Beyond the blacklist: Modeling malware spread and the effect of interventions

Benjamin Edwards, Tyler Moore, George Stelle, Steven Hofmeyr, Stephanie Forrest

Research output: Chapter in Book/Report/Conference proceedingConference contribution

9 Scopus citations


Malware spread among websites and between websites and clients is an increasing problem. Search engines play an important role in directing users to websites and are a natural control point for intervening using mechanisms such as blacklisting. The paper presents a simple Markov model of malware spread through large populations of websites and studies the effect of two interventions that might be deployed by a search provider: blacklisting infected web pages by removing them from search results entirely and a generalization of blacklisting, called depreferencing, in which a website's ranking is decreased by a fixed percentage each time period the site remains infected. We analyze and study the trade-offs between infection exposure and traffic loss due to false positives (the cost to a website that is incorrectly blacklisted) for different interventions. As expected, we find that interventions are most effective when websites are slow to remove infections. Surprisingly, we also find that low infection or recovery rates can increase traffic loss due to false positives. Our analysis also shows that heavy-tailed distributions of website popularity, as documented in many studies, leads to high sample variance of all measured outcomes. This result implies that it will be difficult to determine empirically whether certain website interventions are effective, and it suggests that theoretical models such as the one described in this paper have an important role to play in improving web security.

Original languageEnglish (US)
Title of host publicationNSPW 2012 - Proceedings of the 2012 New Security Paradigms Workshop
Number of pages13
StatePublished - Dec 1 2012
Externally publishedYes
Event2012 21st New Security Paradigms Workshop, NSPW 2012 - Bertinoro, Italy
Duration: Sep 18 2012Sep 21 2012

Publication series

NameProceedings New Security Paradigms Workshop


Other2012 21st New Security Paradigms Workshop, NSPW 2012


  • Blacklist
  • Drive-by-Downloads
  • Graduated Response
  • Malware
  • Modeling
  • Search
  • Web Security

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture
  • Software
  • Information Systems


Dive into the research topics of 'Beyond the blacklist: Modeling malware spread and the effect of interventions'. Together they form a unique fingerprint.

Cite this