Title: Dual-SPIR model for predicting APT malware spread in organization networks
Authors: Hai Anh Tran, Xuan Cho Do, Thanh Thuy Nguyen
DOI: 10.1016/j.compeleceng.2025.110214
Journal: Computers & Electrical Engineering, volume 123, Article 110214 (impact factor 4.0; JCR Q1, Computer Science, Hardware & Architecture; CAS region 3, computer science)
Publication date: 2025-03-03 (journal article, not open access)
URL: https://www.sciencedirect.com/science/article/pii/S0045790625001570
Citations: 0
Abstract
Modeling the spread of Advanced Persistent Threat (APT) malware in systems is currently an important task. Several compartmental models have been proposed, and they have shown some effectiveness, indicating that this is a promising research direction. However, these approaches still face key challenges: i) they do not yet fully model the lifecycle and processes of APT malware; ii) they do not identify or quantify the influence of environmental factors on the predicted spread. To address these two issues, this paper introduces a new model, the Dual Susceptible-Protected-Infected-Recovered (Dual-SPIR) model. For the first issue, Dual-SPIR is a two-layer model that represents the spread, privilege escalation, and data theft processes of APT malware. For the second issue, this research proposes three main factors that affect the spread of APT malware: i) the behavior of the malware; ii) the security technologies used by the system; and iii) system vulnerabilities. The Dual-SPIR model quantifies the impact of these three factors on the spread of APT malware within the system. Specifically, for malware behavior we use the MITRE ATT&CK framework, currently one of the most widely used references for describing APT tactics and techniques. For system protection we selected antivirus software, a tool organizations widely deploy to defend their systems against APT campaigns. Lastly, for system vulnerabilities the research focuses on office software vulnerabilities on the Windows 10 operating system. Experiments across several scenarios show that the Dual-SPIR model outperforms the compared approaches on all evaluation metrics. This demonstrates that the research has not only academic value but also practical relevance, as it combines the three key factors into a single model of APT malware spread within systems.
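The abstract describes the shape of the model (two layers, four host compartments, three environmental factors) but not its transition equations. The following is an added example, not the paper's code: a discrete-time, two-layer Susceptible-Protected-Infected-Recovered simulation in which the host layer tracks spread and a second layer tracks the attacker's progress on infected hosts (foothold, privilege escalation, data theft), with three normalized factors (ATT&CK-derived attack behavior, antivirus efficacy, vulnerability exposure) scaling the rates. The compartment names, the forward-Euler update, every rate value, the way the factors scale the rates, and the 1000-host scenarios are all assumptions of this example and are not taken from the paper.

```python
"""
Added example: a discrete-time two-layer SPIR simulation in the spirit of the
Dual-SPIR model. It is NOT the paper's code; the transition rules, rates and the
way the three factors (ATT&CK-derived behaviour, antivirus efficacy, vulnerability
exposure) scale those rates are assumptions made here for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Factors:
    """Environmental factors, each normalised to [0, 1] (assumed scaling)."""
    attack_behavior: float  # aggressiveness inferred from the ATT&CK techniques in use
    av_efficacy: float      # share of infection attempts the antivirus blocks on protected hosts
    vuln_exposure: float    # share of hosts running exploitable office-suite builds


@dataclass
class State:
    # Layer 1: host compartments (always sum to n_hosts)
    S: float  # susceptible: unprotected, not yet compromised
    P: float  # protected: antivirus in place, still partly exposed
    I: float  # infected: running the APT malware
    R: float  # recovered: remediated, no longer exploitable by this campaign
    # Layer 2: attacker progress on infected hosts (always sum to I)
    foothold: float     # initial access only
    escalated: float    # privilege escalation achieved
    exfiltrated: float  # data theft under way

    def ever_infected(self) -> float:
        return self.I + self.R


def effective_beta(base_beta: float, f: Factors) -> float:
    """Assumed scaling: behaviour and exposure each move the contact rate between half and full."""
    return base_beta * (0.5 + 0.5 * f.attack_behavior) * (0.5 + 0.5 * f.vuln_exposure)


def step(s: State, n_hosts: float, f: Factors, beta: float,
         protect_rate: float, remediation_rate: float,
         escalation_rate: float, theft_rate: float) -> State:
    """One time step; every flow is computed from the incoming state (forward Euler)."""
    pressure = beta * s.I / n_hosts
    new_inf_S = min(s.S, s.S * pressure)                           # S -> I
    new_inf_P = min(s.P, s.P * pressure * (1.0 - f.av_efficacy))   # P -> I, AV blocks a share
    new_prot = min(s.S - new_inf_S, s.S * protect_rate)            # S -> P (AV rollout)
    new_rec = s.I * remediation_rate                               # I -> R

    # Remediated hosts leave layer 2 in proportion to how far the attacker had got on them.
    surv = 1.0 - (new_rec / s.I if s.I > 0 else 0.0)
    fh, es, ex = s.foothold * surv, s.escalated * surv, s.exfiltrated * surv
    new_esc = fh * escalation_rate * f.attack_behavior             # foothold -> escalated
    new_theft = es * theft_rate                                    # escalated -> exfiltrated

    return State(
        S=s.S - new_inf_S - new_prot,
        P=s.P + new_prot - new_inf_P,
        I=s.I + new_inf_S + new_inf_P - new_rec,
        R=s.R + new_rec,
        foothold=fh - new_esc + new_inf_S + new_inf_P,   # fresh infections start at foothold
        escalated=es + new_esc - new_theft,
        exfiltrated=ex + new_theft,
    )


def simulate(n_hosts: int, steps: int, f: Factors, *, base_beta: float = 0.3,
             protect_rate: float = 0.05, remediation_rate: float = 0.1,
             escalation_rate: float = 0.2, theft_rate: float = 0.15,
             initial_infected: float = 1.0) -> list[State]:
    """Run the two-layer model from a single foothold and return the whole trajectory."""
    beta = effective_beta(base_beta, f)
    s = State(S=n_hosts - initial_infected, P=0.0, I=initial_infected, R=0.0,
              foothold=initial_infected, escalated=0.0, exfiltrated=0.0)
    history = [s]
    for _ in range(steps):
        s = step(s, n_hosts, f, beta, protect_rate, remediation_rate, escalation_rate, theft_rate)
        history.append(s)
    return history


def compare_av(n_hosts: int = 1000, steps: int = 300) -> dict[str, float]:
    """Same campaign against weak and strong antivirus; returns hosts ever infected (constructed scenario)."""
    weak = Factors(attack_behavior=1.0, av_efficacy=0.0, vuln_exposure=1.0)
    strong = Factors(attack_behavior=1.0, av_efficacy=1.0, vuln_exposure=1.0)
    return {
        "weak_av": simulate(n_hosts, steps, weak)[-1].ever_infected(),
        "strong_av": simulate(n_hosts, steps, strong)[-1].ever_infected(),
    }


if __name__ == "__main__":
    f = Factors(attack_behavior=0.8, av_efficacy=0.7, vuln_exposure=0.5)
    for t, s in enumerate(simulate(1000, 120, f)):
        if t % 20 == 0:
            print(f"t={t:3d} S={s.S:7.1f} P={s.P:7.1f} I={s.I:6.1f} R={s.R:6.1f} "
                  f"escalated={s.escalated:6.1f} exfiltrated={s.exfiltrated:6.1f}")
    print(compare_av())
```

Two properties worth checking in any compartmental model of this kind are built into the example: the host compartments always sum to the fleet size, and the layer-2 compartments always sum to the infected count, so remediation correctly removes attacker progress along with the host. The `compare_av` scenario illustrates what the second factor buys: with `av_efficacy` at 1.0 only still-unprotected hosts can be infected, so the campaign dies out as the antivirus rollout drains the susceptible pool, whereas at 0.0 the protected compartment is infected at the same rate as the susceptible one and the outbreak reaches most of the fleet. The numbers are only as meaningful as the calibration of the rates, which is exactly the gap the paper's three-factor estimation is meant to fill.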
Journal description:
The impact of computers has nowhere been more revolutionary than in electrical engineering. The design, analysis, and operation of electrical and electronic systems are now dominated by computers, a transformation that has been motivated by the natural ease of interface between computers and electrical systems, and the promise of spectacular improvements in speed and efficiency.
Published since 1973, Computers & Electrical Engineering provides rapid publication of topical research into the integration of computer technology and computational techniques with electrical and electronic systems. The journal publishes papers featuring novel implementations of computers and computational techniques in areas like signal and image processing, high-performance computing, parallel processing, and communications. Special attention will be paid to papers describing innovative architectures, algorithms, and software tools.