3.5. Scope and Achievements of Epidemics

The brief presentation above of some of the most popular epidemic models for malware propagation, together with some miscellaneous malware modeling approaches, allows us to observe and document characteristic facts and emerging trends that cumulatively describe traditional malware modeling. We summarize these general trends in the following and note that in most cases such facets of traditional malware diffusion modeling, especially epidemics, have motivated the more advanced approaches presented in the subsequent sections of this book.
Strictly speaking, worm propagation is a discrete event process. The process evolves according to the specific events that take place, each of which marks a broader system state transition. For instance, the infection of a specific susceptible node causes a +1/-1 variation in the sizes of the infected/susceptible groups, respectively. However, the epidemic models presented above, and all those based on them, which is the majority of models, treat worm propagation as a continuous process and describe it with the continuous differential equation models provided earlier [130]. Such an approximation is accurate for large-scale systems and is widely used in epidemic modeling [58,74], fluid modeling of Internet traffic [159], etc. Internet worm propagation is inherently a large-scale problem, since it takes place in the global Internet, so the presented models are justified in using continuous differential equations for modeling purposes.
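The following is an added example, not code from the book, that makes the discrete-versus-continuous point concrete. It simulates the simple epidemic event by event (each infection event moves exactly one node from the susceptible to the infected group) and compares the average of many such runs with the closed-form solution of the standard continuous simple epidemic model dI/dt = beta*I*(N - I). The model form, the parameter values and the 1% initial seed are assumptions chosen for illustration; the book's own equations for this model appear in the earlier sections it refers to.

```python
"""Discrete-event simple epidemic vs. its continuous (fluid) approximation.

Added example, not from the book. Assumed model: the standard SI form
dI/dt = beta*I*(N - I). All parameter values below are illustrative.
"""
import math
import random


def si_continuous(n, beta, i0, t):
    """Closed-form solution of the fluid model dI/dt = beta*I*(N - I), I(0) = i0."""
    return n * i0 / (i0 + (n - i0) * math.exp(-beta * n * t))


def si_discrete_event(n, beta, i0, t_end, seed=0):
    """Event-by-event (Gillespie) simulation of the same epidemic up to t_end.

    With I infected and N - I susceptible nodes, the next infection occurs after
    an exponential waiting time with rate beta*I*(N - I); each event moves exactly
    one node from the susceptible to the infected group (+1/-1).
    Returns [(event_time, infected_count), ...] starting with (0.0, i0).
    """
    rng = random.Random(seed)
    t, infected = 0.0, i0
    trajectory = [(t, infected)]
    while infected < n:
        t += rng.expovariate(beta * infected * (n - infected))
        if t > t_end:
            break
        infected += 1
        trajectory.append((t, infected))
    return trajectory


def relative_gap(n, beta, i0, t, runs=200, seed=0):
    """|mean discrete-event count - fluid prediction| / fluid prediction at time t."""
    total = 0
    for k in range(runs):
        total += si_discrete_event(n, beta, i0, t, seed + k)[-1][1]
    fluid = si_continuous(n, beta, i0, t)
    return abs(total / runs - fluid) / fluid


def gap_by_size(sizes=(50, 500, 5000), runs=200):
    """Relative gap at the fluid model's half-infection time, for several N.

    beta is scaled as 1/N so that beta*N = 1 and the epidemic unfolds on the
    same time scale at every size; the initial seed is 1% of the population
    (at least one node), so the fluid limit applies (see the usage note).
    """
    gaps = {}
    for n in sizes:
        beta, i0 = 1.0 / n, max(1, n // 100)
        t_half = math.log((n - i0) / i0) / (beta * n)   # I(t_half) = N/2 in the fluid model
        gaps[n] = relative_gap(n, beta, i0, t_half, runs)
    return gaps


if __name__ == "__main__":
    for n, gap in gap_by_size().items():
        print(f"N={n:5d}  relative gap of the fluid model at t_half: {gap:.3f}")
```

Running the script shows the gap shrinking as N grows, which is the justification for the continuous approximation in large-scale systems. The caveat a practitioner should keep in mind is the initial seed: the example starts with 1% of the nodes infected because, with a single initial node, the early phase is a branching process whose random delay does not vanish as N grows, so the fluid model describes the bulk of a large-scale spread well but not the moment at which a particular outbreak takes off.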
Most of the earliest malware modeling approaches presented above have been based on epidemic models, and the designed models have been confirmed several times through numerical validation and observed data [130]. In fact, one of the emerging facts is that the epidemic models evolved (from the simple epidemic to the general epidemic, the dynamic quarantine, and the two-factor models) according to real data collected from actual attacks. Utilizing these observations, it was possible to extend the earlier differential equations to model more complex dynamics of malware spreading. Thus, all these models are very accurate for the specific attacks they were designed for. Unfortunately, this has two consequences. The first is that a specific model cannot be applied cumulatively to all observed attacks, but only to the specific one it was developed for. The second is that these models cannot guarantee accuracy for new attacks, not even for variations of known ones. Emergent threats can be considerably modified, rendering the already established epidemic models outdated (to the point where no parameter adjustment can remove the discrepancy). Both consequences reduce the broader value of epidemic models in the field of malware diffusion and their impact on further driving the evolution of the corresponding research.
On the other hand, these models proved invaluable at the early stages of malware modeling, when the first Internet-connected networks emerged and, shortly after, the first malware threats were introduced. Their simplicity aided in understanding the behavior of these threats and in designing the first countermeasures, which were later used in more advanced defense systems. In fact, if the time dependence is discarded for a moment, the epidemic process of a single threat resembles a random walk [183] on a line, visiting nodes sequentially, and multiple diffusing threats resemble multiple concurrent random walks. As will become evident in the subsequent sections, epidemic models have formed a solid basis for more advanced malware diffusion models.
In summary, the earlier and even some of the latest epidemic techniques have the disadvantage of not being able to model the behavior of generic malware attacks, but only special cases of them, in the sense that models developed for specific attacks, e.g. CodeRed worm propagation, are not capable of modeling the behavior and dynamics of an arbitrary worm or other computer virus. Nevertheless, significant targeted results have been obtained; they were initially used to design the first countermeasures and also enabled assessing the severity and status of malware attacks. These approaches have constituted a solid basis for more advanced studies and for developing more intelligent and accurate methodologies for malware diffusion modeling, e.g. the study of periodicity and stability [100].
Some of the interesting open problems in epidemiology with potential applications in malware diffusion modeling and analysis for complex communication and computer networks include the following:
• As with many real viruses, diffusion might happen over diverse populations. Thus, new epidemic models must consider heterogeneous populations, divided into subpopulations or groups according to the similarities of the corresponding users, and extend the aforementioned models accordingly in order to obtain accurate descriptions of such populations.
• Another issue to consider is proportionate mixing with multiple interacting groups of nodes/users. This refers to the case where the mixing (interactions) between nodes/groups of nodes is not uniformly homogeneous, but each group receives a share of the contacts that depends on the size and activity of the interacting groups. In this case, the basic reproduction number equals the contact number, namely the weighted average of the contact numbers of the individual groups.
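The two open problems above (heterogeneous groups and proportionate mixing) can be illustrated with one added example, not from the book. It builds the next-generation matrix of a multi-group model in which group-i nodes make a_i effective infectious contacts per unit time and are cleaned (recover) at rate gamma_i, with a mixing matrix M[i][j] giving the fraction of a group-i node's contacts made with group j. The basic reproduction number is the spectral radius of that matrix. Under proportionate mixing, where M[i][j] = a_j N_j / sum_k a_k N_k for every i, the code checks that this spectral radius equals the activity-weighted average of the group contact numbers sigma_j = a_j / gamma_j, the statement made in the second bullet, and compares it with the value obtained by ignoring heterogeneity altogether. The model form (an SIR-type multi-group model in the style of Hethcote's review), the three node groups and all parameter values are assumptions constructed for illustration.

```python
"""Basic reproduction number for a heterogeneous population of node groups.

Added example, not from the book. Assumed multi-group model: group-i nodes
make ACTIVITY[i] effective infectious contacts per unit time, recover at rate
RECOVERY[i], and split their contacts across groups according to a row-
stochastic mixing matrix. All parameter values are constructed for illustration.
"""


def next_generation_matrix(pop, activity, recovery, mixing):
    """K[i][j]: expected new group-i infections caused by one group-j infective
    over its whole infectious period, evaluated at the malware-free state
    (all N_i nodes of group i susceptible)."""
    n = len(pop)
    return [[activity[i] * mixing[i][j] * pop[i] / (recovery[j] * pop[j])
             for j in range(n)] for i in range(n)]


def proportionate_mixing(pop, activity):
    """M[i][j] = a_j N_j / sum_k a_k N_k: every group distributes its contacts
    in proportion to each group's total contact activity, not its head count."""
    total = sum(a * n for a, n in zip(activity, pop))
    row = [a * n / total for a, n in zip(activity, pop)]
    return [list(row) for _ in pop]


def spectral_radius(matrix, iterations=1000, tol=1e-12):
    """Dominant eigenvalue of a non-negative matrix by power iteration
    (Perron root; converges for the positive matrices used here)."""
    n = len(matrix)
    vec = [1.0 / n] * n
    value = 0.0
    for _ in range(iterations):
        new = [sum(matrix[i][j] * vec[j] for j in range(n)) for i in range(n)]
        new_value = sum(new)          # L1 norm; entries stay non-negative
        if new_value == 0.0:
            return 0.0
        vec = [x / new_value for x in new]
        if abs(new_value - value) < tol:
            break
        value = new_value
    return new_value


def r0(pop, activity, recovery, mixing):
    """Basic reproduction number R0 = spectral radius of the next-generation matrix."""
    return spectral_radius(next_generation_matrix(pop, activity, recovery, mixing))


def r0_proportionate_closed_form(pop, activity, recovery):
    """Weighted average of the group contact numbers sigma_j = a_j / gamma_j with
    weights rho_j = a_j N_j / sum_k a_k N_k (each group's share of all contacts)."""
    total = sum(a * n for a, n in zip(activity, pop))
    return sum((a * n / total) * (a / g) for a, n, g in zip(activity, pop, recovery))


def r0_homogeneous_approximation(pop, activity, recovery):
    """What one gets by ignoring heterogeneity: population-average activity
    divided by population-average recovery rate."""
    total_pop = sum(pop)
    mean_a = sum(a * n for a, n in zip(activity, pop)) / total_pop
    mean_g = sum(g * n for g, n in zip(recovery, pop)) / total_pop
    return mean_a / mean_g


# Constructed illustrative population: three groups of nodes (hypothetical values).
POP = [20, 300, 180]          # servers, workstations, laptops (node counts)
ACTIVITY = [8.0, 2.0, 3.0]    # effective infectious contacts per node per day
RECOVERY = [1.0, 0.5, 0.25]   # cleanup/patch rate per day (laptops slowest)

if __name__ == "__main__":
    prop = proportionate_mixing(POP, ACTIVITY)
    print(f"R0, proportionate mixing (spectral radius):  {r0(POP, ACTIVITY, RECOVERY, prop):.4f}")
    print(f"R0, proportionate mixing (weighted average): {r0_proportionate_closed_form(POP, ACTIVITY, RECOVERY):.4f}")
    print(f"R0, homogeneous approximation:               {r0_homogeneous_approximation(POP, ACTIVITY, RECOVERY):.4f}")
    # Assortative mixing: 80% of contacts stay within the group, the rest proportionate.
    assort = [[0.8 * (i == j) + 0.2 * prop[i][j] for j in range(3)] for i in range(3)]
    print(f"R0, assortative mixing:                      {r0(POP, ACTIVITY, RECOVERY, assort):.4f}")
```

With the constructed values the two proportionate-mixing computations agree (R0 = 10160/1300, about 7.82), while the homogeneous approximation gives about 6.05: because the weights rho_j favor the most active groups, heterogeneity in contact activity raises R0 above what population averages suggest, and a defense sized on the homogeneous estimate would be undersized. The assortative variant shows that once mixing is no longer proportionate the closed-form average no longer applies and the spectral radius of the full next-generation matrix has to be computed.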
Some of these open problems are tackled in the main part of the book, while others are not. The latter are discussed in more detail in Chapter 10 (Part 3), where potential approaches to tackling them are identified.

1 The term cyber-attacks is often used to characterize computer viruses. In this book we use it in the same sense as malware.

2 Epidemiology is the science that studies the patterns, causes, and effects of health and disease conditions in various populations [87].
