Software Engineering Institute

This white paper was published at the Joint Statistical Meetings (JSM) Conference on August 4, 2010.

To study rapidly evolving populations of Internet threats under views from multiple watch lists, we propose a hierarchical Bayesian model we call Continuous-Time List Capture (CTLC). Methodologically, CTLC is related to survival analysis under competing risks, in which individuals under study admit as many survival curves as there are sources of watch-list data. We suggest a Weibull model for the lifetime of a file from birth to appearance on a watch list, and we propose a Markov-Chain Monte Carlo method for simultaneous estimation of birth times for individuals, Weibull rate parameters for lists, and the effects of heterogeneity in behavior or traits among lists and individuals.

We describe a population study of unique malware files under the CTLC framework and present a preliminary simulation study as well as future work.