networks under Exponential Assumptions

Abstract

Peer-to-peer (P2P) networks are distributed systems with a communication model in which no central authority governs the behavior of individual peers. These networks currently account for a considerable percentage of all bandwidth worldwide. However, this communication model also has a clear disadvantage: it has a multitude of vulnerabilities and security threats. The nature of the P2P philosophy itself means that there is no centralized server responsible for uploading, storing, and verifying the authenticity of the shared files and packets. A direct consequence of this is that P2P networks are a good choice for hackers for the spread of malicious software or malware in general since there is no mechanism to control what content is shared. In this paper, we present a mathematical model for P2P networks to study the effect of two different attacks on these systems, namely, malware and denial of service. To analyze the behavior of the cyber attacks and identify important weaknesses, we develop different Markov chains that reflect the main dynamics of the system and the attacks. Specifically, our model considers the case in which a certain number of nodes are infected with a cyber worm that is spread throughout the network as the file is shared among peers. This allows observation of the final number of infected peers when an initial number (we evaluate the system for from 1 to 14 initial nodes) of malicious nodes infect the system. For the DoS attack, our model considers the portion of peers that are unable to communicate and the average attack duration to study the performance degradation of such an attack. A two-pronged approach was used to study the impact of the attacks on P2P networks; the first focused only on the P2P network, and the second focused on the attacks and the network.

1. Introduction

Peer-to-peer networks are computer networks in which all or some aspects function without fixed clients or servers [1]. They have elementary operating principles; their maintenance cost is low because they do not have centralized servers, and, therefore, thy are very popular, especially in data transmission and file-sharing services of any kind. Moreover, they avoid bottlenecks at the server since high traffic loads imply that many users are active in the system, and each of these contributes resources (memory, processing, and communication bandwidth) to the overall operation of the network. They are organized in a flat structure that allows a direct exchange of information between clients. That is why they are ideal for file dissemination to many computers. Figure 1 shows the operation of this kind of network.

Indeed, a peer acts as a server and as a client in a self-organized and dynamically coordinating structure, since the number of nodes can be increased or decreased at any time. Peers share the file with each other, which is divided into chunks that are distributed throughout the system. Then, a given peer uploads a set of chunks to other peers that do not have them, while it downloads missing chunks from other peers. The respective peer is responsible for finding the correct information. If the data are common, it is easy to find them, but it is difficult to find rare data from other peers. Peers with the complete file usually are called Seeds, while peers without the complete file are called Leechers [2]. Hence, seeds can share the complete file with any given leecher. In this regard, it is important for seeds to remain in the system after they have downloaded the file to increase the capacity of the system.

P2P networks can be divided into three categories: unstructured P2P, structured P2P, and hybrid P2P networks [3,4,5]. An unstructured P2P network does not tell the exact location of the data, so it looks for the requested data in its network. This type of network represents a degree distribution of power law and is dominant in real-life deployment. The disadvantage of this type of network is that it does not seem to know if it can access the data. A structured P2P network uses a globally consistent protocol for efficient searching. It uses a hash table called a distributed hash table (DHT). This table provides information about where a particular file comes from based on several important factors. A hybrid P2P network combines the topology of a structured and an unstructured one. This type of network defines so-called Superpeers, which act as servers to a small portion of the network, and each of them has a list of file information. From this description, it is clear that, for any P2P network, nodes share the chunks directly among themselves without the need for previous verification from a centralized authority. Hence, it would be relatively easy for a malicious node to modify a given chunk to propagate malware throughout the network. Furthermore, since the P2P network entirely relies on users sharing their communication resources, a simple denial of service attack (DoS), which impedes neighbor nodes’ communication, can drastically hinder the operation and performance of the system [6].

Taking BitTorrent as an example, when a file is downloaded, part of the file is downloaded, and the other part is received at the same time by different peers who may have downloaded a chunk or the whole file [7]. This download mechanism in peer-to-peer networks improves the download speed, avoiding bottlenecks at the server and taking advantage of the user’s resources to increase the system bandwidth. However, the adequate operation of the system heavily relies on nodes trusting each other. Hence, in the case of malware inserted in one or several chunks, it can be spread and affect many users. To the best of our knowledge, the malware propagation dynamics in a P2P network have been largely overlooked. Based on the above, in this paper, we develop a mathematical model based on Markov chains that captures the main dynamics of the system, including peer arrival and exit, file downloading, and infected chunks being disseminated. In this sense, the main contributions of our work are as follows:

• We propose an analytical framework to study the behavior of the malware attack that allows identification of the rate at which the malware is dispersed and the number of infected nodes.
• We develop a mathematical analysis to study the impact of jamming the communications of a group of nodes under a DoS attack.
• Based on the insight gained from the mathematical description of the attacks, we recommend the use of countermeasures to investigate the dynamics of the attack when cybersecurity measures are enabled.
• We obtain the performance metrics of the system under the different attacks and different conditions of the attacks.

The proposed teletraffic model is an approximation analysis for different cyber attacks on P2P systems when events occur in exponentially distributed times. Expressly, for the DoS type of attack, we assume that the attacker impairs or limits the communication capabilities of the network during exponentially distributed random times. If the attack has a random duration with distributions with a coefficient of variation (CoV) different from one (as in the case of the exponential distribution), this model is no longer accurate. However, it can be easily extended by using phase-type distributions to account for a CoV < 1 using an Erlang distribution or for a CoV > 1 using a hyper-exponential distribution, in both cases using the developed Markov chains in this work as the basic models. For the malware attack, we consider that there is an initial number of malicious peers, $N_I$, that is registered in the system and that will begin the worm dissemination when the file distribution begins. These malicious nodes have the same characteristics in terms of their communication and processing capabilities. As such, the upload and download bandwidths are not different from the rest of the nodes. Whenever the system operation begins, the malicious nodes will spread the malware to any other peer in the system, and these infected peers will continue the malware propagation to other peers that connect to them, and so on. As such, the only variable of the attack is $N_I$. Note that the malicious nodes cannot behave differently than regular nodes in terms of the upload and download rates because the P2P system would not be compatible, and they would not be able to communicate. If countermeasures are considered, we assume that these measures will prevent some nodes from being infected, while others would not be able to avoid infection (with the probability $P_I$ in our model) since there are no completely secure cyber systems. In the case of the DoS attack, there is no malware attack, but rather some peers are unable to communicate. Hence, the model considers the portion of nodes that cannot download nor upload any chunks, $\delta$, and the average duration of the attack, 1/Δ. We believe that these are the only parameters of the attack from the standpoint of the effect on the P2P communication capabilities.

