To understand the problem,
it helps to review the history
of intrusion detection. The field is generally considered
to have started in 1987 with a paper by Dorothy E. Denning,
a computer scientist then at SRI International, Menlo Park,
Calif. In "An Intrusion-Detection Model," published in "IEEE
Transactions on Software Engineering", she described how
to model the statistical characteristics of a system operating
normally so that deviations from the model could be taken
as evidence that intruders were present.
Intrusion-detection systems attempt to detect things that are "wrong" in a computer
network or system. Because legitimate and illegitimate activities
often look alike, the diagnosis depends heavily on the context.
For instance, a single Web request sent to a computer may
be innocuous. If the same request, however, is sent to a large
number of computers across the planet, it may be part of reconnaissance
performed to find potential attack targets.
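To make the context point concrete, here is a small detector, added as an example and not code from the original article, that reads constructed web-request log lines (a made-up format: time, source address, destination address, request line) and flags a source that sends the identical request to many distinct hosts. The request text is never judged on its own; only its fan-out across hosts is. The five-host threshold, the addresses and the request paths are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article). One line per HTTP
# request seen at a network sensor:
#   <time> <source-ip> -> <destination-ip> "<request-line>"
SAMPLE_LOG = """\
12:00:01 203.0.113.5 -> 198.51.100.10 "GET /index.html HTTP/1.1"
12:00:02 203.0.113.5 -> 198.51.100.10 "GET /about.html HTTP/1.1"
12:00:03 203.0.113.5 -> 198.51.100.11 "GET /index.html HTTP/1.1"
12:00:04 198.51.100.77 -> 192.0.2.1 "GET /admin/ HTTP/1.0"
12:00:04 198.51.100.77 -> 192.0.2.2 "GET /admin/ HTTP/1.0"
12:00:05 198.51.100.77 -> 192.0.2.3 "GET /admin/ HTTP/1.0"
12:00:05 198.51.100.77 -> 192.0.2.4 "GET /admin/ HTTP/1.0"
12:00:06 198.51.100.77 -> 192.0.2.5 "GET /admin/ HTTP/1.0"
12:00:06 198.51.100.77 -> 192.0.2.6 "GET /admin/ HTTP/1.0"
12:00:07 198.51.100.77 -> 192.0.2.7 "GET /admin/ HTTP/1.0"
12:00:07 198.51.100.77 -> 192.0.2.8 "GET /admin/ HTTP/1.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) -> (\S+) "([^"]*)"$')


def parse(log_text):
    """Yield (time, src, dst, request) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def fanout(log_text):
    """Map (src, request) -> set of distinct destinations that received it."""
    targets = defaultdict(set)
    for _, src, dst, req in parse(log_text):
        targets[(src, req)].add(dst)
    return targets


def find_recon(log_text, min_targets=5):
    """Return {src: (request, n_targets)} for sources that sent the same
    request to at least min_targets distinct hosts. A single copy of the
    request is innocuous; the same request sprayed across many hosts is
    the reconnaissance signal."""
    hits = {}
    for (src, req), dsts in fanout(log_text).items():
        if len(dsts) >= min_targets:
            prev = hits.get(src)
            if prev is None or len(dsts) > prev[1]:
                hits[src] = (req, len(dsts))
    return hits


if __name__ == "__main__":
    for src, (req, n) in find_recon(SAMPLE_LOG).items():
        print(f"possible reconnaissance: {src} sent {req!r} to {n} hosts")
```

On the constructed log, 203.0.113.5 browses two hosts and is ignored, while 198.51.100.77 sends the same request to eight hosts and is flagged. A real sensor would add a time window and a per-source rate, but the principle is the one in the text: the same bytes mean different things in different contexts.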
The problem of noticing when things are amiss is compounded by the need
to operate in an adversarial environment. Attackers pride
themselves on foreseeing the responses of common detection
systems and taking pains to sidestep or even exploit them.
Computer systems face a variety of threats—not only from worms
but also from viruses and other forms of attack. Each of these
threats is best detected by a different method.
A virus, for example, is a program that embeds itself within another
program. It executes when that program executes, typically
causing some mischief, like deleting data, altering a display,
or scrolling a message across the screen. Just as biological viruses
need a host cell to reproduce, computer viruses need a host program.
They cannot spread from one computer to another on their own; usually,
they get into a computer when an unwary user runs an infected
program, often by opening an infected e-mail attachment. Because
infecting a program means modifying the file that holds it, viruses
can often be detected by comparing the files stored on the machine
against a known-good record of what they used to contain.
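The file-change approach is a simple integrity check: record a cryptographic hash of every file while the machine is known to be clean, then hash again later and report what differs. The following is an added example, not the article's own code or any particular product's; it builds a throwaway directory with constructed files, takes a baseline, simulates a virus appending itself to a host program, and reports the added, removed and modified files. SHA-256 and the sample file names are assumptions.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Classify the differences between two hash_tree() snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo():
    """Constructed scenario: baseline a small tree, then change it the way a
    file-infecting virus would, and return the integrity report."""
    with tempfile.TemporaryDirectory() as root:
        prog = os.path.join(root, "bin", "editor.exe")
        os.makedirs(os.path.dirname(prog))
        with open(prog, "wb") as f:
            f.write(b"\x4d\x5a original program bytes")   # constructed host program
        with open(os.path.join(root, "README.txt"), "w") as f:
            f.write("docs\n")
        baseline = hash_tree(root)

        # The infection: the host program grows by an appended body, a new
        # file appears, and (unrelated) the user deleted README.txt.
        with open(prog, "ab") as f:
            f.write(b"\n;; constructed virus body, not real malware ;;")
        with open(os.path.join(root, "bin", "dropper.tmp"), "wb") as f:
            f.write(b"payload")
        os.remove(os.path.join(root, "README.txt"))

        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The check only works if the baseline itself is trustworthy and stored where the virus cannot rewrite it; a baseline kept on the same disk, writable by the same user, can be updated by the infection it is meant to catch.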
Worms, unlike viruses, are specifically designed to propagate through
a network, usually the Internet, replicating themselves at
each machine before jumping to new ones. No human action is
needed for a worm to get from one computer to another. In
many cases, the frenetic scanning and communication the worm
generates is itself the harm: a worm like Sapphire (also known as
SQL Slammer) creates so much network traffic so quickly that it
overwhelms routers and other network nodes, in what amounts to
a denial-of-service attack.
Thus, while viruses are an enormous problem, it is worms that generally
get the most intense media coverage, because their outbreaks
can affect many millions of people at the same time and cause
significant economic havoc as well. There are straightforward
ways of detecting a worm attack—a flooded network is
a pretty good initial indicator—but, as recent experience
has shown, many of the defensive measures don't function fast enough
to contain the spread of an effectively written worm.