Application of Impulsive SIRQ Models for the Development of Forecasting and Cyberattack Mitigation Scenarios

1. Introduction

Over recent years, cyberattacks against critical infrastructure have assumed a systemic character and evolved from isolated incidents into an integral component of hybrid threats. Energy systems, transportation networks, the banking sector, communication systems, and water and heat supply facilities are increasingly becoming targets of well-organized and technically sophisticated adversaries. Of particular concern are distributed denial-of-service (DDoS) attacks [1,2], which are capable of paralyzing the operation of critically important services within minutes, causing significant economic losses and large-scale social consequences.

Unlike traditional cyberattacks, which are typically aimed at data theft or unauthorized access, DDoS attacks primarily seek to disrupt service availability [3]. For critical infrastructure facilities, this entails the risk of halting production processes, losing control over technological systems, and experiencing disruptions in the supply of electricity, water, or heat, and in some cases poses a direct threat to human life and health. Consequently, cybersecurity in this domain acquires strategic importance and is no longer viewed solely as a technical issue, but rather as a transnational security challenge [4,5].

Modern attacks on critical infrastructure are characterized by a high degree of automation, the use of botnets comprising hundreds of thousands of compromised devices, and sophisticated techniques for masquerading as legitimate traffic [2]. This significantly complicates their timely detection by conventional filtering and monitoring mechanisms. Under these conditions, mathematical models are gaining increasing importance, as they make it possible not only to describe the dynamics of attack propagation within a network, but also to forecast its evolution and to assess the effectiveness of various defense strategies [6]

At present, the modeling of malicious object propagation in computer networks is increasingly carried out using methodologies borrowed from classical epidemiological models [7]. The spread of computer viruses, botnets, or DDoS agents exhibits a pronounced structural analogy with the dynamics of biological epidemics [8], which makes compartmental approaches – particularly SIR and SIRQ models – an effective tool for analysis and forecasting [6].

In the cybersecurity context, the variables $\mathcal{S}$ (Susceptible), $\mathcal{I}$ (Infected), $\mathcal{R}$ (Removed/Recovered), and $\mathcal{Q}$ (Quarantined) are interpreted as components of a network: in particular, $\mathcal{I}$ represents bots actively attacking a server, $\mathcal{S}$ denotes potential new bots, $\mathcal{Q}$ corresponds to blocked IP addresses, network segments, or VLANs, and $\mathcal{R}$ refers to cleaned and patched devices. Such a representation makes it possible to estimate the rate of malicious code propagation, identify critical thresholds (analogous to the epidemiological threshold ${\mathcal{R}}_0$), and forecast cyberattack development scenarios in real time [9].

However, the practical operation of a network is characterized by the presence of sudden and irregular influences that cannot be adequately captured within the framework of classical continuous models. Such influences include mass antivirus updates, forced reboots, the enforcement of isolation policies, traffic throttling, or other instantaneous mitigation measures. These effects are naturally described by so-called impulsive systems [10], which make it possible to model discrete control actions embedded within the continuous dynamics of threat propagation.

The application of impulsive approaches in SIR-type models enables the formulation of realistic cyberattack response scenarios. In particular, periodically or quasi-periodically acting impulses allow one to represent situations in which preventive or protective measures are applied irregularly but within certain constraints – for example, in the case of unscheduled updates, nonuniform security checks, or automated responses to traffic anomalies. The analysis of the existence and asymptotic stability of infection-free periodic or quasi-periodic solutions of such systems reflects the conditions under which a network can maintain functional stability [11,12] and return to a secure state after sudden impulsive perturbations. This constitutes an important component that qualitatively distinguishes the controllability of complex systems described by classical models with well-studied mathematical formalisms [13,14,15,16].

The use of such models is critically important for the development of adaptive cyberattack mitigation strategies and for forecasting their evolution [6]. They make it possible to:

• Assess network infection rates as a function of network topology and the security level of individual nodes;
• Evaluate the effectiveness of different types of impulsive control, ranging from mass updates to the isolation of individual segments;
• Develop resilience scenarios for critical infrastructure under conditions of repeated attacks;
• Model the behavior of malicious botnets and substantiate optimal intervention points;
• Forecast the consequences of large-scale DDoS campaigns in environments with varying densities of vulnerable IoT devices;
• Design multi-layered cyber defense systems based on principles of controllability and asymptotic stability.

