π Digital

Using epidemiology to combat cyberthreats

Christophe Gaie, Head of the Engineering and Digital Innovation Division at the Prime Minister's Office
Jean Langlois-Berthelot, Doctor of Applied Mathematics and Head of Division in the French Army
Jean-Fabrice Lebraty, Professor of Management Science at iaelyon
Key takeaways
  • The advent of digital technology has led to a proliferation of cyberthreats, and protecting against them is now a major challenge.
  • Identifying potential risks, detecting threats, determining propagation mechanisms: the scope of cybersecurity is vast.
  • To combat the spread of computer viruses, experts are drawing inspiration from epidemiology.
  • Computer viruses, like biological viruses, carry a signature that enables them to be identified.
  • In particular, the SEIR model has been adapted to characterise how susceptible computer systems are to contamination.
  • This approach seems particularly promising for improving the security of IT systems, especially in the public sector.

The modern world has been built around digital technology, which is now central to the activities of businesses, organisations and the state. At the same time, this new configuration has given rise to a proliferation of malicious actors who exploit it to pursue political, financial or even mafia-style aims. One of the most pressing challenges is therefore to put in place IT security strategies that protect against these cyberthreats.

Anticipating and monitoring in real time to reduce risks

The natural reaction to a threat is often to flee or to try to protect oneself: a reflex for warding off a danger that has just been detected, which allows living things to survive predators and defend themselves against their enemies. A more effective response, in nature as in any digital system, is to anticipate threats so as not to be exposed to them in the first place1.

In cybersecurity, it is therefore advisable to identify potential risks as part of a protection strategy. The EBIOS2 risk analysis method recommended by ANSSI makes this possible. Beyond that, it is important to rely on real-time detection mechanisms such as dynamic forecasting3.

Drawing on epidemiology to combat the spread of computer viruses

In our research4, we drew inspiration from epidemiological mechanisms to identify computer viruses. The idea is very similar to matching a criminal's fingerprints or DNA: cybercriminals leave digital footprints too. Computer viruses have a signature that can be used to identify them (examples: MyDoom.A, Psyb0t, Chernobyl, Conficker, CryptoLocker), and this is often the mechanism antivirus software uses to detect them. Since August 2016, for example, the Mirai malware, which targets connected objects, has kept evolving to infect new systems. This behaviour is reminiscent of a biological virus such as the one that causes COVID-19.

Our objective goes beyond simply identifying a virus: we want to determine its propagation mechanisms in order to better protect interconnected information systems. Government information systems are particularly exposed because they interact with users, economic partners and other government departments. A virus may therefore arrive not only through a direct attack, but also by propagation from an infected partner.

The SEIR model

The SEIR model (Susceptible, Exposed, Infected and Recovered) is a well-established epidemiological tool. It is used in the fight against pandemics5, but also in cybersecurity6. Adapted to our context, it categorises computer systems into stages with regard to contamination by the virus under study. A system is "susceptible" if it is vulnerable to attack, "exposed" if it has been in contact with the virus but is not yet spreading it, "infected" if it has been compromised and can contaminate others, and "recovered" if it has been infected and then remediated in a way that gives it immunity against that virus.

Epidemiologists have long been familiar with this model7. In digital environments, its counterpart to herd immunity is the situation where an ecosystem has been exposed enough, and protected by enough countermeasures, that the remaining susceptible systems are no longer sufficient to sustain propagation. The ecosystem then acquires a form of immunity that counteracts cyberattacks based on the virus in question.

A multi-level collective immunity model with resource optimisation

In the course of our research, we identified limitations in the initial approaches to the SEIR model. While it provides a valuable framework, it does not account for complexities such as the variation in vulnerability between systems or the evolution of attack types. Furthermore, the herd immunity model is conceptually powerful but lacks a concrete method for achieving immunity, which presents risks in the event of a massive infection of the system.

We have therefore proposed a multi-level SEIR model with resource optimisation. This refined model incorporates two key aspects:

  • Multi-level: it takes into account the different levels of security maturity and protection between stakeholders, such as governments, private companies and individual users.
  • Differentiated threats: it differentiates cyberthreats according to their probability and potential impact.

The model uses parameters such as the transmission rate, the latency period and the recovery rate to describe the propagation of cyberattacks through different systems. It highlights the importance of fortifying cybersecurity throughout the ecosystem, because the weakest link represents the greatest risk.

Finally, a significant advantage of this type of model is its ability to predict, at least in the short term, the behaviour of the virus. On the one hand, thresholds can be determined (such as the reproduction number above which an outbreak grows rather than dies out); on the other, the differential equations can be solved numerically to forecast behaviour and trigger automated alerts or responses through EDR (Endpoint Detection and Response) mechanisms.
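
The dynamics described in this section, as a worked example added here (it is not code from the cited research): the standard SEIR equations dS/dt = -βSI/N, dE/dt = βSI/N - σE, dI/dt = σE - γI, dR/dt = γI are integrated for a fleet of hosts with a fourth-order Runge-Kutta scheme, the threshold R0 = β/γ and the herd-immunity fraction 1 - 1/R0 are computed, and a helper reports the day on which an automated EDR alert would fire. The fleet size, the two parameter sets (a baseline and a "hardened" fleet whose remediation rate γ has been raised) and the 1% alert fraction are constructed assumptions, not values measured on any real malware.

```python
"""SEIR model of malware spread across a fleet of hosts (added worked example).

Not code from the cited research. Standard SEIR equations applied to hosts:

    dS/dt = -beta * S * I / N        dE/dt = beta * S * I / N - sigma * E
    dI/dt = sigma * E - gamma * I    dR/dt = gamma * I

beta is the transmission rate, 1/sigma the latency period and gamma the
recovery (remediation) rate. The epidemic threshold is R0 = beta / gamma:
an outbreak grows while R0 * S / N > 1. All values below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

State = Tuple[float, float, float, float]  # (S, E, I, R) host counts


@dataclass(frozen=True)
class SEIRParams:
    beta: float   # infectious contacts per infected host per day
    sigma: float  # 1 / latency period in days (exposed -> infected)
    gamma: float  # remediation rate per day (infected -> recovered)

    def r0(self) -> float:
        """Basic reproduction number in a fully susceptible fleet."""
        return self.beta / self.gamma

    def herd_immunity_threshold(self) -> float:
        """Share of hosts that must already be recovered (patched) for the
        effective reproduction number to drop below 1: 1 - 1/R0, floored at 0."""
        return max(0.0, 1.0 - 1.0 / self.r0())


def seir_derivatives(state: State, p: SEIRParams, n: float) -> State:
    s, e, i, _ = state
    new_exposures = p.beta * s * i / n
    return (-new_exposures,
            new_exposures - p.sigma * e,
            p.sigma * e - p.gamma * i,
            p.gamma * i)


def _axpy(a: float, x: State, y: State) -> State:
    """y + a * x, component-wise."""
    return tuple(yi + a * xi for xi, yi in zip(x, y))  # type: ignore[return-value]


def simulate(p: SEIRParams, n: float, e0: float = 0.0, i0: float = 1.0,
             days: int = 365, dt: float = 0.1) -> List[Tuple[int, State]]:
    """Integrate the SEIR system with classical fourth-order Runge-Kutta.

    Returns one (day, (S, E, I, R)) sample per day, starting at day 0.
    """
    state: State = (n - e0 - i0, e0, i0, 0.0)
    steps_per_day = int(round(1.0 / dt))
    samples = [(0, state)]
    for day in range(1, days + 1):
        for _ in range(steps_per_day):
            k1 = seir_derivatives(state, p, n)
            k2 = seir_derivatives(_axpy(dt / 2, k1, state), p, n)
            k3 = seir_derivatives(_axpy(dt / 2, k2, state), p, n)
            k4 = seir_derivatives(_axpy(dt, k3, state), p, n)
            incr = tuple((a + 2 * b + 2 * c + d) * dt / 6
                         for a, b, c, d in zip(k1, k2, k3, k4))
            state = _axpy(1.0, incr, state)  # type: ignore[arg-type]
        samples.append((day, state))
    return samples


def peak_infected(samples: List[Tuple[int, State]]) -> float:
    return max(st[2] for _, st in samples)


def final_recovered(samples: List[Tuple[int, State]]) -> float:
    return samples[-1][1][3]


def first_alert_day(samples: List[Tuple[int, State]], n: float, fraction: float) -> Optional[int]:
    """First day on which the infected share reaches `fraction` of the fleet,
    i.e. the point at which an automated EDR response would be triggered; None if never."""
    for day, (_, _, i, _) in samples:
        if i >= fraction * n:
            return day
    return None


if __name__ == "__main__":
    N = 10_000  # constructed fleet size
    baseline = SEIRParams(beta=0.5, sigma=0.5, gamma=0.2)  # 2-day latency, 5-day remediation
    hardened = SEIRParams(beta=0.5, sigma=0.5, gamma=0.6)  # EDR cuts remediation to ~1.7 days
    for label, p in (("baseline", baseline), ("hardened", hardened)):
        run = simulate(p, N)
        print(f"{label}: R0={p.r0():.2f} herd threshold={p.herd_immunity_threshold():.0%} "
              f"peak infected={peak_infected(run):.0f} final recovered={final_recovered(run):.0f} "
              f"1% alert on day {first_alert_day(run, N, 0.01)}")
```

With the baseline parameters R0 = 2.5, so the outbreak reaches most of the fleet and the 1% alert fires within the first weeks; raising γ alone pushes R0 below 1 and the same initial infection fizzles out without ever reaching the alert threshold, which is the "threshold" reasoning the paragraph refers to. Replacing the constructed rates with values fitted to telemetry is what turns the toy into a forecast.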

Optimising the protection of critical systems with limited resources

A fundamental aspect of this new proposal is the optimisation of resources in a context of limited financial means. The model takes into account the limited budgets allocated to cybersecurity and focuses effort on the major risks. This makes it possible to define a specific strategy for each system, concentrating on the dimension that will reduce overall infection the most. Convex optimisation, a widely used mathematical method8, is recommended for solving this resource allocation problem.
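
A worked example of the allocation step, added here and not the optimiser of the cited paper: each stakeholder level of the multi-level model (government, companies, individual users) is given a baseline transmission rate, a weight standing for threat probability times impact, and an assumed diminishing-returns response in which spending x units lowers the level's rate to β·exp(-k·x). Minimising the weighted residual transmission under a fixed total budget is then a convex, separable problem, and the KKT conditions reduce it to one Lagrange multiplier found by bisection. The level parameters and the budget are constructed values.

```python
"""Budget allocation across the levels of a multi-level model (added worked example).

Not the cited paper's optimiser. Assumed convex response: investing x_i budget
units in level i lowers its transmission rate from beta_i to
beta_i * exp(-k_i * x_i), with k_i the effectiveness of spending there, and
w_i weighting the level by threat probability x impact. The problem

    minimise    sum_i w_i * beta_i * exp(-k_i * x_i)
    subject to  sum_i x_i = B,  x_i >= 0

is convex and separable, so KKT stationarity gives each x_i in closed form
from one multiplier lam, which is found by bisection on the budget constraint.
"""
import math
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Level:
    name: str
    beta: float    # baseline transmission rate at this level
    weight: float  # threat probability x potential impact
    k: float       # effectiveness of one budget unit (larger = cheaper to harden)

    def marginal_gain(self, x: float) -> float:
        """Reduction in weighted risk per extra budget unit, having spent x."""
        return self.weight * self.k * self.beta * math.exp(-self.k * x)


def residual_risk(levels: Sequence[Level], alloc: Sequence[float]) -> float:
    """Weighted sum of post-investment transmission rates (the objective)."""
    return sum(l.weight * l.beta * math.exp(-l.k * x) for l, x in zip(levels, alloc))


def allocation_for_multiplier(levels: Sequence[Level], lam: float) -> List[float]:
    """KKT stationarity: spend at level i until its marginal gain equals lam,
    i.e. x_i = ln(w_i k_i beta_i / lam) / k_i, clipped at zero."""
    return [max(0.0, math.log(l.marginal_gain(0.0) / lam) / l.k) for l in levels]


def optimise(levels: Sequence[Level], budget: float, iters: int = 200) -> List[float]:
    """Allocate `budget` across levels so that residual_risk is minimised."""
    if budget <= 0.0:
        return [0.0] * len(levels)
    # Implied total spend decreases as lam grows. At lam = hi nobody spends;
    # lower lam until spend exceeds the budget, then bisect for the exact multiplier.
    hi = max(l.marginal_gain(0.0) for l in levels)
    lo = hi
    while sum(allocation_for_multiplier(levels, lo)) < budget:
        lo /= 2.0
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if sum(allocation_for_multiplier(levels, mid)) > budget:
            lo = mid
        else:
            hi = mid
    return allocation_for_multiplier(levels, (lo + hi) / 2.0)


def uniform(levels: Sequence[Level], budget: float) -> List[float]:
    """Naive baseline: split the budget equally across levels."""
    return [budget / len(levels)] * len(levels)


LEVELS = [  # constructed example values
    Level("government", beta=0.4, weight=3.0, k=1.0),
    Level("companies", beta=0.6, weight=2.0, k=0.5),
    Level("users", beta=0.9, weight=1.0, k=0.2),  # weakest link: highest rate, hardest to reach
]

if __name__ == "__main__":
    budget = 10.0
    opt = optimise(LEVELS, budget)
    for lvl, x in zip(LEVELS, opt):
        print(f"{lvl.name:<11} spend={x:5.2f}  rate {lvl.beta:.2f} -> "
              f"{lvl.beta * math.exp(-lvl.k * x):.3f}")
    print(f"residual risk: uniform={residual_risk(LEVELS, uniform(LEVELS, budget)):.3f} "
          f"optimised={residual_risk(LEVELS, opt):.3f}")
```

At the optimum every level that receives money has the same marginal gain per budget unit, which is the convex-optimisation version of "spend where the next unit reduces infection the most"; a level whose first unit buys less than that common value gets nothing. The exponential response is only a stand-in: any convex, decreasing cost-to-risk curve fitted per level keeps the problem solvable the same way.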

The proposals put forward seem promising for improving the security of IT systems, particularly in the public sector. They are inspired by epidemiological methods, which are well suited to monitoring and combating the spread of viruses. Work is now planned to test these proposals in real-life situations, implement them in operational systems and continue to improve the cybersecurity of critical systems.

Disclaimer: The content of this article is the sole responsibility of its authors and is not intended for any purpose other than academic information and research.

1 Camp, L.J., Grobler, M., Jang-Jaccard, J., Probst, C., Renaud, K. & Watters, P. (2019). Measuring Human Resilience in the Face of the Global Epidemiology of Cyber Attacks. Proceedings of the 52nd Hawaii International Conference on System Sciences, Maui, United States, 8 January 2019, 4763–4772. https://doi.org/10.24251/HICSS.2019.574
2 EBIOS (Expression des besoins et identification des objectifs de sécurité). https://cyber.gouv.fr/la-methode-ebios-risk-manager
3 Moradzadeh, A., Mohammadpourfard, M., Genc, I., Şeker, Ş.S. & Mohammadi-Ivatloo, B. (2022). Deep learning-based cyber resilient dynamic line rating forecasting. International Journal of Electrical Power & Energy Systems, 142, 108257.
4 Langlois, J., Gaie, C. & Lebraty, J.-F. Epidemiology Inspired Cybersecurity Threats Forecasting Models Applied to e-Government. In: Gaie, C. & Mehta, M. (eds.) Transforming Public Services – Combining Data and Algorithms to Fulfil Citizen's Expectations. Intelligent Systems Reference Library, vol. 252. Springer, Cham. https://link.springer.com/book/9783031555749
5 Gaie, C. & Mueck, M. (2022). An artificial intelligence framework to ensure a trade-off between sanitary and economic perspectives during the COVID-19 pandemic. In: Deep Learning for Medical Applications with Unique Data. Academic Press, pp. 197–217. ISBN 9780128241455. https://doi.org/10.1016/B978-0-12-824145-5.00008-3
6 Batista, F.K., Martín del Rey, Á., Quintero-Bonilla, S. & Queiruga-Dios, A. (2018). A SEIR Model for Computer Virus Spreading Based on Cellular Automata. In: Pérez García, H., Alfonso-Cendón, J., Sánchez González, L., Quintián, H. & Corchado, E. (eds.) International Joint Conference SOCO'17-CISIS'17-ICEUTE'17, León, Spain, September 6–8, 2017, Proceedings. Advances in Intelligent Systems and Computing, vol. 649. Springer, Cham. https://doi.org/10.1007/978-3-319-67180-2_62
7 Hethcote, H.W. (1989). Three Basic Epidemiological Models. In: Levin, S.A., Hallam, T.G. & Gross, L.J. (eds.) Applied Mathematical Ecology. Biomathematics, vol. 18. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-61317-3_5
8 Boyd, S.P. & Vandenberghe, L. (2004). Convex Optimization. Cambridge University Press.
