Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!cs.utexas.edu!usc!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@UVS1.orl.mmc.com (A. Padgett Peterson)
Newsgroups: comp.virus
Subject: "The Kinetics of Computer Virus Replication" by Dr. Peter Tippett
Message-ID: <0006.9005251302.AA06957@ubu.cert.sei.cmu.edu>
Date: 24 May 90 20:20:49 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1.BITNET>
Lines: 48
Approved: krvw@sei.cmu.edu


	Having had the opportunity to review this paper (22 pages), I
find it on one hand a very complex analysis, and on the other, an
overly simplistic approach to the situation.

	As some confusion concerning the definition of "virus" and "worm"
(a worm can certainly have a trigger event), and the speed of PCs
(a 12 Mhz machine is not a 12 MIPS machine) indicate, the paper
is based on a few flawed assumptions.

	The most basic is that of Assumption #4 "The replication and
infection ... is essentially a binary process" (page 3) and the basis
of Equation #1 "...(infected) computers have more or less equal chance(s)
of causing infection of another...". Since the extrapolated rate of
increase of infections leads from this assumption, I cannot accept the
rest of the math though he does make some valid points. The simple
fact is that NOT all computers are equally likely to infect others.
Certainly, my office unit is far less likely to infect another than
that at HOMEBASE should it become infected. (Of course mine is somewhat
more likely to become infected).

	I would suggest that at least three separate classes of
computers is required: Source nodes (manufacturers and software developers),
Transit nodes (bulletin boards, "open" educational and corporate PCs),
and End nodes (most home and corporate units). The first two classes,
while able to widely spread infections through networks and modem
connections, are in the minority: 10% or 5,000,000 PCs (WAG). End nodes,
while they may exhibit some binary characteristics, would do so within
a relatively small domain ( <100 PCs).

	Additionally, viral dynamics would have to consider at least two
stages: slow leaps between nodes via type 1 or type 2 systems, and rapid
spread within an end node (type 3) which may follow a binary
progression for a short time.

	Finally, once the characteristics are recognized, detection
time is reduced within nodes and most nodes, lead by type 1 and 2,
will develop some form of "immunity" to that strain. Thus the curve
most likely will have two "knees", one at discovery by the global-
expert community, and one at discovery by the local-user communities.

	Thus, while Dr. Tippett concludes that there will be an
explosive growth in virii (I like ii better), my feeling is that
while there probably will be growth, it will be containable, and
that appropriate levels of response will be dictated by the importance
and exposure of the systems.

		Padgett Peterson, Orlando, Florida, USA