Thus, extending epidemic models to incorporate impulsive periodic effects enhances their applied value and enables the development of realistic tools for risk forecasting and control in the field of cybersecurity. This approach combines the mathematical rigor of classical stability theory with the practical demands of modern complex telecommunication and information systems, and can be effectively employed in tasks related to planning, threat analysis, and the design of adaptive protection strategies for both epidemiological and cyber applications.

In this paper, we investigate an electronic epidemic model of a DDoS attack on target resources in a computer network. Particular attention is devoted to a detailed analysis of the stability conditions of periodic regimes in the corresponding impulsive system.

2. Motivation and Problem Statement

In the proposed model, the entire set of network nodes is divided into two populations: an attacking population and a targeted population. It is natural to assume that the primary objective of an adversary is to identify as many vulnerable nodes as possible within the attacking population and subsequently exploit them to carry out an attack against a specified targeted population. In practice, the total size of the targeted population can be assumed to be constant. Accordingly, the loss of any infected nodes as a result of a DDoS attack is considered to be compensated through their recovery, cleansing from compromise (“infection”) in a quarantine mode, and subsequent return to the class of recovered target nodes [9]. This assumption ensures the constancy of the targeted population size throughout the entire modeling process.

Vulnerable nodes operate according to a dual scheme: on the one hand, they are used to discover new nodes for the subsequent propagation of the attack, and on the other hand, they are directly involved in attacks on target resources (Figure 1). At the same time, vulnerable nodes do not enter a state of permanent recovery and, after completing the corresponding stages, return to the susceptible class.

Since attacks on critical infrastructure facilities are typically extremely intensive and destructive, the target network resources must therefore be equipped with significantly more powerful protection and response mechanisms compared to conventional information systems.

In the model presented in Figure 1, the following system of variables and parameters is employed. The symbol S denotes the class of susceptible attacking nodes, i.e., nodes of the attacking population that have not yet been involved in the attack but may be compromised. The class $\mathcal{I}$ corresponds to infected attacking nodes that actively participate in the generation of malicious traffic and the execution of DDoS attacks.

The quantity ${\mathcal{S}}_t$ characterizes the number of susceptible target nodes that are in a normal operational state but may be affected by an attack. The variable ${\mathcal{I}}_t$ corresponds to infected target nodes whose functioning is disrupted as a result of a DDoS attack. The notation ${\mathcal{Q}}_t$ denotes target nodes that have been placed in a quarantine mode in order to localize the attack and carry out recovery measures. The class ${\mathcal{R}}_t$ describes recovered target nodes that, after cleansing and technical maintenance, have returned to normal operating conditions [9].

The parameter $\beta$ is the infection contact rate and determines the intensity of attack propagation in the network, proportional to the product of the numbers of susceptible and infected nodes. The parameter $\mu$ characterizes the natural rate of removal and admission of attacking nodes in the network, corresponding to node failures due to technical reasons and the appearance of new nodes, respectively. The parameter $\epsilon$ defines the rate at which infected attacking nodes return to the susceptible class, while the parameter ${\epsilon }_t$ describes the rate of immunity loss of recovered target nodes and their subsequent transition back to the susceptible class.

The intensity of transferring infected nodes into quarantine is determined by the parameter $\gamma$. The parameter $\eta$ characterizes the rate at which quarantined nodes, after undergoing recovery procedures, return to the class of recovered target nodes.

Note that the coefficients $\beta$, $\delta$, $\eta$, $\epsilon$, $\mu$, and $\gamma$ are positive.

