Using Analytics and Modeling to Predict Attacks

Tuesday, August 24, 2010

Fred Williams


Business intelligence and analytics are a hot topic, and for good reason. In today's economic climate, any cost savings a company can eke out is a win. By taking a closer look at data it already has, a company can use analytics to make better-informed decisions that are both optimal and realistic.

My question is: can analytics and predictive modeling be used to sniff out potential computer attacks better than what's out there right now?

When you think about security, antivirus-style traffic analysis and any other 'signature'-based technology is reactive by nature. The threats it catches have already occurred and are already known to the world; a vendor has put out a protective layer against a known entity, and anything not yet in the signature set passes through.

Anomaly-based systems differ from signature-based systems in that they first learn what 'normal' traffic on the network looks like (a baseline) and then alert when something is observed that falls outside that norm. They try to stay on top of the unknown, at the cost of false positives whenever normal simply changes.
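The baseline-then-deviate idea above is easy to see in code. The following is an added illustration, not code from the original post: it learns a per-minute request-rate baseline from web-server access logs and alerts on minutes whose volume exceeds mean plus three standard deviations (a plain z-score rule), naming the top talker so an analyst has somewhere to start. The log lines are synthetic and constructed inline; the IP addresses, timestamps and the choice of k = 3 are assumptions for the example.

```python
"""Toy anomaly-based detector over web-server access logs.

Added illustration for this post, not the author's code. Learns a
requests-per-minute baseline from a 'known good' window and alerts on
minutes that deviate from it.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "common" log format; we only need client IP, timestamp and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (minute_bucket, ip, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).replace(second=0)
    return ts, m.group("ip"), int(m.group("status"))


def requests_per_minute(lines):
    """Bucket parsed lines by minute: {minute: Counter(ip -> request count)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            minute, ip, _status = parsed
            buckets[minute][ip] += 1
    return buckets


def learn_baseline(lines, k=3.0):
    """Mean and population std-dev of requests/minute over the training window.
    The alert threshold is mean + k * stdev (a simple z-score rule)."""
    counts = [sum(c.values()) for c in requests_per_minute(lines).values()]
    mean = statistics.mean(counts)
    stdev = statistics.pstdev(counts)
    return {"mean": mean, "stdev": stdev, "threshold": mean + k * stdev}


def detect(lines, baseline):
    """Alert on minutes whose total volume exceeds the learned threshold,
    reporting the dominant source IP and its share of that minute's traffic."""
    alerts = []
    for minute, per_ip in sorted(requests_per_minute(lines).items()):
        total = sum(per_ip.values())
        if total > baseline["threshold"]:
            top_ip, top_n = per_ip.most_common(1)[0]
            alerts.append({
                "minute": minute.strftime("%H:%M"),
                "requests": total,
                "top_ip": top_ip,
                "top_ip_share": round(top_n / total, 2),
            })
    return alerts


# --- constructed sample data (synthetic; not a real server's logs) ---
START = datetime.strptime("24/Aug/2010:09:00:00 +0000", TS_FMT)
NORMAL_IPS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]  # assumed 'normal' clients


def synth_lines(minute_counts, ip_pool=NORMAL_IPS, start=START):
    """Emit minute_counts[i] log lines for minute i, rotating over ip_pool.
    Each minute's requests get distinct second values (counts must be < 60)."""
    lines = []
    for i, n in enumerate(minute_counts):
        for j in range(n):
            ts = (start + timedelta(minutes=i, seconds=j)).strftime(TS_FMT)
            ip = ip_pool[j % len(ip_pool)]
            lines.append(f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 512')
    return lines


# Ten quiet minutes of training data: mean 5.3 req/min, stdev 0.9, threshold 8.0.
BASELINE_LINES = synth_lines([5, 6, 4, 5, 7, 5, 6, 4, 5, 6])
# Four minutes to score: normal traffic plus a 38-request burst from one
# outside address (203.0.113.7 is a documentation-range IP) in minute 3.
TEST_LINES = synth_lines([5, 6, 5, 5]) + synth_lines([0, 0, 38, 0], ip_pool=["203.0.113.7"])

BASELINE = learn_baseline(BASELINE_LINES)
ALERTS = detect(TEST_LINES, BASELINE)

if __name__ == "__main__":
    print("baseline:", BASELINE)
    for a in ALERTS:
        print("ALERT", a)
```

Two caveats a practitioner would add: if the training window already contains attack traffic, that traffic becomes part of 'normal' and the detector learns to ignore it; and a threshold on volume alone will never see a low-and-slow scan that stays under it, so real deployments track several features per source (error ratio, distinct URLs, user-agent churn) rather than one count.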

In a predictively modeled system, the idea is that every facet of analytics comes into play to anticipate the next attack: data mining and text analytics scrub structured and unstructured data to ferret out trends, and models are built on top of that by statistical analysis. The data can come in any form: social media, server logs, database entries, calendar events.

For example, how could knowledge of a non-work day in China factor into a potential attack? Off-days and the late nights before a holiday are a convenient time to mobilize a large number of people online. Would that be the right time for a system administrator to make sure all signatures are up to date? Maybe.

In analytics, your range of capabilities starts with reactive questions such as "what happened?" and "what exactly is the problem?". The competitive advantage comes when you reach into the proactive realm with questions such as "what if these trends continue?" and "what will happen next?".

My research paper for my last semester of graduate school is trying to answer these questions and to propose the kinds of predictive models that could help uncover the next big computer attack.

Fred Williams Leading news story today: "Web app and other security threats skyrocket, IBM report says..." "Threat dynamics continue to multiply and evolve at a furious pace, making it more crucial than ever to look at unfolding trends so we can better prepare our clients for the future," said Steve Robinson, general manager of IBM Security Solutions.

It is obvious that our defenses are not working, especially against web-app-related attacks.

Analytics could assist in this effort by text mining server and app logs and uncovering trends in traffic spikes and other malicious acts.

I have read discussions on this site about improved logging. I would agree that more developer training in logging could go a long way in providing the unstructured data that a predictive model would need.
Anton Chuvakin >can analytics and predictive modeling be
>used to sniff out potential computer
>attacks better that what's out there
>right now?

Well, it is a high-level question so I'd guess we probably can. The devil is in the details though - we still have not figured out how :-(
Fred Williams Yes, very high level. I'm in the process of narrowing the scope down and hope to post more information later.

The main point of my paper will try to: "Use analytics methods against organizational data sources and extract metrics on how computer attacks and threats affect the company." Goal: develop and test hypotheses:

1) Do companies in certain fields experience more attacks than others?

2) Does company size correlate to volume and frequency of attacks?

3) Is there any correlation to recent media reports and increases in attacks?

4) Is there any correlation between certain times of the year (events, holidays) and the volume of attacks?

5) Is there any correlation between the profitability of a company and its volume of attacks?

6) Is there any correlation between the nature of an attack (stealing or curiosity) and the company?