In addition, in this work, we are not concerned with the computational effects of cyber attacks, i.e., the effect on electronics or computer-related processes. Indeed, our model and analysis cannot reflect these issues, as pointed out by the reviewer. Our model can only reflect the impact on the communication capabilities under the malware and DoS attacks. However, our analysis can consider different characteristics of these attacks, such as the number of initially infected nodes, the mean duration of the attacks, the efficiency of the countermeasures, and the number of nodes that cannot use their communication capabilities. In this regard, our model cannot measure the impact of other variables related to these attacks, such as the time of infection (nodes are not infected instantly by the malware or DoS attack), the use of firewalls, the capabilities of the computer used by the attacker, and the capabilities of the nodes under attack, among many other parameters that can have an important impact on the development of the attack. However, as is often the case in analytical studies, there is a compromise between the tractability of the analysis and the details of the model. If we were to introduce these parameters, the model would be much more complex and probably could not be studied using these mathematical tools. The advantage of using an approximation based on this simplified model is that it can obtain general results before the implementation of the system.

The rest of the paper is organized as follows. We give the background for this paper in Section 2. We survey related work in Section 3. Furthermore, we present the main assumptions and considerations of the problem in Section 4. Then, in Section 5, we introduce the mathematical model approach using Markov chains to represent the interactions of the attacks in the topology of a P2P network. In Section 7, we present the results of our three different scenarios, analyzing the impact of crucial variables on the model. Finally, Section 8 concludes this paper and points out future research directions.

2. Background

Mathematical models developed to study the propagation of infectious diseases have been adapted to the case of worm propagation [8]. Worms are programs that spread themselves across a network by exploiting security or policy flaws in commonly used services [9]. In this regard, several studies of worm propagation have been conducted in which the main mathematical tool used is structural equation modeling (SEM), which is derived from epidemic models in which the host can only transfer from susceptible to infectious. The susceptible, infected, and recovered model improves on the SEM model by taking the removed state and the transition from infectious to removed into account [10]. The SIS model is another evolution of the SEM model; it assumes that infectious hosts can get back to a susceptible state with a certain probability [11]. Unlike these works, we assume that nodes are infected by the distribution of the chunks shared among peers, which is directly related to resource sharing and communication procedures. Moreover, we model a jamming attack based on the same dynamics of the P2P network. In the network security context, both deterministic and stochastic transmission models of worms, based on their respective equivalents in epidemiology, have been proposed. Deterministic propagation models of worms may be further classified into two categories: continuous-time and discrete-time. Since the propagation of worms is a discrete event process, discrete-time propagation models of worms are more accurate than their continuous-time counterparts in the deterministic regime. Some relevant works on deterministic propagation models of worms can be found in [8,11,12,13]. All of the previous models consider a continuous-time propagation base except the last one, which considers discrete-time.

Stochastic propagation models of active worms are based on the notion of stochastic processes. All of them are discrete-time in nature. Two prominent instances of stochastic propagation models of worms can be found in [12,14,15,16].

Attacks on P2P networks can be classified into two types, namely, general and specific attacks [17]. From the general network attacks perspective, this classification provides the most damaging attacks that threaten the network since they aim to disable the complete operation of the system. Malware, DoS, and DDoS (denial of service) fall under this category [18,19,20,21,22].

From the specific attacks on P2P networks perspective, they can also be classified into network and application levels. At the network level, an adversary may try to break the routing system, block access to information by impeding the routing process, or obtain some particular identifiers. At the application level, an adversary can attempt to corrupt or delete data stored in the system. Some papers on network attack simulations can be found in [18,23,24,25].

3. Related Work

Different models have been proposed from different perspectives. We mention the most relevant and use

Table 1. Related work and introduced methodology.

Reference	Introduced Methodology
[26]	This model is a modified version of the susceptible–exposed–infected model from the field of epidemiology.
[27]	Computationally simple hybrid deterministic/stochastic model for the observed scanning behavior on a local network.
[28]	Event-driven simulator.
[29]	Discrete simulations that provide some verification.
[30]	Non-linear differential equations.
[31]	Deep analysis of the features of file sharing and virus propagation.
[32]	0.01 Files in the network as subjects instead of the computers, as is traditional.
[33]	Epidemiological modeling that predicts.
[34]	In-depth analysis of the active malicious code characteristics.
[35]	Based on the worm propagation characteristics and mechanism of a conditional triggered worm attack.
[37]	Attacks of various pollution, including file-targeted attacks and index-targeted attacks.
[38]	Complex network theory.
[39]	A customized form of susceptible–exposed–infected model based on the study of epidemiology.
[8]	Deterministic models of the propagation of computer viruses in a heterogeneous network.

to summarizes introduced methodology. In [26], a model is presented that predicts how a P2P-based virus propagates through a network. Ref. [27] presents a density-dependent Markov jump process model for worms. In [28], a model based on an event-driven simulator is developed. Works focused on propagation can be found in [29,30,31,32,33,34,35]. Ref. [36] suggests a model for proactive worm prevention based on P2P networking technologies. In [37], a unified model is developed. Ref. [38] presents a model based on complex network theory. Ref. [39] submits a customized form of susceptible–exposed–infected. A new multi-node coordinated attack model is proposed in [8].

In the context of the Internet of Things, different approaches have been proposed [40,41,42,43]. However, many of these works are focused on IoT systems, which have many key differences from P2P systems. Specifically, in P2P networks, it is desirable for all nodes to cooperate and communicate with the rest of the nodes to increase the system bandwidth. In contrast, in IoT systems, nodes usually have no clear advantage in communicating with any other node in the system. Rather, they communicate with the sink node or some specific nodes that may be used as relay nodes to reach the sink. In this regard, a malware attack would have an entirely unique behavior and performance as in the P2P network. Furthermore, for the DoS attack, if certain key nodes in an IoT system are impaired to communicate, the effect on the system performance would be greatly affected if the packet cannot reach the sink. This is especially true in P2P networks. Indeed, only a portion of nodes would not be able to download nor upload chunks, but the rest of the nodes would continue to operate normally, but with a decreased bandwidth.