3. Impulsive SIRQ Model

Accordingly, the model can be mathematically represented by a system of differential equations of the form:

$$\left\{\begin{array}{c}\dot{{\mathcal{S}}_t}=-\beta {\mathcal{S}}_{t}I+{\epsilon }_t{\mathcal{R}}_t,\\ \dot{{\mathcal{I}}_t}=\beta {\mathcal{S}}_{t}I-\gamma {\mathcal{I}}_t, \\ \dot{{\mathcal{Q}}_t}=\gamma {\mathcal{I}}_t-\eta {\mathcal{Q}}_t, \\ {\dot{\mathcal{R}}}_t=\eta {\mathcal{Q}}_t-{\epsilon }_t{\mathcal{R}}_t. \end{array}\right.$$

(1)

Here is ${\mathcal{S}}_t+{\mathcal{I}}_t+{\mathcal{Q}}_t+{\mathcal{R}}_t=1.$

$$\left\{\begin{array}{c}\dot{\mathcal{S}}=\mu -\beta SI+\mu S+\epsilon I,\\ \dot{\mathcal{I}}=\mu SI-\left(\mu +\epsilon \right)I. \end{array}\right.$$

(2)

Here is $\mathcal{S}+\mathcal{I}=1.$Eliminating from systems (1) and (2) ${\mathcal{R}}_t=1-{\mathcal{S}}_t-{\mathcal{I}}_t-{\mathcal{Q}}_t$ and $\mathcal{S}=1-\mathcal{I},$ we obtain

$$\left\{\begin{array}{c}\dot{{\mathcal{S}}_t}=-\beta {\mathcal{S}}_{t}I+{\epsilon }_t\left(1-{\mathcal{S}}_t-{\mathcal{I}}_t-{\mathcal{Q}}_t\right),\\ \dot{{\mathcal{I}}_t}=\beta {\mathcal{S}}_{t}I-\gamma {\mathcal{I}}_t, \\ \dot{{\mathcal{Q}}_t}=\gamma {\mathcal{I}}_t-\eta {\mathcal{Q}}_t, \\ \dot{\mathcal{I}}=\beta \left(1-\mathcal{I}\right)I-\left(\mu +\epsilon \right)I. \end{array}\right.$$

(3)

Let’s put

$$\mathsf{\Omega }=\left\{P=\left\{{\mathcal{S}}_t, {\mathcal{I}}_t, {\mathcal{Q}}_t,\mathcal{I}\right\}\in {\mathbb{R}}_{+}^4 \right| {\mathcal{S}}_t+{\mathcal{I}}_t+{\mathcal{Q}}_t\le 1, \mathcal{I}\le 1\}.$$

An important indicator characterizing the epidemic threshold is – ${\mathcal{R}}_0$, the value of which is determined by the ratio

$${\mathcal{R}}_0={\displaystyle \frac{\beta }{\mu +\epsilon }}.$$

Theorem 1 [9]. For any initial data $P\left(0\right)\in \mathsf{\Omega }$, the solution $P\left(t\right)$ of system (3) exists on the interval $[0,+\mathrm{\infty })$ and satisfies $P\left(t\right)\in \mathsf{\Omega }$ for all $t\ge 0$.

If ${\mathcal{R}}_0\le 1$, then there exists a unique equilibrium point (infection-free) in the set $\mathsf{\Omega }$,

$$P_0^{*}=\left\{{\mathcal{S}}_t^{*}=1, {\mathcal{I}}_t^{*}=0, {\mathcal{Q}}_t^{*}=0, {\mathcal{I}}^{*}=0\right\}$$

which is globally asymptotically stable in $\mathsf{\Omega }$.

If ${\mathcal{R}}_0>1$, an avalanche-like propagation of the attack occurs. In this case, $P_0^{*}$ is unstable and another equilibrium point

$$P_0^{**}=\left\{{\mathcal{S}}_t^{**}, {\mathcal{I}}_t^{*}, {\mathcal{Q}}_t^{*}, {\mathcal{I}}^{*}\right\}$$

with positive components (endemic equilibrium) emerges in $\mathsf{\Omega }$, which is globally asymptotically stable in $\mathrm{int}\mathsf{\Omega }$.

