Today's society depends heavily on its information infrastructure to properly store, transmit and process vast amounts of information. Computer viruses and worms pose serious threats to the normal operation of this infrastructure by destroying stored information, disrupting information transmission, and improperly collecting and handling information. These malicious activities have caught the attention of society through a series of high-profile incidents such as the “CodeRed” and “Nimda” worms in 2001, the “Slammer” worm and “SoBig.F” virus in 2003, and the “Mydoom (Novarg)” worm in 2004. Worms and viruses spread themselves in various ways, and email is increasingly the most popular transmission medium. In the first half of 2004 alone there were several notorious email virus incidents, including W32/Bagle and W32/Novarg. Several studies have shown that empirical data on “CodeRed” worm propagation fit well with simple epidemiological mathematical models, and earlier papers report similar observations.
The similarity of growth patterns between biological viruses and computer viruses leads us to look for common ground in control strategy. Two types of techniques are used in epidemiology. The first is molecular epidemiology, such as the DNA fingerprinting technique used in tuberculosis (TB) control. DNA fingerprinting uses a DNA signature sequence, such as the insertion sequence IS6110 used by restriction fragment length polymorphism (RFLP) analysis of TB, to identify the existence of an outbreak. The second is classical epidemiology, such as contact tracing, which uses contact investigations to identify the transmission chain of an infectious disease. Classical and molecular epidemiological methods are usually used together to detect and control the spread of infectious diseases worldwide. Battles against epidemic disease spread have always been won by applying multiple control methods together: “Control of tuberculosis relies on well-defined tools such as case finding, contact tracing, completion of successful treatment and vaccination”. Control of SARS was accomplished by “early case identification and isolation, vigorous contact tracing, voluntary home quarantine . . . ”. Victory can be claimed only after the pathogen transmission chain has been broken. In the field of network worm and virus control, most of the techniques used to protect computers from infection, such as patches and antivirus software, depend on the availability of virus signatures. This approach is analogous to molecular epidemiology techniques such as DNA fingerprinting. However, effective classical epidemiological methods such as contact tracing have not yet found application in network worm and virus control.
The absence of key techniques such as contact tracing and transmission chain identification also makes current cyber-virus defense schemes less systematic than their real-world counterparts.
The early work on epidemiological modeling of worm propagation was done more than a decade ago. Several recent papers have modeled the spread of the “CodeRed” worm. Staniford-Paxson et al. used a simple epidemiological logistic equation to model the propagation of “CodeRed”. Zou-Gong et al. proposed a “two-factor” model that captures the effect of human countermeasures and of congestion caused by worm traffic. Chen-Gao et al. proposed an analytical active worm propagation (AAWP) model to characterize the propagation of worms that employ random scanning. Zou-Gao et al. proposed a worm early warning system based on epidemiological models. Garetto-Gong et al. used interactive Markov chains to model worm propagation.
Quarantine as a containment method has been studied in several papers. Moore-Shannon et al. studied the impact of several design factors on the dynamics of a worm epidemic. Zou-Gong et al. proposed a dynamic quarantine method and analyzed its impact on worm propagation, showing that dynamic quarantine can slow down worm spread. Their system quarantines a host whenever its behavior looks suspicious; the quarantine decision is based on the abnormal behavior of the host itself. To alleviate the impact of the common false-alarm problem, the system releases a quarantined host after a short time, so a falsely quarantined host is not blocked for long. Williamson proposed another behavior-based detection and control method that contains worm propagation by restricting the probing rate of infected hosts. Toth-Kruegel used the presence of similar connection patterns (destination port, content) in the connection history to detect worm propagation in an enterprise network. Wang-Knight et al. studied the effect of immunization on virus propagation, comparing random immunization with selective immunization, and showed that selectively immunizing the nodes with the highest degrees is more effective than random immunization. Wang-Guo et al. proposed shields, vulnerability-specific but exploit-generic network filters that correct traffic exploiting known vulnerabilities, and demonstrated that shields can prevent exploitation of a substantial fraction of the most dangerous vulnerabilities. On email virus related studies, Zou-Towsley et al. studied email virus propagation on power-law, small-world and random-graph topologies, and also studied the effect of selective immunization. Swab proposed SMTP gateway virus filtering.
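As an added illustration, not code from this paper or from any of the works cited above, the following Python script integrates the simple epidemic (logistic) model that the preceding paragraphs say fits “CodeRed”, di/dt = K·i·(1 − i), and a variant with a removal term that stands in for patching or quarantine of infected hosts, in the spirit of the quarantine and immunization studies summarized above. The contact rate K is derived from the scan rate and vulnerable population of a random-scanning worm. The numeric constants (21,475 probes per hour per infected host, 360,000 vulnerable hosts, a removal rate of 0.6 per hour) are illustrative assumptions chosen for the example, not values reported on this page.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 address space, scanned uniformly at random


def contact_rate(scan_rate, vulnerable_hosts, address_space=ADDRESS_SPACE):
    """Pairwise contact rate K of a random-scanning worm.

    Each infected host probes scan_rate addresses per time unit; a probe lands
    on one of the vulnerable_hosts with probability vulnerable_hosts/address_space,
    so while nearly everything is still susceptible one infected host produces
    K = scan_rate * vulnerable_hosts / address_space new infections per time unit.
    """
    return scan_rate * vulnerable_hosts / address_space


def logistic_fraction(t, K, i0):
    """Closed-form solution of the simple epidemic model di/dt = K*i*(1 - i).

    i(t) is the fraction of vulnerable hosts infected at time t, i0 = i(0).
    """
    growth = math.exp(K * t)
    return i0 * growth / (1.0 - i0 + i0 * growth)


def simulate(K, i0, dt, t_end, removal_rate=0.0):
    """Forward-Euler integration of
        di/dt = K*i*(1 - i - r) - removal_rate*i
        dr/dt = removal_rate*i
    where i is the infected fraction and r the removed fraction (hosts patched
    or quarantined, hence neither infectious nor susceptible).
    With removal_rate = 0 this reduces to the logistic model above.
    Returns a list of (t, i, r) samples, one per Euler step, starting at t = 0.
    """
    i, r, t = i0, 0.0, 0.0
    trajectory = [(t, i, r)]
    for _ in range(int(round(t_end / dt))):
        susceptible = max(0.0, 1.0 - i - r)
        di = (K * i * susceptible - removal_rate * i) * dt
        dr = removal_rate * i * dt
        i, r, t = i + di, r + dr, t + dt
        trajectory.append((t, i, r))
    return trajectory


def peak_infected(trajectory):
    """Largest infected fraction reached along a trajectory."""
    return max(i for _, i, _ in trajectory)


def time_to_fraction(trajectory, target):
    """First time at which the infected fraction reaches target, or None."""
    for t, i, _ in trajectory:
        if i >= target:
            return t
    return None


if __name__ == "__main__":
    # Illustrative assumptions (not values from the paper): 360,000 vulnerable
    # hosts, about 6 probes/s per infected host (21,475 per hour), one seed host.
    dt = 0.001
    K = contact_rate(scan_rate=21475, vulnerable_hosts=360_000)  # ~1.8 per hour
    i0 = 1.0 / 360_000
    free = simulate(K, i0, dt=dt, t_end=24.0)
    contained = simulate(K, i0, dt=dt, t_end=24.0, removal_rate=0.6)
    print(f"K = {K:.3f} per hour")
    for hour in (4, 6, 8, 10):
        print(f"t={hour:2d}h  closed-form i={logistic_fraction(hour, K, i0):.3f}"
              f"  Euler i={free[round(hour / dt)][1]:.3f}")
    print(f"time to 50% infected, no removal: {time_to_fraction(free, 0.5):.2f} h")
    print(f"peak infected fraction, removal rate 0.6/h: {peak_infected(contained):.3f}")
```

With removal_rate = 0 the Euler trajectory tracks the closed-form logistic curve (slightly delayed, since forward Euler underestimates exponential growth by a factor ln(1 + K·dt)/(K·dt) in the effective rate). With a removal rate δ, the basic reproduction number becomes K/δ, and the peak infected fraction drops from 1 to roughly 1 − (δ/K)(1 + ln(K/δ)), which is the quantitative sense in which patching or quarantine “slows down worm spread”.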