Modeling self-propagating malware with epidemiological models

Abstract

Self-propagating malware (SPM) is responsible for large financial losses and major data breaches with devastating social impacts that cannot be understated. Well-known campaigns such as WannaCry and Colonial Pipeline have been able to propagate rapidly on the Internet and cause widespread service disruptions. To date, the propagation behavior of SPM is still not well understood. As result, our ability to defend against these cyber threats is still limited. Here, we address this gap by performing a comprehensive analysis of a newly proposed epidemiological-inspired model for SPM propagation, the Susceptible-Infected-Infected Dormant-Recovered (SIIDR) model. We perform a theoretical analysis of the SIIDR model by deriving its basic reproduction number and studying the stability of its disease-free equilibrium points in a homogeneous mixed system. We also characterize the SIIDR model on arbitrary graphs and discuss the conditions for stability of disease-free equilibrium points. We obtain access to 15 WannaCry attack traces generated under various conditions, derive the model’s transition rates, and show that SIIDR fits the real data well. We find that the SIIDR model outperforms more established compartmental models from epidemiology, such as SI, SIS, and SIR, at modeling SPM propagation.