In today's conditions, it is impossible to imagine real life without the use of modern computer technology, smartphones, gadgets and other devices. Every person who lives in today's conditions uses the global Internet. The use of personal computers and mobile devices in combination with the Internet has become an integral part of everyday life. The constant use of the Internet has caused many serious threats to the privacy and security of personal data of one or more users. Every year there is a significant increase in cyber-attacks with an increase in their complexity. Such attacks affect electronic resources, governments, businesses, and individual or legal entities, and cause serious financial and social damage to them. No person is guaranteed 100% protection against damage to their own device by malicious software (malware). For commercial firms and/or banking systems, it is necessary to understand the level of losses over time, which are obtained as a result of the operation of malware in a specific area. In this regard, the issue of predicting the spread of malware in networks and the question of how to respond in the event of malware entering a serious company or firm is quite acute.

Assessing the level of damage requires taking into account many factors, but first of all, it concerns the issue of assessing the dynamics of the spread of the epidemic in computer networks. This issue is quite general, since epidemics in human communities have existed for a long time as a threat factor for

2021 Copyright for this paper by its authors. people and bring huge losses. Therefore, epidemiology has accumulated a significant baggage of models of the dynamics of epidemics and estimates of damages from them. There is a lot of literature on this subject, in particular [1–3]. And therefore, it is worth taking into account this accumulated experience. At the same time, it is necessary to take into account that epidemics in computer networks must differ from epidemics in human communities and the economy [3-5]. The application of epidemiology models for computer networks should be critically reconsidered, in addition, new approaches should be proposed [6; 7].

The problem of forecasting and the problem of optimization are quite often related to each other. To carry out effective forecasting in any field, it is necessary to minimize errors on those data, which are presented in the form of statistics for carrying out the training procedure with or without a teacher [8].

Below, in this section, an analysis of some existing models for predicting the spread of malware is carried out and a description of various methods and algorithms, mathematical foundations, which are applied to statistical data processing, as well as based on gradient methods for finding extrema of multidimensional functions [9] is performed. Effective forecasting, in particular, forecasting the spread of malware in real objects and systems, requires the use of up-to-date machine learning methods, including optimization methods.

Several approaches are used to develop a complex software application for modeling the spread of malicious software. The first approach is to use a modification of classical deterministic models (DMs) to investigate the state of propagation of malware epidemics. The second approach is more universal modeling the spread of malicious software based on stochastic models (SM), for example, using random processes, Markov chains, cellular automata, neural networks, etc. [5; 6]. Models based on classical systems of ordinary differential equations (SODE) and Cauchy problems for them are described below, as well as general principles of modeling these problems using classical cellular automata using different neighborhoods – Neumann neighborhood and Moore neighborhood.

SIR malware propagation model. As a basic mathematical model, we will take the classic SIR model [8]. This model can describe the spread of many different processes, and these processes can be both physical and technical, and biological or economic.

Let us have some network that connects several computers. It can be a local network, or a network that has access to global Internet resources. It is clear that the introduction of a malware onto one personal computer can lead to the spread of this software throughout the network. Of course, the speed of software distribution through this network is governed by various factors [6; 7]. Such factors include, for example: – activity of users in this network in general; – the target orientation of the software and the speed of its distribution, which is controlled by the software code from which it is composed; – a combination of factors; – other factors.

We will assume that the target nodes of the network can be in one of three given states: – non-infected nodes of the network, which can be exposed to the entry of malware into them.

Let's denote them as S – susceptible; – infected nodes of the network, i.e., those that have already been infected with a malware infection. Regarding the operation of such nodes, it is necessary to take immediate measures to preserve (including integrity, if possible) data on such nodes. Let's denote them as I –infective; – network nodes that are not conducive to infection, i.e., those on which appropriate protection measures are installed (for example, network screens, anti-virus systems, etc.), and in such nodes, the corresponding of malware has been removed. We will call such nodes as R – removed. The process of the spread of malware depends on only a few parameters: – the total number of system nodes, which is divided into the number of uninfected nodes, the number of infected nodes and the number of restored (unfavorable) nodes in a specific network; – the speed of propagation of malware; – the speed of treatment of network nodes in the event of a specific of malware falling into it (the speed of response and adoption of appropriate protective measures regarding the treatment of network nodes).

