Beyond the Blacklist: Modeling Malware Spread and the Effect of Interventions
Benjamin Edwards, Tyler Moore, George Stelle, Steven Hofmeyr, and Stephanie Forrest

TL;DR
This paper develops a Markov model to analyze malware spread on websites and evaluates interventions like blacklisting and depreferencing, revealing trade-offs and challenges in measuring effectiveness due to distribution variances.
Contribution
It introduces a simple yet insightful Markov model for malware spread and assesses the impact of blacklisting and depreferencing interventions on infection and traffic loss.
Findings
Interventions are most effective when websites are slow to remove infections.
Low infection or recovery rates can increase traffic loss due to false positives.
Heavy-tailed website popularity distributions cause high outcome variance, complicating empirical evaluation.
Abstract
Malware spread among websites and between websites and clients is an increasing problem. Search engines play an important role in directing users to websites and are a natural control point for intervening, using mechanisms such as blacklisting. The paper presents a simple Markov model of malware spread through large populations of websites and studies the effect of two interventions that might be deployed by a search provider: blacklisting infected web pages by removing them from search results entirely and a generalization of blacklisting, called depreferencing, in which a website's ranking is decreased by a fixed percentage each time period the site remains infected. We analyze and study the trade-offs between infection exposure and traffic loss due to false positives (the cost to a website that is incorrectly blacklisted) for different interventions. As expected, we find that…
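The following discrete-time simulation is an added illustration of the set-up described in the abstract; it is not the paper's code, and its state transitions, detector model and traffic-sharing rule are simplifying assumptions chosen here. Each site is clean or infected (per-period infection and recovery probabilities `beta` and `gamma`), the search provider's detector flags sites with true/false positive rates `tpr`/`fpr`, and a flagged site's ranking weight is multiplied by `(1 - d)` every period it stays flagged, so `d = 1` is blacklisting and `0 < d < 1` is depreferencing. Popularity is drawn from a Pareto distribution to mimic the heavy tail mentioned in the findings. Random draws are consumed in the same order regardless of the intervention, so runs with the same seed share one epidemic trajectory and can be compared directly.

```python
"""Toy model of malware spread across websites with blacklisting and
depreferencing applied by a search provider (illustrative assumptions,
not the paper's exact model)."""
import random
import statistics
from dataclasses import dataclass


@dataclass
class Outcome:
    exposure: float         # fraction of all traffic that landed on infected sites
    fp_traffic_loss: float  # fraction of nominal traffic lost by wrongly flagged clean sites
    infected_periods: int   # site-periods spent infected (size of the epidemic)


def simulate(n_sites=200, periods=300, beta=0.02, gamma=0.1,
             tpr=1.0, fpr=0.0, d=1.0, alpha=1.5, seed=1) -> Outcome:
    rng = random.Random(seed)
    # Heavy-tailed popularity (constructed): a few sites carry most of the traffic.
    weight = [rng.paretovariate(alpha) for _ in range(n_sites)]
    total_w = sum(weight)
    infected = [False] * n_sites
    mult = [1.0] * n_sites  # ranking multiplier imposed by the search provider
    exposure = fp_loss = 0.0
    infected_periods = 0
    for _ in range(periods):
        # Epidemic step: one draw per site, independent of the intervention.
        for i in range(n_sites):
            if infected[i]:
                if rng.random() < gamma:
                    infected[i] = False
            elif rng.random() < beta:
                infected[i] = True
        # Detection + intervention step: decay the rank while flagged,
        # restore it fully once the site is no longer flagged (assumption).
        for i in range(n_sites):
            flagged = rng.random() < (tpr if infected[i] else fpr)
            mult[i] = mult[i] * (1.0 - d) if flagged else 1.0
        # Traffic step: users are routed in proportion to weight * multiplier.
        ranked_total = sum(w * m for w, m in zip(weight, mult))
        for i in range(n_sites):
            share = weight[i] * mult[i] / ranked_total if ranked_total > 0 else 0.0
            if infected[i]:
                exposure += share
                infected_periods += 1
            else:
                # Traffic a clean site would have received but lost to a false positive.
                fp_loss += weight[i] * (1.0 - mult[i]) / total_w
    return Outcome(exposure / periods, fp_loss / periods, infected_periods)


def exposure_reduction(**kw) -> float:
    """Relative drop in exposure versus doing nothing, on the same trajectory."""
    base = simulate(d=0.0, **{k: v for k, v in kw.items() if k != "d"})
    with_int = simulate(**kw)
    return 1.0 - with_int.exposure / base.exposure if base.exposure else 0.0


def exposure_spread(seeds, **kw):
    """Mean and standard deviation of exposure across independent runs, to see
    how much the heavy-tailed popularity inflates run-to-run variance."""
    xs = [simulate(seed=s, **kw).exposure for s in seeds]
    return statistics.mean(xs), statistics.pstdev(xs)


if __name__ == "__main__":
    for gamma in (0.05, 0.5):  # slow vs fast infection removal by site owners
        r = exposure_reduction(gamma=gamma, tpr=0.5, d=0.3)
        print(f"depreferencing d=0.3, gamma={gamma}: exposure reduced by {r:.1%}")
    print("false-positive traffic loss, fpr=0.05, blacklist:",
          simulate(fpr=0.05, d=1.0).fp_traffic_loss)
    for alpha in (1.1, 3.0):  # heavier vs lighter popularity tail
        m, s = exposure_spread(range(20), alpha=alpha, tpr=0.5, d=0.3)
        print(f"alpha={alpha}: mean exposure {m:.4f}, stdev {s:.4f}")
```

The `__main__` block reproduces the shape of the three findings on this toy model: the relative reduction for a given `d` is larger when `gamma` is small (sites stay infected and keep being depressed), any nonzero `fpr` turns into traffic loss for clean sites, and a heavier tail (smaller `alpha`) makes the exposure estimate swing more from run to run, which is the measurement difficulty the paper points to.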
Taxonomy
Topics: Spam and Phishing Detection · Network Security and Intrusion Detection · Advanced Malware Detection Techniques
