
Using epidemiology to combat cyberthreats

Christophe Gaie
Head of the Engineering and Digital Innovation Division at the Prime Minister's Office
Jean Langlois-Berthelot
Doctor of Applied Mathematics
Jean-Fabrice Lebraty
Professor of Management Science at iaelyon
Key takeaways
  • The advent of digital technology has led to a proliferation of cyberthreats, and protecting against them is now a major challenge.
  • Identifying potential risks, detecting threats, determining propagation mechanisms... the scope of cybersecurity is vast.
  • To combat the spread of computer viruses, experts are drawing inspiration from epidemiology.
  • In fact, computer viruses (like infectious viruses) have a unique signature that enables them to be identified.
  • In particular, the SEIR model has been optimised to characterise the degree of sensitivity of computer hardware to contamination.
  • This system seems particularly promising in terms of improving the security of IT systems, especially in the public sector.

The modern world has been built around digital technology, which is now central to the activities of businesses, organisations, and the state. At the same time, this new configuration has given rise to a proliferation of malicious actors. By taking advantage of this new opportunity, they are trying to achieve political, financial or even mafia-style aims. One of the most pressing challenges is to put in place IT security strategies to protect against these cyber threats.

Anticipating and monitoring in real-time to reduce risks

The natural reaction to a threat is often to flee or try to protect oneself. This is a natural mechanism aimed at warding off a threat that has just been detected. This reaction enables living things to survive in the face of predators and to protect themselves from their enemies. However, a more appropriate response in nature, as for any digital system, is to anticipate threats so as not to expose oneself to them [1].

In the field of cybersecurity, it is therefore advisable to identify potential risks as part of a protection strategy. This is made possible by the EBIOS [2] risk analysis approach recommended by ANSSI. Moreover, it is important to rely on real-time detection mechanisms such as “Dynamic Forecasting” [3].

Drawing on epidemiology to combat the spread of computer viruses

During their research [4], the researchers drew inspiration from epidemiological mechanisms to identify computer viruses. The idea is very similar to matching a criminal's fingerprints or DNA: cybercriminals leave digital footprints too. Indeed, computer viruses have a signature that can be used to identify them (examples: MyDoom.A, Psyb0t, Chernobyl, Conficker, Cryptolocker…). This is often the mechanism used by antivirus software to detect them. For example, since August 2016, a piece of malware called Mirai, which focuses on connected objects, has been evolving to infect computer systems. This behaviour could be reminiscent of a virus such as COVID-19.

Our objective goes beyond simply identifying a virus. We want to determine its propagation mechanisms to better protect interconnected information systems. Government information systems may be particularly exposed to interactions with users, economic partners, and other government departments. As a result, a virus may not only be the result of an attack, but also of propagation from an infected partner.

The SEIR model

The SEIR model (Susceptible, Exposed, Infected and Recovered) is a well-established epidemiological tool. It is used in the fight against pandemics [5], but also in the field of cyber security [6]. Adapted to our context, this model can be used to categorise computer hardware in different stages with regard to contamination by the virus under study. Hardware is considered “susceptible” if it is vulnerable to attack, “exposed” if it has been in contact with the virus, “infected” if it has been compromised, and “recovered” if it has been infected and has undergone remedial action to provide immunity against the virus.

Epidemiologists have long been familiar with this model [7]. In the context of digital environments, it corresponds to the situation where an ecosystem reaches a sufficient level of protection when it has been sufficiently exposed and protected by countermeasures. It then acquires a form of immunity that counteracts cyber-attacks based on the virus in question.

A multi-level collective immunity model with resource optimisation

In the course of our research, we identified limitations in the initial approaches to the SEIR model. While it provides a valuable framework, it does not take into account complexities such as the variation in system vulnerabilities or the evolution of attack types. Furthermore, the herd immunity model is conceptually powerful, but lacks a concrete method for achieving immunity. This presents risks in the event of massive infection of the system.

We have therefore proposed a multi-level SEIR model with resource optimisation. This refined model incorporates two key aspects:

  • Multi-level: it takes into account the different levels of security maturity and protection between different stakeholders, such as governments, private companies and individual users.
  • Differentiated threats: it differentiates cyber threats according to their probability and potential impact.

The model uses parameters such as transmission rate, latency period and recovery rate to describe the propagation of cyber-attacks through different systems. It highlights the importance of fortifying cybersecurity throughout the ecosystem, as the weakest link represents the greatest risk.

Finally, a significant advantage of using this type of model is its ability to predict, at least in the short term, the behaviour of the virus. On the one hand, thresholds can be determined and, on the other, differential equations can be solved to predict behaviour and trigger automated alerts or responses via EDR (Endpoint Detection and Response) mechanisms.
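The parameters named above (transmission rate, latency period, recovery rate) and the threshold-based alerting can be made concrete with a small simulation. The following is an added example, not the authors' model: it integrates the standard SEIR differential equations with one compartment set per level, and the level names, the coupling matrix `BETA`, the rates and `ALERT_THRESHOLD` are all constructed assumptions.

```python
# Added example: standard SEIR equations, one (S, E, I, R) set per level.
# Every rate, level name and threshold below is a constructed assumption.
LEVELS = ["government", "private_company", "individual_user"]
# BETA[i][j]: transmission rate from infected hosts of level j to level i
BETA = [[0.10, 0.15, 0.05],
        [0.10, 0.30, 0.20],
        [0.05, 0.20, 0.60]]
SIGMA = 1 / 2.0             # 1 / latency period in days (exposed -> infected)
GAMMA = [0.50, 0.25, 0.10]  # recovery (remediation) rate of each level
ALERT_THRESHOLD = 0.05      # infected fraction that raises an alert

def derivatives(state):
    """state[i] = (S, E, I, R) fractions of level i; returns their d/dt."""
    out = []
    for i, (s, e, inf, _r) in enumerate(state):
        # Force of infection on level i: pressure from every level's infected hosts.
        force = sum(BETA[i][j] * state[j][2] for j in range(len(state)))
        out.append((-force * s,
                    force * s - SIGMA * e,
                    SIGMA * e - GAMMA[i] * inf,
                    GAMMA[i] * inf))
    return out

def simulate(state, days, dt=0.05):
    """Euler integration; returns (final_state, {level: first alert day})."""
    alerts = {}
    for step in range(int(days / dt)):
        deltas = derivatives(state)
        state = [tuple(x + dt * dx for x, dx in zip(lvl, d))
                 for lvl, d in zip(state, deltas)]
        for name, lvl in zip(LEVELS, state):
            if lvl[2] >= ALERT_THRESHOLD and name not in alerts:
                alerts[name] = round((step + 1) * dt, 2)
    return state, alerts

def run_demo():
    # Outbreak seeded among individual users only (1% exposed).
    start = [(1.0, 0.0, 0.0, 0.0), (1.0, 0.0, 0.0, 0.0), (0.99, 0.01, 0.0, 0.0)]
    return simulate(start, days=60)

if __name__ == "__main__":
    final, alerts = run_demo()
    for name, (s, e, i, r) in zip(LEVELS, final):
        print(f"{name:16s} S={s:.3f} E={e:.3f} I={i:.3f} R={r:.3f} "
              f"alert_day={alerts.get(name)}")
```

Raising a level's `GAMMA` entry or lowering its row of `BETA` and re-running shows how hardening one level changes the exposure of the others through the off-diagonal coupling terms.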

Optimising the protection of critical systems with limited resources

A fundamental aspect of this new proposal is its focus on optimising resources when funding is limited. This model takes into account the limited budgets allocated to cybersecurity and focuses efforts on the major risks. This approach enables a specific strategy to be put in place for each system, focusing on the dimension that will reduce the overall infection as much as possible. Convex optimisation, a widely used mathematical method [8], is recommended for solving this resource allocation problem.

The proposals put forward seem promising for improving the security of IT systems, particularly in the public sector. They are inspired by epidemiological methods, which are highly suitable for monitoring and combating the spread of viruses. Work is currently planned to test these proposals in real-life situations, implement them in operational systems and continue to improve the cybersecurity of critical systems.

Disclaimer: The content of this article is the sole responsibility of its authors and is not intended for any purpose other than academic information and research.

[1] Camp, L.J., Grobler, M., Jang-Jaccard, J., Probst, C., Renaud, K., & Watters, P. (2019). Measuring Human Resilience in the Face of the Global Epidemiology of Cyber Attacks. Proceedings of the 52nd Hawaii International Conference on System Sciences, Maui, United States, 8 January 2019, 4763–4772. https://doi.org/10.24251/HICSS.2019.574
[2] EBIOS (Expression des besoins et identification des objectifs de sécurité), https://cyber.gouv.fr/la-methode-ebios-risk-manager
[3] Moradzadeh, A., Mohammadpourfard, M., Genc, I., Şeker, Ş.S. and Mohammadi-Ivatloo, B. (2022). Deep learning-based cyber resilient dynamic line rating forecasting. International Journal of Electrical Power & Energy Systems, 142, p. 108257.
[4] Langlois J., Gaie C., Lebraty J-F., Epidemiology inspired Cybersecurity Threats Forecasting Models applied to e-Government, in: Gaie, C., Mehta, M. (eds.) Transforming Public Services – Combining Data and Algorithms to Fulfil Citizen's Expectations. Intelligent Systems Reference Library, vol 252. Springer, Cham. https://link.springer.com/book/9783031555749
[5] Christophe Gaie, Markus Mueck, An artificial intelligence framework to ensure a trade-off between sanitary and economic perspectives during the COVID-19 pandemic, Deep Learning for Medical Applications with Unique Data, Academic Press, 2022, Pages 197–217, ISBN 9780128241455, https://doi.org/10.1016/B978-0-12-824145-5.00008-3
[6] Batista, F.K., Martín del Rey, Á., Quintero-Bonilla, S., Queiruga-Dios, A. (2018). A SEIR Model for Computer Virus Spreading Based on Cellular Automata. In: Pérez García, H., Alfonso-Cendón, J., Sánchez González, L., Quintián, H., Corchado, E. (eds) International Joint Conference SOCO'17-CISIS'17-ICEUTE'17 León, Spain, September 6–8, 2017, Proceeding. Advances in Intelligent Systems and Computing, vol 649. Springer, Cham. https://doi.org/10.1007/978-3-319-67180-2_62
[7] Hethcote, H.W. (1989). Three Basic Epidemiological Models. In: Levin, S.A., Hallam, T.G., Gross, L.J. (eds) Applied Mathematical Ecology. Biomathematics, vol 18. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-61317-3_5
[8] Boyd, S. P., & Vandenberghe, L. (2004). Convex optimization. Cambridge University Press.
