Matthew Williamson Hewlett Packard Labs
Jasmin Leveille Hewlett Packard Labs
An epidemiological model of virus spread and cleanup
While it is relatively straightforward to compare the features of anti-virus systems, it is more difficult to determine their effectiveness from an operational point of view, i.e. what impact they have on the cost of virus outbreaks.
This paper presents a model that analyses the effectiveness of signature-based and other types of countermeasures from an operational perspective. The model calculates the expected cost or impact of a virus outbreak, taking into account the full lifecycle of the attack: the virus spreading unhindered before a signature is available, the distribution of the signature making some machines immune to the virus and detecting the virus on others, and those infected machines being cleaned up. By varying parameters, the effect of the virus spreading rate and of the particular countermeasures used on the size of the outbreak can be explored.
Results from the model are used to expose and quantify the strengths and weaknesses of signature-based approaches, and to suggest areas for improvement. Results are also presented on the effectiveness of countermeasures based on behaviour blocking (virus throttling), showing that this approach is particularly effective against fast spreading viruses.
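To make the lifecycle described above concrete, here is an added toy compartmental model written for this page; it is not the paper's model (the abstract gives no equations), and every parameter value, the compartment rules, the cost weights and the way throttling is represented (as a cap on the effective per-host spread rate) are assumptions. It runs the three phases of the abstract (unhindered spread, signature distribution that immunises susceptible machines and detects infected ones, cleanup of detected machines) and compares a signature-only response with signature plus throttling for slow and fast spreading viruses.

```python
"""Added example: a toy SIR-style model of the outbreak lifecycle
(spread -> signature -> immunise/detect -> cleanup).  Not the paper's model;
all parameter values and rules below are assumptions made for illustration."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Params:
    n: int = 10_000          # machines in the population (assumed)
    beta: float = 5.0        # unhindered infections per infected machine per hour (assumed)
    t_sig: float = 4.0       # hours from first infection until a signature exists (assumed)
    sigma: float = 0.5       # per-hour rate at which machines receive the signature (assumed)
    gamma: float = 0.25      # per-hour rate at which detected machines are cleaned (assumed)
    throttle: Optional[float] = None  # behaviour blocking modelled as a cap on effective beta (assumed)


@dataclass
class Outcome:
    cumulative_infections: float
    peak_infected: float
    infected_machine_hours: float
    state: dict = field(default_factory=dict)


def simulate(p: Params, horizon: float = 72.0, dt: float = 0.01) -> Outcome:
    """Forward-Euler integration of the outbreak over `horizon` hours.

    Compartments: S susceptible (no signature), I infected and undetected,
    D infected but detected (signature present, awaiting cleanup), R immune
    (received the signature before being infected), C cleaned.
    Assumption: only undetected machines (I) spread; detection stops spread.
    """
    beta = p.beta if p.throttle is None else min(p.beta, p.throttle)
    s, i, d, r, c = p.n - 1.0, 1.0, 0.0, 0.0, 0.0   # start from one infected machine
    cum, peak, hours, t = 1.0, 1.0, 0.0, 0.0
    for _ in range(int(horizon / dt)):
        new_inf = beta * s * i / p.n * dt           # mass-action spread, phase 1 onwards
        if t >= p.t_sig:                             # phase 2: signature is being distributed
            sig_s = p.sigma * s * dt                 # susceptible -> immune
            sig_i = p.sigma * i * dt                 # infected -> detected
            cleaned = p.gamma * d * dt               # phase 3: detected -> cleaned
        else:
            sig_s = sig_i = cleaned = 0.0
        s -= new_inf + sig_s
        i += new_inf - sig_i
        d += sig_i - cleaned
        r += sig_s
        c += cleaned
        cum += new_inf
        hours += (i + d) * dt                        # both I and D still carry the virus
        peak = max(peak, i + d)
        t += dt
    return Outcome(cum, peak, hours, {"S": s, "I": i, "D": d, "R": r, "C": c})


def outbreak_cost(o: Outcome, cleanup_cost: float = 50.0,
                  downtime_cost_per_hour: float = 2.0) -> float:
    """Assumed cost model: a fixed cleanup cost per infection plus a per-hour
    cost for every hour a machine carries the virus."""
    return (o.cumulative_infections * cleanup_cost
            + o.infected_machine_hours * downtime_cost_per_hour)


def compare(beta: float, t_sig: float, throttle: float = 1.0) -> dict:
    """Signature-only response versus signature plus throttling, same virus."""
    base = simulate(Params(beta=beta, t_sig=t_sig))
    thr = simulate(Params(beta=beta, t_sig=t_sig, throttle=throttle))
    return {"signature_only": base, "signature_plus_throttle": thr}


if __name__ == "__main__":
    for beta in (0.5, 5.0, 20.0):
        for name, o in compare(beta, t_sig=4.0).items():
            print(f"beta={beta:5.1f} {name:24s} infections={o.cumulative_infections:8.0f} "
                  f"peak={o.peak_infected:8.0f} cost={outbreak_cost(o):10.0f}")
```

Running it reproduces the qualitative point of the abstract: for a slow virus the signature arrives before most machines are infected and throttling adds little, whereas for a fast virus (beta well above the signature distribution rate) the whole population is infected before the signature exists, and capping the spread rate is what keeps the outbreak small enough for the signature to matter.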