An epidemiological model of virus spread and cleanup
Matthew Williamson, Hewlett Packard Labs
Jasmin Leveille, Hewlett Packard Labs
Corporate stream: Friday 26 Sept 2003, 16.20-17.00.
While it is relatively straightforward to compare the features of anti-virus systems, it is more
difficult to determine their effectiveness from an operational point of view, i.e. what impact
do they have on the cost of virus outbreaks?
This paper presents a model that analyses the effectiveness of signature-based and other types
of countermeasure from an operational perspective. The model calculates the expected cost or
impact of a virus outbreak, taking into account the full lifecycle of the attack: the virus
spreading unhindered before a signature is available, the distribution of the signature making
some machines immune to the virus and detecting the virus on others, and those infected machines
being cleaned up. By varying parameters, the effect of the virus spreading rate and of the
particular countermeasures used on the outbreak size can be explored.
Results from the model are used to expose and quantify the strengths and weaknesses of
signature-based approaches, and to suggest areas for improvement. Results are also presented on
the effectiveness of countermeasures based on behaviour blocking (virus throttling), showing
that this approach is particularly effective against fast-spreading viruses.
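
The lifecycle described above (unhindered spread, signature release, immunisation and cleanup) can be sketched as a small compartment model. This is an added illustration, not the authors' model: the equations, every rate, the machine-hours cost proxy and the treatment of throttling as a scaling of the spreading rate are assumptions.

```python
# Added illustration: a minimal compartment model (susceptible / infected / immune).
# All rates and the form of the equations are assumptions, not taken from the paper.

def simulate(beta, sig_delay=24.0, mu=0.1, gamma=0.05,
             n=1000.0, i0=1.0, hours=500.0, dt=0.01):
    """Euler-integrate the outbreak; return (peak, infected_machine_hours, (s, i, m)).

    beta      infection contacts per infected machine per hour
    sig_delay hours until a signature exists (virus spreads unhindered before)
    mu        rate at which susceptible machines receive the signature (become immune)
    gamma     rate at which infected machines are detected and cleaned up
    """
    s, i, m = n - i0, i0, 0.0
    peak, cost = i, 0.0
    for k in range(int(hours / dt)):
        signature_out = k * dt >= sig_delay
        new_inf = beta * s * i / n * dt
        immunised = mu * s * dt if signature_out else 0.0
        cleaned = gamma * i * dt if signature_out else 0.0
        s -= new_inf + immunised
        i += new_inf - cleaned
        m += immunised + cleaned
        peak = max(peak, i)
        cost += i * dt          # impact proxy: machine-hours spent infected
    return peak, cost, (s, i, m)


def compare(beta, throttle_factor=0.1):
    """Outbreak with and without throttling (modelled here as scaling beta)."""
    base = simulate(beta)
    throttled = simulate(beta * throttle_factor)
    return base, throttled


if __name__ == "__main__":
    # Constructed parameters: a slow and a fast virus against the same 24 h signature delay.
    for label, beta in (("slow", 0.05), ("fast", 1.0)):
        base, thr = compare(beta)
        print(f"{label}: peak {base[0]:7.1f} cost {base[1]:9.0f} | "
              f"throttled peak {thr[0]:6.1f} cost {thr[1]:7.0f}")
```

With these constructed rates the fast virus saturates the population before the signature exists, so the signature only drives cleanup, while the throttled run is still small when the signature arrives.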