By modeling a network as a population, we can apply theories from epidemiology to find the most “infectious” devices. We can use these results to better allocate defensive resources, because infectious devices are likely to cause more disruption when compromised.

Our method monitors low-level interactions between network devices and correlates them with modes of transmission. For example, a device forming an SSH connection with another is direct transmission. A device accessing data from a file share, to which another device contributes is indirect transmission. Then we estimate the probability of infection, using device information such as the number of CVEs present and how quickly out-of-date software is updated. Finally, run Monte Carlo simulations to predict the flow of a disease through the population and find reservoirs of infection. In computing terms, we predict the spread of malicious code through the network and find the devices which can cause the most damage.

In testing, we examined a network of 20,000 devices in around 10 minutes and identified which devices were more deserving of defensive resources. Our method will enable security teams to better allocate defensive resources when planning for cyber-attacks.