Using epidemiology to combat cyberthreats

The mod­ern world has been built around dig­i­tal tech­nol­o­gy, which is now cen­tral to the activ­i­ties of busi­ness­es, organ­i­sa­tions, and the state. At the same time, this new con­fig­u­ra­tion has giv­en rise to a pro­lif­er­a­tion of mali­cious actors. By tak­ing advan­tage of this new oppor­tu­ni­ty, they are try­ing to achieve polit­i­cal, finan­cial or even mafia-style aims. One of the most press­ing chal­lenges is to put in place IT secu­ri­ty strate­gies to pro­tect against these cyber threats.

The nat­ur­al reac­tion to a threat is often to flee or try to pro­tect one­self. This is a nat­ur­al mech­a­nism aimed at ward­ing off a threat that has just been detect­ed. This reac­tion enables liv­ing things to sur­vive in the face of preda­tors and to pro­tect them­selves from their ene­mies. How­ev­er, a more appro­pri­ate response in nature, as for any dig­i­tal sys­tem, is to antic­i­pate threats so as not to expose one­self to them¹.

In the field of cyber­se­cu­ri­ty, it is there­fore advis­able to iden­ti­fy poten­tial risks as part of a pro­tec­tion strat­e­gy. This is made pos­si­ble by the EBIOS² risk analy­sis approach rec­om­mend­ed by ANSSI. More­over, it is impor­tant to rely on real-time detec­tion mech­a­nisms such as “Dynam­ic Fore­cast­ing”³.

Dur­ing their research⁴, the researchers drew inspi­ra­tion from epi­demi­o­log­i­cal mech­a­nisms to iden­ti­fy com­put­er virus­es. The idea is very sim­i­lar to match­ing a crim­i­nal’s fin­ger­prints or DNA: cyber­crim­i­nals leave dig­i­tal foot­prints too. Indeed, com­put­er virus­es have a sig­na­ture that can be used to iden­ti­fy them (exam­ples: MyDoom.A, Psyb0t, Cher­nobyl, Con­fick­er, Cryp­tolock­er…). This is often the mech­a­nism used by antivirus soft­ware to detect them. For exam­ple, since August 2016, a piece of mal­ware called Mirai, which focus­es on con­nect­ed objects, has been evolv­ing to infect com­put­er sys­tems. This behav­iour could be rem­i­nis­cent of a virus such as COVID-19. 

Our objec­tive goes beyond sim­ply iden­ti­fy­ing a virus. We want to deter­mine its prop­a­ga­tion mech­a­nisms to bet­ter pro­tect inter­con­nect­ed infor­ma­tion sys­tems. Gov­ern­ment infor­ma­tion sys­tems may be par­tic­u­lar­ly exposed to inter­ac­tions with users, eco­nom­ic part­ners, and oth­er gov­ern­ment depart­ments. As a result, a virus may not only be the result of an attack, but also of prop­a­ga­tion from an infect­ed partner.

The SEIR mod­el (Sus­cep­ti­ble, Exposed, Infect­ed and Recov­ered) is a well-estab­lished epi­demi­o­log­i­cal tool. It is used in the fight against pan­demics⁵, but also in the field of cyber secu­ri­ty⁶. Adapt­ed to our con­text, this mod­el can be used to cat­e­gorise com­put­er hard­ware in dif­fer­ent stages with regard to con­t­a­m­i­na­tion by the virus under study. Hard­ware is con­sid­ered “sen­si­tive” if it is vul­ner­a­ble to attack, “exposed” if it has been in con­tact with the virus, “infect­ed” if it has been com­pro­mised, and “recov­ered” if it has been infect­ed and has under­gone reme­di­al action to pro­vide immu­ni­ty against the virus.

Epi­demi­ol­o­gists have long been famil­iar with this mod­el⁷. In the con­text of dig­i­tal envi­ron­ments, it cor­re­sponds to the sit­u­a­tion where an ecosys­tem reach­es a suf­fi­cient lev­el of pro­tec­tion when it has been suf­fi­cient­ly exposed and pro­tect­ed by coun­ter­mea­sures. It then acquires a form of immu­ni­ty that coun­ter­acts cyber-attacks based on the virus in question.

In the course of our research, we iden­ti­fied lim­i­ta­tions in the ini­tial approach­es to the SEIR mod­el. While it pro­vides a valu­able frame­work, it does not take into account com­plex­i­ties such as the vari­a­tion in sys­tem vul­ner­a­bil­i­ties or the evo­lu­tion of attack types. Fur­ther­more, the herd immu­ni­ty mod­el is con­cep­tu­al­ly pow­er­ful, but lacks a con­crete method for achiev­ing immu­ni­ty. And this presents risks in the event of mas­sive infec­tion of the system.

We have there­fore pro­posed a mul­ti-lev­el SEIR mod­el with resource opti­mi­sa­tion. This refined mod­el incor­po­rates two key aspects:

• Mul­ti-lev­el: it takes into account the dif­fer­ent lev­els of secu­ri­ty matu­ri­ty and pro­tec­tion between dif­fer­ent stake­hold­ers, such as gov­ern­ments, pri­vate com­pa­nies and indi­vid­ual users.
• Dif­fer­en­ti­at­ed threats: it dif­fer­en­ti­ates cyber threats accord­ing to their prob­a­bil­i­ty and poten­tial impact.

The mod­el uses para­me­ters such as trans­mis­sion rate, laten­cy peri­od and recov­ery rate to describe the prop­a­ga­tion of cyber-attacks through dif­fer­ent sys­tems. It high­lights the impor­tance of for­ti­fy­ing cyber­se­cu­ri­ty through­out the ecosys­tem, as the weak­est link rep­re­sents the great­est risk.

Final­ly, a sig­nif­i­cant advan­tage of using this type of mod­el is its abil­i­ty to pre­dict, at least in the short term, the behav­iour of the virus. On the one hand, thresh­olds can be deter­mined and, on the oth­er, dif­fer­en­tial equa­tions can be solved to pre­dict behav­iour and trig­ger auto­mat­ed alerts or respons­es via EDR (End­point Detec­tion and Response) mechanisms.

A fun­da­men­tal aspect of this new pro­pos­al is to focus on opti­mis­ing resources in a con­text of lim­it­ed finan­cial resources. This mod­el takes into account the lim­it­ed bud­gets allo­cat­ed to cyber­se­cu­ri­ty and focus­es efforts on the major risks. This approach enables a spe­cif­ic strat­e­gy to be put in place for each sys­tem, focus­ing on the dimen­sion that will reduce the over­all infec­tion as much as pos­si­ble. Con­vex opti­mi­sa­tion, a wide­ly used math­e­mat­i­cal method⁸, is rec­om­mend­ed for solv­ing this resource allo­ca­tion problem.

The pro­pos­als put for­ward seem promis­ing for improv­ing the secu­ri­ty of IT sys­tems, par­tic­u­lar­ly in the pub­lic sec­tor. They are inspired by epi­demi­o­log­i­cal meth­ods, which are high­ly suit­able for mon­i­tor­ing and com­bat­ing the spread of virus­es. Work is cur­rent­ly planned to test these pro­pos­als in real-life sit­u­a­tions, imple­ment them in oper­a­tional sys­tems and con­tin­ue to improve the cyber­se­cu­ri­ty of crit­i­cal systems.

Dis­claimer: The con­tent of this arti­cle is the sole respon­si­bil­i­ty of its authors and is not intend­ed for any pur­pose oth­er than aca­d­e­m­ic infor­ma­tion and research.