Inter-arrival times of message propagation on directed networks

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

One of the challenges in fighting cybercrime is to understand the dynamics of message propagation on botnets, networks of infected computers used to send viruses, unsolicited commercial emails (SPAM) or denial-of-service attacks. We map this problem to the propagation of multiple random walkers on directed networks and we evaluate the inter-arrival time distribution between successive walkers arriving at a target. We show that the temporal organization of this process, which models information propagation on unstructured peer-to-peer networks, has the same features as SPAM arriving at a single user. We study the behavior of the message inter-arrival time distribution on three different network topologies using two different rules for sending messages. In all networks the propagation is not a pure Poisson process. It shows universal features on Poissonian networks and a more complex behavior on scale-free networks. Results open the possibility to indirectly learn about the process of sending messages on networks with unknown topologies, by studying inter-arrival times at any node of the network.


💡 Research Summary

The paper tackles a central problem in cyber‑crime mitigation: understanding how malicious messages spread through botnets and other compromised networks. The authors map the propagation of many messages onto the dynamics of multiple random walkers moving on directed graphs. By focusing on a single “target” node—representing, for example, a user’s mailbox—they study the statistical distribution of the time intervals between successive arrivals of walkers, i.e., the inter‑arrival time (IAT) distribution.

Two distinct sending protocols are examined. In the “bulk” or simultaneous protocol, a fixed number of walkers are injected into the network at once; in the “sequential” protocol, walkers are released one after another, each waiting until the previous one reaches the target before the next is launched. These protocols capture, respectively, bursty mass‑mailing attacks and more stealthy, staggered campaigns.

The authors test three canonical network topologies, each built with 10 000 nodes and the same average out‑degree (≈4). (1) A Poisson random graph generated by the Erdős–Rényi (ER) model, representing an unstructured peer‑to‑peer (P2P) overlay with homogeneous connectivity. (2) A modified Poisson graph with increased clustering, to probe the effect of local redundancy without altering the degree distribution. (3) A scale‑free network generated by the Barabási–Albert preferential‑attachment mechanism, embodying the heavy‑tailed degree distribution observed in many real‑world communication networks. For each topology the authors vary the number of walkers (1 000–10 000), the initial source node (chosen uniformly at random), and repeat the experiment thousands of times to obtain robust statistics.

Across all settings the IAT distribution deviates markedly from the exponential law that would characterize a pure Poisson process. In the ER and clustered Poisson graphs the bulk protocol yields a distribution that is roughly exponential in its tail but exhibits a pronounced peak at short intervals. This peak reflects the fact that many walkers share the same short‑length shortest‑path routes and therefore tend to arrive in quick succession. The sequential protocol, by introducing a mandatory waiting period between walkers, stretches the distribution and produces a higher coefficient of variation (CV > 1), confirming over‑dispersion relative to a Poisson baseline.

The scale‑free topology displays a far richer structure. Because of the presence of high‑degree hubs, a subset of walkers reaches the target extremely quickly via hub‑mediated shortcuts, while another subset must traverse low‑degree peripheral regions, leading to a multimodal IAT distribution with a heavy, power‑law‑like tail. Consequently, the CV can exceed 2, indicating very bursty arrival patterns interspersed with long silent periods. This pattern mirrors empirical observations of spam e‑mail streams, where bursts of messages are followed by extended gaps.

Statistical analysis shows that the mean IAT scales with the average shortest‑path length of the underlying graph, while the variance is substantially larger than the mean, reinforcing the over‑dispersed nature of the process. The authors compute the Fano factor (variance/mean) and find values well above unity for all configurations, a hallmark of non‑Poissonian dynamics.
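The measurement described above, as an added Python example that is not code from the paper: independent walkers released in bulk from one source on a directed graph, their arrival steps recorded at a single target, and the CV and Fano factor of the resulting inter-arrival times computed. The graph builder (fixed out-degree plus a ring edge, a simplified stand-in for the paper's topologies), the discrete time steps, removal of a walker on arrival, and all parameter values are assumptions of this sketch.

```python
import random
import statistics

def directed_graph(n, k, rng):
    """Each node gets k random out-edges plus a ring edge i -> i+1 (an added
    assumption so that every node can reach the target)."""
    return [[(i + 1) % n] + rng.sample(range(n), k) for i in range(n)]

def bulk_arrivals(graph, source, target, walkers, max_steps, rng):
    """Bulk protocol: all walkers leave `source` at t=0 and walk independently.
    Returns the sorted arrival steps of the walkers that reached `target`."""
    arrivals = []
    for _ in range(walkers):
        node = source
        for step in range(1, max_steps + 1):
            node = rng.choice(graph[node])  # follow one random out-edge
            if node == target:
                arrivals.append(step)       # walker is removed on arrival
                break
    return sorted(arrivals)

def inter_arrival_times(arrivals):
    """Gaps between successive arrivals at the target."""
    return [b - a for a, b in zip(arrivals, arrivals[1:])]

def dispersion(iats):
    """Mean, coefficient of variation (std/mean) and Fano factor (var/mean).
    An exponential IAT distribution (pure Poisson arrivals) has CV = 1."""
    mean = statistics.fmean(iats)
    if mean == 0:
        raise ValueError("all arrivals are simultaneous; ratios undefined")
    var = statistics.pvariance(iats)
    return {"mean": mean, "cv": var ** 0.5 / mean, "fano": var / mean}

if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the run is repeatable
    g = directed_graph(n=300, k=3, rng=rng)  # ring edge + 3 = out-degree 4
    arrivals = bulk_arrivals(g, source=0, target=150, walkers=500,
                             max_steps=20000, rng=rng)
    stats = dispersion(inter_arrival_times(arrivals))
    print(len(arrivals), "arrivals", {k: round(v, 2) for k, v in stats.items()})
```

The same `inter_arrival_times` and `dispersion` functions can be applied to sorted receive timestamps from a mail log to compare an observed stream against the CV = 1 Poisson baseline.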

A key contribution of the work is the proposal of an inverse inference framework: by measuring only the IAT statistics at a single node—without any knowledge of the global network—one can infer salient properties of the hidden topology (e.g., whether the degree distribution is Poisson or heavy‑tailed) and the underlying sending protocol (bulk vs. sequential). The authors validate this idea by comparing simulated IAT data with real spam logs, observing close agreement in both the shape of the distribution and the CV.

The paper acknowledges several limitations. The random‑walker model assumes independent walkers, neglecting possible interactions such as collisions, retransmissions, or congestion effects that are realistic in botnet traffic. The network is static; real botnets evolve as nodes are added, removed, or re‑wired. Moreover, only a single target node is considered, whereas many attacks involve multiple recipients. The authors suggest that future work should incorporate dynamic topologies, walker‑walker interactions, heterogeneous transmission delays, and multi‑target scenarios. They also envision coupling the IAT‑based inference with machine‑learning classifiers to enable real‑time detection and mitigation of malicious campaigns.

In summary, the study demonstrates that the temporal organization of message arrivals on directed networks carries a fingerprint of both the network’s structural class and the message‑sending strategy. By reducing the complex spread of malicious traffic to the simple observable of inter‑arrival times, the authors provide a powerful, low‑overhead diagnostic tool that could be deployed in network monitoring systems to flag anomalous, potentially harmful activity even when the underlying network topology is unknown.

