Transmissive & Epidemic Attack Models
- Transmissive and epidemic-inspired attack models are quantitative frameworks that analogize malware spread to biological contagion using compartmental models like SI, SIS, and SIR.
- These models extend classical paradigms with features such as dormancy, stealth, and network topological effects to accurately assess outbreak thresholds and propagation dynamics.
- Analyses of credential-based lateral movement and adaptive defenses employ metrics like reproduction numbers and spectral radii to optimize countermeasure strategies.
Transmissive and epidemic-inspired attack models constitute a class of quantitative frameworks for representing the propagation of self-propagating malware, credential-based lateral movement, and related cyber threats using methodologies adapted from mathematical epidemiology. Central to these models is the analogy between malware transmission and biological contagion, allowing rigorous analysis of outbreak thresholds, propagation speed, topological vulnerability, and countermeasure efficacy. Modern work extends classical SI, SIS, and SIR paradigms with features capturing real cyber-epidemic nuances such as dormancy, privilege escalation, stealth/visibility tradeoffs, user awareness propagation, and network structure effects.
1. Foundational Compartmental Models for Malware Propagation
Transmissive models reframe each computing device or host as inhabiting one of several epidemiological compartments, with malware state transitions governed by rates directly analogous to those in infectious disease dynamics. The Susceptible-Infected-Infected Dormant-Recovered (SIIDR) model exemplifies this approach, introducing compartments S, I, I_D and R to represent uninfected hosts, actively propagating infectives, dormantly infected nodes, and recovered/immune nodes, respectively. Dynamics are captured by an ODE system over these compartments whose four parameters are the infection rate, the removal/patching rate, the dormancy-onset rate, and the reactivation rate.
The outbreak threshold, the basic reproduction number R_0, coincides with the SIR model's criticality criterion (infection rate over removal rate): an epidemic occurs if and only if R_0 > 1 (Chernikova et al., 2022). On real-world datasets such as 15 WannaCry traces, the SIIDR model fits better than SI, SIS, or SIR models because it captures the bursty scanning and silent intervals inherent to network malware.
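As an added worked example (not code from Chernikova et al.), the following Python script integrates a SIIDR system of the kind the text describes and reports the outbreak metrics a practitioner would check. The exact ODE form is an assumption of this example: susceptible hosts are infected at rate beta by active infectives only, active infectives are patched at rate gamma or go dormant at rate delta, dormant hosts reactivate at rate sigma, and dormant hosts are assumed to be neither scanning nor patched while silent. Under that assumption dormancy only pauses an infective, so its total expected active time is still 1/gamma and R_0 = beta/gamma as in SIR; the parameter values below are constructed.

```python
"""SIIDR compartmental simulation (added example; ODE form assumed, see lead-in)."""
from dataclasses import dataclass


@dataclass
class SIIDRParams:
    beta: float    # infection rate: S -> I, driven by active infectives only
    gamma: float   # removal/patching rate: I -> R
    delta: float   # dormancy-onset rate: I -> I_D
    sigma: float   # reactivation rate: I_D -> I


def r0(p: SIIDRParams) -> float:
    """Basic reproduction number. Dormancy only pauses an infective, so its total
    active time is still 1/gamma and the SIR criterion beta/gamma > 1 applies."""
    return p.beta / p.gamma


def derivatives(state, p: SIIDRParams):
    s, i, d, r = state          # fractions of the population in S, I, I_D, R
    new_inf = p.beta * s * i    # assumption: dormant hosts neither scan nor get patched
    return (-new_inf,
            new_inf - (p.gamma + p.delta) * i + p.sigma * d,
            p.delta * i - p.sigma * d,
            p.gamma * i)


def simulate(p: SIIDRParams, i0=1e-3, t_end=200.0, dt=0.05):
    """Fixed-step RK4 integration; returns the list of (S, I, I_D, R) states."""
    state = (1.0 - i0, i0, 0.0, 0.0)
    traj = [state]
    for _ in range(int(t_end / dt)):
        k1 = derivatives(state, p)
        k2 = derivatives(tuple(x + 0.5 * dt * k for x, k in zip(state, k1)), p)
        k3 = derivatives(tuple(x + 0.5 * dt * k for x, k in zip(state, k2)), p)
        k4 = derivatives(tuple(x + dt * k for x, k in zip(state, k3)), p)
        state = tuple(x + dt / 6.0 * (a + 2 * b + 2 * c + e)
                      for x, a, b, c, e in zip(state, k1, k2, k3, k4))
        traj.append(state)
    return traj


def outbreak_summary(p: SIIDRParams, **kw):
    traj = simulate(p, **kw)
    return {
        "r0": r0(p),
        "peak_active": max(st[1] for st in traj),   # largest fraction scanning at once
        "peak_dormant": max(st[2] for st in traj),  # silent but still infected
        "final_attack_rate": traj[-1][3],           # cumulative infections once the wave ends
    }


if __name__ == "__main__":
    # Constructed parameter sets: identical dormancy behaviour, R_0 = 3 versus R_0 = 0.75.
    for p in (SIIDRParams(0.6, 0.2, 0.3, 0.1), SIIDRParams(0.15, 0.2, 0.3, 0.1)):
        print(outbreak_summary(p))
```

The supercritical run (R_0 = 3) produces a large final attack rate while the dormant pool stays several times larger than the active one, which is the observable the SIIDR fit exploits: a scanner sees only the active fraction, so the true infected population is underestimated unless dormancy is modeled. The subcritical run (R_0 = 0.75) never grows beyond its seed.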
In network-aware settings, models generalize by letting the state variables reside on the nodes of a graph, so that each host carries its own S, I, I_D or R state and transition rates become weighted sums over adjacent nodes. The spectral radius λ_max(A) of the adjacency matrix then sets the epidemic threshold: an outbreak is possible only if the ratio of infection rate to removal rate exceeds 1/λ_max(A), tying network topology directly to outbreak potential.
2. Lateral Movement and Credential Chaining: Epidemic and Reachability Analysis
Credential-based lateral movement, a hallmark of advanced persistent threats (APTs), is formalized as a contagion process on a directed graph (“authnet”) where edges represent administrative authentication capabilities, inherited via credential theft (Powell, 2019). Both “SI” (persistence-only) and “SIR” (infection/removal with detection) models are used; transitions occur only along authnet edges, so a compromised host can infect exactly the hosts to which it holds an administrative authentication path.
Metrics derived from epidemic analysis—such as expected reachability (descendant set size), eccentricity, betweenness, Katz centrality, and collective influence—support systematic identification of “spreader” nodes, “escalators” (nodes high in privilege-escalation liability), and “gatekeepers” bridging ordinary nodes to high-value targets.
Countermeasure simulations, e.g., disabling remote local-account login or enabling Windows Remote Credential Guard, can then be evaluated quantitatively: reductions in average descendants (M_desc), the effective reproduction number, escalator counts, and gatekeeper set size map directly to control efficacy.
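As an added example (not Powell's code or data), the following Python script builds a small constructed authnet, computes each node's descendant set under the SI (persistence-only) model by graph reachability, and re-runs the analysis with one edge class removed to quantify a control. The host names, edge labels, and the simplified definitions used here (escalators are nodes from which a high-value target is reachable; gatekeepers are escalators with a direct administrative edge into one) are assumptions of this example, as is the mapping of a control such as disabling remote local-account logon onto "drop every local_admin edge".

```python
"""Credential-chaining reachability on a constructed authnet (added example)."""
from collections import defaultdict, deque

# Constructed authnet: an edge (u, v, label) means a credential present on u can
# authenticate administratively to v, so compromise of u can spread to v.
# The label names the mechanism so a control can be simulated by dropping a class.
AUTHNET = [
    ("ws01", "ws02", "local_admin"),       # shared local administrator password
    ("ws02", "ws03", "local_admin"),
    ("ws03", "ws01", "local_admin"),
    ("ws03", "srv_app", "local_admin"),
    ("ws01", "srv_file", "domain_user"),   # helpdesk account with cached logon on ws01
    ("srv_file", "srv_db", "domain_user"),
    ("ws04", "srv_app", "domain_user"),
    ("srv_app", "dc01", "domain_admin"),   # domain admin session left on srv_app
    ("srv_db", "dc01", "domain_admin"),
]
HIGH_VALUE = {"dc01"}


def build_graph(edges, drop_labels=frozenset()):
    g = defaultdict(set)
    nodes = set()
    for u, v, label in edges:
        nodes.update((u, v))
        if label not in drop_labels:
            g[u].add(v)
    return g, nodes


def descendants(g, src):
    """SI (persistence-only) reach: every host an attacker holding src eventually owns."""
    seen, queue = {src}, deque([src])
    while queue:
        u = queue.popleft()
        for v in g[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    seen.discard(src)
    return seen


def analyze(edges, drop_labels=frozenset()):
    """Descendant-based metrics; escalator/gatekeeper definitions are simplified here."""
    g, nodes = build_graph(edges, drop_labels)
    desc = {n: descendants(g, n) for n in nodes}
    m_desc = sum(len(d) for d in desc.values()) / len(nodes)
    escalators = {n for n, d in desc.items() if d & HIGH_VALUE}   # can reach a crown jewel
    gatekeepers = {n for n in escalators if g[n] & HIGH_VALUE}     # direct edge into one
    top_spreader = min(nodes, key=lambda n: (-len(desc[n]), n))
    return {"m_desc": m_desc, "escalators": escalators,
            "gatekeepers": gatekeepers, "top_spreader": top_spreader}


def control_effect(edges, drop_labels):
    """Compare metrics before and after removing an edge class (one control)."""
    before, after = analyze(edges), analyze(edges, frozenset(drop_labels))
    return {k: (before[k], after[k]) for k in before}


if __name__ == "__main__":
    # Constructed mapping: disabling remote local-account logon removes local_admin edges;
    # keeping domain-admin credentials off member servers removes domain_admin edges.
    for control in ({"local_admin"}, {"domain_admin"}):
        print(control, control_effect(AUTHNET, control))
```

On this graph, dropping the local_admin class cuts M_desc from 3.0 to 1.125 and breaks the workstation cycle that made ws01, ws02 and ws03 equal-ranked spreaders, but leaves the two gatekeepers in place; dropping the domain_admin class leaves M_desc higher (2.125) yet empties the escalator set, because dc01 is no longer reachable from anywhere. Which control is "better" therefore depends on whether the defender is optimizing reach or protection of the high-value set, which is exactly why the text reports several metrics rather than one.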
3. Epidemic Thresholds, Adaptive Defense, and Topological Influence
Across the classic SIR, SIS, and SEIR families, the epidemic threshold is determined by the ratio of infection to recovery rates, modulated by network structure. For SIS on arbitrary time-varying networks (Xu et al., 2013), the dominant eigenvalue of the time-averaged adjacency matrix, together with the long-run average infection and cure rates, determines system behavior. Adaptive defense is realized either via semi-adaptive scheduling (parameters known a priori) or fully adaptive feedback (cure rates adjusted in real time from observed infection levels). The key spectral criterion for fast extinction combines these three quantities: the average infection intensity, amplified by the dominant eigenvalue, must be outweighed by the average cure rate.
Network topology critically shapes epidemic dynamics: scale-free (power-law) topologies have much larger spectral radii than lattice or ER graphs, which lowers the epidemic threshold and sustains persistent infections (Lucatero, 2021). Surgical edge removals or topological rewiring (e.g., constructing minimum-spectral-radius subgraphs) can raise the threshold, pushing the system below epidemic criticality without immunizing every node.
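Added example (not code from Lucatero, 2021 or Xu et al., 2013): a pure-Python computation of the spectral radius λ_max(A) for three constructed 400-node topologies with mean degree about 4 (a ring lattice, an Erdős–Rényi graph, and a Barabási–Albert preferential-attachment graph), the resulting threshold 1/λ_max, and the effect of removing the same number of edges at random versus targeting the edges with the largest product of Perron-eigenvector entries, a standard heuristic for lowering the spectral radius. The graph generators, the seed, and the 5% removal budget are this example's assumptions.

```python
"""Spectral radius, epidemic threshold and edge removal (added example)."""
import random


def ring_lattice(n, k=4):
    """Each node linked to its k/2 nearest neighbours on each side (k-regular)."""
    adj = [set() for _ in range(n)]
    for i in range(n):
        for d in range(1, k // 2 + 1):
            j = (i + d) % n
            adj[i].add(j); adj[j].add(i)
    return adj


def erdos_renyi(n, mean_degree, rng):
    p = mean_degree / (n - 1)
    adj = [set() for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            if rng.random() < p:
                adj[i].add(j); adj[j].add(i)
    return adj


def barabasi_albert(n, m, rng):
    """Preferential attachment: each new node links to m existing nodes picked
    proportionally to degree, producing a power-law degree distribution."""
    adj = [set() for _ in range(n)]
    endpoints = []                  # every node appears once per incident edge
    targets = list(range(m))        # the first new node links to the m seed nodes
    for v in range(m, n):
        for t in set(targets):
            adj[v].add(t); adj[t].add(v)
            endpoints.extend((v, t))
        targets = [rng.choice(endpoints) for _ in range(m)]
    return adj


def spectral_radius(adj, iters=300):
    """Perron root of the adjacency matrix by power iteration on A + I (the shift
    removes the sign oscillation a bipartite graph would otherwise cause).
    Returns (lambda_max, Perron eigenvector)."""
    n = len(adj)
    x = [1.0 / n ** 0.5] * n
    for _ in range(iters):
        y = [x[i] + sum(x[j] for j in adj[i]) for i in range(n)]
        norm = sum(v * v for v in y) ** 0.5
        x = [v / norm for v in y]
    lam = sum(x[i] * sum(x[j] for j in adj[i]) for i in range(n))   # Rayleigh quotient of A
    return lam, x


def epidemic_threshold(adj):
    """SIS/SIR on a graph: an outbreak can persist only if infection/cure > 1/lambda_max."""
    return 1.0 / spectral_radius(adj)[0]


def remove_edges(adj, n_remove, rng=None):
    """Drop n_remove edges: uniformly at random if rng is given, otherwise the edges
    with the largest x_u * x_v, which contribute most to lambda_max."""
    adj = [set(s) for s in adj]
    edges = sorted({(min(u, v), max(u, v)) for u in range(len(adj)) for v in adj[u]})
    if rng is not None:
        chosen = rng.sample(edges, n_remove)
    else:
        _, x = spectral_radius(adj)
        chosen = sorted(edges, key=lambda e: x[e[0]] * x[e[1]], reverse=True)[:n_remove]
    for u, v in chosen:
        adj[u].discard(v); adj[v].discard(u)
    return adj


def compare_topologies(n=400, seed=7):
    rng = random.Random(seed)
    graphs = {
        "ring_lattice": ring_lattice(n, 4),
        "erdos_renyi": erdos_renyi(n, 4.0, rng),
        "barabasi_albert": barabasi_albert(n, 2, rng),
    }
    result = {name: spectral_radius(g)[0] for name, g in graphs.items()}
    ba = graphs["barabasi_albert"]
    budget = sum(len(s) for s in ba) // 2 // 20          # remove 5% of the BA edges
    result["ba_random_removal"] = spectral_radius(remove_edges(ba, budget, rng))[0]
    result["ba_targeted_removal"] = spectral_radius(remove_edges(ba, budget))[0]
    return result


if __name__ == "__main__":
    for name, lam in compare_topologies().items():
        print(f"{name:22s} lambda_max={lam:6.3f}  threshold beta/gamma > {1 / lam:.3f}")
```

The ring lattice is 4-regular, so its spectral radius is exactly 4 and its threshold 0.25; the ER graph sits somewhat above that, and the scale-free graph well above both despite having the same mean degree, because its hubs dominate the Perron eigenvector. Removing 5% of edges at random barely moves λ_max, while the same budget spent on hub-to-hub edges lowers it markedly, which is the segmentation argument of the text in numbers.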
4. Extensions: Information Theory, Dependence, Dormancy, and Stealth
Transmissive malware often leverages non-uniform vulnerable-host distributions and advanced scanning strategies, with propagation speedups governed precisely by the “non-uniformity factor”, a Rényi-entropy-derived measure quantifying how unevenly vulnerable hosts cluster across address-space groups and hence by how much that clustering multiplies the basic infection rate (0805.0802). Random scanning achieves the baseline growth rate, while network-aware or importance scanning multiplies the early exponential growth rate by exactly this factor, producing substantially faster outbreaks in the early stage. Defenses such as host-based protection or address-space expansion (IPv6) are effective only if they materially reduce either the scanning rate or the non-uniformity factor.
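Added example (not the authors' code): computing the non-uniformity factor from a constructed vulnerable-host list at two prefix granularities. The form assumed here is the standard Rényi one, 2^(H_0 - H_2), with H_0 the Hartley entropy of the 2^l address-space groups at prefix length l and H_2 the order-2 (collision) Rényi entropy of the fraction of vulnerable hosts per group; algebraically this is 2^l times the sum of squared group fractions, equal to 1 for a perfectly even spread and to 2^l when every vulnerable host sits in one group. The host list and the scanning rate used for the growth comparison are constructed.

```python
"""Non-uniformity factor of a vulnerable-host distribution (added example)."""
import ipaddress
import math
from collections import Counter


def renyi_entropy(probs, order=2):
    """Rényi entropy of order != 1 in bits; order 2 is the collision entropy."""
    probs = [p for p in probs if p > 0]
    return math.log2(sum(p ** order for p in probs)) / (1 - order)


def non_uniformity_factor(group_counts, total_groups):
    """2^(H0 - H2): 1 when hosts are spread evenly over all groups, total_groups when
    they sit in a single group. Empty groups count toward H0 but not toward H2."""
    total = sum(group_counts)
    probs = [c / total for c in group_counts]
    h0 = math.log2(total_groups)     # uniform random scanning treats every group alike
    h2 = renyi_entropy(probs, 2)     # the structure an importance scanner exploits
    return 2 ** (h0 - h2)


def factor_by_prefix(hosts, prefix_len):
    """Group vulnerable hosts by their /prefix_len block and compute the factor."""
    groups = Counter(int(ipaddress.IPv4Address(h)) >> (32 - prefix_len) for h in hosts)
    return non_uniformity_factor(list(groups.values()), 2 ** prefix_len)


def early_growth_rates(alpha, hosts, prefix_len):
    """Early-stage exponential growth rate: alpha for random scanning, alpha times the
    factor for importance scanning that weights /prefix_len blocks by vulnerable density."""
    return alpha, alpha * factor_by_prefix(hosts, prefix_len)


# Constructed vulnerable-host list: two busy /16s inside 10/8 and a thin 192.168 presence.
VULNERABLE_HOSTS = (
    [f"10.1.{i}.{(7 * i) % 250 + 1}" for i in range(60)]
    + [f"10.2.{i}.{(11 * i) % 250 + 1}" for i in range(20)]
    + [f"192.168.{i}.{(3 * i) % 250 + 1}" for i in range(4)]
)

if __name__ == "__main__":
    for prefix_len in (8, 16):
        base, aware = early_growth_rates(0.01, VULNERABLE_HOSTS, prefix_len)
        print(f"/{prefix_len}: factor={aware / base:.1f}  growth random={base:.4f} "
              f"importance={aware:.4f}")
```

The factor grows with the prefix length because finer groups expose more of the clustering; on this toy list it is already in the hundreds at /8 and in the tens of thousands at /16, since almost the whole address space is empty. Expanding the address space (IPv6) without changing where the vulnerable hosts actually are leaves the per-group fractions, and therefore the speedup an importance scanner enjoys over random scanning, unchanged; only the absolute scanning-rate term moves.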
Dormancy and delayed activity are addressed by models that incorporate “inactive” or “sleep” states, for example, in wireless sensor networks via coupled Markov chains over “active/inactive” and “SIS” states. The epidemic threshold in such models becomes inversely proportional to the mean activation probability; increasing nodes' sleep time or randomizing duty cycles sharply raises the epidemic barrier (Wu et al., 2023).
Where multiple concurrent attack vectors exist, or attacks are coordinated, classical models assuming independent infection events may misrepresent risk. Generalizing with copula-based dependence models allows inclusion of any correlation structure among attack events; positive dependence increases epidemic risk, negative dependence reduces it, and thresholds calibrated under independence may either under- or over-provision security (Xu et al., 2016).
Visibility-aware and stealth-optimal malware campaigns are modeled as controls over infection-variant deployment, with attackers optimizing a running payoff that balances efficacy (total infections) against a visibility penalty (infected detectable hosts) (Eshghi et al., 2015). Optimal policies are “bang–bang” with a single switch: spread aggressively (visibly) up to a switching time, then use the stealthier infection variant for the remainder of the campaign. Defender-aware countermeasures (e.g., adaptive detection tied to visible infection rates) can reduce net impact.
5. Non-Monotonicity, Behavioral Adaptation, and Defense Implications
While traditional models guarantee monotonic outbreak growth with increasing transmissibility, behavioral feedback can induce non-monotonicity. The 2FleeSIR model formalizes self-protective avoidance: nodes observing two infected neighbors sever their incoming links, suppressing outbreaks at high transmissibility (Gutfraind, 2010). This destroys classical epidemic thresholds on well-connected graphs; in security applications, threshold-based “auto-isolation” rules introduced in hosts can leverage such non-monotonicity for containment. Attacks can partially evade these mechanisms by moderating their propagation speed, staying below triggering thresholds.
Malware-specific compartmental models that couple malware propagation with user awareness and countermeasures yield multi-wave epidemic phenomena: an initial outbreak triggers a wave of information diffusion (awareness), which then induces defensive responses (antivirus deployment) (Aleja et al., 2022). Quantitative analysis reveals that scale-free topologies are systemically more vulnerable, mutating/time-bomb malware strains can temporarily outpace awareness, and that lower awareness thresholds or increased recovery rates are the most effective defensive levers.
6. Spatial and Mobility-Driven Modeling in Wireless and Opportunistic Networks
Wireless and mobile networks require models incorporating spatial correlation and node activity cycles. In wireless ad hoc networks, the communication topology is well approximated by random geometric graphs, imparting high clustering and spatially local interactions; epidemic thresholds are elevated, and sub-exponential early-time growth is common (0707.2293). Transmission protocols such as MAC “listen-before-talk” rules yield self-throttling effects, further impeding worm spread. In mobility-driven proximity infection (e.g., via Bluetooth devices), kinetic-theory contact rates determine the mass-action infection parameter, which scales linearly in device density, mean speed, and interaction range (0802.2685).
Targeted design and defense strategies emerge:
- To maximize transmissibility, attackers focus on increasing node activation probabilities, exploiting high-degree nodes in heterogeneous networks, deploying time-delayed or mutating strains, and exploiting clustering-induced low thresholds.
- Defenders prioritize reducing the effective spectral radius via segmentation, isolation, or dynamical topology management; elevating patch/deployment rates; implementing threshold-based behavioral defenses; and, in wireless contexts, manipulating duty cycles and leveraging MAC-layer constraints.
7. Open Problems and Research Directions
Ongoing challenges encompass the need for network-aware, non-homogeneous models that scale to enterprise levels, accurate inferential methods for transition-rate estimation from real data, integration of adversarial dependence and strategic adaptiveness, and coevolutionary modeling of attacker-defender dynamics. Extensions to multi-strain, cross-network, or “network-of-networks” architectures will likely require richer stochastic or agent-based frameworks, and more sophisticated feedback-based control strategies that dynamically allocate remediation effort. The development of analytical tools quantifying the effect of user awareness propagation, delayed attack activation, and defense-induced network evolution remains a significant area of inquiry.
Key references: (Chernikova et al., 2022, Powell, 2019, Xu et al., 2013, Aleja et al., 2022, Wu et al., 2023, 0805.0802, Xu et al., 2016, Eshghi et al., 2015, Gutfraind, 2010, 0707.2293, 0802.2685, Lucatero, 2021)