Researchers developing cyber-attack predictive model

News by Steve Gold

Removing the uncertainty from cyber attack risk calculations

Researchers at the University of Michigan are developing a statistical model that uses a complex set of calculations to predict the likelihood of when a cyber attack is likely to be launched against a given organisation.

Researchers Robert Axelrod and Rumen Illiev have published a white paper –entitled ‘Timing of Cyber Conflict' – on the matter, which details that there are four main variables to define the risk of a cyber attack taking place at any given time.

These include the specific vulnerability being exploited; the overall stealth level of the attack vector - and its potential for re-use; the risk of the attack methodology being spotted and remediated; and the threshold (point) at which the attacker will gain more than they will lose.

These parameters will be familiar to anyone involved with major war or battle strategies, especially the final one, which is integral to the calculation of DEFCON, the readiness state for warfare of the US Armed Forces.

According to the researcher's paper, the exploitation of vulnerabilities in computer systems is already in active use by espionage and sabotage practitioners and - in the near future - "cyber conflict will likely allow international sanctions to be more precisely targeted than economic sanctions alone.”

The white paper concludes that the implications of the researcher's model boil down to two primary and desirable issues - stealth and persistence – with the level of each issue having an opposite effect to the other in terms of the optimum time to use a given attack resource.

Incoming Thought analyst Sarb Sembhi described the findings as "fascinating" and says that the risk calculation methodology used by the researchers centres on the risk issues associated with vulnerabilities and zero-day attacks.

These parameters, he adds, are then used to work out the likelihood of being attacked.

"Whilst this model can be used to predict the risk, the limitation is that it can only be used in a number of cases," he said, adding that the model would be especially useful to telcos, who could predict the likelihood that their network could come under attack.

Sembhi, who is also a leading light at non-profit organisation ISACA, did however warn that it remains very early days in terms of the development of a mathematical risk model, and added that work needs to be done to refine the model.

Professor John Walker of Nottingham-Trent University added that that there are other parameters that need to be considered when calculating the risk of a cyber attack being imminent.

These, he explained, include industry placement, size, and exposure - the latter of which is defined by the form of business change - and which allow the model to predict which industries and sectors will have the highest levels of risk attached to them.

"In 2012 - under the banner of the School of Science and Technology at Nottingham-Trent University - the vectors of attack for a DDoS (Distributed Denial of Attack) were monitored over a 12 month period," he said, adding that the results allowed researchers to predict the geography of a risk map, as well as the periodic lows and highs involved.

Rather than wondering if an attack will occur, it is more a case of when, he explained, adding that these types of models allow experts to predict the likelihood of events taking place with relatively high degrees of informed certainty.

Walker added that the invisible/variable element of these attacks is an aspect known as passive footprinting, which - in the case of large organisations - allows the identification of a point of interest that the attackers will exploit.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews