5- Conclusion

A mutually-supportive combination of theory and observation has enabled us to infer much about computer virus prevalence and the factors which influence it.

Computer viruses are considerably less prevalent than many have claimed. The rate of PC-DOS virus incidents in medium to large North American businesses appears to be approximately 1 per 1000 PCs per quarter; the number of infected machines is perhaps 3 or 4 times this figure if we assume that most such businesses are at least weakly protected against viruses. Businesses with virtually no anti-virus protection can probably expect a higher rate than this, but we have no data on which to base an estimate.

Gradually, computer viruses are becoming more prevalent. This is not because any one viral strain is getting out of hand; it is because the number of different viruses is growing with time. Most viruses that are written appear to be below the epidemic threshold. Of the ones that we have seen, just a small minority account for a substantial majority of the incidents. The ones that are most successful seem to increase in prevalence for a year or two at a strongly sub-exponential rate (approximately linear!) and then level off at a very low level of incidence. This qualitatively slow spread rate indicates that software exchange is highly localized. It is good news for known-virus technology; it means that updates can be sent out less frequently than would be required if the growth rate were exponential. Even more so, it is very good news for all PC users, who should be thankful that previous predictions of exponential growth were so far off the mark.

Furthermore, previous claims about the ineffectiveness of virus scanning are discredited. Simple epidemiological models show that, by increasing the virus death rate sufficiently, one can push viruses below the epidemic threshold. Virus scanners are an effective way to increase the death rate, particularly if they are designed such that they scan periodically without any prompting from the user.

Finally, our observations and our theoretical analysis of the effect of centralized reporting and response suggest that this is an extremely effective way to manage the virus problem in organizations. We strongly recommend the following policies to all organizations:
These policies have helped to cut the average incident size by more than a factor of two within our sample population. Furthermore, the information collected by the central agency can be used to assess the organization's progress in dealing with the computer virus problem.

Theoretical results on kill signals suggest that they are highly effective in reducing the virus threat. In the not-too-distant future, we plan to implement them in networks of PCs.

As time passes, our knowledge and understanding of the computer virus problem is bound to increase. With more data, trends in computer virus prevalence will become clearer. In addition, the theory will continue to advance in a number of directions. Currently, we can only say that the topology of software exchange among the world's computers has a very important effect, and that the global trends appear to indicate that it is highly localized. In order to make our theories more quantitative and predictive, we must find ways of characterizing the world's topology. From user surveys and automatic monitoring techniques, we hope to obtain enough information about individual behavior to be able to predict and to influence the future course of computer virus trends within organizations and throughout the world.
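
The two modelling claims in this conclusion (a high enough death rate pushes a virus below the epidemic threshold, and localized software exchange gives slow, roughly linear growth) can be reproduced with a small deterministic model. This is an added illustration, not code from the paper. Assumptions: the symbols `beta` and `delta`, the per-machine mean-field equations, a ring of 100 machines standing in for "localized" exchange, and all parameter values.

```python
# Added illustration, not code from the paper. Assumed symbols: beta = rate at which
# an infected machine passes the virus on, delta = rate at which infections are
# found and removed (the "death rate" that periodic scanning raises).
DT = 0.02  # Euler time step (assumed)

def exposure(p, localized):
    """Mean infection level among the machines each machine exchanges software with."""
    n = len(p)
    if localized:  # exchange only with the two neighbours on a ring
        return [(p[i - 1] + p[(i + 1) % n]) / 2 for i in range(n)]
    total = sum(p)  # homogeneous mixing: exchange with every other machine
    return [(total - x) / (n - 1) for x in p]

def simulate(beta, delta, localized, n=100, t_end=12.0):
    """Integrate dp_i/dt = beta*(1 - p_i)*exposure_i - delta*p_i from one infected
    machine; returns the expected number of infected machines at each step."""
    p = [1.0] + [0.0] * (n - 1)
    history = [sum(p)]
    for _ in range(round(t_end / DT)):
        e = exposure(p, localized)
        p = [x + DT * (beta * (1 - x) * ex - delta * x) for x, ex in zip(p, e)]
        history.append(sum(p))
    return history

def infected_at(history, t):
    """Expected number of infected machines at time t."""
    return history[round(t / DT)]

if __name__ == "__main__":
    for label, localized in (("homogeneous", False), ("localized", True)):
        for delta in (0.2, 1.5):  # death rate below and above beta = 1.0
            h = simulate(1.0, delta, localized)
            row = ", ".join(f"t={t}: {infected_at(h, t):6.2f}" for t in (4, 8, 12))
            print(f"{label:12s} delta={delta}: {row}")
```

In this model the threshold sits at `delta = beta` for both topologies; with `delta` below it, homogeneous mixing saturates quickly while the ring adds a roughly constant number of infected machines per unit time.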