I will expand on this at a later date, however the possibility of _not_ just using QOS as a marking and dropping mechanism for malicious packets, but using it as a fingerprint and trust mechanism for hosts is appealing.
By using a specific subset of DSCP values, marked by a 'trusted' host's binary, a QOS fingerprint of perhaps a few DSCP values may be used by a network to permit packets to traverse the network. Each organisations network would have a different DSCP fingerprint making it even harder for malicious binaries to arbitrarily spread using standard packets.
The concept of trust may need to be addressed via some form of NAC ( Network Admission Control ) and this becomes tightly coupled with the concept of a well developed and understood SOE ( Standard Operating Environment ).
Having a 'Scavenger' class at your disposal is handy from a QOS perspective also as it allows you to protect the 'Control Plane' of the network from DSCP values you are unsure of also.
So you either explicitly drop anything not in your DSCP fingerprint, or place in a 'Scavenger' class that cannot harm your network, albeit it could be a malicious packet that exploits your next host!
Maybe even cycle the markings in a sequential manner e.g. a rotating key based system....