The purpose of this study is to develop and numerically analyze an improved mathematical model for the spread of malware in network structures based on a modified SIR immune response model. The research methodology is based on constructing a model that takes into account the processes of infection, recovery, and loss of immunity of network nodes, as well as applying the fourth-order Runge–Kutta numerical method to calculate the dynamics of malware propagation. During the simulation, key parameters of cyber threat propagation were determined, including infection, recovery, and immunity loss rates. The obtained results showed that the maximum infection level reaches 34.7% of the total number of network nodes, while the malware propagation peak occurs after 32.5 conditional time units. The research results confirm that response speed, timely software updates, and continuous monitoring of network activity have a significant impact on reducing the scale of infection. It is concluded that the proposed model can be used as a tool for the quantitative assessment of cyber threats and for justifying measures aimed at increasing the resilience of network systems to malicious attacks. The practical significance of the study lies in the possibility of applying the obtained results in developing strategies for the optimal allocation of information security resources and preventing the widespread propagation of malware.
Introduction
This study examines modern approaches to modeling malware propagation in computer networks and proposes an improved framework based on a modified SIR (Susceptible–Infected–Recovered) epidemiological model. The goal is to better understand malware spread dynamics and support proactive cybersecurity strategies.
1. Background and Motivation
The rapid evolution of cyber threats has reduced the effectiveness of traditional, reactive security measures. Organizations require predictive tools that can model and forecast malware propagation, enabling proactive defense and efficient allocation of cybersecurity resources.
A major challenge is understanding how factors such as:
Infection rate,
Recovery effectiveness,
Immunity loss (reinfection probability),
influence the spread of malware across networks.
Previous research has applied epidemiological models to cyber threats, including:
Basic SIR models,
SEIRS and SIRS variants,
Models considering network saturation and node scanning,
Complex network structures and human behavior,
Machine learning and game-theoretic cybersecurity approaches,
Deep learning-based malware detection and classification systems.
Despite these advances, there remains a need for improved models that reflect the characteristics of modern cyber threats and network infrastructures.
2. Methodology
The study employs a modified SIR model, dividing network nodes into three categories:
Susceptible (S): Vulnerable nodes that can be infected.
Infected (I): Nodes currently compromised by malware.
Recovered (R): Protected or disinfected nodes.
Key Parameters
Parameter   Description                  Value
β           Infection rate               0.3
δ           Recovery rate                0.1
γ           Immunity loss rate           0.05
N           Total network nodes          1000
S₀          Initial susceptible nodes    995
I₀          Initial infected nodes       5
R₀          Initial recovered nodes      0
The model assumes:
Susceptible nodes become infected through contact with infected nodes.
Infected nodes recover at rate δ.
Recovered nodes may lose immunity and become susceptible again at rate γ.
To solve the system of differential equations accurately, the researchers applied the fourth-order Runge–Kutta numerical method, which effectively handles the nonlinear interactions among node groups.
3. Results
Malware Propagation Dynamics
Simulation results show that malware spreads rapidly in the early stages:
The number of infected nodes increases sharply.
Infection peaks at approximately 347 nodes (34.7% of the network).
The peak occurs around 32.5 time units after the outbreak begins.
By the end of the simulation (100 time units), approximately 442 nodes (44.2%) have recovered.
Observations
The infection initially grows exponentially.
After reaching its peak, recovery and containment mechanisms reduce infections.
Eventually, only a small number of infected nodes remain.
The high proportion of recovered nodes indicates successful threat containment.
The model demonstrates a typical epidemic pattern:
Rapid outbreak phase.
Peak infection period.
Recovery and stabilization phase.
4. Discussion
The study highlights the significant influence of SIR model parameters on malware propagation:
Infection Rate (β)
Higher β leads to faster and broader malware spread.
Reducing β through user awareness, access controls, and security policies can significantly improve resilience.
Recovery Rate (δ)
Increasing δ through rapid patching, antivirus tools, and incident response reduces the infection peak and shortens attack duration.
Immunity Loss Rate (γ)
A non-zero γ indicates that recovered systems may become vulnerable again.
Continuous updates and adaptive security mechanisms are therefore essential.
The basic reproduction number (R₀) demonstrates the potential speed of malware spread and underscores the importance of reducing infections while increasing recovery rates.
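The model from the Methodology section and the parameter effects discussed above can be explored with the following sketch, which is an added example and not code from the study. It assumes the classic SIRS mass-action equations (the page does not print its own), a step size h = 0.1, the usual definition of the basic reproduction number as β/δ, and a constructed comparison scenario with δ = 0.2; all function names are hypothetical.

```python
# Added example. ASSUMED classic SIRS equations (the page does not print its own):
#   dS/dt = -beta*S*I/N + gamma*R
#   dI/dt =  beta*S*I/N - delta*I
#   dR/dt =  delta*I    - gamma*R

def derivs(state, beta, delta, gamma, n):
    s, i, r = state
    new_inf = beta * s * i / n  # mass-action contact between S and I nodes
    return (-new_inf + gamma * r, new_inf - delta * i, delta * i - gamma * r)

def rk4_step(state, h, *p):
    """One classical fourth-order Runge-Kutta step of size h."""
    k1 = derivs(state, *p)
    k2 = derivs(tuple(x + h / 2 * k for x, k in zip(state, k1)), *p)
    k3 = derivs(tuple(x + h / 2 * k for x, k in zip(state, k2)), *p)
    k4 = derivs(tuple(x + h * k for x, k in zip(state, k3)), *p)
    return tuple(x + h / 6 * (a + 2 * b + 2 * c + d)
                 for x, a, b, c, d in zip(state, k1, k2, k3, k4))

def simulate(beta=0.3, delta=0.1, gamma=0.05, n=1000.0,
             s0=995.0, i0=5.0, r0=0.0, t_end=100.0, h=0.1):
    """Integrate to t_end; defaults are the page's parameters, h is assumed."""
    state, peak_i, peak_t = (s0, i0, r0), i0, 0.0
    for k in range(1, round(t_end / h) + 1):
        state = rk4_step(state, h, beta, delta, gamma, n)
        if state[1] > peak_i:  # track the infection maximum and when it occurs
            peak_i, peak_t = state[1], k * h
    return {"peak_infected": peak_i, "peak_time": peak_t, "final": state}

def reproduction_number(beta, delta):
    """Basic reproduction number under the assumed equations."""
    return beta / delta

def endemic_state(beta, delta, gamma, n):
    """Steady state (S, I, R) of the assumed equations when beta/delta > 1."""
    s = n * delta / beta
    i = gamma * (n - s) / (delta + gamma)
    return (s, i, n - s - i)

if __name__ == "__main__":
    base = simulate()
    fast = simulate(delta=0.2)  # constructed scenario: recovery twice as fast
    for name, run in (("delta=0.1", base), ("delta=0.2", fast)):
        print(name, "peak %.1f nodes at t=%.1f" % (run["peak_infected"], run["peak_time"]),
              "final S,I,R = %.1f, %.1f, %.1f" % run["final"])
    print("steady state:", endemic_state(0.3, 0.1, 0.05, 1000.0))
```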
5. Recommendations
Based on the simulation results, the authors recommend:
Implementing early malware detection and rapid response systems.
Applying regular software updates and security patches.
Continuously monitoring networks even after infection levels decline.
Enhancing cybersecurity awareness among users.
Adapting defenses to emerging threats to counter immunity loss and reinfection risks.
Maintaining long-term preventive security measures rather than relying solely on reactive responses.
Conclusion
The article presents a comprehensive analysis of the application of a modified SIR model for modeling and understanding malware propagation in network infrastructures. The results of the study emphasize the importance of a clear understanding and management of indicators such as infection rate, recovery rate, and immunity loss rate, which are key components in developing effective strategies to combat cyber threats.
The modeling demonstrates the critical role of rapid response measures, such as updating network security protocols and training users, in reducing infection peaks and protecting the network. The obtained data indicate that even after the main wave of infection has declined, the network may remain vulnerable, which highlights the need for continuous monitoring and adaptation of security measures.
The research findings can be practically applied to strengthen cybersecurity in various sectors, including corporate networks and government information systems. The use of the identified strategies helps increase system resilience against new types of threats.
Thus, this study makes a significant contribution to understanding the dynamics of malware propagation and proposes relevant solutions for improving the cybersecurity of modern networks.