Propagation of the Malware Used in APTs Based on Dynamic Bayesian Networks

Authors:

Hernandez Guillen Jose D., Martin del Rey Angel, Casado-Vara Roberto

Abstract

Malware is becoming more and more sophisticated these days. Currently, the aim of some special specimens of malware is not to infect the largest possible number of devices, but to reach a specific set of devices (target devices). This type of malware is usually employed in association with advanced persistent threat (APT) campaigns. Although the great majority of scientific studies are devoted to the design of efficient algorithms to detect this kind of threat, knowledge about its propagation is also of interest. In this article, a new stochastic computational model to simulate its propagation is proposed based on Bayesian networks. This model considers two characteristics of the devices: having efficient countermeasures, and the number of infectious devices in the neighborhood. Moreover, it takes into account four states: susceptible devices, damaged devices, infectious devices and recovered devices. In this way, the dynamics of the model are SIDR (susceptible–infectious–damaged–recovered). Contrary to what happens with global models, the proposed model takes into account both the individual characteristics of devices and the contact topology. Furthermore, the dynamics are governed by means of a (practically) unexplored technique in this field: Bayesian networks.

Publisher

MDPI AG

Subject

General Mathematics, Engineering (miscellaneous), Computer Science (miscellaneous)

Cited by 5 articles.

1. A Q-Learning Based Method to Simulate the Propagation of APT Malware;Lecture Notes in Networks and Systems;2023

2. Finding and Removing Infected T-Trees in IoT Networks;Lecture Notes in Networks and Systems;2023

3. A novel approach for detection of APT malware using multi-dimensional hybrid Bayesian belief network;International Journal of Information Security;2022-11-10

4. Reinforcement Learning Model Free with GLIE Monte-Carlo on Policy Update for Network Topology Discovery;International Joint Conference 15th International Conference on Computational Intelligence in Security for Information Systems (CISIS 2022) 13th International Conference on EUropean Transnational Education (ICEUTE 2022);2022-11-05

5. Bayesian Networks for Preprocessing Water Management Data;Mathematics;2022-05-23