As we have mentioned, our model focuses on malware and DoS attacks on the P2P system since these are general attacks focused on disrupting the normal operation of the complete system and, therefore, are the most damaging attacks. In this regard, we provide a mathematical framework to quantitatively measure the effectiveness of such attacks. We model both the infection procedure and the case in which countermeasures are used to limit the propagation of malware in infected chunks. Furthermore, we consider a jamming attack in which a malicious node transmits an interference signal that is capable of disabling certain nodes, thereby preventing them from sharing their chunks with other peers.

4. Malware and DoS Attacks in the P2P Network

In this section, we describe in detail the attacks that we mathematically model using Markov chains. It is important to note that our work theoretically models both the DoS and worm-based attacks similarly to how the Erlang B formula and the basic P2P system (also derived from continuous-time Markov chains) model the blocking probability in telephone systems, i.e., assuming exponentially distributed times (interarrival and service duration). In this regard, our analysis only considers the communication links available or disabled under these types of attacks, as well as the rate of propagation of worms in P2P networks under different conditions. As in the Erlang B model and P2P basic system, there is no consideration of the electronics, computing capabilities, interference, noise, or many other components and variables involved in these systems. The main reason for this is that a mathematical model that considers all of these details may be very hard to produce and even more computationally difficult to solve.

Considering the basic P2P system presented in [44,45], in which exponentially distributed times were considered as well, we aim to extend this model by introducing these two types of cyber attacks, which, given the distributed nature of P2P networks, are very harmful. These attacks are modeled using exponential assumptions, which may differ from practical attacks but give a first approximation to the theoretical performance of these networks. The results are similar to those of the basic model, in which the user interarrivals or dwelling times may not follow an exponential distribution, but the theoretical performance presents a good approximation to real systems (see the results in [45]). Following this, we assume that the DoS attack follows an exponential distribution. Specifically, we assume that the period between attacks and the duration of each attack are random variables with exponential distributions. This may differ from a real attack pattern where botnets are generating such disruptions in the system. In this regard, the exponential model presented in this work has the advantage of presenting a base model that can be easily extended to cover different attack patterns. Indeed, the exponential distribution assumption implies that both the attack interarrival times and attack duration have a coefficient of variation equal to one ($CoV={\sigma }_x/E\left[x\right]$, where ${\sigma }_x$ is the standard deviation, and $E\left[x\right]$ is the mean of these times). In the case that the attack pattern has a different $CoV$, it can be modeled using an Erlang distribution $(ifCoV<1)$, a hyper-exponential distribution $(ifCoV>1)$, or even a Markov modulated poisson process (MMPP) in the case that there are bursts of such attacks. All of these different attack patterns use the basic exponential distribution chain that we developed in this work as the base.

4.1. Malware

Malicious code or malware is the generic term used to designate any informatic program created deliberately to carry out an unauthorized activity that, in numerous instances, is harmful to the system in which it has been lodged. It is a complex piece of software that is capable of complicated attacks, such as collecting all kinds of information. The unauthorized activity of malware (payload) may range from a simple erasure of files to the retrieval and later use of private and/or confidential information (websites visited, contact lists, passwords, account numbers, etc.). Occasionally, the activity performed by the malware may provide some benefit to its creator or disseminator [46]. The flow chart for this attack is depicted in Figure 2.

Malware is currently one of the main threats to information security. Far from decreasing, this threat (and the effects thereof) will expand considerably in the coming years, mainly because of improvements in its techniques and goals. In the case of malware distribution in P2P networks, the threat and impact are even higher since the intrinsic operation of the system relies on nodes sharing data among peers that are not even known or identified to many nodes, and this file is shared among all users of the system. Hence, it is of paramount importance to quantify the impact of such attacks.

In this work, we consider that the malicious nodes are present from the beginning of the download process, with $N_i$ nodes attacking the network. The rationale for this is that, for these types of attacks, there is no need to maintain an active attack since the P2P system is very efficient at propagating the malware given a sufficiently high value of $N_i$. In this way, the attacker is less likely to get detected since it only provided an initial number of infected seeds, and no new malicious nodes are introduced afterward. This number remains fixed, and no new malicious nodes are added during the operation of the system. We also consider that when a peer enters into contact (i.e., downloads one or more chunks) with an infected peer, it automatically becomes infected. Given the developed analysis, we believe this represents an important baseline model that allows the relaxation of these assumptions in future work if required.

A technique [47] for efficient and effective malware detection is to build models of the malicious samples offline and then verify at run-time if the behavior of a suspicious application adheres to a known model. Ref. [48] used hierarchical behavior specifications to build a model of a malicious program. As the number of malicious samples continues to grow, efficiency is essential, not only for detectors, but also for automatic malware analysis systems. To address this problem, [49] proposed a technique that allows detection of whether a binary is a polymorphic variant of a malware sample that has already been analyzed in the past.

Malicious software has a wide range of analysis avoidance techniques that it can employ to hinder forensic analysis. A review of the literature [50] on malware analysis methodologies found that the most effective methodologies take the presence of analysis avoidance techniques into account [51]. Ref. [52] presented an incremental, static, and dynamic spiral analysis methodology for analyzing malware that additionally molds the analysis environment as the understanding of the malware is attained.