It is assumed that the number of network nodes is constant during the entire period of research of this network. This means that nodes are not added to or removed from the network. Let's describe this model mathematically:

Let N – the total number of computers (nodes) in the network:

( ) + ( ) + ( ) = .

Changes in the state of the network can be described in the form of SODE, which has the following form: ( )

= 0. = + infected system node). initial conditions of the species system:

In systems of differential equations ( 1 ) – the speed of infection of system nodes, а – the speed of treatment of a system node (the speed of taking measures to ensure the protection of an already It is clear that the reproduction of the dynamics of the mathematical model ( 1 ) requires setting the ( 1 ) ( 2 ) (0) = 0, (0) = 0, (0) = 0.

Now the mathematical model ( 1 ) together with the initial conditions ( 2 ) to it sets Cauchy problems, which can be solved by the usual approximate methods, for example, Euler methods or Runge-Kutta methods. will be divided into 4 fixed categories:

Malware distribution model SAIR. Unlike the SIR model, in this model all computer network nodes – the number of uninfected nodes (personal computers) of the network that may be infected is denoted as S; example, an anti-virus system, denoted as A; – the number of network nodes (personal computers) that have an installed protection system, for – the number of infected network nodes (personal computers) is denoted as I; – the number of nodes (personal computers) of the network, which have been cured, denoted as R; The spread of the process of infection of computer network elements can be presented in the form of SODE as follows: = + ( ) ( )

+ ( ) ( )

= 0.

In model ( 3 ), the initial conditions of type ( 2 ) should also be taken into account, but for nodes of all 4 states in order to start the process of predicting the spread of malware in the corresponding network system.

It should also be noted that in model ( 3 ): N – the total number of new nodes added to this network; μ – the frequency of removal of system nodes that cannot be restored for reasons not related to the results of malware; – frequency of infection of favorable nodes of the network; – the frequency of infection of system nodes on which protection systems such as antivirus systems or network screens are installed; δ – the frequency with which the nodes exposed to malware fail; – frequency of treatment of network objects (nodes) that were infected; – the frequency of treatment of infected nodes of the system (network) with the participation of the operator; α – the intensity of the appeal of favorable ones to those who establish a protection system. If we take into account the fact that new nodes are not added to this network, and already existing nodes of the network fail only due to the influence of malware, i.e.

= = 0, then the mathematical model of the propagation of malware takes the following form: ( 3 ) ( 4 )

For the system of the form ( 4 ), the initial conditions of the form ( 2 ) are also set, but for all 4 states of the nodes in the computer network.

Malware distribution model PSIDR. Any mathematical model that describes some process, system or set of systems must take into account many factors.

The mathematical model involves two main stages. The first stage consists in the fact that malware propagates quite quickly and freely, that is, the nodes of the computer network have only two states – S and I.

The second stage provides for the procedure of responding to the existing malware in the computer network. During a certain period of time, the malware is identified in the network. Next, the procedure for treating nodes (personal computers) of the network is performed. That is, xi computers that were not infected are automatically "vaccinated", that is, an increased protection system is imposed on them. Nodes of the system, which have already been infected, form the so-called "immunity" and are cured from malware entered into them. As before, there are two parameters in the mathematical model, which characterize the speed of propagation of malware – the parameter μ and the treatment rate of the network nodes is the speed parameter δ.

In the mathematical model PSIDR again: I – the total number of infected elements (nodes) of the computer network. These elements of the network are the spreaders of malware. S – the total number of uninfected nodes of the computer network. These network nodes can be exposed to infection during the entire time of existence in this network. R – the total number of cured computer network elements. These nodes have a so-called "immunity" to infection. The last type of nodes in the system is this D – the total number of infected objects found in the computer network system.

The description given above makes it possible to write down a suitable mathematical model for predicting the spread of malware in this network. The mathematical model looks like this:

( ) ( ) = − ( ) ( ) − µ ( ), = ( ) ( ) − µ ( ), =

( ) + µ ( ), = µ ( ) −

( ), ( ) ( ) ( ) { + + + ( ) = 0.

( 5 )

There are three parameters in the mathematical model ( 5 ). All these three parameters characterize speeds, in particular: β – the speed of infection of network nodes; – the speed of treatment of network nodes; µ – the speed of identification of network nodes with malware. The peculiarity of this model is that the antivirus protection must be updated as early as possible, since the delay in updating the antivirus protection in each network node leads to a greater spread of WPS in this network.

