Malware Spreading Model for Routers in Wi-Fi Networks

Malware attacks have become very common in recent years. The variety and continuous improvement of malware capabilities threaten any network, and Wi-Fi is no exception. This paper proposes a model describing the spreading of malware in Wi-Fi networks using an epidemiological mathematical model. This model is built on the characteristics of encryption and authentication in Wi-Fi networks. In addition, we also consider state transitions of devices based on some assumptions about modern malware capabilities. We calculate the basic reproduction number $R_0$ and thereby indicate the condition to limit the spread of malware. This spreading model is analyzed through numerical simulation. In addition, to give readers an overview of the main threats and the security capabilities of Wi-Fi devices, we briefly present security threats and encryption methods used in Wi-Fi.


I. INTRODUCTION
Today, Wi-Fi, which is one type of Wireless Local Area Network (WLAN), has become a ubiquitous wireless technology widely used everywhere for data transmission and connection to the Internet [1]. Since 1997, Wi-Fi has evolved with many different features and services. The first version of Wi-Fi (also called Wi-Fi 0) based on the IEEE 802.11 family of standards provided up to 2 Mbps link speeds. Then, in turn, other versions were introduced, such as Wi-Fi 1 ( [4]. Recent statistics also show that the number of Wi-Fi users has increased very quickly, and the traffic over Wi-Fi is also forecasted to reach an impressive level soon. Here is some information from the Cisco Annual Internet Report for the period 2018-2023 [5] and the Cisco Visual Networking Index (VNI) - Forecast and Trends for the period 2017-2022 [6]:
• From 2018 to 2023, the number of Wi-Fi hotspots will quadruple. By 2023, there will be almost 628 million public Wi-Fi hotspots worldwide. This figure in 2018 was 169 million.
• From 2020 to 2023, Wi-Fi 6 hotspots will increase and account for 11% of all public Wi-Fi hotspots.
• By 2023, mobile device Wi-Fi speeds will triple. The average Wi-Fi speed worldwide will increase from 30.3 Mbps in 2018 to 92 Mbps in 2023.
• By 2022, conventional networks will account for only 29% of IP traffic, while 71% will come from mobile and Wi-Fi networks.
While Wi-Fi enables convenient network connectivity, it also exposes significant security risks. Wi-Fi networks in public places such as airports, amusement parks, supermarkets, or shopping malls have become the target of attackers [7]. In these locations, most Wi-Fi networks have a very low security level. They use weak passwords or do not use any security. Some Wi-Fi owners even openly share passwords with everyone. Despite widespread awareness of public Wi-Fi's potential vulnerabilities, most people connect to it in public places [8]-[11].
In addition to the security issues that come from the user side, Wi-Fi devices themselves have many vulnerabilities [12]-[14]. Attackers can control Wi-Fi routers by leveraging vulnerabilities in configurations [15]-[17] and protocols used in routers [18]-[20].

A. WIRELESS AUTHENTICATION AND ENCRYPTION METHODS
When constructing a Wi-Fi network, it is essential to employ strong authentication and encryption mechanisms to ensure that the network may be used only by authorized users and devices.
In Wi-Fi, three primary methods of authentication are used:
• Open authentication: This is the most straightforward option. The end device only needs the Service-Set Identifier (SSID) information used on the network. The device will be able to connect to the network as long as the SSID is known. In this process, any wireless client that attempts to access a Wi-Fi network sends a request containing the identity of the sending client for authentication and connection to the wireless access point (AP). The AP then returns an authentication frame to confirm access to the requested client, thereby completing the authentication process. The disadvantage of this approach is that the SSID is often broadcast, and passive capturing techniques can easily reveal it.
• Shared authentication: It is frequently utilized in wireless LAN deployments for individuals and small businesses. This approach employs a shared key (Pre-Shared Key - PSK). This key is shared between the two parties of the connection. If they match, the device is permitted to connect to the network.
• Extensible Authentication Protocol (EAP) authentication: It is the most frequently employed approach by businesses. The EAP technique employs an authentication server (RADIUS - Remote Authentication Dial-in User Service) that is contacted for authentication using some credential settings.
Along with the authentication, selecting an encryption method is critical while constructing a WLAN. Wireless encryption is a procedure that secures a wireless network from attackers that try to steal sensitive data by intercepting Radio-Frequency (RF) communication. It is critical to understand the difference between authenticating onto a network and sending the encrypted traffic in that network. It is possible to connect to a network, be authenticated, and then transmit unencrypted data. There are different wireless encryption techniques available for securing a WLAN. Each wireless encryption method offers several benefits and drawbacks.
• While WPS supports a variety of alternative techniques, the most prevalent is the "push button" option. However, when used in home networks, this security standard is quite susceptible to brute force attacks.

B. WIRELESS THREATS
Numerous encryption methods used in older WLAN standards have been demonstrated to be unsafe and have been superseded by more contemporary approaches. It is certain to happen with all encryption systems over time, as they become more widely used and as processing capacity continues to increase.
There are many issues in existing encryption methods, as follows:
• Prone to password cracking attacks [21], [22]
• Associate/disassociate messages are not authenticated
• The pre-shared key is vulnerable to eavesdropping and dictionary attacks [23]
• WPA-TKIP is vulnerable to packet spoofing and decryption attacks [24]-[26]
• Vulnerabilities in TKIP allow attackers to guess the IP address of the subnet
• Hole96 vulnerability [27] makes WPA2 vulnerable to some attacks such as Denial of Service (DoS), Man-in-the-Middle (MITM)
• Weakness of 4-way handshake process in WPA2/PSK [28], [29]
• Insecure WPS Personal Identification Number (PIN) recovery [30]
• WPS flaws [18]
and so on. New encryption methods such as WPA2 and WPA3 also face several other attacks, such as Active Dictionary Attack on WPA3 [31], [32], Key Reinstallation Attack on WPA2 [33]. In addition, firmware vulnerabilities [34] are also a weakness of Wi-Fi routers.
Besides the issues in encryption methods, the wireless network can also be at risk from various types of attacks, including authentication attacks, access-control attacks, availability attacks, confidentiality attacks, and integrity attacks.
• Access Control Attacks are launched to compromise a network by defeating WLAN access-control mechanisms such as Wi-Fi port access restrictions and AP MAC filters. Access-control attacks come in a variety of types: WarDriving [35] (WLANs are identified by transmitting probing requests or by monitoring web beacons); Rogue Access Points [36]-[38] (an attacker may install an unsecured AP or fake AP inside a firewall); MAC spoofing [39] (an attacker modifies a MAC address so that it seems to be an authorized access point (AP) to a host on a trusted network); AP misconfiguration [40]; Ad-hoc associations [41] (an attacker connects the host to an untrusted client to attack that client or to bypass AP security data packets to replay them (modified) afterward); Bit-Flipping Attacks [44] (grabbing the packet and randomly flipping bits in the payload, then altering and delivering the payload to the user).
• Confidentiality Attacks attempt to capture confidential information transmitted via a wireless network, regardless of whether the system transmits data in cleartext or an encrypted format. Some different types of confidentiality attacks are Eavesdropping [45], [46] (eavesdropping on and decoding unsecured application traffic to get potentially sensitive data); Evil Twin AP [47]-[49] (spoofing an authorized AP by broadcasting the WLAN's SSID to entice users); Honeypot AP [50], [51] (setting an AP's SSID to be the same as that of a legitimate AP); Session Hijacking [52] (tampering with the network in such a way that the attacker's host seems to be the intended destination); Masquerading [53], [54] (pretending to be an authorized user to gain access to a system); MITM [55], [56].
• Availability Attacks disrupt the supply of services to legal users by disabling WLAN resources or by refusing users access to those resources. This attack makes wireless network services unavailable to legitimate users. Attackers can perform availability attacks in various ways: Disassociation Attacks [57], [58] (severing the connection between an access point and a client to make the target inaccessible to other devices); Beacon Flood [59] (producing hundreds of bogus 802.11 beacons to make it more difficult for clients to locate a legal access point); Denial-of-Service [60], [61]; De-authenticate Flood [62], [63] (to disconnect users from an access point by flooding clients with fake de-authenticates or disassociates); Routing Attacks (distributing routing information within the network).
• Authentication Attacks compromise Wi-Fi customers' identities, confidential information, and account credentials to gain illegal access to the network. Some different types of confidentiality attacks are PSK Cracking [64], [65] (using a dictionary attack to recover a WPA PSK from captured key handshake frames); Key Reinstallation Attack [66]-[68] (exploiting the four-way handshake of the WPA2 protocol).
It can be seen that Wi-Fi networks always face many threats despite continuous improvements in authentication and encryption methods. Additionally, malware attacks have arisen as a danger to Wi-Fi networks. The next subsection will briefly analyze malware attacks in Wi-Fi networks.

C. MALWARE THREAT IN WI-FI NETWORKS
As discussed above, attackers can take control of a Wi-Fi router by exploiting vulnerabilities in the configuration and protocols used in the router device. After gaining control of the Wi-Fi device, attackers can deploy man-in-the-middle attacks, redirect users to malicious websites to infect them, conduct denial of service, and steal personal information, causing much damage. Today, one of the most common hijacking attacks is malware attacks [5]. The special feature of malware is that it can propagate in network environments quickly and silently.
There are many reasons for malware attacks in Wi-Fi networks becoming increasingly common:
• Most Access Points (usually called Routers) are always on and connected to the Internet. This gives hackers a very good chance to exploit vulnerabilities and perform attacks at any time.
• Unlike PCs, Wi-Fi routers rarely have tools to prevent malware.
• A single router may handle several devices, including a phone, a laptop, a smart home system, and even an electricity meter. It provides hackers with a variety of attack options.
• Users' interest and understanding are limited, leading to using old encryptions or setting weak passwords, even using default passwords or not using passwords for their Wi-Fi networks.
• Current malware can use many different methods to gain access to the system (for example, the ability to perform brute-force) and spread widely.
• The mesh Wi-Fi networks model [69], [70], in which routers connect and exchange data, unintentionally creates a favorable environment for malware to propagate more quickly between different Wi-Fi networks.
There has been quite a lot of malware created to attack routers. A typical example is the VPNFilter malware [71], [72]. VPNFilter is a well-known piece of router malware. Since 2016, it has infected over half a million routers and network-attached storage devices in more than 54 countries [71]. VPNFilter is extremely persistent since it may continue to harm your network even after a router is reset, and removing malware from a router requires much effort. This malware can intercept users' internet traffic and manipulate the pages the user visits. It has a destructive capacity that makes infected devices inoperable, and it may be activated on specific victim PCs.
Additionally, it can disable internet access for over a thousand victims linked to the network on a global scale. Once launched on the router, VPNFilter can disable it, gather data from systems connected to the network, and restrict network traffic. Many routers from different vendors are affected by this malware attack, such as Asus, ZTE, Netgear, D-Link, MikroTik, TP-Link, Huawei, Ubiquiti.
Another type of malware with greater danger than VPNFilter is the Emotet trojan. For example, the new malware, Emotet [73], is fully capable of brute-forcing authentication and rapidly propagating between routers, resulting in catastrophic effects. Emotet initiates the infection process by infecting a host. The malware then downloads and runs the Wi-Fi spreader module. After that, this module enumerates all enabled Wi-Fi devices. It then generates a list of reachable wireless networks. Afterward, the module conducts brute-force operations against each identified Wi-Fi network. If this effort is successful, a second brute-force attempt is launched to guess the login credentials for devices connected to the hacked Wi-Fi network [74].
A few years ago, a research team from the University of Liverpool identified a malware called Chameleon [75]. It spreads "as efficiently as the common cold between humans" over Wi-Fi in densely populated places. Chameleon is designed to attack APs that utilize default passwords, do not need passwords, or have insufficient encryption measures. Once an access point has been compromised, an attacker may simply discover the login details of the connected devices then use them to continue their attack. Chameleon spreads mostly unnoticed because it affects wireless networks rather than PCs or phones, where security tools might identify strange behavior. Chameleon signals the dawn of a new era of technological viruses, for which we should prepare.
As seen in the above investigation, preventing malware from propagating over the network is critical. Numerous factors affect this process. To mitigate malware's impact and prevent it from propagating over the network, a malware spreading model adapted to the characteristics of each network type is necessary. There are different models of spreading, which will be described in further depth in the next section. However, most current spreading models use only three epidemiological states: Susceptible-Infectious-Recovered (SIR) for the routers.
Additionally, recent malware has plenty of capabilities and may result in different states of Wi-Fi routers rather than just the three states above. Which states must we consider? How does the state transition in the network occur? What is the impact of the encryption and authentication characteristics in Wi-Fi on the state transition? To address these concerns, we propose a malware spreading model based on the features of the employed authentication and encryption techniques of Wi-Fi and malware behaviors. Our primary contributions are as follows:
• Analyzing and reviewing the security issues and threats, especially malware attacks on Wi-Fi networks.
• Proposing a mathematical model describing the spread of malware in a Wi-Fi network based on several possible states caused by malware and based on encryption methods and the complexity level of passwords in the encryption methods.
• Providing the method for calculating the basic reproduction number $R_0$ and analyzing the stability of malware-free and endemic equilibrium. $R_0$ shows whether the malware spreading process will be diminished or remain robust over time.
The rest of the paper is organized as follows: In section 2, we briefly review related studies. Section 3 presents the fundamentals of the SIR model. In section 4, we detail the proposed mathematical model and analyze that model. Section 5 evaluates the proposed model using numerical simulation. Section 6 includes the conclusions and the proposed model's shortcomings.

II. RELATED WORKS
Malware spreading models have been of interest for quite some time. Various models have been proposed for many types of networks, such as models for wireless sensor networks [83]-[86], peer-to-peer networks [87], IoT networks [88], [89], Vehicular Ad-hoc Networks (VANET) [90], [91], mobile networks [92], heterogeneous networks [93], [94], scale-free networks [95]-[98], etc. Most of these models are mathematical models based on epidemiological models, in which the population (by whom the infectious disease is spread) is classified according to the disease's features, for example, susceptible, infectious, recovered.
There have been few studies considering the spread of malware in the Wi-Fi network until now. The first study referring to malware epidemiology in Wi-Fi networks was done by Hao Hu et al. in [99]. In that paper, they built an epidemiological model that considers the routers' common security weaknesses. They simulated the malware spreading on real-world data collected from the Wireless Geographic Logging Engine (WiGLE) website for georeferenced wireless routers. This pure SIR model considers the strong and weak forms of authentication and encryption methods: WEP, WPA, and no password. They developed the spreading model using an approach similar to that used in epidemic modeling. Each individual (i.e., each router) is classified according to the phase of the infection. Three basic levels (classes) of encryption and authentication were considered: routers without encryption are grouped into the first category of the susceptible class S; routers using the WEP encryption method are grouped into the second category of the susceptible class, denoted $S_{WEP}$; and routers using the WPA encryption method correspond to the removed class R. This paper highlighted a real concern about malware propagation in Wi-Fi.
In the paper [100], Shan Bowei built an epidemiology model to describe the spread of malware on Wi-Fi networks. This study also used the SIR model and built a transition diagram based on three classes: routers with no encryption and no strong password, routers with no encryption but with a strong password, routers with WEP encryption. The author considered attack rates according to different sizes of Wi-Fi networks. However, there were no details about the model, its appearance, and how to compute important parameters of that model. The results were also not validated by any real data or simulation result.
Hamdi Kavak et al. in [101] revisited the research [99] with real data from WiGLE at that time (December 18, 2016). This study has some findings: model predictions are dependent on the number of Wi-Fi routers and their density; they noted that the model in [99] could not forecast current malware spread because it was only evaluated using data acquired at the time of their research; they suggested that the spreading model needs to account for weaknesses in WPA encryption and the flaw in the WPS mechanism.
In [18], Amirali Sanatinia et al. employed an epidemiological methodology in conjunction with experimental wardriving measures to examine the rate of spreading infection in four different cities. This study used statistical information of encryption methods collected from large-scale Wi-Fi networks to analyze the spreading. They noted that all examined situations display significant similarities in infection and spread, despite their disparate population demographics.
In [102], Yi-Hong Du and Shi-Hua Liu constructed an epidemic spread model with three states as in the SIR model, but instead of the Recovered state, they used the Immune state. Furthermore, the authors assumed that the WPA/WPA2 encryption could be cracked with a specified probability of a successful infection. The authors also assumed that a worm could use the Kernel Density Estimation (KDE) algorithm to assist the worm in infecting the network efficiently. The performance test was carried out with raw data collected in a region in Beijing City.
From that research context, it can be seen that the Wi-Fi malware spreading models are still quite sketchy and do not consider many of the characteristics of modern malware. Some of the described models are unclear or use the collected raw data to analyze the spread of malware. These results do little to help us understand the propagation process, predict the impact, and prevent malware effectively. Similar to epidemiology, for "epidemics" with such a rapid and widespread form, it is usually necessary to have a model to predict the extent of spread. From the predicted result, we can suggest solutions to cluster, isolate, or recover infectious cases.
That fact motivated us to carry out this study with several specific tasks:
• It is necessary to select mathematical tools appropriate to the characteristics and scope of the Wi-Fi networks and the characteristics of the malware.
• It is necessary to build a model of malware spreading in Wi-Fi networks considering the corresponding factors as in epidemiology: infection, suspicion, isolation, recovery, re-infection, etc. This model helps predict the spreading state and suggests appropriate solutions to deal with malware.

III. SIR MODEL
In this section, we briefly present the fundamental model of epidemics, on which we base our malware spreading model. Kermack and McKendrick introduced this model in [103]. The model is known as the SIR model. According to disease states, this model categorizes people into three categories: i) S (Susceptible) - people who are susceptible to disease; ii) I (Infected) - people who are infected and can distribute the disease to others; and iii) R (Removed or Recovered) - people who are no longer susceptible to disease. A person cannot be infected again, and the state may only change from S -> I or I -> R (Figure 1).
The number of individuals in each category at every moment is given by S(t), I(t), and R(t). The entire population is assumed to be constant in the simple SIR model, which means that S(t) + I(t) + R(t) = N does not vary with t. The state of most concern is I(t): the degree of its rise or decline indicates the epidemic's proclivity. When N is "big enough," the following set of differential equations can be used to estimate the change in the SIR model:
The equations reflect the rate of change of S, I, and R with respect to t as a function of the system's state. The infection rate (transition from S -> I) is denoted by β. The recovery rate is denoted by γ. Therefore, the average disease period (i.e., in I state) is 1/γ.
The SIR model has an essential quantity: the basic reproduction number or coefficient $R_0$. In the simple SIR model, $R_0 = \beta N/\gamma$. If $R_0 > 1$, the disease will spread widely. Conversely, if $R_0 < 1$, the disease will gradually decrease. Table 1 summarizes the symbols and descriptions used in this study.

B. PROPOSED MALWARE SPREADING MODEL FOR ROUTERS IN WI-FI NETWORKS
1) Research Gap and Motivation
As analyzed in the related works section, almost all existing models have used the simple SIR model to build a spreading model for Wi-Fi networks. However, the limitation of the SIR model is that the number of states is not enough to describe the behavior of malware in the network. Modern malware has a lot of special capabilities and is constantly changing its behavior on infected systems. In [104], the author discussed common malware behavior patterns and spreading models, which include Susceptible (S), Exposed (E), Infectious (I), Recovered (R), Quarantined (Q), Vaccinated (V), and Immunized (I). As is obvious, those states match epidemiological states. We may create a variety of alternative variations of these states depending on the circumstances, for example, SEIR, SIRS, SIRQ, SEIQV, and SEIQRS. The combination of those states encouraged us to develop a novel model of malware spreading across a Wi-Fi network.
While the terms Susceptible and Infectious are synonymous with those used in the epidemic model, the term Exposed requires additional definition. If a router in the Wi-Fi network has been infected but has not infected other devices, it belongs to this state. We suggest employing this state because several varieties of malware take advantage of Windows API calls such as SleepEx, NtDelayExecution, GetSystemTimeAsFileTime, and Sleep [105] to freeze their actions on the target machine temporarily.
In this paper, we also use the Quarantined state to describe a possible state of a Wi-Fi router when attacked by malware. We consider that when a router device is attacked, the network speed may be significantly reduced or the network connection may be constantly unstable. Alternatively, for some reason, the owner detects the hacked device and shuts the router down, reconfigures it, or even installs new firmware to remove the malware. In this case, that router will not be able to spread the malware to the whole network anymore. That is why we use the Quarantined state in the proposed model.
In addition, since there are already some Wi-Fi routers equipped with antivirus firmware or software, we assume that malware will not be able to infect these routers. Therefore, we additionally use the Vaccinated state to describe the state of these routers. However, it should be noted that this state may change if malware has new updates that can bypass the antivirus on these routers.
Besides, because previous studies have not considered the risk of WPS attack as a factor leading to state changes of the malware spreading model, and WPS has its own characteristics compared to other encryption methods, we separate the WPS-enabled routers into a separate group in the Susceptible state.
In our model, we also consider the addition of new routers and the removal of out-of-use routers. It means the total number of routers in the network is a quantity that changes over time.
According to that analysis, we propose a malware spreading model that describes the state transitions of routers based on the malware behaviors and the characteristics of the Wi-Fi network. The model is named SEIQ-VS.

Symbol | Description
WPAm | Routers using encryption methods WPA2 and WPA3
$S_{WPS}$, $S_{WEP}$, $S_{WPA}$, $S_{WPAm}$ | Number of routers using corresponding encryption methods WPS, WEP, WPA, WPAm
$S_{WEAK}$, $S_{STRONG}$ | Number of routers using low-complexity and high-complexity passwords
$\beta_{WPS}$, $\beta_{WEP}$, $\beta_{WPA}$, $\beta_{WPAm}$ | The average attack rate of malware on $S_{WPS}$, $S_{WEP}$, $S_{WPA}$, $S_{WPAm}$ states
 | The average attack rate of malware on $S_{WEAK}$, $S_{STRONG}$
N or N(t) | Total number of routers in the network at t
S or S(t) | Number of susceptible routers at t
E or E(t) | Number of exposed routers at t
I or I(t) | Number of infectious routers at t
Q or Q(t) | Number of quarantined routers at t
V or V(t) | Number of vaccinated routers at t
$S_{pass}$ | Number of routers that are under password attack at a given time
A | The average number of new routers joining the network
$a_1$, $a_2$, $a_3$, $a_4$ | The probabilities that a new router uses one of the following encryption methods: WPS, WEP, WPA, WPAm
s | The probability that a node in $S_{WPS}$ is successfully attacked by malware
q | The probability that a node in $S_{WEP}$ is successfully attacked by malware
r | The probability that a node in $S_{WPA}$ is successfully attacked by malware
p | The probability that a node in $S_{WPAm}$ is successfully attacked by malware
b | The probability of a router using a weak password
v | The probability that a node belonging to $S_{WEAK}$ is successfully attacked by malware
u | The probability that a node belonging to $S_{STRONG}$ is successfully attacked by malware
α | The transition rate S -> V of a router
β | The transition rate S -> E of a router
θ | The transition rate E -> I of a router
γ | The transition rate I -> Q of a router
ω | The transition rate E -> Q of a router
µ | The transition rate Q -> S of a router
η | The transition rate V -> S of a router
λ | The rate that a router is removed from the network but not due to malware
ε | The rate that a router is removed from the network due to malware
$P_0$ | Malware-free equilibrium
$P^*$ | Endemic equilibrium
G | Next-generation matrix
$R_0$ | Basic reproduction number

to other routers; (iv) Q - infected routers are detected and are being disconnected from surrounding routers; (v) V - routers are considered immune to malware or have a very high level of security. This model is based on the following state transitions and conventions:
• The Wi-Fi network is considered a large network with a significant number of routers in the network
• There are always many new routers set up in the network after a certain period
• We assume that all the routers in the network are using one of the encryption methods listed above (WEP, WPA, WPA2, WPA3, WPS). No router works with open access
• Routers using encryption methods WPA2 and WPA3 with a high level of protection are grouped in a group called WPAm
• The network's overall number of routers (nodes) varies over time as new routers are deployed, and some are removed from the network
• For the routers belonging to the S state, if they use strong encryption with highly complex passwords, then the speed and the probability of state transition S -> V increase
• If a router is infected by malware, it will move from state S -> E
• If a router is infected and in the E state, it will change to the I state (E -> I) at a specified rate. However, if it is discovered, it changes to quarantined (E -> Q)
• We assume that malware always takes a certain amount of time to penetrate and exploit a router, so the router will always be in an E state before it can switch to state I (E -> I), and there is no direct transition from other states to I state
• Routers become infected solely by interaction with other routers in the I state
• For routers in the I state: if malware is not detected and handled, these routers will remain in the I state. If malware is detected, those routers will enter Q state (I -> Q)
• Routers in Q state after being processed (e.g., updating firmware, using antivirus, resetting default configuration, rebooting) will return to S state (Q -> S). We suggest this transition since various types of malware can exist on Wi-Fi. Other malware is capable of infecting the router once again
• Routers in the V state can still switch to the S state (V -> S) with a specific rate because the malware can be improved and overcome the Wi-Fi antivirus
• A router may be disconnected from the network in any of these states, although this is not due to malware. For instance, the router may be broken, and the connection fails. This rate is assumed to be constant for all states S, E, I, Q, and V. Additionally, we expect that malware may occasionally result in a loss of connectivity, or even damage the router and take it out of the network, with a specific rate
Figure 2 presents the SEIQ-VS model with Wi-Fi encryption methods and different states generated by malware in the network.
In the SEIQ-VS malware spreading model, state S is divided into subclasses corresponding to the encryption methods: $S_{WPS}$, $S_{WEP}$, $S_{WPA}$ and $S_{WPAm}$. In addition, each node in each of these subclasses can belong to one of two other subclasses with specific probabilities: $S_{WEAK}$ (nodes use low-complexity passwords (can be attacked by dictionary attacks ∼ 65000 words)) and $S_{STRONG}$ (nodes use high-complexity passwords (must attack with dictionaries up to millions of words)).
In the model, we use the following symbols:
• In certain other research, the quantity of routers in a particular state at a given time is sometimes symbolized as N(t), S(t), I(t), E(t), Q(t), V(t). In this paper, for simplicity's sake, we only use the symbols N, S, I, E, Q, V.
• A: the average number of new routers added to the network.
• $a_1$, $a_2$, $a_3$, $a_4$: the probabilities that a new router joins the network using the encryption methods WPS, WEP, WPA, WPAm, respectively, where $a_1 + a_2 + a_3 + a_4 = 1$.
• b: the probability of a node using a weak password. Thus, (1-b) is the probability that a node uses a strong password.
• $\beta_{WPS}$, $\beta_{WEP}$, $\beta_{WPA}$, $\beta_{WPAm}$: the average attack rate of malware on the $S_{WPS}$, $S_{WEP}$, $S_{WPA}$, $S_{WPAm}$ states. There are two cases: transition to the E or V state from the S state. It depends on the strength of the password and the attacking ability of the malware.
• s, q, r, p: the probability that a node in $S_{WPS}$, $S_{WEP}$, $S_{WPA}$, $S_{WPAm}$ is successfully attacked by malware, respectively.
• v, u: the probability that a node belonging to $S_{WEAK}$, $S_{STRONG}$ is successfully attacked by malware, respectively. Then there is the transition S -> E. Thus, (1-v), (1-u) are the probabilities that the malware will fail to attack a node belonging to $S_{WEAK}$, $S_{STRONG}$, respectively. Then there is the transition S -> V.
• λ: the rate at which a router is removed from the network but not due to malware.
• ε: the rate at which a router is removed from the network due to malware.

It should be noted that, at any given time, only a certain number of routers in the S state are subjected to password attacks. We call the number of such routers $S_{pass}$. Then we have:

Based on the SIR model, the number of nodes transitioning from state S to state E in a unit of time can be found as:

Then β is the transition rate from S -> E, and the number of nodes transitioning from S -> E state is $\beta S I / N$. The number of nodes transitioning from S -> V state in a unit of time is:

Then α is the transition rate from S -> V, and the number of nodes transitioning from S -> V is $\alpha S$.
The process of changing the state of the nodes in the network is shortened, as shown in Figure 3:

From the analysis above, we can develop a system of differential equations that adequately reflects the state transitions in the SEIQ-VS model:

where the derivative notations $S'$, $E'$, $I'$, $Q'$, $V'$ are the rates of change of S, E, I, Q, V versus time:

N denotes the network's overall number of routers at time t:

By combining the equations in (2), we obtain:

Applying the well-known Gronwall's inequality in its differential form [106] to (5), we obtain:

Where, λ } is a positively invariant set for model (2). If $N_0 > \frac{A}{\lambda}$ then it turns out that $\lim_{t\to\infty} N(t) = \frac{A}{\lambda}$. Thereby, the set Ω is the globally attractive set for model (2).
Differentiating these matrices for S, E, I, Q, V and analyzing at the malware-free equilibrium $P_0 = \left(\frac{A(\eta+\lambda)}{\lambda(\alpha+\eta+\lambda)}, 0, 0, 0, \frac{A\alpha}{\lambda(\alpha+\eta+\lambda)}\right)$, we will have Jacobian matrices:

Now we can discover the basic reproduction number $R_0$. The number $R_0$ is the estimated number of secondary cases generated by a typical infective router in an entirely susceptible network. Diekmann et al. in [107] defined $R_0$ as the spectral radius of the next-generation matrix. The next-generation matrix is defined as the square matrix $G$ in which the $ij$th element of $G$, $g_{ij}$, is the expected number of secondary infections of type $i$ caused by a single infected individual of type $j$, again assuming that the population of type $i$ is entirely susceptible. Each element of the matrix $G$ is a reproduction number, but one where who infects whom is accounted for [108]. Additionally, the spectral radius of the next-generation matrix is also referred to as the dominant eigenvalue of $G$. It is worth noting that the matrix $G$ is a non-negative matrix, which means that there will be a unique and real eigenvalue. This eigenvalue is greater than the others, and it is also called $R_0$. Following [107], let $G = FV^{-1}$ be the next-generation matrix for our model; we have:

Where $\rho(M)$ defines the spectral radius of a matrix $M$. From that we have:

Replacing $S_0$ and $N_0$, which are calculated from (7) to (10), we have:

The Stability Analysis for Equilibriums

The following equations describe the equilibriums of the model (2):

As is evident, for the case $E^* = 0$, $I^* = 0$, $Q^* = 0$, we obtain the malware-free equilibrium $P_0$. We can obtain:

Stability Analysis of Malware-Free Equilibrium

It is trivial to demonstrate that model (2) has a malware-free equilibrium defined by $P_0 = \left(\frac{A(\eta+\lambda)}{\lambda(\alpha+\eta+\lambda)}, 0, 0, 0, \frac{A\alpha}{\lambda(\alpha+\eta+\lambda)}\right)$.

Lemma 1. If $R_0 < 1$, $P_0$ is locally asymptotically stable with respect to Ω. Otherwise, $P_0$ is unstable.
If $R_0 < 1$, an infected router generates on average less than one new infected router throughout its infectious period, and the malware cannot spread. On the other hand, if $R_0 > 1$, each infected router creates more than one new infection on average, and the malware can spread across the network.
Proof of Lemma 2. Let $L(S, E, I, Q, V) = I > 0$ be a Lyapunov function; then $L|_{P_0} = 0$. Its derivative along the solutions to the model (2) is:

It is obvious that $L' = 0$ if and only if $I = 0$ or $R_0 = 1$. Thus, the largest compact invariant set in $\{(S, E, I, Q, V) \mid L' = 0\}$ is the singleton $P_0$. When $R_0 \le 1$, the global stability of $P_0$ follows from LaSalle's invariance principle [110]. It implies that $P_0$ is globally asymptotically stable in Ω. When $R_0 > 1$, we have $L' > 0$ if $I > 0$. As a result, the lemma is proven.
Endemic Equilibrium and Its Stability Analysis

Lemma 3. If $R_0 > \frac{\lambda}{A}$, $P^*$ is locally asymptotically stable with respect to Ω. Otherwise, $P^*$ is unstable.
Proof of Lemma 3. We examine the local stability of the endemic equilibrium $P^* = (S^*, E^*, I^*, Q^*, V^*)$. Model (2) has the following Jacobian matrix at the endemic equilibrium $P^*$: (20)

Therefore, the characteristic equation corresponding to this matrix can be expressed as:

From (20), we can write (21) as follows:

The real roots δ of equation (22) are the corresponding eigenvalues of $J(P^*)$.
Proof of Lemma 4. By employing the same proving technique as in Lemma 2 with $P^* = (S^*, E^*, I^*, Q^*, V^*)$, we have:

(2) is globally asymptotically stable if $\frac{dL}{dt}(S, E, I, R) \le 0$ at $P^* = (S^*, E^*, I^*, Q^*, V^*)$. It means that we need:

We may summarize the above discussion as follows: if $R_0 \le \frac{\eta+\lambda}{\varphi_1}$, the unique positive equilibrium $P^*$ of the model (2) is globally asymptotically stable in Ω.
Malware epidemic control

Lemma 2 implies that collective efforts (as described in the formulation of $R_0$) are capable of eradicating malware prevalence over the network. We analyze how to maintain a malware-free equilibrium in the Wi-Fi network using the SEIQ-VS propagation model.
It is easy to see that, to control and limit the spread of malware in Wi-Fi networks, we need to improve the security level, the complexity of passwords, and encryption methods. It is equivalent to the fact that we need to increase the transition rate from S -> V state. The parameter α plays a major role in this process.
From (11) and (18), we have:

where,

From this condition, we realize that to control the epidemic in the network, one of the solutions is to increase α. We cannot change the characteristics of malware or its capability of cracking passwords. Therefore, to increase α, it is necessary to reduce the number of devices using weak passwords and increase the number of devices using complex passwords and high-level security encryption methods such as WPA and WPAm. It means that when we decrease the parameters s, q, r, p, the number of routers in the V state will increase. It is an effective way to prevent malware from spreading in the Wi-Fi network, because devices that use weak passwords in $S_{WEAK}$ are often more vulnerable than devices in $S_{STRONG}$.
In addition, to prevent and limit malware from spreading more effectively, the isolation measures for nodes used in E, I states need to be considered. If inequality (26) cannot be satisfied, malware will disseminate broadly over networks.

V. NUMERICAL ANALYSIS
In this section, we use numerical simulation to analyze and illustrate different scenarios of the SEIQ-VS model. We will show the change of states in each scenario, $R_0 < 1$ and $R_0 > 1$, respectively. To observe a clear difference between the two scenarios mentioned above, we use two different sets of parameters, as shown in Table 2. In addition, there are some notes on the selection of parameters as follows:
• Since cracking a weak password is faster than cracking a strong password, we have $\beta_{WEAK} > \beta_{STRONG}$, and the parameters u, v are chosen so that u < v.
• Because the security level of WPS < WEP < WPA < WPAm, we will have $\beta_{WPS} > \beta_{WEP} > \beta_{WPA} > \beta_{WPAm}$, and the parameters s, q, r, p are chosen so that p < r < q < s.

The difference between the two sets of parameters is mainly related to the strength of the password and the ability of malware to crack the password. In the scenario of $R_0 > 1$, the parameter set s, q, r, p will increase because, at this time, the number of cracked routers will increase, leading to a decrease in the number of routers transitioning from S -> V. Besides, the time it takes for malware to attack a router is also reduced when $R_0 > 1$ compared to the scenario $R_0 < 1$, so $\beta_{WEAK}$, $\beta_{STRONG}$ also increase in scenario 2 compared to scenario 1. The values of b, u, v also change according to the same logic.

This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3182243. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Scenario 1: $R_0 < 1$

In this scenario, we set the parameters to the appropriate values to ensure that many routers use high-level security encryption methods with highly complex passwords. It ensures that the basic reproduction number is always low and the malware cannot propagate aggressively in the Wi-Fi network.
In this scenario, $R_0 = 0.13$, and the ability of malware to propagate in the network is reduced according to Lemma 1 and Lemma 2 (Figure 4). As a result, the I state tends to decline; meanwhile, the S state and V state increase over time. In the early stage, because the parameters s, q, r, p are small, the number of routers switching from S -> V state increases, while the transition rates from V -> S and Q -> S are maintained at a small level. Hence, the number of routers in the V state tends to increase initially. Then, because some routers are removed from the network (parameter λ) and due to the impact of malware, the number of routers in state V will decrease. Under the impact of malware (parameters β, θ), the number of routers switching from S -> E and E -> I began to rise. Despite this, the number of routers that are not infected with malware is still maintained at a high level because the impact of malware in this scenario is not significant.

Scenario 2: $R_0 > 1$

In this scenario, we have the basic reproduction number $R_0 = 1.62$. With $R_0 > 1$, the ability of malware to propagate in the network increases (Figure 5). The I state tends to increase; meanwhile, the S state and V state decrease over time.
With the set of parameters in this scenario, the malware can crack passwords faster. The number of devices using low-level security encryption methods with weak passwords increases significantly, decreasing the number of routers in the V state. At the same time, we also increased the transition rate from E -> I to ensure malware propagation in the network is stronger and faster. Under the impact of malware (the parameters β, θ increase), the number of routers switching from S -> E and E -> I increased significantly. The number of infected routers will remain high because the impact of the malware in this scenario is large enough. It is perfectly consistent with the above stability analysis of endemic equilibrium.
From (11), it can be seen that there are many factors affecting the change of $R_0$. To evaluate the impact of these factors on $R_0$, we use the same set of parameters as in scenario 2 and change the necessary parameters. Figure 6a depicts the effect of α on $R_0$. This influence shows how to control the malware epidemic in the network. Increasing the transition rate from the S -> V state increases the ability to limit the spread of malware. Figure 6b depicts the linear influence of parameter β on $R_0$. The transition rate from S -> E is an important factor leading to the spread of malware in the network because it increases the number of routers whose passwords have been successfully cracked. Figure 6c depicts the change of $R_0$ under the impact of the transition rate from the E -> I state. As θ increases, $R_0$ will also increase. However, $R_0$ does not increase rapidly, and the impact of θ will not be as great as the impact of β because, when in the E state, routers have not yet caused malware propagation; only when routers switch to the I state will the process of spreading take place. Figure 6d demonstrates the dependence of $R_0$ on the transition rate from I -> Q. $R_0$ decreases rapidly as γ increases; while γ is small, $R_0$ is greatly affected. It is completely understandable because if routers infected with malware (i.e., potentially causing the spread of malware in the network) switch to the quarantined state, they will reduce the malware threat and limit the spread of malware. From that, it can be seen that the method of isolating routers used in E, I states needs to be considered.
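The two regimes discussed in this section, as an added example rather than the authors' code: the SEIQ-VS equations are rebuilt from the transitions described in the text, $R_0$ is computed as the spectral radius of $FV^{-1}$ over the infected states, and a run on each side of the threshold shows the I state dying out or persisting. The rate names `mu` (E -> Q) and `omega` (Q -> S), the choice that ε removes only I-state routers, and all parameter values are assumptions; they are not the paper's Table 2.

```python
# SEIQ-VS compartments rebuilt from the transitions described in the text.
# Assumed names (not from the paper): mu = E->Q rate, omega = Q->S rate.
# Assumed: malware-induced removal eps acts on the I state only.
# All parameter values are constructed for illustration, not Table 2.

def malware_free_equilibrium(p):
    """P0 = (S0, 0, 0, 0, V0) as given in the text."""
    d = p["lam"] * (p["alpha"] + p["eta"] + p["lam"])
    return (p["A"] * (p["eta"] + p["lam"]) / d, 0.0, 0.0, 0.0, p["A"] * p["alpha"] / d)

def r0(p):
    """Spectral radius of G = F V^-1 for the infected states (E, I)."""
    s0, _, _, _, v0 = malware_free_equilibrium(p)
    n0 = s0 + v0                            # equals A / lam
    f12 = p["beta"] * s0 / n0               # F = [[0, f12], [0, 0]]: I-state routers feed E
    v11 = p["theta"] + p["mu"] + p["lam"]   # total outflow rate from E
    v22 = p["gamma"] + p["lam"] + p["eps"]  # total outflow rate from I
    # V = [[v11, 0], [-theta, v22]]; the only non-zero eigenvalue of G is G[0][0].
    return f12 * p["theta"] / (v11 * v22)

def deriv(y, p):
    s, e, i, q, v = y
    n = s + e + i + q + v
    new_inf = p["beta"] * s * i / n
    ds = p["A"] - new_inf - (p["alpha"] + p["lam"]) * s + p["omega"] * q + p["eta"] * v
    de = new_inf - (p["theta"] + p["mu"] + p["lam"]) * e
    di = p["theta"] * e - (p["gamma"] + p["lam"] + p["eps"]) * i
    dq = p["mu"] * e + p["gamma"] * i - (p["omega"] + p["lam"]) * q
    dv = p["alpha"] * s - (p["eta"] + p["lam"]) * v
    return (ds, de, di, dq, dv)

def simulate(p, y0, t_end=2000.0, dt=0.1):
    """Classic fixed-step RK4; returns the final state (S, E, I, Q, V)."""
    y = tuple(y0)
    for _ in range(int(t_end / dt)):
        k1 = deriv(y, p)
        k2 = deriv(tuple(a + dt / 2 * b for a, b in zip(y, k1)), p)
        k3 = deriv(tuple(a + dt / 2 * b for a, b in zip(y, k2)), p)
        k4 = deriv(tuple(a + dt * b for a, b in zip(y, k3)), p)
        y = tuple(a + dt / 6 * (b + 2 * c + 2 * d + e)
                  for a, b, c, d, e in zip(y, k1, k2, k3, k4))
    return y

BASE = dict(A=10.0, lam=0.01, eps=0.01, eta=0.02, theta=0.1, mu=0.02,
            gamma=0.05, omega=0.1)
HARDENED = dict(BASE, alpha=0.2, beta=0.3)   # strong passwords: high S->V, low S->E
WEAK = dict(BASE, alpha=0.01, beta=0.6)      # weak passwords: low S->V, high S->E
Y0 = (900.0, 50.0, 50.0, 0.0, 0.0)           # constructed initial state

if __name__ == "__main__":
    for name, p in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, "R0 =", round(r0(p), 3), "final I =", round(simulate(p, Y0)[2], 2))
```

Under these assumptions the threshold quantity is $\beta \frac{S_0}{N_0} \frac{\theta}{(\theta+\mu+\lambda)(\gamma+\lambda+\varepsilon)}$, which is linear in β, saturating in θ, and decreasing in α and γ, matching the qualitative behaviour described for Figure 6.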

VI. CONCLUSIONS
Wi-Fi networks have become very popular. However, security issues in Wi-Fi networks have always been a big challenge. Like other types of networks, Wi-Fi networks have fallen victim to malware attacks in recent years. To analyze the impact of malware within a wide-ranging Wi-Fi network and come up with solutions to limit the impact of malware, we need to build a malware spreading model for this network. This model needs to consider the characteristics of encryption methods and the complexity of passwords used by routers in the network. Besides, it is also necessary to consider the specific characteristics of the malware in each stage of the attack. Therefore, in this paper, we proposed a mathematical SEIQ-VS model with five states: Susceptible (S), Exposed (E), Infectious (I), Quarantined (Q), and Vaccinated (V) to describe the malware spreading behavior in Wi-Fi networks.
We calculated the basic reproduction number $R_0$ to show whether the spreading of malware would be weakened ($R_0 < 1$) or remain high over time ($R_0 > 1$). We also provided an analysis of malware-free and endemic equilibrium stability. The analysis pointed out how to control the malware in the Wi-Fi network. We should use more routers with high-level security encryption methods and complex passwords.
However, there are still some limitations:
• The model only considered the spread between routers but did not consider the spread of malware from the client to the Wi-Fi router.
• The model is built on some assumptions, and, in some cases, it may not be suitable for real cases. This model works well in the scenario of a mesh network.
• The mathematical model was not verified by a real test case because this model requires a huge number of routers, and there is no chance of having a real test case for it.
• We ignore the case of routers that do not use any security (i.e., OPEN Wi-Fi), although there are still many such routers, especially in public places.
In future works, we will consider the spread of malware from clients to routers and consider the scenario when malware uses roaming as a way to spread in Wi-Fi networks. In addition, we will implement some ways to verify the mathematical model, for example, using an agent-based simulation environment.