4.2. Denial of Service and Distributed Denial of Service

A denial of service (DoS) attack attempts to make a node or network and its resources unavailable to its intended users by overloading [6]. Figure 3 shows the flow chart for this kind of attack. A distributed denial of service (DDoS) attack usually means that a group of network nodes launches DoS attacks against the same victim. They both cause the service to stop working by using reasonable service requests to exhaust the resources of the target host. The host sends riddles to its clients before continuing with the requested computation, thus ensuring that the client performs an equally costly computation. DoS and DDoS attacks are very likely to happen in P2P systems. Indeed, in a P2P network, there are numerous participants, and the traffic generated by them is considerably large. Therefore, it is very difficult to predict the traffic between nodes. Hence, attackers can make use of this kind of behavior to overload the network and then disrupt or disable the P2P network. The impact of such an attack is more important when there are millions of concurrently active peers because there is the risk that it could serve as a DDoS engine for attacks against a targeted host. Since any node can act as a router in P2P systems, DDoS attacks are difficult to detect [53,54,55,56,57].

The query flooding a P2P network can be easily attacked by sending a massive number of queries to peers. Furthermore, this attack can be performed by malicious nodes transmitting a jamming signal that causes enough interference in the surrounding nodes, effectively impairing their communication capabilities. Attacks can also use the P2P network as an agent to attack other targets, such as websites. Peers in the network request files from a target and overwhelm the victim with enormous bandwidth usage. Such attacks intend to exhaust resources, paralyzing the capacity of the target. The exhausted resources include the target’s CPU processing, downstream bandwidth, upstream bandwidth, etc.

5. Mathematical Model

In this section, we mathematically model both malware and denial of service attacks using continuous-time Markov chains that describe the main dynamics of the system, namely, peer arrivals and departures, file downloading procedure, and infection rates for the malware attack and saturated nodes with impaired communication from the DoS attack. We consider the main and shared characteristics of several attacks to be malware, worms, and poisoning since their behavior and form of attack are very similar. In this way, the parameters are simple, and the findings obtained can be extended to more than one attack in this type of network.

To this end, we use the basic P2P network model presented in [53] that we now describe in detail.

5.1. Basic P2P Model

This model assumes that there are two types of users: leechers and seeds. The Markov chain that describes this system is composed of two states, $(x,y)$, where x is the number of leechers, and y is the number of seeds. Note that there has to be at least one seed in the system to share a file, which is, in fact, the only node that has the complete file at the beginning of the downloading procedure. Hence, this represents an irreducible continuous-time Markov chain with valid state space $\left({\Omega }_{x,y}\right)$ where the state system space $(x,y)$ is with $x=0,1,2,\dots ,$ and $y=1,2,3,\dots$. This chain is irreducible because any state can be accessed by any other state, and all states communicate with each other.

Peers arrive in the system with no chunks (i.e., arriving as leechers) at the rate $\lambda$ and leave the system before finishing the complete download of the file at the rate $\theta$. Hence, the model considers that nodes become impatient or simply have to leave the downloading procedure for a random time with an exponential distribution and the mean $1/\theta$. Once a leecher downloads the complete file, it becomes a seed at the rate $\tau$. Seeds dwell in the system for a random exponentially distributed time with the mean $1/\gamma$. This passage from leecher to seed can be further explained as follows: Two scenarios of conditions are considered. The first one is penury, in which there is a scarcity of users that, in turn, is reflected as a scarcity of resources since there are very few peers sharing the file, and the system’s bandwidth is denoted by $\mu \left[\right(\eta ·x)+y]$, where $\mu$ is the upload rate, and $\eta$ is the parameter that reflects the efficiency of the file sharing among leechers. Indeed, not all leechers that connect among these can interchange chunks of the file because they may have duplicated chunks. This is especially true when there are few leechers in the system or when the chunks are not uniformly distributed by the seeds, i.e., there are chunks that are widely distributed, while other chunks are rare. However, as the number of leechers increases, and the system uses good chunk distribution policies, the efficiency increases, reaching a value close to 0.9. Assuming that nodes can download the file at a maximum rate c, in penury conditions, the available bandwidth is not sufficient for the nodes to download at this rate. Hence, $\mu (\eta ·x+y)<(c·x)$. Indeed, the total download rate of the system is $c·x$ because only leechers are downloading the file, and seeds have already completed the download. The second scenario is abundance, in which the number of users is sufficient to allow leechers to download at the maximum rate, $(c·x)$. Hence, the leecher-to-seed transition rate can be expressed as:

$$\tau =\min \left[\mu \right(\eta ·x)+y),cx]$$

(1)

We numerically solve the aforementioned chain to obtain the average number of seeds and leechers in the system. Moreover, this Markov chain can be represented as depicted in Figure 4.

5.2. P2P Infected by Malware

Based on this basic model, we now develop the Markov chain that describes the peer infection procedure. In this model, we assume that there are $N_i$ malicious nodes at the beginning of the file distribution attacking the system. Furthermore, new nodes that arrive, at the rate $\lambda$, are not infected, but, if they connect to an infected node, they become infected. For this infection model, we assume that nodes cannot be uninfected, but this restriction will be relaxed in further sections. Hence, the Markov chain that models these dynamics can be formed by four states $(X_n,X_i,Y_n,Y_i)$, where $X_n:$ uninfected leechers, $X_n:$ infected leechers, $Y_n:$ non-infected seeds, $Y_i:$ infected seeds, and the initial state is $(0,0,1,N_i)$. Leechers (seeds), whether infected or not, can leave the system at the rate $\theta$ ($\gamma$). A non-infected leecher that never downloaded a chunk from an infected peer becomes a non-infected seed at the rate ${\tau }_{nn}$, given by:

$${\tau }_{nn}=\min [c{P}_n{X}_n,\mu (\eta ·X_n+Y_n)]$$

(2)

where $P_n$ is the probability that a peer does not get infected. Note that in order for a leecher to not get infected, all of the available uplink bandwidth, i.e., all of the resources shared with this leecher, have to be free from infected peers. Conversely, an infected leecher that downloaded chunks from infected peers at some point in the file exchange procedure becomes a seed at the rate ${\tau }_i$

$${\tau }_i=\min \left[c{X}_i,\mu (\eta ·X+Y)\frac{X_i}{X}\right]$$

(3)

where the total number of leechers is given by $X=X_n+X_i$, and the total number of seeds is $Y=Y_n+Y_i$. For this rate, note that $c{X}_i$ is the total download rate from infected leechers downloading in abundance conditions, and, in penury, the portion of infected leechers is $X_i/X$, and only infected peers are uploading to these leechers. If not, i.e., if uninfected peers were exchanging chunks, these uninfected peers would become infected. As such, the only bandwidth considered for an infected leecher to become an infected seed is: $\mu (\eta ·X+Y)\frac{X_i}{X}$. Moreover, an uninfected leecher can become an infected seed at the rate:

$${\tau }_{ni}=\min [c(1-P_n)X_n,\mu (\eta ·X+Y)(1-P_n)]$$

(4)

In this case, the leecher managed to remain uninfected during the file downloading only until the final chunks when it becomes a seed and downloads the last chunks from an infected source. Then, the uninfected nodes ($X_n$) are the peers downloading, but they get infected in this process with the probability ($1-P_n$). Furthermore, unlike the case of ${\tau }_{nn}$, all peers can upload the file to these leechers as long as they get infected at this point, explaining the right part of this expression.