By modeling the processes of updating the corresponding antivirus software of the target node population as abrupt reductions in the number of vulnerable nodes at prescribed time instants, we arrive at an impulsive problem

$${\left.∆{\mathcal{S}}_t\right|}_{t=t_n}≔ {\mathcal{S}}_t\left(t_n+0\right)-{\mathcal{S}}_t\left(t_n\right)=-b_n\mathcal{S}\left(t_n\right),$$

(4)

where $\left\{b_n\right\}\subset \left(\mathrm{0,1}\right),$ $\left\{t_n\right\}$ are the given values and moments of impulse disturbances, respectively.

We assume that the presence of the immunizing perturbation (4) can fundamentally alter the linear behavior of the solutions of system (3) described in Theorem 1.

In particular, when ${\mathcal{R}}_0>1$ and under certain conditions on the sequences $\left\{b_n\right\}$ and $\left\{t_n\right\}$, system (3), (4) admits an infection-free periodic solution $\bar{P}\left(t\right)$ that is asymptotically stable with respect to the subset of coordinates corresponding to the target nodes.

Let us consider the following problem (4):

$$0<t_1<t_2<\dots <t_p<T, t_{n+p}=t_n+T, n\ge 1,\mathrm{br}-\mathrm{to}-\mathrm{break} b_{n+p}=b_n, n\ge 1.$$

(5)

Theorem 2. Under conditions (5), problem (3) admits a $T$ -periodic impulsive solution$\overline{P}\left(t\right)=\left\{\overline{\mathcal{S}}\right(t), 0, 0, 0\}$, which is infection-free. Moreover,

$$\underset{t\ge 0}{\sup }\overline{\mathcal{S}}\left(t\right)\to 0, T\to 0.$$

(6)

Proof of Theorem 2. Let us find $\overline{\mathcal{S}}\left(t\right)$ as a $T$-periodic impulse solution of the problem

$$\left\{\begin{array}{c}\dot{\mathcal{S}}=\epsilon \left(1-s\right), \\ {\left.∆\mathcal{S}\right|}_{t=t_n}=-b_{n}S\left(t_n\right). \end{array}\right.$$

(7)

System (7) is obtained from (3) for ${\mathcal{I}}_t\equiv 0$, ${\mathcal{Q}}_t\equiv 0$, $\mathcal{I}\equiv 0$. For convenience, we denote $\mathcal{S}={\mathcal{S}}_t$, $\epsilon ={\epsilon }_t$. On the interval of continuity $\left[\tau ,t\right]$

$$\mathcal{S}\left(t\right)=\left(\mathcal{S}\left(\tau \right)-1\right)e^{-\epsilon \left(t-T\right)}+1.$$

Therefore

$$\mathcal{S}\left(t_1+0\right)=\left[\left(\mathcal{S}\left(0\right)-1\right)e^{-\epsilon t_1}+1\right]\left(1-b_1\right)=\mathcal{S}\left(0\right)e^{-\epsilon t_1}\left(1-b_1\right)+{\alpha }_1,$$

where $0<{\alpha }_1<1-e^{-\epsilon t_1}$.

Next, we calculate $\mathcal{S}\left(t_2+0\right)$, $\mathcal{S}\left(t_3+0\right)$, etc. At the $p$-th step, we obtain

$$\mathcal{S}\left(t_p+0\right)=\mathcal{S}\left(0\right)e^{-\epsilon t_p}\prod _{i=1}^p\left(1-b_i\right)+{\alpha }_p,$$

where $0<{\alpha }_p<1-e^{-\epsilon t_p}$.

Therefore

$$\mathcal{S}\left(T\right)=\mathcal{S}\left(0\right)e^{-\epsilon T}\prod _{i=1}^p\left(1-b_i\right)+\left({\alpha }_p-1\right)e^{-\epsilon \left(T-t_p\right)}+1.$$

Then the initial data for the $T$-periodic solution $\overline{\mathcal{S}}\left(t\right)$ is determined in the following way:

$$\mathcal{S}\left(0\right)={\displaystyle \frac{\left({\alpha }_p-1\right)e^{-\epsilon \left(T-t_p\right)}+1}{1-e^{-\epsilon T}\prod _{i=1}^p\left(1-b_i\right)}}.$$

(8)

At the same time, from (8)

$$\mathcal{S}\left(0\right)<{\displaystyle \frac{1-e^{-\epsilon T}}{1-e^{-\epsilon T}\prod _{i=1}^p\left(1-b_i\right)}},$$

which means that $\mathcal{S}\left(0\right)\to 0$ when $T\to 0$. Then from (7) we deduce that $\forall \epsilon >0$ $\exists T^{*}>0$ $\forall T\in (0,T^{*})$

$$\overline{\mathcal{S}}\left(t\right)<\epsilon$$

for $\forall t\ge 0$.

Hence we have (6). □

Corollary 1. 

In problem (7), the$T$-periodic solution$\overline{\mathcal{S}}\left(t\right)$is asymptotically stable; that is, for any$\mathcal{S}\left(0\right)\in \left(\mathrm{0,1}\right)$, the corresponding solution$\mathcal{S}\left(t\right)$of problem (7) satisfies:

$$\mathcal{S}\left(t\right)-\overline{\mathcal{S}}\left(t\right)\to 0, t\to \infty .$$

(9)

It is easy to see that for ${\mathcal{R}}_0>1$ the equilibrium position $\mathcal{I}=0$ of the fourth equation of system (3) is unstable. Moreover, for $\forall \mathcal{I}\left(0\right)\in \left(\mathrm{0,1}\right),$ $\forall t>0,$ $\mathcal{I}\left(t\right)\in \left(\mathrm{0,1}\right)$

$$\underset{t\to \infty }{\lim }\mathcal{I}\left(t\right)=1-{\displaystyle \frac{1}{{\mathcal{R}}_0}}.$$

Thus, it is fundamentally impossible to achieve asymptotic stability of $\overline{P}\left(t\right)=\left\{\overline{\mathcal{S}}\left(t\right), 0, 0, 0\right\}$ with respect to all coordinates. However, from the standpoint of the original model, this is not required. It is essential to achieve asymptotic stability of the infection-free impulsive solution with respect to the first three coordinates, which correspond to the state of the target node population.

Definition 1. 

The solution$\overline{P}\left(t\right)=\left\{\overline{\mathcal{S}}\right(t), 0, 0, 0\}$of problems (3), (4) is said to be asymptotically stable with respect to the variables $\left({\mathcal{S}}_t, {\mathcal{I}}_t, {\mathcal{Q}}_t\right)$if for any$\epsilon >0$there exists$\tau \ge T$such that

$$\forall P\left(0\right)=\left\{{\mathcal{S}}_t\left(0\right), {\mathcal{I}}_t\left(0\right), {\mathcal{Q}}_t\left(0\right),\mathcal{I}\left(0\right)\right\}\in \mathrm{i}nt \mathsf{\Omega }$$

is true

$${\mathcal{S}}_t\left(t\right)<\overline{\mathcal{S}}\left(t\right)+\epsilon ,$$

$$\left|{\mathcal{I}}_t\left(t\right)\right|+\left|{\mathcal{Q}}_t\left(t\right)\right|<\epsilon .$$

Theorem 3. Suppose that in problems (5), (6) the impulsive perturbation satisfies condition (5), and let $\overline{P}\left(t\right)=\left\{\overline{\mathcal{S}}\right(t), 0, 0, 0\}$ be the corresponding infection-free impulsive periodic solution. Then there exists$T^{*}>0$such that for$T<T^{*}$, the solution$\overline{P}\left(t\right)$is asymptotically stable with respect to the variables$\left({\mathcal{S}}_t, {\mathcal{I}}_t, {\mathcal{Q}}_t\right)$in the sense of Definition 1.

Proof of Theorem 3. For fixed functions $\mathcal{I}\left(t\right)$, ${\mathcal{I}}_t\left(t\right)$, and ${\mathcal{Q}}_t\left(t\right)$, consider the impulsive problem associated with the first equation of system (3).

$$\left\{\begin{array}{c}\dot{{\mathcal{S}}_t}=-\beta {\mathcal{S}}_{t}I+{\epsilon }_t\left(1-{\mathcal{S}}_t-{\mathcal{I}}_t-{\mathcal{Q}}_t\right),\\ {\left.∆\mathcal{S}\right|}_{t=t_n}=-b_{n}S\left(t_n\right), \end{array}\right.$$

(10)

${\left.∆\mathcal{S}\right|}_{t=0}={\mathcal{S}}_t^0\in \left(\mathrm{0,1}\right).$Since $\mathcal{I}\left(t\right)\ge 0$, ${\mathcal{I}}_t\left(t\right)\ge 0$, ${\mathcal{Q}}_t\left(t\right)\ge 0$, then

$$\forall t\ge 0,{\mathcal{S}}_t\left(t\right)\le \mathcal{S}\left(t\right),$$

(11)

where $\mathcal{S}\left(t\right)$ is the solution to (7), $\mathcal{S}\left(0\right)={\mathcal{S}}_t^0$, and therefore, according to Corollary 1 of Theorem 2

$$\mathcal{S}\left(t\right)-\overline{\mathcal{S}}\left(t\right)\to 0, t\to \infty .$$

(12)

Now, with fixed $\mathcal{I}\left(t\right)$, ${\mathcal{S}}_t\left(t\right)$, let us consider the second and third equations of system (3)

$$\left\{\begin{array}{c}\dot{{\mathcal{I}}_t}=\beta {\mathcal{S}}_{t}I-\gamma {\mathcal{I}}_t,\\ \dot{{\mathcal{Q}}_t}=\gamma {\mathcal{I}}_t-\eta {\mathcal{Q}}_t, \end{array}\right.$$

(13)

$${\mathcal{I}}_t\left(0\right)={\mathcal{I}}_t^0\in \left(\mathrm{0,1}\right), {\mathcal{Q}}_t\left(0\right)={\mathcal{Q}}_t^0\in \left(\mathrm{0,1}\right).$$

Since system (13) is cooperative, then by Kamke’s theorem

$$0\le {\mathcal{I}}_t\left(t\right)\le Y\left(t\right), 0\le {\mathcal{Q}}_t\left(t\right)\le Z\left(t\right),$$

(1)

where $\left\{Y\left(t\right), Z\left(t\right)\right\}$ is the solution of the system

$$\left\{\begin{array}{c}\dot{Y}=\beta S\left(t\right)Z-\gamma Y,\\ \dot{Z}=\gamma Y-\eta Z, \end{array}\right.$$

(14)

$$Y\left(0\right)={\mathcal{I}}_t^0, Z\left(0\right)={\mathcal{Q}}_t^0.$$

(2)

where $\mathcal{S}\left(t\right)$ satisfies (12).

Then for sufficiently large $t$

$${\displaystyle \frac{d}{dt}}\left(2Y\left(t\right)+Z\left(t\right)\right)=2\beta \mathcal{S}\left(t\right)Z-\gamma Y-\eta Z=\mathrm{br}\mathrm{to}\mathrm{break}=-{\displaystyle \frac{\gamma }{2}}\bullet 2Y-\left(\eta -2\beta \mathcal{S}\left(t\right)\right)Z\le \lambda \left(2Y+Z\right),$$

(15)

where $\lambda =\min \left\{{\displaystyle \frac{\gamma }{2}},{\displaystyle \frac{\epsilon }{2}}\right\}$, if $T^{*}$ is chosen so that for $T<T^{*}$

$$\underset{t\ge 0}{\sup }\overline{\mathcal{S}}\left(t\right)<{\displaystyle \frac{\epsilon }{4\beta }}.$$

(16)

Thus, $\forall t\ge 0$

$${\mathcal{I}}_t\left(t\right)+{\mathcal{Q}}_t\left(t\right)\le K\bullet \left({\mathcal{I}}_t\left(0\right)+{\mathcal{Q}}_t\left(0\right)\right)e^{-\lambda t},$$

(17)

where $K>0$ is some constant.

