Dual-SPIR model for predicting APT malware spread in organization networks

Modeling the spread of Advanced Persistent Threat (APT) malware in systems is currently an important task. Several compartmental models have been proposed, and they have shown some effectiveness, indicating this is a promising research direction. However, these approaches still face some key challenges, including: i) they have not yet fully modeled the lifecycle and processes of APT malware; ii) they have not yet calculated or identified the influence of environmental factors on predicting the malware spread. To address these two issues, this paper introduces a new model called a Dual Susceptible-Protected-Infected-Recovered (Dual-SPIR) model. For the first issue, the proposed Dual-SPIR model will be a two-layer model that represents the spread, privilege escalation, and data theft process of APT malware. To address the second issue, this research proposes three main factors that affect the spread of APT malware, including: i) the behavior of the malware; ii) the security technologies used by the system; and iii) system vulnerabilities. The Dual-SPIR model will calculate the impact of these three factors on the spread of APT malware within the system. Specifically, for malware behavior, we suggest using the MITRE ATT&CK Framework, which is currently one of the best tools for defining APT attack strategies and tactics. For system protection, we selected antivirus software, a widely used tool by organizations to protect their systems from APT campaigns. Lastly, for system vulnerabilities, the research focuses on office software vulnerabilities in the Windows 10 operating system. Different scenarios have shown that the Dual-SPIR model in this paper performs better than other approaches across all evaluation metrics. This demonstrates that the research not only has academic value but also practical relevance, as it successfully combines three key factors to model the spread of APT malware within systems.