To calculate $P_n$, we have to consider that the total bandwidth in the system is given by $\mu (X\eta +Y)$, while the bandwidth provided by non-infected peers is $\mu (X_n\eta +Y_n)$, and the bandwidth provided by infected peers is $\mu (X_i\eta +Y_i)$. Then, considering that any peer can be connected to any other peer in the system, the probability that only the non-infected bandwidth is used can be expressed as:

$$P_n=\frac{X_n\eta +Y_n}{X\eta +Y}$$

(5)

From this, the rate at which leechers become infected during the file-sharing process before becoming seeds, i.e., considering that they can be infected by downloading any possible chunk in the file, can be written as:

$${\tau }_c=\min [ck(1-P_n)X_n,\mu k(\eta ·X+Y)(1-P_n)]$$

(6)

where k is the number of chunks, each of size B bytes, forming a file of size F bytes. Then, the number of chunks in a file is given by $k=F/B$. From this, we can see that the chunk download (upload) rate is $ck$ ($\mu k$), which is k times faster than the file download (upload) rate.

From this description, when the system is in the state $(X_n,X_i,Y_n,Y_i)$, the valid transitions to any other state are listed as follows and depicted in Figure 5:

• $(X_n+1,X_i,Y_n,Y_i)$ when a new non-infected leecher arrives at the rate $\lambda$.
• $(X_n-1,X_i,Y_n,Y_i)$ at the rate $X_n\theta$ when a non-infected leecher leaves the system.
• $(X_n,X_i-1,Y_n,Y_i)$ at the rate $X_i\theta$ when an infected leecher leaves the system.
• $(X_n,X_i,Y_n-1,Y_i)$ at the rate $Y_n\gamma$ when a non-infected seed leaves the system.
• $(X_n,X_i,Y_n,Y_i-1)$ at the rate $Y_i\gamma$ when an infected seed leaves the system.
• $(X_n-1,X_i+1,Y_n,Y_i)$ when a leecher downloads an infected chunk at the rate ${\tau }_c$.
• $(X_n-1,X_i,Y_n+1,Y_i)$ at the rate ${\tau }_{nn}$ when a non-infected leecher becomes a non-infected seed.
• $(X_n,X_i-1,Y_n,Y_i+1)$ at the rate ${\tau }_i$ when an infected leecher becomes an infected seed.
• $(X_n-1,X_i,Y_n,Y_i+1)$ at the rate ${\tau }_{ni}$ when a non-infected leecher becomes an infected seed.

5.3. P2P System Infected by Malware with Countermeasure

In this case, we assume that every time a leecher downloads a chunk, it passes through a revision process, looking for malware. An example of this kind of measure could be antivirus protocols for verifying the origin of the files or quarantine protocols for files that are not known to be trusted. However, not all malware can be detected, and not all peers may have the latest version of the antivirus software, which causes some malware to remain undetected and infect leechers, as in the previous case.

Then, in this chain, the model accounts for the malware revision procedure in the sense that the nodes do not get infected just by downloading an infected chunk. Rather, they become infected only if these countermeasures fail. Then, $P_I$ is the probability that a non-infected node downloading from an Infected node does become contaminated. The closer this parameter is to one, the higher the probability of contagion, and, when it is closer to zero, this indicates that the assumed measures are more effective. Building on this, the Markov chain, depicted in Figure 6, describes the use of countermeasures in a malware attack as very similar to the previously described chain, except that whenever there is a risk of getting infected, the security software avoids infection with the probability $P_I$. Then, only transitions to the following states are modified:

• $(X_n-1,X_i+1,Y_n,Y_i)$ when a leecher downloads an infected chunk and cannot avoid infection at the rate $P_I{\tau }_c$
• $(X_n-1,X_i,Y_n,Y_i+1)$ at the rate $P_I{\tau }_{ni}$ when a non-infected leecher cannot prevent infection and becomes an infected seed.

5.4. Markov Chain with a DoS Attack

In this attack, nodes are unable to communicate, preventing resources from sharing with other peers. Building on this, the Markov chain that captures the main dynamics of this system is given the following valid state space $(X_n,X_d,Y_n,Y_d)$ for $({\Omega }_{X_n,X_d,Y_n,Y_d}{X}_n,X_d,Y_n\le 0,Y_n\le 1)$ where $X_n$ and $Y_n$ ($X_d$ and $Y_d$) are the leechers and seeds without an attack (under the DoS attack). From this, when the system is in the state $(X_n,X_d,Y_n,Y_d)$, the possible transitions are shown in Figure 7 and are described as follows:

• To the state $(X_n+1,X_d,Y_n,Y_d)$ at the rate $\lambda$ when a new leecher arrives. We assume that new peers are not under the DoS attack.
• To the state $(X_n-1,X_d,Y_n,Y_d)$ when a leecher without an attack leaves the system at the rate $X_n\theta$.
• To the state $(X_n,X_d-1,Y_n,Y_d)$ when a leecher under attack leaves the system at the rate $X_n{\theta }_d$. In this case, we assume that a leecher that realizes that it cannot communicate may choose to leave the system as soon as it detects a possible attack or perceives a malfunction by maybe trying to reset the communication device or leaving the system to re-enter at a future time. As such, the node may leave the system earlier than usual; then, ${\theta }_d>\theta$.
• To the state $(X_n-1,X_d,Y_n+1,Y_d)$ when a leecher without an attack downloads the complete file and becomes a seed. Indeed, if this peer is not under attack while downloading the file, it is very likely that it will remain in the same conditions when it finishes its download process. This occurs at the rate $\tau =\min [C{X}_n,\mu (\eta X_n+Y_n)]$. It is important to note that only peers without an attack can share their resources, while nodes under the DoS are not considered in the communication bandwidth. Additionally, only the leechers without an attack can become seeds, which explains the left side of this rate.
• To the state $(X_n,X_d,Y_n-1,Y_d)$ at the rate $Y_n\gamma$ when a seed without an attack leaves the system.
• To the state $(X_n,X_d,Y_n,Y_d-1)$ at the rate $Y_d\gamma$ when a seed that is being attacked leaves the system. In this case, since the peer has already downloaded the file, it may not detect an ongoing attack. As such, the departure rate remains the same as seeds without any attacks.
• To the state $(X_n-\left[X_n{\delta }^l\right],X_d+\left[X_n{\delta }^l\right],Y_n-\left[Y_n{\delta }^s\right],Y_d+\left[Y_n{\delta }^s\right])$ when a portion of new peers get attacked. Hence, in the case that a malicious node generates a spurious signal in a given area, some nodes inside this region can be leechers (in this case ${\delta }^l$), and some other nodes can be seeded (${\delta }^s$ in this model).
• To the state $(X_n+\left[X_n{\delta }^l\right],X_d-\left[X_n{\delta }^l\right],Y_n+\left[Y_n{\delta }^s\right],Y_d-\left[Y_n{\delta }^s\right])$ when the attacker desists its attack in some region. We consider that the average attack time is $1/\Delta$. Then, this occurs at the rate $I(X_d,Y_d)\Delta$ where $I(X_d,Y_d)$ is an indicator function (the end of an attack can only occur if an attack is present in the system) given as:

  $$I(X_d,Y_d)=\left\{\begin{array}{cccc}\hfill 0& \mathrm{if}\hfill & \hfill X_d\mathrm{or}{Y}_d& =0\hfill \\ \hfill 1& \mathrm{if}\hfill & \hfill X_d\mathrm{or}{Y}_d& \ne 0\hfill \end{array}\right.$$

6. Numerical Solution of the Markov Chains

The numerical results presented in this section were obtained by numerically solving the previous Markov chains and using Python with the Anaconda package manager and the Jupyter Notebook interface. Other packages within Python that are important for the simulation are random, math, NumPy, Matplotlib, and Pandas.

6.1. Simple Markov Chain

For the basic Markov chain, i.e., when no attack is present, the parameters used for the solutions are presented in

Table 2. Parameters used in the simple chain.

Parameter	Value	Description	Units
c	0.02	Download file rate	files/s
$\lambda$	1	Peer arrival rate	users/s
$\mu$	0.00125	Upload file rate	files/s
$\theta$	0.01	Leecher connection time	s
$\gamma$	0.01	Seed connection time	s
$\eta$	0.85	Download efficiency coefficient

. Algorithm A1 represents the states that were presented in Figure 4. When the system is in the state $(x,y)$, the solution consists of calculating all of the exponential random times associated with the output rates from this state and choosing the minimum time. Then, the next state is the one associated with this minimum time. We store all the times in each state to calculate the stable state probabilities ${\pi }_{(x,y)}$.

6.2. Markov Chain with Initially Infected Nodes

For the Markov chain with infected initial nodes, the parameters of the simple chain plus the parameters explained in

Table 3. Added parameters to the chain with infected nodes.

Parameter	Value	Description	Units
K	1/10	File chunks	size/chunks
$X_i$	-	Infected leechers	peers
$Y_i$	-	Infected seeds	peers
$N_i$	10	Initial number of infected seeds	peers

were taken. The basic model corresponds to the normal and conventional operation of the P2P system. However, when an active attack is present, the system would be degraded according to the intensity of the attack. For the malware attack, the intensity of the attack is reflected in the initial number of malicious nodes, $N_i$, while for the DoS attack, the intensity of the attack is reflected in the time of the attack and number of nodes affected by it, given by $1/\delta$, ${\delta }^l$, and ${\delta }^s$, correspondingly.

Algorithm A2 represents the numerical solution of the Markov chain that was presented in Figure 5 . For this string, we also varied three different parameters over a certain range. These parameters are $\gamma$, which represents the seed connection time; $\mu$, which indicates the download rate; and $\lambda$, which is the arrival rate of new users connecting to the network per second. Three different experiments were performed to vary each of the above parameters against the number of initially infected nodes ($N_i$), which represents the intensity of the attack, to study the performance of the system in terms of the number of healthy or infected peers and determine which value or range of values favored or harmed the growth of the infected nodes. The value of K was set to 0.1, although this value can change depending on the specific conditions of the system.

6.3. Markov Chain with Infected Initial Nodes and Countermeasures

In this case, similar to the previous Markov chain, a comparison was made between the number of initially infected nodes and the probability $P_I$ that a healthy node downloading files from an infected node does not get contaminated or that the contaminated chunks are passed through the security software to disinfect it. Note that the model does not consider the case in which the infected chunks are discarded. Indeed, they are disinfected, with the probability $P_I$ or not detected, and then, the leecher gets infected with the probability $1-P_I$, which implies that the security software could not detect the malware, to observe how it affects the behavior of seeds and leechers, whether healthy or infected. In this experiment, the range of initially infected nodes was extended, starting from 1 to 14 nodes, and the infection rate was carried out within the range of 0 to 1 with steps of 0.01.

In Algorithm A3, we can see that $P_I$ is multiplied by the rates associated with states 6 and 7, as these states affect the growth of the infected pairs.

7. Numerical Results

In this section, we show the most representative results that could be used in future P2P networks that suffer cyber attacks. First, we show well-known results for the basic model that shows the normal operation of the system to clearly see the effects of the different attacks on the network.

