TL;DR
This paper develops a compartmental model called SIIDR to analyze and evaluate cyber defense strategies against self-propagating malware such as WannaCry, and shows on six real-world communication graphs from a large retail network that the best strategies cut infection spread substantially.
Contribution
It introduces the SIIDR model, fitted to real WannaCry attack traces, for realistic malware spread simulation, and evaluates ten defense strategies, including existing edge and node hardening and newly developed reconfiguration (NodeSplit) and community isolation techniques, on real-world network data.
Findings
Certain defenses reduce malware spread by over 95%
Strategic node hardening can contain infections with minimal resource use
Reconfiguration methods outperform traditional hardening strategies
Abstract
Self-propagating malware (SPM) has led to huge financial losses, major data breaches, and widespread service disruptions in recent years. In this paper, we explore the problem of developing cyber resilient systems capable of mitigating the spread of SPM attacks. We begin with an in-depth study of a well-known self-propagating malware, WannaCry, and present a compartmental model called SIIDR that accurately captures the behavior observed in real-world attack traces. Next, we investigate ten cyber defense techniques, including existing edge and node hardening strategies, as well as newly developed methods based on reconfiguring network communication (NodeSplit) and isolating communities. We evaluate all defense strategies in detail using six real-world communication graphs collected from a large retail network and compare their performance across a wide range of attacks and network…
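The abstract describes simulating SPM spread with a compartmental model on a communication graph and then comparing node hardening against isolating communities. The following is an added example, not code from the paper: it uses a generic discrete-time SIR-style model (the page does not define SIIDR's compartments, so this is an assumption, not the paper's model) on a constructed two-community topology, and measures how many hosts each defense leaves exposed. The topology, the `beta`/`gamma` parameters and the helper names are all assumptions made for illustration; NodeSplit is not implemented because the page does not describe how it works.

```python
import random
from collections import defaultdict

# Constructed sample topology (not from the paper): two communities "a" and "b",
# each a ring with a chord, joined by two inter-community links.
EDGES = [
    ("a0", "a1"), ("a1", "a2"), ("a2", "a3"), ("a3", "a4"), ("a4", "a0"), ("a0", "a2"),
    ("b0", "b1"), ("b1", "b2"), ("b2", "b3"), ("b3", "b4"), ("b4", "b0"), ("b1", "b3"),
    ("a2", "b2"), ("a4", "b0"),  # inter-community links (assumed)
]
# Community label of each host: first character of its name (assumption).
COMMUNITY = {n: n[0] for e in EDGES for n in e}


def build_graph(edges):
    """Undirected adjacency sets from an edge list."""
    g = defaultdict(set)
    for u, v in edges:
        g[u].add(v)
        g[v].add(u)
    return g


def simulate(graph, seeds, beta=1.0, gamma=0.5, hardened=(), max_steps=100, rng=None):
    """Discrete-time SIR-style spread (assumed model, not the paper's SIIDR).

    S = susceptible, I = infected and scanning, R = remediated or hardened.
    Each step every infected host tries to infect each susceptible neighbour with
    probability beta, then is remediated with probability gamma. beta=1.0 models a
    worm that always succeeds against a reachable vulnerable host.
    Returns the set of hosts that were ever infected (the attack size).
    """
    rng = rng or random.Random(0)
    state = {n: "S" for n in graph}
    for n in hardened:
        state[n] = "R"          # patched before the attack: never infected
    for s in seeds:
        if state[s] == "S":
            state[s] = "I"
    ever = {n for n in state if state[n] == "I"}
    for _ in range(max_steps):
        infected = [n for n in state if state[n] == "I"]
        if not infected:
            break
        for n in infected:       # spread first, so every host scans at least once
            for m in graph[n]:
                if state[m] == "S" and rng.random() < beta:
                    state[m] = "I"
                    ever.add(m)
        for n in infected:       # then remediation of hosts that were already infected
            if rng.random() < gamma:
                state[n] = "R"
    return ever


def bridge_nodes(graph, community):
    """Hosts with at least one neighbour in another community."""
    return {u for u in graph for v in graph[u] if community[u] != community[v]}


def isolate_communities(graph, community):
    """Community isolation: drop every inter-community edge (e.g. a firewall rule)."""
    intra = [(u, v) for u in graph for v in graph[u] if u < v and community[u] == community[v]]
    return build_graph(intra)


def evaluate(edges, community, seeds, beta=1.0, gamma=0.5, seed=0):
    """Attack size under no defense, hardening the cut hosts on the seed side,
    and community isolation. Same RNG seed per run for a fair comparison."""
    g = build_graph(edges)
    side = community[seeds[0]]
    cut = {n for n in bridge_nodes(g, community) if community[n] == side}
    runs = {
        "no defense": simulate(g, seeds, beta, gamma, rng=random.Random(seed)),
        "harden cut nodes": simulate(g, seeds, beta, gamma, hardened=cut, rng=random.Random(seed)),
        "isolate communities": simulate(isolate_communities(g, community), seeds, beta, gamma,
                                        rng=random.Random(seed)),
    }
    return {name: len(hosts) for name, hosts in runs.items()}


def reduction(baseline, defended):
    """Fractional reduction in attack size relative to the undefended run."""
    return 1.0 - defended / baseline


if __name__ == "__main__":
    worst = evaluate(EDGES, COMMUNITY, ["a0"], beta=1.0)          # worst case: every scan succeeds
    noisy = evaluate(EDGES, COMMUNITY, ["a0"], beta=0.4, seed=7)  # one stochastic run
    for name in worst:
        print(f"{name:22s} worst-case {worst[name]:2d} hosts "
              f"({reduction(worst['no defense'], worst[name]):.0%} reduction), "
              f"stochastic {noisy[name]:2d} hosts")
```

Two things the run makes visible that the abstract only states. Hardening just the two seed-side cut hosts stops the worm from ever reaching the second community, but in this topology it also strands `a3` behind two hardened neighbours, so the measured "reduction" partly reflects the hardened hosts' own neighbours being unreachable rather than protected; a real evaluation should count hardened hosts as a cost, not a gain. Community isolation leaves the seed community fully exposed but caps the blast radius at exactly that community regardless of `beta`, which is why it behaves so predictably under the worst-case setting.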