Initial growth rates of malware epidemics fail to predict their reach

TL;DR

This study shows that initial malware spread rates do not reliably predict their total impact due to heterogeneity in computer susceptibilities, with most outbreaks dying out early despite rapid initial growth.

Contribution

The paper provides a detailed analysis of malware spread dynamics, revealing how susceptibility heterogeneity limits epidemic reach and challenges traditional predictive models.

Findings

Most malware outbreaks die out early despite rapid initial spread.

Heterogeneity in susceptibility causes a disconnect between initial growth and total reach.

Pervasive malware target less susceptible computers, avoiding the vulnerable tail.

Abstract

Empirical studies show that epidemiological models based on an epidemic's initial spread rate often fail to predict the true scale of that epidemic. Most epidemics with a rapid early rise die out before affecting a significant fraction of the population, whereas the early pace of some pandemics is rather modest. Recent models suggest that this could be due to the heterogeneity of the target population's susceptibility. We study a computer malware ecosystem exhibiting spread mechanisms resembling those of biological systems while offering details unavailable for human epidemics. Rather than comparing models, we directly estimate reach from a new and vastly more complete data from a parallel domain, that offers superior details and insight as concerns biological outbreaks. We find a highly heterogeneous distribution of computer susceptibilities, with nearly all outbreaks initially over-affecting the tail of the distribution, then collapsing quickly once this tail is depleted. This mechanism restricts the correlation between an epidemic's initial growth rate and its total reach, thus preventing the majority of epidemics, including initially fast-growing outbreaks, from reaching a macroscopic fraction of the population. The few pervasive malwares distinguish themselves early on via the following key trait: they avoid infecting the tail, while preferentially targeting computers unaffected by typical malware.