Then from (11), (12), (17) we have the desired result. □

4. Discussion

It should be noted that estimate (17) formalizes the requirement of functional resilience of an information system subjected to aggressive adversarial interference. Even for ${\mathcal{R}}_0>1$ (which corresponds to a natural tendency toward avalanche-like growth of a botnet), properly organized periodic impulses (updates, blocking, and segmentation) ensure exponential reduction of the active component of the attack within the target population (Figure 2).

The left-hand side of inequality (17), ${\mathcal{I}}_t\left(t\right)+{\mathcal{Q}}_t\left(t\right)$, describes the total “active threat” to the target network, comprising active bots $I_t$ and isolated but not yet recovered nodes $Q_t$. The factor $e^{-\lambda t}$ guarantees that, under appropriately selected impulsive control (mass updates or node isolation applied with period $T<T^{*}$), the active threat decays at an exponential rate.

The parameter $\lambda =\min \left\{{\displaystyle \frac{\gamma }{2}},{\displaystyle \frac{\epsilon }{2}}\right\}$ reflects the “bottleneck” in the defense mechanism:

• If $\gamma$ is small, the network is characterized by slow isolation processes (IDS/IPS/IDPS and SOC respond sluggishly);
• If $\epsilon$ is small, rapid loss of immunity is observed (outdated patches, policies, etc.).

The constant $K$ aggregates the initial conditions and the comparison inequalities (Kamke conditions); in practical terms, it represents the model’s safety margin.

In Figure 2, the red dashed line depicts the “teeth,” corresponding to the moments of impulsive intervention $t_n$, when software updates or isolation measures lead to an abrupt reduction in the number of infected nodes. The pink dashed line visualizes estimate (17). It demonstrates that, provided the impulse frequency is sufficiently high ($T<T^{*}$), the attack is guaranteed to decay, regardless of any attempts by adversaries to propagate it. Overall, Figure 2 shows that over time the system converges to an infection-free state (the values tend toward zero), which constitutes the objective of protection.

In this way, estimate (17) provides a quantitative guarantee of exponential suppression of the active phase of a DDoS attack in the target network under properly configured impulsive control, which directly corresponds to the engineering requirements for the resilience of critical infrastructure services. Moreover, estimate (17) establishes a necessary condition for ensuring the functional resilience of a critical infrastructure information system and for designing multi-layered defense systems for it.

5. Conclusions

This paper proposes an impulsive SIRQ model that generalizes classical epidemic approaches to the analysis of cyberattacks and consistently integrates the continuous dynamics of malware propagation in a network with discrete control actions representing mass updates, node isolation, and the enforcement of access policies. Such an approach provides an adequate mathematical description of real-world response mechanisms to large-scale viral and DDoS attacks.

The fundamental role of the basic reproduction number ${\mathcal{R}}_0$ is established as a threshold parameter determining the attack dynamics: for ${\mathcal{R}}_0\le 1$, the infection-free equilibrium is globally asymptotically stable, whereas for ${\mathcal{R}}_0>1$ the system admits an endemic regime with a nonzero fraction of infected nodes.

It is shown that the application of periodic impulsive control actions enables stabilization of the infection-free regime with respect to the target population even when the threshold value ${\mathcal{R}}_0$ is exceeded. Such stabilization constitutes a practically sufficient condition for ensuring the availability of critical services and maintaining the functional resilience of network infrastructure under large-scale attacks.

The derived estimate (17) establishes exponential decay of the total active threat ${\mathcal{I}}_t+{\mathcal{Q}}_t$ with rate $\lambda$, which admits a clear applied interpretation in terms of the isolation rate of infected nodes and the level of immunity retention in recovered systems. This estimate provides a quantitative guarantee of the effectiveness of impulsive cyber defense strategies.

The proposed model forms a theoretical foundation for the design of adaptive cybersecurity systems, the determination of optimal frequency and intensity of preventive impulses, the forecasting of the consequences of large-scale DDoS campaigns, and the development of multi-layered defense strategies for critical information infrastructure.