A method and apparatus for optimizing the protection of computer networks. The protection uses attenuated (weakened) strains of live, replicating malicious code such as viruses and worms, analogous to the development of live, attenuated human vaccines in medicine. In a preferred embodiment this is achieved by (1) attenuating a malicious program, e.g., a virus, a worm, or an exploit of a software vulnerability, by limiting its virulence, i.e., its damage and resource usage; (2) modifying the virus so that it confers immunity on the network it infects, e.g., by automatically patching the vulnerability or by marking the infected host as immune to further infection; (3) releasing the attenuated virus into the network; (4) tracking the attenuated virus and its success rate (e.g., the rate and the ratio of successfully patched to unpatched vulnerable hosts); and (5) limiting the spread of the virus vaccine, e.g., by emergency termination, a timeout after which it dies, a “white list” of hosts it must not touch, limitation by network IP address, restricted IP ranges, or a variable address-selection algorithm.
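The abstract's steps (4) and (5) are the parts a practitioner would want to see spelled out: how the vaccine's spread is gated and how its patched/unpatched ratio is tracked. The following is an added simulation of exactly those containment and tracking controls, not code from the patent or any implementation of it. It contains no propagation or exploit logic; "infection" and "patching" are modelled as set membership. The class and function names (`SpreadPolicy`, `Tracker`, `propagate`, `run_demo`), the addresses and the vulnerable/immune host sets are all constructed for illustration.

```python
"""Simulated containment controls for an attenuated "vaccine" program:
emergency termination (kill switch), timeout-to-die, a whitelist of hosts
not to touch, restricted IP ranges, an attempt cap, a seeded (variable)
target-selection order, and a tracker of patched vs. unpatched hosts.
Added example: every name, address and outcome here is hypothetical."""
import ipaddress
import random
from dataclasses import dataclass, field


@dataclass
class SpreadPolicy:
    allowed_ranges: list[str]      # CIDR ranges the vaccine may touch
    whitelist: set[str]            # hosts it must never touch (e.g. the gateway)
    die_at: float                  # simulated time after which it stops
    max_attempts: int              # hard cap on propagation attempts per round
    kill_switch: bool = False      # emergency termination flag

    def permits(self, target: str, now: float, attempts: int) -> tuple[bool, str]:
        """Return (allowed, reason); global stop conditions are checked first."""
        if self.kill_switch:
            return False, "killed"
        if now >= self.die_at:
            return False, "expired"
        if attempts >= self.max_attempts:
            return False, "attempt_cap"
        if target in self.whitelist:
            return False, "whitelisted"
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            return False, "invalid_address"
        if not any(addr in ipaddress.ip_network(r) for r in self.allowed_ranges):
            return False, "out_of_range"
        return True, "ok"


@dataclass
class Tracker:
    patched: set[str] = field(default_factory=set)
    unpatched: set[str] = field(default_factory=set)   # vulnerable, never reached
    skipped: dict[str, int] = field(default_factory=dict)

    def skip(self, reason: str) -> None:
        self.skipped[reason] = self.skipped.get(reason, 0) + 1

    def success_ratio(self) -> float:
        """Ratio of patched to all vulnerable hosts (patched + unpatched)."""
        total = len(self.patched) + len(self.unpatched)
        return len(self.patched) / total if total else 0.0


def propagate(candidates, vulnerable, immune, policy, tracker, clock, seed=7):
    """One propagation round. `vulnerable` is the set of hosts the attenuated
    code would infect; `immune` is the marker set of hosts already patched
    (the immunity the vaccine confers); `clock` returns simulated time."""
    rng = random.Random(seed)          # variable address selection: seeded shuffle
    order = list(candidates)
    rng.shuffle(order)
    attempts = 0
    for target in order:
        ok, reason = policy.permits(target, clock(), attempts)
        if not ok:
            tracker.skip(reason)
            if reason in ("killed", "expired", "attempt_cap"):
                break                  # global stop conditions end the round
            continue                   # per-host exclusions just skip this host
        attempts += 1
        if target in immune:
            tracker.skip("already_immune")
        elif target in vulnerable:
            immune.add(target)         # "patch" the host and mark it immune
            tracker.patched.add(target)
        else:
            tracker.skip("not_vulnerable")
    # Every vulnerable host that still lacks the immunity marker is unpatched.
    for host in vulnerable:
        if host not in immune:
            tracker.unpatched.add(host)
    return tracker


def run_demo(kill_switch: bool = False) -> Tracker:
    """Constructed scenario: a /24 in scope, one out-of-range subnet, the
    gateway whitelisted, five vulnerable hosts, one already immune."""
    policy = SpreadPolicy(allowed_ranges=["10.0.0.0/24"], whitelist={"10.0.0.1"},
                          die_at=100.0, max_attempts=50, kill_switch=kill_switch)
    candidates = [f"10.0.0.{i}" for i in range(1, 11)] + ["10.0.1.5", "192.168.1.9"]
    vulnerable = {"10.0.0.1", "10.0.0.3", "10.0.0.4", "10.0.0.7", "10.0.1.5"}
    immune = {"10.0.0.4"}
    return propagate(candidates, vulnerable, immune, policy, Tracker(), clock=lambda: 0.0)


if __name__ == "__main__":
    t = run_demo()
    print(f"patched={sorted(t.patched)} unpatched={sorted(t.unpatched)} "
          f"ratio={t.success_ratio():.2f} skipped={t.skipped}")
```

In the constructed run only 10.0.0.3 and 10.0.0.7 get patched: 10.0.0.1 is vulnerable but whitelisted, 10.0.1.5 is vulnerable but outside the permitted range, and 10.0.0.4 already carries the immunity marker, so the tracked ratio is 2 of 4 vulnerable hosts. Note that the whitelisted and out-of-range hosts still count as unpatched, which is what the operator needs to see: the containment controls, not the vaccine's reach, explain the gap. With `kill_switch=True` the round ends at the first target with nothing patched.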