Self-propagating malware (SPM) has recently caused large financial losses and high social impact, with well-known campaigns such as WannaCry propagating rapidly across the Internet and causing service disruptions, as also seen in the Colonial Pipeline incident. To date, the propagation behavior of SPM is still not well understood, which makes defending against these cyber threats difficult. To address this gap, in this paper we perform a comprehensive analysis of a newly proposed epidemiological model for SPM propagation, Susceptible-Infected-Infected Dormant-Recovered (SIIDR). We perform a theoretical analysis of the stability of the SIIDR model and derive its basic reproduction number by representing it as a system of ordinary differential equations in continuous time. We obtain access to 15 WannaCry attack traces generated under various conditions, derive the model's transition rates from them, and show that SIIDR fits the real data best. We find that the SIIDR model outperforms more established compartmental models from epidemiology, such as SI, SIS, and SIR, at modeling SPM propagation.
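To make the comparison in the abstract concrete, the following Python script is an added example; it is not code from the paper and does not reproduce the paper's SIIDR equations or the rates fitted to the WannaCry traces. It assumes a plausible SIIDR transition structure (compartments S, I, ID, R and rates beta, gamma, delta, rho are the example's own assumptions), integrates it with forward Euler beside the SI, SIS and SIR models on the same constructed parameters, and derives the basic reproduction number of the assumed system from its next-generation matrix, which is the standard way R0 is obtained for a compartmental ODE model.

```python
# Added example, not code from the paper: forward-Euler integration of the
# SI, SIS, SIR and an *assumed* SIIDR compartmental model, plus the basic
# reproduction number of that assumed SIIDR model via its next-generation
# matrix. Transition structure and all rate values are hypothetical.

def si_rhs(s, p):
    S, I = s
    f = p["beta"] * S * I / p["N"]          # new infections per unit time
    return (-f, f)

def sis_rhs(s, p):
    S, I = s
    f = p["beta"] * S * I / p["N"]
    return (-f + p["gamma"] * I, f - p["gamma"] * I)

def sir_rhs(s, p):
    S, I, R = s
    f = p["beta"] * S * I / p["N"]
    return (-f, f - p["gamma"] * I, p["gamma"] * I)

def siidr_rhs(s, p):
    # Assumed SIIDR transitions (hypothetical, not the paper's exact system):
    #   S  -> I   at beta*S*I/N  actively scanning hosts infect susceptibles
    #   I  -> ID  at delta*I     the worm stops scanning (dormant, still infected)
    #   ID -> I   at rho*ID      a dormant infection resumes scanning
    #   I  -> R   at gamma*I     the host is patched or cleaned
    S, I, ID, R = s
    f = p["beta"] * S * I / p["N"]
    return (-f,
            f - (p["delta"] + p["gamma"]) * I + p["rho"] * ID,
            p["delta"] * I - p["rho"] * ID,
            p["gamma"] * I)

def simulate(rhs, state0, p, dt=0.01, t_end=200.0):
    """Forward Euler; returns the states sampled once per time unit."""
    state = tuple(float(x) for x in state0)
    steps = int(round(t_end / dt))
    per_unit = int(round(1.0 / dt))
    traj = [state]
    for k in range(1, steps + 1):
        d = rhs(state, p)
        state = tuple(x + dt * dx for x, dx in zip(state, d))
        if k % per_unit == 0:
            traj.append(state)
    return traj

def siidr_r0(p):
    """R0 of the assumed SIIDR model from the next-generation matrix K = F V^-1.
    Infected compartments are (I, ID). New infections enter only I, so
    F = [[beta, 0], [0, 0]]; V (outflows minus transfers between infected
    compartments) = [[delta+gamma, -rho], [-delta, rho]]. R0 is the spectral
    radius of K."""
    beta, gamma, delta, rho = (p[k] for k in ("beta", "gamma", "delta", "rho"))
    det_v = (delta + gamma) * rho - delta * rho          # = gamma * rho
    v_inv = [[rho / det_v, rho / det_v],
             [delta / det_v, (delta + gamma) / det_v]]
    k = [[beta * v_inv[0][0], beta * v_inv[0][1]], [0.0, 0.0]]
    # K is upper triangular, so its eigenvalues are its diagonal entries.
    return max(k[0][0], k[1][1])

def compare(p, i0=10):
    """Run all four models from the same seed and summarise the active-I curve."""
    N = p["N"]
    runs = {
        "SI":    simulate(si_rhs,    (N - i0, i0),       p),
        "SIS":   simulate(sis_rhs,   (N - i0, i0),       p),
        "SIR":   simulate(sir_rhs,   (N - i0, i0, 0),    p),
        "SIIDR": simulate(siidr_rhs, (N - i0, i0, 0, 0), p),
    }
    summary = {}
    for name, traj in runs.items():
        infected = [st[1] for st in traj]        # index 1 is I in every model
        summary[name] = {
            "peak_I": max(infected),
            "peak_day": infected.index(max(infected)),
            "final": traj[-1],
            "conserved": abs(sum(traj[-1]) - N) < 1e-3,   # compartments sum to N
        }
    return summary

# Constructed parameters (per day); not fitted to any real trace.
PARAMS = {"N": 10_000, "beta": 0.5, "gamma": 0.1, "delta": 0.2, "rho": 0.05}

if __name__ == "__main__":
    print("assumed SIIDR R0 =", siidr_r0(PARAMS))
    for name, s in compare(PARAMS).items():
        print(f"{name:6s} peak I={s['peak_I']:8.1f} on day {s['peak_day']:3d}  "
              f"final={tuple(round(x) for x in s['final'])}")
```

Under this assumed structure the next-generation calculation gives R0 = beta/gamma, the same as SIR, because dormancy only interrupts the scanning period without shortening the expected total time a host spends actively infecting; what changes is the shape of the active-infection curve, whose peak is lower and later than SIR's. That distinction between threshold behaviour and trajectory shape is exactly what fitting against real attack traces has to resolve, which the abstract reports the paper does with the WannaCry data.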