7.1. Basic P2P Network

These results were obtained using the parameters and values presented earlier. Specifically, c = 0.02 (files/s), $\lambda$ = 1 (users/s), $\mu$ = 0.00125 (files/s), $\theta$ = 0.01 (leecher departures per sec), $\gamma$ = 0.01 (seed departures per sec), and $\eta$ = 0.85. In Figure 8, we can see the number of peers (both leechers and seeds) who go through an initialization phase during which the system is found in a transitory mode where there are few peers, especially seeds, and the file sharing is very inefficient due to the lack of resources. As time passes, the system enters a stable state where the number of peers varies around a clear average value. This is because the number of resources is sufficiently high, and most leechers find either a leecher that can share the missing chunks or seeds that remain in the system. Note that the number of peers continues to vary throughout the realization of the experiment, but it clearly does so around a fixed value.

For this experiment, the average number of leechers obtained was 100, and the average number of seeds was 16, as shown in

Table 4. Averages and simulation time of the simple Markov chain for each type of peer.

Average in 100,000 Iterations
Leechers	Seeds
100 ± 15	16 ± 3
Approximate running time: 25 min

.

7.2. P2P System with a Malware Attack

For these results, we used the following set of parameters: c = 0.002 (files/s), $\lambda$ = 1 (arrival rate, users/s), $\mu$ = 0.05 (files/s), $\theta$ = 0.005 (leecher departures per sec), $\gamma$ = 0.3 (seed departures per sec), $\eta$ = 0.85, and $K=1/10$ (chunk length), and now, we also use an initial number of infected seeds of $N_i=10$. In this case, the evaluation time was significantly increased due to the increased complexity of the system, as shown in

Table 5. Average results for each type of peer in the network together with the simulation time of the Markov chain with malicious nodes.

Average in 100,000 Iterations
Healthy Leechers	Healthy Seeds	Infected Leechers	Infected Seeds
33 ± 8	2 ± 1	10 ± 5	2 ± 2
Approximate time: 37 min

. The results shown in Figure 9 clearly show that the system also reaches a stable state after a transitory phase. This includes the number of infected peers. Indeed, for this initial number of malicious nodes sharing the malware in their chunks, not all of the system gets infected; it is much less than half of the leechers and half of the number of seeds. These are essential results because, using this model, the system administrator can estimate the number of malicious nodes attacking the system by only observing the resulting number of infected peers in time.

To further study the system performance of the system under a malware attack, we vary many of the system parameters, such as $\gamma$, $\theta$, $\lambda$, and $N_i$ see as Figure 10. From these results, we can see that the value of $\gamma$ has no important impact on the malware process since both healthy and infected peers vary in the same proportion for any value of the initial numerous malicious nodes. However, for the case of $\theta$, we can see that for variations in the departure rate of leechers, the system becomes very sensitive to the number of initial malicious nodes, i.e., an increasing $N_i$ entails a higher number of infected nodes, which did not occur when varying $\gamma$. In the case of the arrival rate, we case see an expected increase in the number of infected peers as the leecher arrival rate increases. This occurs simply because there are more peers in the system sharing their resources, which makes it easier for nodes to get infected.

7.3. P2P System with Countermeasures for the Malware Attack

In this case, the system has incorporated different countermeasures to avoid infections of the malware. However, no countermeasures are completely effective, and some peers still get infected. This vulnerability of cybersecurity countermeasures is modeled with the probability $P_I$. Hence, low (high) values of $P_I$, correspond to the case in which either the countermeasures are very effective (inefficient) or the malware attack is weak (strong) and cannot (can) infect nodes. This effect is clearly seen in Figure 11 where infected peers drastically diminish as $P_I$ approaches the value of 0, avoiding most of the potential infections in the system. These results were obtained using $\gamma =1$, $\eta =0.85$, and the new user arrival rate $\lambda =1$. The running time was 1 hour and 33 minutes, which exceeded the previous execution times, accounting for the added complexity of the system. Note that the number of initial nodes no longer has any effect on the number of infected nodes. As such, the introduction of countermeasures is an effective way to control the spread of malware. From the practical side, the system administrator can clearly see from the number of infected nodes the effectiveness of the countermeasures to produce more effective tools if required. Moreover, as time passes, some countermeasures that were efficient in the beginning may become obsolete as time passes by, which would be reflected in a higher portion of infected nodes.

7.4. P2P System under a Denial of Service Attack

For this attack, we no longer have infected nodes, but rather, nodes that cannot communicate since they are under a DoS attack. Hence, a malicious node jams the communication capabilities of a certain number of nodes, given by $\delta s$ and $\delta l$ in the previously presented model. For a high-level attack, i.e., a node that has the capability of attacking many nodes simultaneously, these parameters will also be high. For a stealthy attack, the attacker may choose a low value for these parameters. In Figure 12, we present the results for a value of ${\delta }_s={\delta }_l=5$, for which, when an attack is present, there are five nodes on average jammed by the attacker.

We now investigate the system’s performance for different conditions of the attack. We first present the evolution in time of the P2P system under this attack, as depicted in Figure 12. For these results, we consider that there is an initial number of five jammed peers, and every time the attack is active there are five peers jammed. We can clearly see that, at the beginning of the attack, there are only five seeds jammed in the system that cannot communicate with the rest of their peers. As time passes by, this initial number of seeds decreases since they eventually leave the system. Thereafter, the attack mainly affects the leechers due to the proportion of seeds in the system, i.e., there are much more leechers, and the probability that the node under attack is a leecher is much greater than that it is a seed.

We now present the average number of leechers and seeds with and without the jamming attack for different attack intensities. Note that the intensity of the attack directly depends on the number of nodes that are jammed when an attack begins (for the leechers, it is ${\delta }_l$, and, for the seeds, it is ${\delta }_s$) and the average time of such an attack, $1/\Delta$. Our model is sufficiently flexible to allow the number of leechers and seeds being jammed to be different. This is the case in a more sophisticated attack where the hacker has the capacity to recognize that a node is either a leecher or seed and jam its radio communications for a specific time. For instance, he may choose to jam only seeds, in which case ${\delta }_l=0$ and ${\delta }_s>0$, or only leechers where ${\delta }_l>0$ and ${\delta }_s=0$.

Table 6. System performance of a P2P system under a DoS attack for different attack intensity varying ${\delta }_l$, ${\delta }_s$, and $\Delta$.

