
A Continuous Time List Capture Model for Internet Threats

August 2010 White Paper
Rhiannon Weaver

In this paper, Rhiannon Weaver describes a population study of malware files under the CTLC framework and presents a simulation study as well as future work.


Software Engineering Institute


This white paper was published at the Joint Statistical Meetings (JSM) Conference on August 4, 2010.

To study rapidly evolving populations of Internet threats under views from multiple watch lists, we propose a hierarchical Bayesian model we call Continuous-Time List Capture (CTLC). Methodologically, CTLC is related to survival analysis under competing risks, in which individuals under study admit as many survival curves as there are sources of watch-list data. We suggest a Weibull model for the lifetime of a file from birth to appearance on a watch list, and we propose a Markov-Chain Monte Carlo method for simultaneous estimation of birth times for individuals, Weibull rate parameters for lists, and the effects of heterogeneity in behavior or traits among lists and individuals.

We describe a population study of unique malware files under the CTLC framework and present a preliminary simulation study as well as future work.
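
The data-generating idea behind the abstract, as an added example that is not code from the paper and not its simulation study: each file has a hidden birth time, each watch list draws its own Weibull birth-to-listing delay, and listings falling after the observation window are censored. The list names, Weibull parameters, uniform births, and window length are all constructed assumptions, and the MCMC estimation step is not shown.

```python
import random

# Constructed, illustrative values (assumptions, not taken from the paper):
# per-list Weibull (scale in days, shape) for the delay from birth to listing.
LISTS = {"list_A": (30.0, 0.8), "list_B": (90.0, 1.5)}
WINDOW = 365.0  # length of the observation window, in days


def simulate(n_files, seed=1):
    """Forward-simulate files seen through several watch lists."""
    rng = random.Random(seed)
    records = []
    for _ in range(n_files):
        birth = rng.uniform(0.0, WINDOW)  # hidden from the analyst
        seen = {}
        for name, (scale, shape) in LISTS.items():
            # One survival curve per list: the competing-risks view.
            listed_at = birth + rng.weibullvariate(scale, shape)
            if listed_at <= WINDOW:  # later listings are right-censored
                seen[name] = listed_at
        records.append({"birth": birth, "seen": seen})
    return records


def summarize(records):
    """Compare what the lists reveal with the hidden ground truth."""
    observed = [r for r in records if r["seen"]]
    lags = [min(r["seen"].values()) - r["birth"] for r in observed]
    return {
        "total": len(records),
        "observed": len(observed),
        "never_listed": len(records) - len(observed),
        "on_all_lists": sum(len(r["seen"]) == len(LISTS) for r in observed),
        # How far the earliest listing trails the true birth, on average.
        "mean_first_seen_lag": sum(lags) / len(lags) if lags else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize(simulate(2000)).items():
        print(f"{key}: {value}")
```

The gap between `total` and `observed`, and the positive first-seen lag, are the two distortions that make first-listing time a poor stand-in for birth time.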