Over the years, cybercriminals have refined their tools by developing increasingly stealthy malware. One effective approach involves temporarily putting malware into a dormant state to evade detection, then reactivating it at the right moment to relaunch the infection. Notable examples, such as Emotet and Marap, well illustrate this strategy: the former is capable of remaining inactive for several weeks before launching new attacks, while the latter passively gathers minimal system data while awaiting further instructions. These behaviors suggest the presence of two distinct categories of infected nodes: active and dormant. Motivated by these practical illustrations, we propose an SI \(^{2}\) R model in which an infected node can transition into a dormant, undetectable state and be reactivated at a speed controlled by the attacker. The goal is to identify optimal transition strategies (both for dormancy and reactivation) to optimize the peak number of dormant nodes reached during the process, prepared to strike at the most effective moment. This model provides a mathematical framework for analyzing delayed cyber threats and the attacker’s timing strategies while also informing proactive defense mechanisms against such latent threats (DISTRIBUTION A. Approved for public release: distribution unlimited).

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Optimizing Stealth Infections in an SI \(^{2}\) R Model with Active-to-Sleep Dynamics

  • Mohamed Arnouss,
  • Willie Kouam,
  • Yezekael Hayel

摘要

Over the years, cybercriminals have refined their tools by developing increasingly stealthy malware. One effective approach involves temporarily putting malware into a dormant state to evade detection, then reactivating it at the right moment to relaunch the infection. Notable examples, such as Emotet and Marap, well illustrate this strategy: the former is capable of remaining inactive for several weeks before launching new attacks, while the latter passively gathers minimal system data while awaiting further instructions. These behaviors suggest the presence of two distinct categories of infected nodes: active and dormant. Motivated by these practical illustrations, we propose an SI \(^{2}\) R model in which an infected node can transition into a dormant, undetectable state and be reactivated at a speed controlled by the attacker. The goal is to identify optimal transition strategies (both for dormancy and reactivation) to optimize the peak number of dormant nodes reached during the process, prepared to strike at the most effective moment. This model provides a mathematical framework for analyzing delayed cyber threats and the attacker’s timing strategies while also informing proactive defense mechanisms against such latent threats (DISTRIBUTION A. Approved for public release: distribution unlimited).