Epidemiological study of browser-based malware for university network with partially observed flow data

Document Type

Conference Proceeding

Date of Original Version



The presence of personal financial data, intellectual property, and classified documents on University computer systems makes them particularly attractive to hackers, but not well prepared for their attacks. The University of Rhode Island (URI) is one of the few institutions collecting network traffic data (NetFlow) for inference and analysis of normal and potentially malicious activity. This research focuses on web-based traffic with client-server architecture and adopts simple probability-based transmission models to explore the vulnerability of the URI web-network to anticipated threats. The fact that the URI firewall captures only traffic data in- and out- of URI necessitates the modeling of internal un-observed traffic. Relying on a set of intuitive assumptions, we simulate the spread of infection on the dynamic bipartite graph inferred from observed external and modeled unobserved internal web-browsing traffic and evaluate the susceptibility of URI nodes to threats initiated by random clients and clients from specific countries. Overall, the results suggest higher rates of infection for client nodes compared to servers with maximum rates achieved when infection is initiated randomly. Remarkably, very similar rates are observed when infection is initiated from 100 different clients from each of selected countries (e.g., China, Germany, UK) or from one most active node from Denmark. Interestingly, the daily analysis over a three-month period reveals that the simulated infection rates that are not consistent with the intensity of the flow traffic may indicate the presence of compromised node activity and possible intrusion.

Publication Title, e.g., Journal

Studies in Computational Intelligence