Steve White, Jeffrey Kephart, David Chess
In Proceedings of the 5th Virus Bulletin International Conference, Boston, September 20-22, 1995, Virus Bulletin Ltd, Abingdon, England, pp. 165-181.
September 1995
Download PDF (233.97Kb) (You need to be registered on forum)Technical accounts of computer viruses usually focus on the microscopic details of individual viruses: their structure, their function, the type of host programs they infect, etc. The media tends to focus on the social implications of isolated scares. Such views of the virus problem are useful, but limited in scope.
One of the missions of IBM's High Integrity Computing Laboratory is to understand the virus problem from a global perspective, and to apply that knowledge to the development of anti-virus technology and measures. We have employed two complementary approaches: observational and theoretical virus epidemiology 1, 2, 3, 4, 5, 6]. Observation of a large sample population for six years has given us a good understanding of many aspects of virus prevalence and virus trends, while our theoretical work has bolstered this understanding by suggesting some of the mechanisms that govern the behavior that we have observed.
In this paper, we review some of the main ndings of our previous work. In brief, we show that, while thousands of DOS viruses exist today, less than 10% of these have actually been seen in real virus incidents. Viruses do not tend to spread wildly. Rather, it takes months or years for a virus to become widespread, and even the most common a ect only a small percentage of all computers. Theoretical models, based on biological epidemiology, can explain these major features of computer virus spread.
Then, we demonstrate some interesting trends that have become apparent recently. We examine several curious features of viral prevalence over the past few years, including remarkable peaks in virus reports, the rise of boot-sector-infecting viruses to account for almost all incidents today, and the near extinction of le-infecting viruses. We show that anti-virus software can be remarkably e ective within a given organization, but that it is not responsible for the major changes in viral prevalence worldwide. Instead, our study suggests that changes in the computing environment, including changes in machine types and operating systems, are the most important e ects in uencing what kinds of viruses become prevalent and how their prevalence changes.
Finally, we look at current trends in operating systems and networking, and attempt to predict their e ect on the nature and extent of the virus problem in the coming years.