For the mathematical model ( 5 ), initial conditions of the form are given: (0) = 0; (0) = 0; (0) = (0) = 0. ( 6 )

In this case, we obtain a Cauchy problem of the form ( 5 )–( 6 ), which can also be solved by any explicit approximate method, for example, the Euler method or the Runge-Kutta method.

To find an approximate solution of the Cauchy problem ( 5 )–( 6 ), the classical Euler method will be used. In the third section, the stages of designing modules that reproduce the work of a mathematical model based on the SODE of the form ( 5 )–( 6 ) will be given as a basis.

Cellular automata. Models of any complex real systems and their complexes, as well as simulation models are of high value due to the tasks of forecasting physical and technical, economic, ecological, social and other processes. Forecasting the spread of malware is quite similar to forecasting the spread of epidemiological processes. Epidemiological events caused by viruses, pollution from stationary sources of pollutants or new varieties of bioterrorism can cause significant costs to people and their resources. For this reason, it is important to study and model the spread of pathogens in the population.

A cellular automaton (CA) is an abstract object that consists of a set of cells, each of which has a certain finite state. The state can change over time, based on specific conditions that describe one or another process of spreading the phenomenon.

A cell is a separate element of cellular space, or the so-called "smallest unit of space".

Cellular space is a lattice space that consists of cells, and each cell is in one of several predefined states.

A CA state rule is a rule that governs the transition between cells and their states. The determination of the most appropriate transition rules for the phenomenon or process under study is of particular importance.

The definition of a cell state machine is called "local" because it uses only the neighborhood as input. Neighboring refers to the cells surrounding a particular cell, and they have the ability to influence the next state of that cell. The choice of neighborhood affects the behavior of the cell space. The choice of the appropriate neighborhood depends on the relationship between the elements.

The most important types of neighborhoods are von Neumann neighborhoods and Moore neighborhoods (Figure 1). neighborhood; on the right - around Moore

In practice, a larger number of neighborhoods and grids are actually used, but Figure 1 shows the ones that will be used in the development of the software for modeling the propagation of malware in a network.

Monte Carlo method. Probabilistic modeling methods are actively used to study the impact of random variability of various quantities on the properties of machines, on chemical or biological processes, on the bearing capacity or reliability of a structure, and in many other cases. A very powerful tool for the study of random processes is the Monte Carlo method.

The Monte Carlo method is a simple computer method that consists of conducting numerous mock experiments with random numbers. Its use is universal and does not require special knowledge of probability theory. The only information required is the ratio between the output and input values, in particular, in this form: = ( 1, 2,⋅⋅⋅, ). ( 7 )

The method repeats trials with computer-generated random numbers processed by appropriate mathematical operations. In each "trial" the input variable x1, x2, …, xn are assigned random values, but such that their distributions correspond to the probability distribution of each variable. With these values, the output value y is calculated according to the equation ( 7 ).

The generated values can be used to determine the average value or the probability that y will be lower or higher than the selected value y*, or to define values that will be exceeded (or not reached) with a certain probability (eg time to failure).

The effectiveness of this approach is based on pseudorandom numbers, which are implemented in computing complexes.

Generating random numbers with given distributions. Modern application software often suggests using distributions such as uniform or normal. Random numbers corresponding to other analytically determined distributions can be generated using a uniform distribution. 2.2.

A mathematical model of minimizing damages from the spread of malicious software

To build an optimal control model, consider the PSIDR DM, which was described in the first section of this work. In the model of optimal control, we will assume that the parameter μ is a control parameter and it is limited. We will have an optimization problem, which is described in the mathematical formulation below.

Let there be a functional of the form given below: 0 ( ( )) = ∫ ( ⋅ ( ( )) + ⋅ ( ( )))

A – the fee for personal computers/laptops that were damaged by malware; investigation; was carried out. limited, i.e. 0 ≤ ( ) ≤ . minimum of the functional:

B – the fee for updating the anti-virus system for the personal computers and / or laptops under T – the final time, during which the study of the behavior of malware in personal computers / laptops From a practical point of view, it is obvious that the possibilities of installing a new antivirus are Then the control problem is described by the following mathematical model. Find the global ( ( )) = ∫ ( ⋅ ( ( )) + ⋅ ( ( ))) → min, The initial conditions of the problem look like this:

(0) = 0, (0) = 0, (0) = (0) = 0.