$\mathsf{\Delta }$	$\mathit{\delta }\mathit{s}$	Healthy Leechers	Healthy Seeds	DoS Leechers	DoS Seeds
1	0.00	9.155	53.013	7.811	2.924
1	0.25	9.784	4.406	9.884	3.967
1	0.50	10.576	1.614	11.208	1.658
1	0.75	9.410	1.167	10.214	1.123
40	0.00	9.727	52.927	151.998	2.659
40	0.25	7.349	3.669	133.747	15.693
40	0.50	4.725	1.177	208.656	11.323
40	0.75	12.693	1.817	116.988	4.143
80	0.00	9.033	52.525	146.615	2.544
80	0.25	7.172	3.556	154.939	16.503
80	0.50	5.685	1.238	223.982	10.481
80	0.75	6.836	1.253	180.951	7.281
$\mathbf{\Delta }$	$\mathit{\delta }\mathit{l}$	Healthy Leechers	Healthy Seeds	DoS Leechers	DoS Seeds
1	0.00	429.252	2.289	4.119	2.099
1	0.25	41.452	1.946	54.870	2.082
1	0.50	8.488	1.451	7.729	1.401
1	0.75	4.944	1.519	2.153	1.394
40	0.00	431.542	1.883	1.713	17.139
40	0.25	19.523	1.814	285.543	8.148
40	0.50	7.048	1.369	117.530	9.321
40	0.75	4.846	1.390	39.069	8.573
80	0.00	427.611	1.962	2.633	20.930
80	0.25	15.665	1.461	329.619	15.223
80	0.50	7.597	1.432	170.413	11.722
80	0.75	6.602	1.603	36.358	10.091
$\mathbf{\Delta }$	$\mathit{\delta }\mathit{s}$and$\mathit{\delta }\mathit{l}$	Healthy Leechers	Healthy Seeds	DoS Leechers	DoS Seeds
1	0.00	439.798	97.388	4.694	2.283
1	0.25	38.829	5.531	39.261	4.513
1	0.50	9.744	1.517	9.152	1.405
1	0.75	4.192	1.221	2.164	1.118
40	0.00	404.865	112.855	2.692	2.889
40	0.25	18.157	3.590	277.356	14.842
40	0.50	6.161	1.357	159.849	9.440
40	0.75	3.824	1.156	28.004	3.046
80	0.00	423.479	117.059	3.290	3.241
80	0.25	12.866	3.532	307.616	17.266
80	0.50	5.735	1.301	163.830	11.180
80	0.75	4.727	1.262	80.808	8.086

shows the case in which the leechers and seeds are affected in the same proportion. It also shows the case in which ${\delta }_s$ {${\delta }_l$} remains constant and the number of leechers {seeds} under attack varies.

These different attack scenarios produce very interesting results, such as the ones presented in Table 6, in which both the leechers and seeds are jammed in the same proportion. We can see that for some peers under the DoS attack, the number of infected peers increases, but this entails a low number of communicating peers, i.e., the number of peers that can actually share their data gets lower and lower until the point at which no communication is possible among peers, and the population is almost zero. These results prove that there is an attacking intensity where the attack can be relatively stealthy, in which peers can still communicate, and the network is still operational. This occurs at the values of ${\delta }_s$ and ${\delta }_l$ and affects around 40% of the peers. After this point, the system is severely altered, and the attack would be detected rapidly.

Another important result is presented in Table 6, where we can see that if only one population of the system is attacked, either leechers or seeds, only that population decreases to zero. Specifically, for the case in which leechers are attacked, but not seeds, arriving leechers, which are not under attack, can find many resources available since the attacked leechers are not consuming any bandwidth. This allows an expedited file download since these few leechers are all connected to the seeds with all the chunks, and so, we still have successful file downloads. In the case in which only seeds are impacted, the file download process is severely hindered after a value of ${\delta }_s$ since only leechers cannot find all of the chunks of the file, and no more leechers convert into seeds. We can see that, in both of these last cases, the average attack time of $1/\Delta$ is clear in the sense that if the attack has a long duration (low values of $\Delta$), the number of seeds or leechers also goes to zero, even if they are not directly affected. However, the most important parameter for predicting the impact of the attack is the proportion of peers that are jammed when an attack occurs.

With our results, it is essential to highlight that this work is not intended to detect cyber attacks but rather to give theoretical results on the performance effects of both worms and DoS attacks in P2P networks when these attacks follow exponential distributions. After examining the numerical results, we observed that, especially for the DoS attacks, it is possible to see a clear deterioration in the communication capabilities, reflected in the number of leechers that can download the file and also in the number of seeds in the network. (This is more evident when the duration of the attack and the number of nodes under attack is high, as presented in Table 6 of the manuscript.) However, this is clearly not an accurate method for detecting DoS attacks since this effect can also be a product of high levels of interference or noise that occur for reasons (such as other systems in the area or traffic peaks in the zone) other than attacks. For the worm dissemination attack, the number of leechers and seeds is not affected by the sharing procedure of the worm. Hence, in that case, the attack has to be detected by cybersecurity software installed in the downloading nodes. Therefore, this analytical model can only be used to know in advance the propagation rate of the worm with and without cybersecurity countermeasures.

8. Conclusions

In this work, we mathematically model, study, and analyze the effect of two common attacks on P2P networks, namely, worms and DoS attacks. Different parameters of the attacks are considered in our model to clearly see the effectiveness of such attacks, which may provide different counterattack mechanisms for future network deployments or at least provide effective tools for detecting such attacks. The effectiveness of the attacks is visible in terms of the number of infected and healthy peers and also in the proportion of leechers successfully downloading the file. More specifically, for the worm attack, we are interested in evaluating the rate at which the malicious software is spread, while, in the DoS attack, we explore the impact on the communicating capacities of the system.

To this end, we developed and numerically solved different Markov chains that abstract the main dynamics of the P2P networks that are under attack in different scenarios and intensities. Hence, these models and results can be extended to other types of attacks or different scenarios of the same attacks considered in our work by adjusting the involved variables and developing effective countermeasures before a real attack occurs.