Modeling infection methods of computer malware in the presence of vaccinations using epidemiological models: an analysis of real-world data
- Elad Yom-Tov ,
- Nir Levy ,
- Amir Rubin
International Journal of Data Science and Analytics |
Computer malware and biological pathogens often use similar infection mechanisms. For this reason, it has been suggested to model malware spread using epidemiological models developed to characterize the spread of biological pathogens. However, to date, most work examining the similarities between malware and pathogens using such methods was based on theoretical analysis and simulation. Here we extend the classical susceptible–infected–recovered epidemiological model to describe two of the most common infection methods used by malware. We fit the proposed model to malware collected between April 2017 and April 2018 from a major anti-malware vendor. We show that by fitting the proposed model it is possible to identify the method of transmission used by the malware, its rate of infection, and the number of machines which will be infected unless blocked by anti-virus software. In a large sample of malware infections, the Spearman correlation between the number of actual and predicted infected machines is
. Examining cases where an anti-malware “signature” was transmitted to susceptible computers by the anti-virus provider, we show that the time to remove the malware will be short and independent of the number of infected computers if fewer than approximately 60% of susceptible computers have been infected. If more computers were infected, the time to removal will be approximately 3.2 times greater and will depend on the fraction of infected computers. Our results show that the application of epidemiological models of infection to malware can provide anti-virus providers with information on malware spread and its potential damage. We further propose that similarities between computer malware and biological pathogens, the availability of data on the former, and the dearth of data on the latter, make malware an extremely useful model for testing interventions which could later be applied to improve medicine.