3.2.2 Internal Spread

We can get some insight into the second issue -- that of internal spread -- by the following simple model. Let us assume that central reporting and response are perfectly effective, so that an incident is completely cleaned up as soon as any machine is found to be infected. We wish to know:
To make the problem tractable, let us assume that homogeneous mixing applies within the organization. Then, an excellent approximation to the distribution of incident sizes can be derived as follows. Suppose that a virus has infected a machine in an organization, and that after some period of time the number of infected machines stemming from this initial event is n.
The next event will be either a birth (resulting in n+1 infections) or a death (resulting in 0 infections, assuming that the clean-up is instantaneous and contemporaneous with detection by one of the machines). The rate at which deaths occur is simply
with the approximation being valid to the extent that
Thus the size distribution is very nearly exponential, with mean
which is valid provided that
Note that, if the average incident size is less than two, the organization is below the epidemic threshold, and viruses would not propagate much even if central response were suddenly eliminated. However, if the average incident size is greater than two, the organization is intrinsically above the epidemic threshold, and elimination of central response would make the organization highly susceptible to widespread propagation of any virus that happened to enter it.
As a first step in deriving the distribution of incident durations, we can calculate the probabilities p(n,t) for there to be n infections at time t. Suppose that there are n infected machines at time t. Then the probability per unit time of making a transition to n+1 infected machines is
valid for
or the normalization condition:
Typically, we are interested in solving Eq. 6 given the initial condition p(1,0) = 1; p(n,0) = 0,
If we make the approximation
Given the initial condition p(1,0) = 1, we immediately obtain:
The equation for p(2,t) is:
Using the method of integrating factors and the initial condition p(2,0)=0, we obtain the solution:
In general, the solution for p(n,t) can be expressed as a convolution involving p(n-1,t):
as can be shown by induction. To obtain p(0,t), we can insert Eq. 13 into the normalization condition given by Eq. 8. Summing the resulting geometric series, we obtain:
It is straightforward to verify that this solution for p(0,t) also satisfies the rate equation (Eq. 7). As one would expect, p(0,t) increases monotonically from 0 at t=0 towards 1 as
Having obtained analytic formulas for the probabilities p(n,t) of n infections at time t, we can now use them to calculate several quantities of interest. As a simple warmup exercise, we can calculate the distribution of incident sizes, which was derived earlier by another method. The probability for there to be n infections at time t followed by a transition to 0 infections at some time t' in the infinitesimal interval
in agreement with the result given by Eq. 4.
(The substitution
The duration distribution Q(n,t) for an incident of size n is simply the extinction time distribution normalized such that
To obtain the average duration Q(n) of an incident of size n, we need to solve the following integral:
For sufficiently large n, Eq. 17 is approximately
where
To obtain the overall duration distribution Q(t), we can average the distribution Q(n,t) over all incident sizes n (using the weighting factor given by Eq. 4). Alternatively (and more simply), we can note that
Finally, the overall average duration Q is given by:
In the above derivation, the order of summation was switched in going from the first line to the second, and the fourth line was obtained from the third by identifying the Taylor series expansion for
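The birth-death model of incident sizes and durations described above, worked through as an added example (not code from the paper). It assumes the interpretation that each of the n infected machines spreads the virus at rate beta and is detected at rate delta, with detection triggering an instantaneous organization-wide clean-up; the rate values are constructed.

```python
"""Birth-death model of a virus incident under perfect central reporting and response.

Assumed model (an interpretation, not the paper's own code): from state n the
birth rate is beta*n (valid while n is small compared to the organization) and
the death rate is delta*n; a death ends the whole incident (n -> 0).
"""
import math
import random

def branch_probability(beta, delta):
    """P(next event is a birth). Both rates scale with n, so it is independent of n."""
    return beta / (beta + delta)

def size_pmf(n, beta, delta):
    """P(incident reaches exactly n machines): n-1 births, then one death (geometric)."""
    r = branch_probability(beta, delta)
    return r ** (n - 1) * (1 - r)

def mean_incident_size(beta, delta):
    """Mean of the geometric size distribution, 1/(1-r) = 1 + beta/delta.
    It equals exactly 2 at the epidemic threshold beta == delta."""
    return 1.0 / (1.0 - branch_probability(beta, delta))

def above_epidemic_threshold(beta, delta):
    """The paper's criterion: a mean incident size above two means the organization
    would be above threshold if central response were removed."""
    return mean_incident_size(beta, delta) > 2.0

def expected_duration(n, beta, delta):
    """Mean duration of an incident of size n: the holding time in state k is
    exponential with rate (beta+delta)*k, so the total is H_n/(beta+delta),
    which grows only like (ln n + Euler's gamma)/(beta+delta) for large n."""
    return sum(1.0 / k for k in range(1, n + 1)) / (beta + delta)

def simulate_incident(beta, delta, rng):
    """Run one incident to extinction; return (final size, duration)."""
    n, t = 1, 0.0
    while True:
        t += rng.expovariate((beta + delta) * n)   # wait for the next event
        if rng.random() < branch_probability(beta, delta):
            n += 1                                  # birth: one more infected machine
        else:
            return n, t                             # death: detection and clean-up

def simulate_mean_size(beta, delta, trials=20000, seed=1):
    """Monte Carlo check of mean_incident_size using a seeded generator."""
    rng = random.Random(seed)
    return sum(simulate_incident(beta, delta, rng)[0] for _ in range(trials)) / trials

if __name__ == "__main__":
    for beta, delta in ((0.5, 1.0), (2.0, 1.0)):   # constructed rates, below/above threshold
        print(beta, delta, mean_incident_size(beta, delta),
              above_epidemic_threshold(beta, delta), simulate_mean_size(beta, delta))
```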
The rates
For several reasons, such an exercise might be difficult. Although data on the incident size distribution can be collected (see Section 4), data on incident durations are very difficult to obtain because it is hard to tell when an incident began. In addition, there are several idealizations in this particular model that may not reflect the real world.
In principle (if they can be measured), the various probability distributions derived in this section can be used as independent checks of the validity of the approximations made. For example,
in a population of individuals in which
Thus, a model based on the organizational perspective has the potential to help us measure important theoretical parameters, but attempts to do so now are probably premature. In the future, by incorporating topological and other effects into the theory and by finding ways of measuring either the average incident duration,
An additional point should be rescued from the morass of equations and emphasized very clearly here. Central reporting and response appears to be a powerfully effective policy. Even if an organization is intrinsically above the epidemic threshold, central reporting and response prevent the incident size from scaling with the number of machines in the organization. Not only do incidents remain small; their duration is finite (rather than infinite). As will be seen in the next section, our virus prevalence statistics also suggest that organizations should adopt this policy.