Penn State researchers hinder worm propagation

The algorithm is designed to protect networks against worms that scan for hosts locally within networks or subnets, according to Yoon-Ho Choi, a postdoctoral fellow in information sciences and technology at Penn State University.

Worms will often spread quickly inside an organization by scanning ports to find machines that they can infect. This enables them to infect large numbers of machines in a short space of time, especially when those machines are clustered together. The more reachable machines there are on the network, the bigger the potential infection base and the broader the scope of the attack.

The algorithm developed by Choi and his team works by assessing the number of computers on a network and then setting a threshold for the average number of scans necessary to infect a host. It then monitors the number of port scans on the network to see if they exceed the threshold. If that happens, it quarantines the worm and then segments the network into a number of much smaller networks, thus limiting the spread of a worm.
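A sketch of the threshold-then-segment idea described above, added here as an illustration and not the Penn State team's algorithm. It assumes a uniformly random scanner, so the expected number of probes needed to reach one live host is the address space divided by the live host count; the function names, subnet and connection events are constructed.

```python
import ipaddress
from collections import defaultdict

def scan_threshold(subnet, live_hosts):
    """Expected probes before a uniform random scanner hits one live host
    (mean of a geometric distribution with p = live_hosts / addresses).
    Assumption of this example, not a formula taken from the article."""
    return subnet.num_addresses / live_hosts

def find_scanners(events, threshold):
    """events: iterable of (src, dst, port) connection attempts.
    Returns sources whose count of distinct targets exceeds the threshold."""
    targets = defaultdict(set)
    for src, dst, port in events:
        targets[src].add((dst, port))
    return sorted(s for s, seen in targets.items() if len(seen) > threshold)

def containment_plan(subnet, scanners, new_prefix):
    """Quarantine flagged sources and split the subnet into smaller segments,
    so a source that is missed can reach fewer hosts."""
    if not scanners:
        return {"quarantine": [], "segments": [str(subnet)]}
    segments = [str(s) for s in subnet.subnets(new_prefix=new_prefix)]
    return {"quarantine": scanners, "segments": segments}

# Constructed sample data: a /24 with 32 live hosts gives a threshold of 8.
SUBNET = ipaddress.ip_network("10.0.0.0/24")
LIVE_HOSTS = 32
EVENTS = (
    # Ordinary client talking to three servers.
    [("10.0.0.5", f"10.0.0.{d}", 8080) for d in (10, 11, 12)]
    # Busy but legitimate host: exactly 8 distinct targets, not over threshold.
    + [("10.0.0.9", f"10.0.0.{d}", 8080) for d in range(100, 108)]
    # Scanning host sweeping 20 addresses on one port.
    + [("10.0.0.77", f"10.0.0.{d}", 8080) for d in range(1, 21)]
)

if __name__ == "__main__":
    limit = scan_threshold(SUBNET, LIVE_HOSTS)
    flagged = find_scanners(EVENTS, limit)
    print("threshold:", limit)
    print(containment_plan(SUBNET, flagged, new_prefix=26))
```
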

The algorithm is designed to dramatically slow the spread of network worms, which in the past have relied heavily on port scans to find their victims. Although fewer network worms have spread in this way in recent years, some still emerge occasionally. The most notable example of a network worm in recent times is Conficker, which spread using a vulnerability in the SSL service, accessible via port 443. However, subsequent versions of that worm also spread using removable media such as USB keys.
