Self-propagating malware (SPM) has recently resulted in large financial losses and high social impact, with well-known campaigns such as WannaCry and Colonial Pipeline propagating rapidly on the Internet and causing service disruptions. To date, the propagation behavior of SPM is still not well understood, which makes it difficult to defend against these cyber threats. To address this gap, in this paper we perform a comprehensive analysis of a newly proposed epidemiological model for SPM propagation, Susceptible-Infected-Infected Dormant-Recovered (SIIDR). We perform a theoretical analysis of the stability of the SIIDR model and derive its basic reproduction number by representing it as a system of ordinary differential equations with continuous time. We obtain access to 15 WannaCry attack traces generated under various conditions, derive the model's transition rates, and show that SIIDR fits the real data best. We find that the SIIDR model outperforms more established compartmental models from epidemiology, such as SI, SIS, and SIR, at modeling SPM propagation.