By analyzing worm behavior, researchers discovered that certain characteristics of worms can be used to contain their spread.
Working as a team, Sarah H. Sellke, Ness B. Shroff, and Saurabh Bagchi analyzed the behavior of several worms and found that a key to containing them is to monitor scanning activity on the local network. It can be reasonably assumed that machines that perform too many scans too fast might be infected with some sort of worm. Such machines can then be quarantined until they've been thoroughly examined and cleared of any malware.
During simulations in a lab, the team discovered that by using the technique they could significantly slow the spread of worms--especially during the first hour of infection--and contain a worm within the originating network a large percentage of the time, depending on the type of worm and its method of conducting network scans.
"The difficulty was figuring out how many scans were too many," Shroff is quoted as saying in an Ohio State University news release. "How many could you allow before an infection would spread wildly? You want to make sure the number is small to contain the infection. But if you make it too small, you'll interfere with normal network traffic."
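The trade-off Shroff describes can be seen in a small detector. The following is an added example, not code from the research team: it counts how many previously uncontacted destinations each source reaches inside a sliding time window over constructed connection-log records, and flags a source once that count exceeds a threshold. Running it with a loose and a tight threshold shows a scanning host being caught quickly versus a normal client being flagged as well.

```python
from collections import defaultdict, deque

# Constructed connection-log records: (timestamp_seconds, source_ip, destination_ip).
# 10.0.0.9 behaves like a normal client: a few repeat destinations over a minute.
# 10.0.0.5 behaves like a scanning worm: 40 distinct destinations in 20 seconds.
NORMAL_DSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.1", "10.0.0.3", "10.0.0.2", "10.0.0.1"]
SAMPLE_LOG = (
    [(t, "10.0.0.9", d) for t, d in zip(range(0, 60, 10), NORMAL_DSTS)]
    + [(i * 0.5, "10.0.0.5", f"10.0.1.{i}") for i in range(1, 41)]
)


def detect_scanners(log, max_new_hosts, window_seconds):
    """Return {source_ip: time_flagged} for every source that contacts more than
    max_new_hosts distinct, not-yet-seen destinations within any window_seconds span.
    Repeat contacts to a known destination are not counted as scanning."""
    flagged = {}
    seen = defaultdict(set)      # destinations each source has ever contacted
    recent = defaultdict(deque)  # timestamps of first contacts still inside the window
    for ts, src, dst in sorted(log):
        if src in flagged:
            continue             # already quarantined; later traffic is irrelevant
        if dst in seen[src]:
            continue             # repeat contact, so not new scanning activity
        seen[src].add(dst)
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > window_seconds:
            window.popleft()     # slide the window forward
        if len(window) > max_new_hosts:
            flagged[src] = ts
    return flagged


def threshold_sweep(log, window_seconds, thresholds):
    """Evaluate several thresholds so the containment/false-positive trade-off is visible."""
    return {thr: detect_scanners(log, thr, window_seconds) for thr in thresholds}


if __name__ == "__main__":
    # A loose threshold still catches the scanner within seconds and leaves the client alone;
    # a very tight one catches the scanner sooner but also quarantines the normal client.
    for thr, result in threshold_sweep(SAMPLE_LOG, 60.0, [10, 2]).items():
        print(f"max_new_hosts={thr}: flagged {result}")
```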
The team published details of their research in the April-June issue of IEEE Transactions on Dependable and Secure Computing.