The restriction on the desired control parameter looks like this: 0 taking into account the limitation that is described in the form of the PSIDR model itself, that is, in the form of the Cauchy problem for SODE:

The problem described in the form of mathematical model ( 8 )–(10) can be solved by many methods and algorithms. In most cases, such problems do not have analytical solutions, and if they do, such solutions are not of interest, since real applied problems today can only be solved numerically. The Pontryagin maximum principle can be attributed to the analytical methods of finding the control parameter. The software implementation of the constraint (Cauchy problem) will be based on the use of Euler's classical method for Cauchy problems for ODE and SODE.

To increase the accuracy of solving the direct problem based on the mathematical model ( 9 )–(10) with the known control parameter (11), it is possible to use methods of the Runge-Kutta type 2, 3, 4 and higher orders as desired. Minimization of the functional of the form ( 8 ) will be carried out using deterministic methods and population (multi-agent) stochastic methods and algorithms. 2.3.

The developed software complex consists of several modules, each of which has a corresponding graphical user interface. The general structure of the software complex is presented in Figure 2 below. ( 8 ) ( 9 ) (10) (11) The window of the module for simulation of the

spread of malware based on the stochastic approach (CA) and the PSIDR model

The window of the module for modelling the spread of malware based on the deterministic approach and the PSIDR model

Complex software for modelling the spread

of malware Вікно модуля для реалізації моделі керування поширенням ШПЗ на базі детермінованого підходу й оптимізаційної моделі

PSIDR

Information

about developers

The structure of the developed software complex can be modified by additional modules, since each model works independently of other modules of the software complex.

Figure 3 shows the interface of one of the modules of the complex software application – the implementation of the control model, which involves minimizing the total costs of purchasing and updating antivirus software systems, which is present in modern energy facilities and systems. Figure 4 shows the SM software interface for modeling the spread of malicious software.

The program interface and its logical part are implemented according to the principle of a modular structure in the MATLAB system of applied mathematics.

The developed software complex can be modified by finalizing the corresponding models of the spread of malicious software for special cases of malware that may occur when working with information systems.

In the course of simulations using different models, it was determined that SMs are more adapted to modeling the processes of the spread of malware. The effectiveness of SM based on the CA is manifested in the fact that it is possible to simultaneously obtain statistics, which are present when using DM based on differential equations and their systems, and a picture of the spread of the process itself with a time scale. Also, the advantage of the SM based on the CA is the integer number of statistics, which is absent in the simulation of the propagation of malware using the DM based on differential equations and their systems. The disadvantage of SM is the relatively long working time compared to the time allocated for working out DM.

It should also be noted that any implemented models can be modified quite quickly in order to take into account all the factors that affect the processes of the spread of malware in general.

The current rate of development of computer systems requires the maximum possible protection against malware. The entry of malware even into a local information system can lead to serious consequences, which can include the loss of system user data, data extraction from the system, data substitution in this system, even financial losses of a specific company to which the relevant system belongs.

In order to maximally reduce the risks of the formation of various unpleasant and / or catastrophic consequences from the impact of malware on one or another system, various types of modeling are carried out, for example, simulation, which will make it possible to assess the degree of risk and financial losses that may occur in the company. A comparative analysis of modern methods, tools, and software for modeling the spread of malicious software was conducted. The MALTAB system of applied mathematics was chosen as the development environment for the corresponding software. The system is flexible for software development, the program code is short, logically designed, and the interface is developed quite quickly with the help of a suitable designer. The developed software complex for simulation of the spread of malware consists of 3 main software modules: the module for forecasting the spread of malware based on the PSIDR DM, which is presented in the form of a Cauchy problem for SODE; the module for forecasting the spread of malware on the basis of PSIDR SM, which is programmed on the basis of CA using Neumann and Moore circles; a control model implementation module for the PSIDR DM, which in turn uses population (multi-agent) stochastic methods and algorithms to minimize costs at each time step. All three software modules of the complex have been tested and verified on different input data (initial conditions for simulating the spread of malware in the system). A graphical user interface has been developed for each software module with the possibility of simulating processes for various initial conditions. It should be noted that DMs are less flexible when modeling similar tasks. Their disadvantage is manifested in the fact that the number of studied objects is not always a natural number, and in this case rounding is used according to classical mathematical rules. Also, the DM modification process is complicated compared to the SM modification process. SMs have another significant advantage, which is the transparency of the process. This gives a clearer picture of the process itself and makes modeling much more flexible not only for this kind of tasks.