Modeling Self-Propagating Malware with Epidemiological Models
Alesia Chernikova, Nicolò Gozzi, Simona Boboila, Nicola Perra, Tina Eliassi-Rad, Alina Oprea

TL;DR
This paper introduces and validates a new epidemiological model, SIIDR, for understanding and predicting the rapid spread of self-propagating malware, with empirical data showing its superior accuracy over existing models.
Contribution
The paper proposes the SIIDR model for malware propagation, performs a theoretical stability analysis, and demonstrates its effectiveness using real attack traces.
Findings
SIIDR outperforms traditional epidemiological models in fitting malware data.
The model's basic reproduction number is derived from differential equations.
Empirical data from WannaCry traces validate the model's accuracy.
Abstract
Self-propagating malware (SPM) has recently resulted in large financial losses and high social impact, with well-known campaigns such as WannaCry and Colonial Pipeline being able to propagate rapidly on the Internet and cause service disruptions. To date, the propagation behavior of SPM is still not well understood, resulting in the difficulty of defending against these cyber threats. To address this gap, in this paper we perform a comprehensive analysis of a newly proposed epidemiological model for SPM propagation, Susceptible-Infected-Infected Dormant-Recovered (SIIDR). We perform a theoretical analysis of the stability of the SIIDR model and derive its basic reproduction number by representing it as a system of Ordinary Differential Equations with continuous time. We obtain access to 15 WannaCry attack traces generated under various conditions, derive the model's transition rates,…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Spam and Phishing Detection
