A Mobility-Based Epidemic Model for IoT Malware Spread

With the rapid advancement of technology, IoT has become inseparable from human lives. IoT is extensively used in transport, healthcare, and manufacturing, among other sectors. However, this technology lacks sufficient security defense capabilities, thus becoming a highway for malicious actors. IoT networks use infrastructure-based (INF) and device-to-device (D2D) communications to propagate data. INF communication utilizes technologies such as WLAN, LTE, GPRS, and GSM to relay information from source to destination. The D2D paradigm, on the other hand, is a close-proximity communication in which sensors exchange data in a multi-hop manner. Since malware can utilize both D2D and INF links to spread, IoT networks are exceptionally vulnerable to attacks. Therefore, we propose a Susceptible-Exposed-Infected-Recovered-Dead (SEIRD) model to examine the dynamics of IoT malware spread via INF and D2D communications. We analyze the impacts of mobility on infection propagation and illustrate that our model adequately captures IoT malware spread behaviors through mathematical analysis and simulations. We also compute the malware transmission threshold, which can be used as a guideline to mitigate and suppress an attack.

Node mobility aggravates the spread of malware by increasing the contact rate between the infected gadgets and the susceptible ones [10], [23]. In particular, mobility causes a node's neighbor to change constantly, thus increasing nodes' contact rate. The effects of mobility on malware spread have been studied in [17], [21], and [24]. Furthermore, in [17] and [21], authors model malware diffusion via both D2D and INF transmission links. However, unlike our proposed model, these studies assume that the infection spread only happens after a node has moved, thus failing to capture the spreading behavior during the movement.
This paper explores the implications of node mobility and dual communication schemes (INF and D2D) on IoT malware propagation through epidemic modeling. Specifically, our contributions are summarized below.
• We propose a mobility-based SEIRD model to study IoT malware spread. SEIRD model accurately captures the dynamics of mobile IoT malware propagation by covering the essential aspects of infection spread from inception to recovery and death of the IoT devices upon damage or power depletion. Unlike the traditional SEIRD, our model considers the impacts of dual propagation schemes (INF and D2D) and node mobility on the spread of malware.
• We conduct mathematical analysis of the proposed model, including computing the malware transmission threshold, which can serve as a security guideline to mitigate an attack.
• Through rigorous experimental evaluations, we validate the effectiveness of the proposed model in capturing realistic dynamics of IoT malware. From the results in section V, it is evident that most propagation models such as [13] and [19] significantly underestimate the extent of malware diffusion by failing to consider key IoT aspects such as mobility and the use of INF and D2D communications.
The rest of the paper is arranged as follows: section II reviews the related work and the background information, while section III introduces the proposed model and the state transition diagram. Then, in section IV, we provide mathematical analysis, including the computation of malware transmission threshold. Next, section V presents the simulation setup, results, and comparative analysis. Finally, section VI states the conclusion of the study.

II. RELATED WORK

A. IoT MALWARE
The widespread adoption and development of IoT technology raise significant security and data privacy concerns. For instance, limited memory capacity, computational ability, and battery power make it challenging to implement intensive security defense mechanisms in IoT gadgets. As a result, IoT networks have become highly vulnerable to attacks. Additionally, IoT users lack the necessary knowledge regarding security measures that need to be undertaken to deter malicious actors. Therefore, there is a dire need to understand IoT malware attack behaviors and spread patterns in order to develop effective mitigation strategies to curb them. Different malware types have varying spreading and attacking techniques. For example, [25] studied Android malware propagation behaviors and their attack methods. The authors classified Android malware based on the installation mode, malicious behaviors, and activation method. Malware in Android gadgets is mainly spread through SMS and Wi-Fi. Initially, a malicious program is injected into popular applications, which are re-uploaded to the Android app market for the users to download. After gaining access to a device, the malware obtains the remote control permissions and launches an attack. Once in the host device, Android malware can spread through Wi-Fi and SMS.
DDoS is the most common attack technique against IoT. Through this method, attackers gather an army of bots and block the target network's services [7]. Kolias et al. [5] investigated the formation and spread of botnets such as Mirai and Hajime. Botnets have three main parts: the command and control (C&C) server, bots, and botmaster. The botmaster can access the bots through SSH or Telnet [2]. Bots are recruited into the botnet until the botmaster meets the desired target number. During the attack execution, the C&C server informs the bots about the target's IP address and the attack mode, such as traffic attacks on HTTP or TCP. DDoS attacks severely compromise service availability, data security, and privacy.

B. EPIDEMIC MODELS
Epidemic models originated from the study of human viruses. This modeling technique continues to be widely used to examine the spread of pathogens [40] and is equally popular in studying malware propagation. Epidemic models are primarily derived from states such as susceptible (S), infected (I), exposed (E), vaccinated (V), quarantined (Q), recovered (R), and dead (D). The typical models are SIS [11], [12], [13], [14], SI [8], [9], [10], and SIR [15], [16], [17]. As discussed below, these traditional models, alongside other advanced ones with many states, have been extensively used to study the spread of malware.
Some propagation models primarily focus on the spread of malware over long distances, usually through INF links. For example, [9] and [26] proposed SI model for malware propagation in large-scale networks. In [9], propagation happens mainly within groups with different infection rates, but in [26], malware spreads across groups through the search engine. Although individual groups have different numbers and categories of devices, the authors in [26] assume that the infection rate is homogeneous. In [12] and [27], the authors propose SIS model for malware propagation. In [27], the authors calculate immunization and infection probability based on the Markov chain. Moreover, infection rates are heterogeneous due to different link weights. Authors in [12] suggest that there is a relationship between the sender and the receiver, and thus the links between the nodes are bidirectional and have the same infection rate. SIR propagation model is studied in [15] and [25]. Wei et al. [15] considered interest-based communities where nodes with similar interests connect. This form of connection forms multi-layered complex networks conducive to malware propagation. Olivier et al. [28] applied game theory to derive Susceptible-Infected-Resistant (SIR) model for botnet propagation. In addition to the classic S-I states, the authors added the "resistant" state (R) to refer to patched and password-protected gadgets. However, despite the gainful contribution in controlling and suppressing botnet spread, this paper fails to consider the impact of mobility and dual communication schemes (INF and D2D) on the infection spread.
Yi et al. [41] used epidemic theory to develop a novel Unacquired-Acquired-Hibernated (UAH) model for information dissemination in the industrial IoT. The authors categorized the IoT gadgets into three compartments where nodes are classified based on whether they have acquired/not acquired and disseminated information and whether they have hibernated or are active.
Le et al. [31] applied SEIQVS (Susceptible-Exposed-Quarantined-Vaccinated-Susceptible) model to study the spread of malware in Wi-Fi routers. The authors conducted mathematical analysis and simulations to analyze and validate their model.
In a bid to more realistically capture the behaviors of malware propagation through INF links, more complicated epidemic models have emerged. For example, [29] proposed SISV model for malware spread in multiplex networks. This model combined the features of classic SIS and SIR models. In [19], authors suggested Susceptible-Delitescent (Exposed)-Infected-Recovered (SD(E)IR) model, where nodes in state E/D are not immediately infected after receiving malware; the infection occurs only when a user opens a malicious file. The two papers consider homogeneous infection probability, which does not reflect the effect of different transmission links. Guillen et al. [30] introduced SCI-RAS (Susceptible-Carrier-Infectious-Recovered-Attacked-Susceptible) model for studying zero-day attacks in IoT. The various states of the model make it possible to analyze different stages of the malware propagation process, making the model more accurate and realistic. Using stochastic SIRS and SEIRS models, Arash et al. [7] analyzed IoT botnet propagation dynamics in complex networks. The authors compared the results from the two models and concluded that SEIRS was more suitable for modeling botnets as it reflects their long incubation periods. Arash et al. [34] used SIRS epidemiology model, comprising micro (initial infection) and macro (spread) sub-models, to study the propagation of cross-platform malware. The macro model was significantly influenced by the contact rate via a USB connection. The analysis of the macro model illustrated that the malware mutation ability remarkably impacts the infection spread as it decimates the immunity rate.
For D2D malware propagation, SIS model is proposed in [11] and [14]. In [11], the authors studied botnet formation in wireless IoT networks and discovered that node density profoundly affects malware spread dynamics. Shen et al. [14] used a discrete-time SIS model to study malware spread in heterogeneous WSNs. However, these studies consider the D2D link as the only channel through which malware propagates. Liu et al. [10] proposed a mobile SI model to study malware propagation in ad hoc wireless networks. The authors proposed two spread mechanisms, i.e., communication and diffusion modes. Zhou et al. [35] applied the attack-defense game model (SID) to study malware propagation in WSNs. Shen et al. [32] introduced SNIRD model for malware propagation in heterogeneous WSNs while [24] proposed (vulnerable-compromised-quarantined-patched-scrapped) VCQPS for malware propagation in mobile heterogeneous WSNs. In [24], a random walk model is used to depict the mobility of the sensors. A similar heterogeneous susceptible-infected-recovered-dead (HSIRD) model is proposed in [22] to examine malware diffusion where WSNs have different connectivity capabilities. Zhang et al. [33] used the SEIRD model to study malware diffusion in heterogeneous WSNs based on the cellular automaton concept. Achar et al. [36] used a fractional derivative-based SEIRV model to study the spread of worms in wireless sensor networks. The authors argued that the frail defense mechanisms of sensors make them attractive targets for attacks. Through mathematical analysis and simulations, the authors discovered that node density and the sensor's communication capabilities significantly contribute to the dissemination of worms in WSNs.
Jiang et al. [37] used the SIR model to study virus propagation control mechanisms in WSNs. The authors found that the average degree of nodes, the communication radius of devices, and the probability of virus infection significantly inhibited the control mechanism.
Yu et al. [38] proposed an SEI$_2$RS malware dissemination model for cyber-physical systems. The authors categorized the I state into infected nodes with low infection ability and infected nodes with high infection ability. The authors argued that newly infected nodes propagate malware at a lower rate as compared to nodes infected earlier.
Some authors focus more on malware propagation through both INF and D2D communication links. For example, [8] proposed SI model to simulate malware spread in generalized social networks. In [39], the authors used six states, including susceptible (S), latent (L), infected (I), quarantined (Q), recovered (R), and dead (E), (SLIQRE), to analyze IoT malware dissemination. Acarali et al. [13] also considered INF and D2D transmission links and proposed SIS model to investigate malware spread dynamics in IoT-based WSNs. In addition to multiple transmission links, [17], [21] incorporated node mobility to study malware propagation in social IoT networks. However, contrary to our proposed model, [17], [21] assume that the infection only happens after the node movement, thus ignoring the infection during the movement. Wang et al. [21] proposed SADI (Susceptible-Active-Dormant-Infected) to model the propagation of worms in hierarchical social networks. In [17], the authors argue that IoT users might have multiple devices and, thus, malware propagation happens not only through INF and D2D but also via self-infection by IoT users possessing more than one gadget.
As depicted in the discussion above, only a handful of studies in the existing literature consider mobility, INF transmission, and D2D links in modeling IoT malware spread. Furthermore, the only two papers [21] and [17] that have employed the three aspects (mobility, INF, and D2D) have not adequately captured the effect of mobility on the spread of malware. Therefore, we aim to fill this gap in our proposed mobility-based SEIRD model by incorporating D2D and INF transmission links and correctly modeling node mobility to reflect malware spread effects during and after node movement.

III. SYSTEM MODEL
As stated previously, the main aim of this paper is to explore the dynamics of IoT malware propagation where mobility and the use of dual communication schemes (INF and D2D) are involved. IoT gadgets have a simple architecture with constrained resources, resulting in weak defense capabilities. Additionally, the lack of security awareness by the users exposes IoT infrastructure to malware attacks. As highlighted in [2], most IoT gadget users continue using the default passwords, while others use simple and predictable passwords that attackers can easily bypass. Due to these reasons, brute-force and DoS attacks have become rampant as IoT technology advances. Therefore, in this paper, we assume that IoT devices have security vulnerabilities due to their weak defense capabilities and the use of weak or default passwords, which give room for brute-force and DoS attacks. Before presenting the proposed model in subsection III-B, we first introduce the Gauss-Markov model, which has been used to generate node mobility in this paper. Later, in subsections III-C and III-D we briefly discuss D2D and INF communication schemes, respectively.

A. GAUSS-MARKOV MOBILITY MODEL
The proposed SEIRD model utilizes the Gauss-Markov model (GMM) as the basis of its mobility. Usually, researchers use GMM to simulate non-stationary machine-to-machine networks, where machines can include sensors, computers, or IoT gadgets [42]. GMM describes the velocity (given by $v_{t_i}$) and direction (expressed as $d_{t_i}$) of the device at time $t_i$ based on their corresponding values at time $t_{i-1}$. GMM is expressed as shown in (1).
. and the notations $\chi_v$ and $\chi_d$ are tuning parameters within the range of 0 and 1. $\chi_v$ and $\chi_d$ are used to introduce a degree of randomness in the computation of the speed and direction. If both parameters are 0, it implies that the movement trajectory is completely random, whereas if they are both 1, the trajectory is linear. The parameters $\mu_v$ and $\mu_d$ denote the average speed and mean direction, respectively. Notations $\alpha_v$ and $\alpha_d$ are stationary, independent, and uncorrelated Gaussian processes with a mean of zero. Finally, $\chi_s$ is a conversion parameter to model the randomness. To eliminate the mobility randomness, parameter $\chi_s$ is set to 0, while complete randomness is modeled by setting $\chi_s$ to 1. We, therefore, set this parameter to 1.
Mobility in the proposed model will affect the number of IoT devices that can communicate directly at any given time. The communication range is given by r, and thus, a neighbor of the IoT device i in D2D communication is defined as any node j that is within the communication radius of node i, i.e., where ψ is the distance between i and j and D2D Neighbor i will change over time.
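The effect described in this subsection, as an added example that is not the paper's code: nodes move under the textbook Gauss-Markov update (equation (1) is not reproduced on this page, so the standard form is assumed and $\chi_s$ is not modeled), and the script counts how many distinct D2D neighbours within radius r each node meets. The per-node mean direction, the wrap-around area and all numeric values are constructed assumptions.

```python
import math
import random


def gauss_markov_step(prev, mean, chi, noise):
    """Textbook Gauss-Markov update (assumed form): chi=1 keeps the previous
    value (linear path), chi=0 discards it (memoryless, fully random)."""
    if not 0.0 <= chi <= 1.0:
        raise ValueError("chi must lie in [0, 1]")
    return chi * prev + (1.0 - chi) * mean + math.sqrt(1.0 - chi * chi) * noise


def torus_dist(a, b, side):
    """Distance psi between two nodes on a wrap-around square of given side."""
    dx = abs(a[0] - b[0])
    dy = abs(a[1] - b[1])
    return math.hypot(min(dx, side - dx), min(dy, side - dy))


def mean_distinct_contacts(mean_speed, speed_sigma, chi=0.75, dir_sigma=0.5,
                           n=30, side=100.0, r=10.0, steps=300, seed=7):
    """Average number of distinct D2D neighbours (psi <= r) a node meets."""
    rng = random.Random(seed)
    # Positions are drawn first so every run with the same seed starts alike.
    pos = [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(n)]
    mean_dir = [rng.uniform(0, 2 * math.pi) for _ in range(n)]  # assumption
    speed = [float(mean_speed)] * n
    direction = list(mean_dir)
    contacts = [set() for _ in range(n)]

    for step in range(steps + 1):
        # Record the current D2D neighbour sets.
        for i in range(n):
            for j in range(i + 1, n):
                if torus_dist(pos[i], pos[j], side) <= r:
                    contacts[i].add(j)
                    contacts[j].add(i)
        if step == steps:
            break
        # Move every node one time step.
        for i in range(n):
            speed[i] = max(0.0, gauss_markov_step(
                speed[i], mean_speed, chi, rng.gauss(0.0, speed_sigma)))
            direction[i] = gauss_markov_step(
                direction[i], mean_dir[i], chi, rng.gauss(0.0, dir_sigma))
            x = (pos[i][0] + speed[i] * math.cos(direction[i])) % side
            y = (pos[i][1] + speed[i] * math.sin(direction[i])) % side
            pos[i] = (x, y)
    return sum(len(c) for c in contacts) / n


if __name__ == "__main__":
    print("static nodes :", mean_distinct_contacts(0.0, 0.0))
    print("mobile nodes :", mean_distinct_contacts(2.0, 0.5))
```

With speed fixed at zero the neighbour sets never change; once nodes move, each one sweeps past many more potential victims, which is the contact-rate increase the model attributes to mobility.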

B. SEIRD MODEL
This paper employs the SEIRD model to study mobile IoT malware's propagation dynamics. We choose this model for its suitability in accurately capturing the essential stages of the infection process. As opposed to the classical SIR model, the additional E and D states appropriately reflect the incubation period and the death of IoT devices upon power depletion, respectively. The SEIRD model categorizes the population of devices into five states: susceptible, exposed, infected, recovered, and dead. These states are briefly explained below.

1) SUSCEPTIBLE STATE (S)
Nodes in S state have security shortcomings, are neither infected nor patched, and are vulnerable to malware attacks. Also, immunized devices that lose their immunity are categorized as susceptible since they can get attacked again.

2) EXPOSED STATE (E)
Susceptible nodes that receive a malicious file transit to state E. IoT devices in the exposed state contain malware that can be activated once the user opens the malicious file. However, since nodes in state E are already compromised, they can propagate malware to the susceptible nodes they contact, thus exposing them to malware. Specifically, nodes in the E state are infected but do not depict the infection symptoms, such as high power consumption rates and increased processing activities.

3) INFECTED STATE (I)
IoT devices in state E transit to state I once a user opens a malicious file. Therefore, infected gadgets can propagate infection to other vulnerable devices in the network. In this state, the malware is active and running in the IoT devices, increasing the power consumption rate due to increased processing activities.

4) RECOVERED STATE (R)
The IoT devices that are cleared of malware and equipped with the updated antivirus software belong to the R state. These nodes can resist and detect the malware spreading in the network.

5) DEAD STATE (D)
Since IoT devices are battery-powered, they may deplete their power and transit to state D. If a device's power runs out, it is regarded as dead since it cannot communicate with the others in the network.
The state transition diagram in Fig. 2 illustrates how nodes shift from one state to another during the infection process. When nodes in the S state get exposed to malware, they transit to state E at the rate of INF SE + D2D SE . If susceptible nodes are patched, they shift to the R state at the rate of γ. Furthermore, susceptible nodes may die when they deplete their battery power and move to state D at the rate of δ. After infection, nodes in E state shift to I class at the rate of INF EI + D2D EI . However, if a node in the exposed state is recovered, it transits to state R at the rate of γ. Exposed nodes that die transit to D state at the rate of δ. Similarly, infected nodes recover at the rate of γ or die at the rate of $\delta + \delta_{ex}$. Recovered nodes can lose immunity and become susceptible again at the rate of λ. Nodes in the R state can also die at the rate of $\delta_{RD}$. Damaged and irreplaceable dead nodes are discarded from state D at the rate of µ and replaced at state S with the same rate of µ. The birth rate is set to be equal to the discard rate to simulate a closed system in which nodes eliminated from the system are actively replaced to ensure continuity. From Fig. 2, the death rate of the infected nodes is higher than that of other nodes because malware activities consume more battery power causing IoT devices to die faster.
Table 2 shows the notations used in this paper and their descriptions. There are N IoT devices in the network, which are divided into k groups based on node degree, i.e., $G_1 + G_2 + G_3 + \dots + G_k = N$. In each group, the population of S, E, I, R, and D at any point in time add up to 1, i.e., $S_k^t + E_k^t + I_k^t + R_k^t + D_k^t = 1$. The SEIRD model can be expressed as shown in (3).

C. D2D PROPAGATION
The probability of an IoT device receiving malware via D2D transmission is given by D2D SE . Since IoT devices can be infected along the path of movement, we define the area covered by the moving device in any given group k as k and is given by (4).
where v avg is average velocity of the moving devices in group G k , and t step is the time step between t and t − 1. Besides, we consider the density of the compromised IoT devices, i.e., ρ EI , in the total area covered by the moving devices in all the groups ( ) as shown in (5).
where E and I are the total number of devices in exposed and infected states, respectively, i.e., To obtain the infection force due to the D2D link (D2D SE ), we compute the product of the mobility area, k , the density of the infected devices, ρ EI , and the scanning rate (R s ). The resultant D2D SE is given by (7).
With the increasing number of infected devices in the IoT network, malware will quickly spread out, and after the malware saturation point, the population of state I will start declining. This phenomenon will effectively reduce the number of devices transiting from states E to I . We, therefore, define the decline rate (R d ), which we can use to obtain the value of D2D EI .

D. INF PROPAGATION
For the long-distance (INF) transmission, we define social network S net . To determine the connectedness of the social network, we define the adjacency matrix N × N . If S i,j = 1, there is a connection between nodes i and j, otherwise, S i,j = 0, and i and j are not connected. INF SE is the probability that the device receives malware through long-distance transmission. Because IoT devices in the same group, G k , have the same degree, they have an equal probability of contacting an infected device, O k (E + 1), i.e., where φ k is the degree of G k . By multiplying O k (E + I ) with the contact rate and success rate, we obtain INF SE as After receiving the malware file, IoT users do not open it immediately. Therefore, the probability of a user opening a malicious file depends on the opening rate and the number of infected devices among friends. Since many friends might trust that the malware file is safe, the user's alert level might be low. We, therefore, define the infection rate, INF EI as Due to malware activity, infected devices are more likely to run out of power faster than uninfected ones. Therefore, the death rate of the I state is increased by δ ex . The death rate of the recovered nodes, δ RD , is determined by the number of infected IoT devices that transit to R and δ RD is given as When there are many infected IoT devices, δ RD approaches δ + δ ex . For simulation purposes in section V, we initialize I 0 k to a small value, τ , whereby 0 ≤ τ ≤ 1. The other states are initialized as shown below.

IV. MATHEMATICAL ANALYSIS

A. EQUILIBRIUM POINTS
In malware spread modeling, two types of equilibrium points are of interest to researchers: endemic equilibrium (EE) and malware-free equilibrium (MFE) points. At equilibrium, the rate of change in all states is zero, i.e., The endemic equilibrium point refers to the stability point at which the number of nodes in all the states remains constant after a certain duration, t * , and there is malware in the network. That is, ∀t > t * , S = E = I = R = D = 0, where is the rate of change from time t − 1 to t, and I = 0, E = 0. At this point, the malware transmission threshold value (discussed in subsection IV-B) is greater than one, implying that malware will persist in the network unless intervention measures are undertaken. The EE point, denoted can be expressed as shown below. , is the rate of change from time t − 1 to t. Also, at MFE, I = E = 0, ∀t > t * . As shown in (17), the population of devices in states E, I , S, R, and D at the MFE point is given by The MFE point is achieved when the malware spread threshold value is below one, as discussed in the subsequent subsection. Malware-free equilibrium point analysis can be used to highlight the parameter values that need to be adjusted to ensure that the malware dies off from the network. This can be achieved through the computation of the malware transmission threshold.

B. MALWARE TRANSMISSION THRESHOLD
Here, by calculating the SEIRD malware transmission threshold, σ , we provide an indicator of the effectiveness of the current security measures. The transmission threshold plays an important role in modeling malware propagation as it indicates whether malware in the network will survive and persist in the future or fade away after some time. To compute σ , we use the Next-generation matrix method (NGM) presented in [43]. The transmission threshold, σ , is expressed as the spectral radius (denoted as ) of the NGM, i.e., where A is the advent rate matrix, and B is the transition rate matrix at MFE. Matrices A and B are generated from infectious classes E and I . The advent rate matrix, A, comprises only the parameters that cause new infections, i.e., the parameters that cause susceptible nodes to become compromised. Matrix B is derived from the parameters that transmit the infection, e.g., the parameters that make exposed nodes transit to I state. These two matrices are shown below.
To compute the malware transmission threshold, we first compute the inverse of matrix B (B −1 ), which is given by where Following equation (21), matrix B must be invertible, i.e., the determinant should not be equal to 0. Computing the determinant of matrix, |B|, we obtain, which is non-zero, and therefore matrix B is invertible. Finally, we derive the malware transmission threshold (basic reproduction number) as, The transmission threshold, σ , can be used as a security guideline to determine whether the malware is likely to die out in the future or not. For instance, when σ < 1, one primary case infects less than one device, implying that the malware will eventually disappear, and the IoT network will stabilize at the malware-free equilibrium point. MFE point implies that the current security measures are sufficient for mitigating an attack. On the contrary, if σ > 1, one index case produces more than one infection, thus implying that the malware will remain in the network if proper security interventions are not undertaken to reduce the threshold value.
From equation (23), $P_{EI}$, δ, and γ have the greatest implications on the threshold value. Increasing maintenance frequency for IoT devices could effectively reduce δ, and accelerating the patching rate could increase γ. $P_{EI}$ is not easy to tune, as it depends on users' security awareness. To control the value of $P_{EI}$, the network administrator can carry out advocacy and improve the users' knowledge of attack protection strategies. Therefore, to reduce the value of σ, network administrators need to reduce the value of δ, increase the rate γ, and improve user security awareness.
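The next-generation-matrix computation of this subsection, as an added example that is not the paper's code: it uses a single-group, mass-action simplification of the Section III transitions, so the matrices A and B below belong to that simplification rather than to the paper's equations. The names `beta_E`, `beta_I` and `eps` are hypothetical stand-ins for the combined INF/D2D exposure and E-to-I rates, and all numeric values are constructed.

```python
import math

# Constructed per-time-step rates (assumptions, not the paper's Table 3).
BASE = dict(beta_E=0.1, beta_I=0.8,      # new exposures caused per E / per I node
            eps=0.2,                     # E -> I (malicious file opened)
            gamma=0.05,                  # patching / recovery from S, E and I
            delta=0.01, delta_ex=0.02,   # battery death, extra death when infected
            lam=0.02,                    # R -> S (immunity lost)
            delta_RD=0.01,               # R -> D
            mu=0.05)                     # dead nodes discarded and replaced into S
PATCHED = dict(BASE, gamma=0.2)          # same network with faster patching


def mfe(p):
    """Malware-free equilibrium (S0, R0, D0), i.e. the fixed point with E = I = 0."""
    r_per_s = p["gamma"] / (p["lam"] + p["delta_RD"])
    d_per_s = (p["delta"] + p["delta_RD"] * r_per_s) / p["mu"]
    s0 = 1.0 / (1.0 + r_per_s + d_per_s)
    return s0, r_per_s * s0, d_per_s * s0


def inv2(m):
    (a, b), (c, d) = m
    det = a * d - b * c
    if det == 0:
        raise ValueError("transition matrix B is singular")
    return [[d / det, -b / det], [-c / det, a / det]]


def matmul2(x, y):
    return [[sum(x[i][k] * y[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]


def spectral_radius2(m):
    """Largest eigenvalue modulus of a 2x2 matrix, from its trace and determinant."""
    (a, b), (c, d) = m
    tr, det = a + d, a * d - b * c
    disc = tr * tr - 4.0 * det
    if disc < 0:
        return math.sqrt(det)            # complex pair: |lambda|^2 = det
    root = math.sqrt(disc)
    return max(abs((tr + root) / 2.0), abs((tr - root) / 2.0))


def threshold(p):
    """sigma = spectral radius of A * B^-1 over the infectious classes (E, I)."""
    s0, _, _ = mfe(p)
    A = [[p["beta_E"] * s0, p["beta_I"] * s0], [0.0, 0.0]]       # new infections
    B = [[p["eps"] + p["gamma"] + p["delta"], 0.0],              # transitions
         [-p["eps"], p["gamma"] + p["delta"] + p["delta_ex"]]]
    return spectral_radius2(matmul2(A, inv2(B)))


def derivs(y, p):
    S, E, I, R, D = y
    new_exposed = S * (p["beta_E"] * E + p["beta_I"] * I)
    dS = p["mu"] * D + p["lam"] * R - new_exposed - (p["gamma"] + p["delta"]) * S
    dE = new_exposed - (p["eps"] + p["gamma"] + p["delta"]) * E
    dI = p["eps"] * E - (p["gamma"] + p["delta"] + p["delta_ex"]) * I
    dR = p["gamma"] * (S + E + I) - (p["lam"] + p["delta_RD"]) * R
    dD = (p["delta"] * (S + E) + (p["delta"] + p["delta_ex"]) * I
          + p["delta_RD"] * R - p["mu"] * D)
    return (dS, dE, dI, dR, dD)


def simulate(p, tau=0.01, t_end=2000.0, dt=0.1):
    """Integrate with RK4 from I(0) = tau, S(0) = 1 - tau; returns (S, E, I, R, D)."""
    y = (1.0 - tau, 0.0, tau, 0.0, 0.0)
    for _ in range(int(t_end / dt)):
        k1 = derivs(y, p)
        k2 = derivs(tuple(a + dt / 2 * b for a, b in zip(y, k1)), p)
        k3 = derivs(tuple(a + dt / 2 * b for a, b in zip(y, k2)), p)
        k4 = derivs(tuple(a + dt * b for a, b in zip(y, k3)), p)
        y = tuple(a + dt / 6 * (b + 2 * c + 2 * d + e)
                  for a, b, c, d, e in zip(y, k1, k2, k3, k4))
    return y


if __name__ == "__main__":
    for name, p in (("baseline", BASE), ("faster patching", PATCHED)):
        S, E, I, R, D = simulate(p)
        print(f"{name}: sigma={threshold(p):.3f}  final E+I={E + I:.6f}")
```

Raising only the patching rate γ moves this constructed network from σ above one, where the compromised fraction settles at a non-zero level, to σ below one, where it decays to zero.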

V. SIMULATION AND RESULTS
This section illustrates that the analytical results fit the simulation findings. For the analytical illustrations, we solved equations (3) while simulation results were achieved through performing Monte Carlo simulations, each repeated 1000 times with varying inputs. We also used the ONE simulator proposed in [44] to simulate the Gauss-Markov mobility model, whereby we reset the position of IoT devices 100 times and computed the average value to use in the final simulations. The ONE simulator provides an environment to model node movement and inter-node contacts using different mobility models. Additionally, we analyzed the impact of changing specific parameter values on the malware spread rate and observed that different parameter settings profoundly affected the simulation results. Also, we performed experiments to illustrate the malware transmission threshold, i.e., when σ > 1, and σ < 1. Finally, we compared the proposed model with similar existing works, and the results are reported in subsection V-B. The parameters used in this paper are recorded in Table 3. (contact rate) and $R_o$ (malware file opening rate) positively correlate with the number of infected devices in the network. Specifically, contacting friends on social networks more frequently and increasing the probability of opening a malware file exacerbates the infection spread.
Figs. 5 and 6 illustrate the population of the infected IoT devices under different values of $P_{EI}$ and $R_d$. Both $P_{EI}$ and $R_d$ affect the infection probability in D2D transmission. While $P_{EI}$ increases the population of infected IoT devices, $R_d$ does not. The growth of the I state is influenced by other parameters because $R_d$ reduces the number of devices that transit from state E to I. Because of the decline rate, $R_d$, the I proportion is relatively lower at time t than it was at time t − 1. Concretely, the population of infected devices increases before gradually decreasing and finally plateauing. Fig. 7 demonstrates that a higher death rate, δ, $\delta_{ex}$, reduces the fraction of the infected devices. The increased malware activity in infected nodes depletes devices' battery power, thus reducing the number of nodes in the I state.
As illustrated in Fig. 8, the higher the birth rate (µ), the smaller the proportion of the IoT devices in the D state. However, after a certain duration, a further increase in µ does not alter the proportion of the D state. Fig. 9 illustrates the effect of δ, $\delta_{ex}$ on the proportion of devices in D state. A higher death rate causes more nodes to transit to state D after power depletion.
Figs. 10 and 11 show the effect of movement speed, v, on the population of E and I, respectively. The proportion of E and I states increases with speed, but after a certain threshold, the number of exposed nodes plateaus while the number of the infected nodes decreases steadily over time.
The effects of changing the value of the communication range are shown in Figs. 12 and 13. The larger the radius, the higher the infection rate since malware can reach more target victims. Fig. 14 illustrates the malware-free equilibrium (MFE) point, i.e., when σ < 1. Applying equation (23), we obtain the threshold value for MFE and as expected it is less than 1, i.e., σ = 0.38 < 1. The rate of change in all states is zero, and there is no malware in the network. The MFE point implies that the current security measures are sufficient to eliminate the malware from the network. In Fig. 15, the malware threshold is greater than 1, i.e., σ > 1, and malware is present in the network since E ≠ 0 and I ≠ 0. Specifically, applying equation (23), we obtain the malware threshold in endemic equilibrium as σ = 2.5 > 1. This value indicates that the malware will remain in the network in the future unless effective strategies are adopted to suppress it.

B. MODEL COMPARISON AND FACEBOOK DATASET IMPLEMENTATION
This subsection compares the performance of the proposed work with the models presented in [13] and [19]. Fig. 16 shows the ratio of states I and S of our model and those of models proposed in [13] and [19], under the same parameter settings. Liu et al. [19] only consider long-distance transmission, while [13] studies both INF and D2D communications but ignores the role of mobility in malware propagation. From Fig. 16, the ratio of I state in [19] and [13] is not as high as that of the proposed model. Liu et al. [19] seriously underestimated malware propagation by failing to factor in the role of INF in malware spread. Acarali et al. [13] also underrated the severity of IoT malware propagation by failing to recognize the impact of mobility in the spread of malware.
Finally, we tested our model on a real-world dataset, the Facebook dataset from the Stanford Network Analysis Project (SNAP) [45]. The Facebook dataset is an undirected graph with 4,039 nodes and 88,234 edges. The simulation results presented in Fig. 17 demonstrate that the experimental findings under the FB dataset match the analytical results discussed previously.

VI. CONCLUSION
In this paper, we proposed SEIRD epidemic model to study mobile IoT malware. In addition to mobility, we analyzed the impacts of leveraging infrastructure-based and D2D communication schemes on IoT malware spread. Our discussions and analysis demonstrated that our model adequately captures the dynamics of realistic IoT malware propagation. We conducted mathematical evaluations and computed the malware transmission threshold, which can be used as a security guideline in suppressing IoT malware attacks. When the transmission threshold value is less than one, the malware will eventually die out even without further interventions; otherwise, it will persist in the future. Our analysis and simulation results revealed that mobility and the use of both INF and D2D connections significantly aggravate malware diffusion in IoT networks. However, we discovered that intervention measures such as increasing IoT user security awareness and improving the recovery rate could substantially reduce the extent and severity of malware spread.
BO-RUI CHEN received the M.Sc. degree in computer science and information engineering from the National Taiwan University of Science and Technology, Taipei, Taiwan, in 2020. His research interest includes malware propagation modeling in IoT networks.