On the Efficiency of Sampling and Countermeasures to Critical-Infrastructure-Targeted Malware Campaigns

Ensuring system survivability in the wake of advanced persistent threats is a big challenge that the security community is facing to ensure critical infrastructure protection. In this paper, we define metrics and models for the assessment of coordinated massive malware campaigns targeting critical infrastructure sectors. First, we develop an analytical model that allows us to capture the effect of neighborhood on different metrics (e.g., infection probability and contagion probability). Then, we assess the impact of putting operational but possibly infected nodes into quarantine. Finally, we study the implications of scanning nodes for early detection of malware (e.g., worms), accounting for false positives and false negatives. Evaluating our methodology using an hierarchical topology typical of factory automation networks, we find that malware infections can be effectively contained by using quarantine and appropriate rates of scanning for soft impacts.