π Digital

Using epidemiology to combat cyberthreats

Christophe Gaie, Head of the Engineering and Digital Innovation Division at the Prime Minister's Office
Jean Langlois-Berthelot, Doctor of Applied Mathematics and Head of Division in the French Army
Jean-Fabrice Lebraty, Professor of Management Science at iaelyon
Key takeaways
  • The advent of digital technology has led to a proliferation of cyberthreats, and protecting against them is now a major challenge.
  • Identifying potential risks, detecting threats, determining propagation mechanisms... the scope of cybersecurity is vast.
  • To combat the spread of computer viruses, experts are drawing inspiration from epidemiology.
  • Computer viruses, like biological viruses, carry a signature that allows a known strain to be identified.
  • In particular, the SEIR model has been adapted to characterise how susceptible computer hardware is to contamination and how that contamination spreads.
  • This system seems particularly promising in terms of improving the security of IT systems, especially in the public sector.

The modern world has been built around digital technology, which is now central to the activities of businesses, organisations and the state. At the same time, this configuration has given rise to a proliferation of malicious actors who exploit it for political, financial or criminal ends. One of the most pressing challenges is therefore to put in place IT security strategies that protect against these cyber threats.

Anticipating and monitoring in real-time to reduce risks

The natural reaction to a threat is to flee or to defend oneself: a reflex that wards off a danger that has just been detected and that allows living things to survive their predators. For a digital system, as in nature, the better response is to anticipate threats so as not to be exposed to them in the first place [1].

In cybersecurity, potential risks should therefore be identified as part of the protection strategy, for instance with the EBIOS [2] risk analysis method recommended by ANSSI. Risk analysis must then be complemented by real-time detection mechanisms, of the kind used in "dynamic forecasting" [3], because a risk register on its own detects nothing.

Drawing on epidemiology to combat the spread of computer viruses

In our research [4], we drew on epidemiological mechanisms to model how computer viruses spread. Identification comes first, and the idea is very similar to matching a criminal's fingerprints or DNA: cybercriminals also leave digital traces. A computer virus has a signature that can be used to identify a known strain (examples: MyDoom.A, Psyb0t, Chernobyl, Conficker, CryptoLocker), and signature matching is the mechanism most antivirus software relies on to detect it. A signature, however, only catches a strain that has already been catalogued and says nothing about how it will spread. The Mirai malware, for example, has targeted connected objects since August 2016 and has since evolved into successive variants that infect further classes of systems, much as a biological virus such as SARS-CoV-2, the cause of COVID-19, mutates as it moves through a population.

Our objective goes beyond identifying a virus: we want to determine its propagation mechanisms in order to better protect interconnected information systems. Government information systems are particularly exposed because they interact with citizens, economic partners and other government departments. An infection may therefore be the result not only of a direct attack but also of propagation from an already infected partner.

The SEIR model

The SEIR model (Susceptible, Exposed, Infected, Recovered) is a well-established epidemiological tool. It is used in the fight against pandemics [5], but also in the field of cybersecurity [6]. Adapted to our context, it classifies computer hardware into stages with respect to contamination by the virus under study. A host is "susceptible" if it is vulnerable to the attack, "exposed" if it has received the virus but is not yet spreading it (the latency period), "infected" if it has been compromised and is propagating the virus, and "recovered" if it has been infected and has undergone remediation that gives it immunity against that virus.

Epidemiologists have long been familiar with this model [7] and with the herd immunity it predicts: once a large enough share of the population is immune, each infected individual passes the infection on to fewer than one other on average, and the outbreak dies out. In a digital environment, the equivalent is an ecosystem in which enough hosts have been exposed and then protected by countermeasures that the virus in question can no longer sustain an attack campaign; the ecosystem has acquired a form of immunity to it.
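To make the four stages and the immunity threshold concrete, here is an added example, not code from the article or from the authors' research, that integrates the SEIR equations for a fleet of hosts. Every number in it is an assumption chosen for illustration: a fleet of 10,000 hosts, a two-day latency, five days to detect and remediate a host, and a transmission rate giving a basic reproduction number R0 = 3. The threshold 1 − 1/R0 is the share of hosts that must already be immune (patched or hardened) for an introduced strain to recede instead of grow.

```python
"""Single-population SEIR model of a malware outbreak across a fleet of hosts.

Added example: every parameter value below (fleet size, transmission,
latency and remediation rates) is an assumption chosen for illustration,
not a figure from the article or from the authors' research.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SeirParams:
    beta: float   # infectious contacts per infected host per day (transmission rate)
    sigma: float  # 1 / mean latency in days: exposed -> infected
    gamma: float  # 1 / mean days to remediate: infected -> recovered (patched)


def basic_reproduction_number(p: SeirParams) -> float:
    """R0 = beta / gamma: hosts one infected host compromises in a fully susceptible fleet."""
    return p.beta / p.gamma


def herd_immunity_threshold(p: SeirParams) -> float:
    """Fraction of hosts that must already be immune so that R_eff = R0 * (1 - f) < 1."""
    r0 = basic_reproduction_number(p)
    return 0.0 if r0 <= 1.0 else 1.0 - 1.0 / r0


def simulate_seir(n: int, i0: int, p: SeirParams, patched_fraction: float = 0.0,
                  days: int = 200, dt: float = 0.1) -> dict:
    """Forward-Euler integration of the SEIR equations over `days` days.

    dS/dt = -beta * S * I / N
    dE/dt =  beta * S * I / N - sigma * E
    dI/dt =  sigma * E - gamma * I
    dR/dt =  gamma * I
    Hosts patched before the outbreak start in R (immune); i0 hosts start in I.
    """
    r = patched_fraction * n
    i = float(i0)
    e = 0.0
    s = n - r - i
    peak_infected = i
    cumulative = i  # every host that has ever entered the infected stage
    for _ in range(int(days / dt)):
        new_exposed = p.beta * s * i / n * dt
        new_infected = p.sigma * e * dt
        new_recovered = p.gamma * i * dt
        s -= new_exposed
        e += new_exposed - new_infected
        i += new_infected - new_recovered
        r += new_recovered
        cumulative += new_infected
        peak_infected = max(peak_infected, i)
    return {"peak_infected": peak_infected, "final_size": cumulative,
            "susceptible_left": s}


if __name__ == "__main__":
    # Assumed scenario: 2-day latency, 5 days to detect and clean a host, R0 = 3.
    p = SeirParams(beta=0.6, sigma=0.5, gamma=0.2)
    print("R0 =", basic_reproduction_number(p))
    print("herd immunity threshold =", herd_immunity_threshold(p))
    for f in (0.0, 0.7):
        print(f"patched {f:.0%}:", simulate_seir(10_000, 10, p, patched_fraction=f))
```

Run with no pre-patched hosts, the outbreak compromises well over 85% of the fleet before it burns out. With 70% of hosts patched in advance, just above the 67% threshold for R0 = 3, the ten initially infected hosts produce only a few dozen secondary infections and the number of infected hosts never rises above its starting value. What the epidemiological model calls herd immunity is, in an IT estate, a patch-coverage target that can be computed from the transmission and remediation rates.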

A multi-level collective immunity model with resource optimisation

In the course of our research, we identified limitations in the initial SEIR approaches. The model provides a valuable framework, but it does not account for complexities such as the variation in vulnerability between systems or the evolution of attack types. Moreover, the herd immunity model is conceptually powerful but offers no concrete method for reaching immunity, which is risky in the event of a massive infection of the system.

We have therefore proposed a multi-level SEIR model with resource optimisation. This refined model incorporates two key aspects:

  • Multi-level: it takes into account the different levels of security maturity and protection between stakeholders, such as governments, private companies and individual users.
  • Differentiated threats: it differentiates cyber threats according to their probability and potential impact.

The model uses parameters such as the transmission rate, the latency period and the recovery rate to describe the propagation of cyber-attacks through the different systems. It highlights the importance of fortifying cybersecurity throughout the ecosystem, since the weakest link represents the greatest risk: a poorly protected group with many contacts can keep the virus circulating even when the other groups are well defended.

Finally, a significant advantage of this type of model is its ability to predict, at least in the short term, the behaviour of the virus. Thresholds can be determined, for instance the share of hosts that must be patched for the outbreak to recede, and the differential equations can be solved numerically to forecast the number of compromised hosts, which can in turn trigger automated alerts or responses through EDR (Endpoint Detection and Response) mechanisms.

Optimising the protection of critical systems with limited resources

A fundamental aspect of this proposal is the optimisation of resources in a context of limited financial means. The model takes into account the limited budgets allocated to cybersecurity and concentrates effort on the major risks. This makes it possible to define a specific strategy for each system, acting on the parameter (transmission, latency or recovery) where the investment reduces overall infection the most. Convex optimisation, a widely used mathematical method [8], is recommended for solving this resource allocation problem.
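The following added example, which is not the authors' code or model, implements the multi-level idea of the previous two sections for three assumed stakeholder groups with different security maturity, contact patterns and remediation speeds. It computes the ecosystem-wide reproduction number from the next-generation matrix of the multi-group SEIR model, identifies the group whose protection matters most, and then spends a patching budget one unit at a time where that unit lowers the reproduction number the most. The greedy allocation is a marginal-benefit heuristic used here for illustration in place of the convex programme the article recommends; the group names, sizes, contact rates, remediation rates, patching costs and budget are all assumptions.

```python
"""Multi-level SEIR: next-generation matrix and patching-budget allocation.

Added example. The stakeholder groups, contact rates, remediation rates,
patching costs and budget below are assumptions chosen for illustration,
not data from the article or from the authors' model.
"""
import copy
from dataclasses import dataclass


@dataclass
class Group:
    name: str
    hosts: int
    patched: int         # hosts already immune (patched or hardened)
    gamma: float         # remediation rate: 1 / mean days to detect and clean a host
    hosts_per_unit: int  # hosts one budget unit patches in this group (assumed cost model)


def susceptible_fraction(g: Group) -> float:
    return (g.hosts - g.patched) / g.hosts


def next_generation_matrix(groups, contact):
    """K[i][j] = contact[i][j] * s_i / gamma_j: hosts of group i that one infected
    host of group j compromises over its infectious period of 1 / gamma_j days."""
    return [[contact[i][j] * susceptible_fraction(gi) / gj.gamma
             for j, gj in enumerate(groups)]
            for i, gi in enumerate(groups)]


def spectral_radius(m, iters: int = 1000) -> float:
    """Dominant eigenvalue of a non-negative matrix by power iteration (max-norm)."""
    n = len(m)
    v = [1.0] * n
    lam = 0.0
    for _ in range(iters):
        w = [sum(m[i][j] * v[j] for j in range(n)) for i in range(n)]
        lam = max(w)
        if lam == 0.0:
            return 0.0
        v = [x / lam for x in w]
    return lam


def effective_reproduction_number(groups, contact) -> float:
    """R_eff of the whole ecosystem: the outbreak grows if and only if R_eff > 1."""
    return spectral_radius(next_generation_matrix(groups, contact))


def weakest_link(groups, contact) -> str:
    """Name of the group whose complete patching lowers R_eff the most."""
    best, best_r = None, None
    for g in groups:
        trial = copy.deepcopy(groups)
        next(t for t in trial if t.name == g.name).patched = g.hosts
        r = effective_reproduction_number(trial, contact)
        if best_r is None or r < best_r:
            best, best_r = g.name, r
    return best


def allocate_budget(groups, contact, budget_units: int):
    """Greedy marginal-benefit allocation: each unit goes where it lowers R_eff most.

    A heuristic standing in for the convex programme the article recommends.
    Returns (units spent per group, R_eff after allocation).
    """
    state = copy.deepcopy(groups)
    plan = {g.name: 0 for g in state}
    for _ in range(budget_units):
        best, best_r = None, None
        for g in state:
            if g.patched >= g.hosts:
                continue
            saved = g.patched
            g.patched = min(g.hosts, g.patched + g.hosts_per_unit)  # try one unit here
            r = effective_reproduction_number(state, contact)
            g.patched = saved                                       # undo the trial
            if best_r is None or r < best_r:
                best, best_r = g, r
        if best is None:
            break
        best.patched = min(best.hosts, best.patched + best.hosts_per_unit)
        plan[best.name] += 1
    return plan, effective_reproduction_number(state, contact)


def example_scenario():
    """Constructed ecosystem: high-maturity government systems, medium-maturity
    companies, low-maturity individual users with slow remediation."""
    groups = [
        Group("government", hosts=2_000, patched=1_600, gamma=0.5, hosts_per_unit=20),
        Group("companies", hosts=5_000, patched=2_500, gamma=0.25, hosts_per_unit=50),
        Group("individuals", hosts=20_000, patched=2_000, gamma=0.1, hosts_per_unit=400),
    ]
    # contact[i][j]: infectious contacts per day from a host in group j to group i (assumed)
    contact = [[0.10, 0.20, 0.05],
               [0.20, 0.30, 0.10],
               [0.05, 0.10, 0.30]]
    return groups, contact


if __name__ == "__main__":
    groups, contact = example_scenario()
    print("R_eff before:", round(effective_reproduction_number(groups, contact), 2))
    print("weakest link:", weakest_link(groups, contact))
    plan, r_after = allocate_budget(groups, contact, budget_units=20)
    print("allocation:", plan, "R_eff after:", round(r_after, 2))
```

In this scenario the low-maturity "individuals" group, with the slowest remediation and the densest internal contacts, dominates the reproduction number: patching it completely brings R_eff below 1 even though the other two groups are untouched, whereas patching the government group, which is already 80% covered, barely moves it. The greedy allocation therefore directs the whole budget to that group, and R_eff falls from roughly 2.8 to roughly 1.7, still above 1, which is the model's way of saying that the assumed budget is too small. That is the weakest-link effect in numbers, and the same machinery gives a defensible answer to the question of where the next unit of budget should go.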

The proposals put forward seem promising for improving the security of IT systems, particularly in the public sector. They are inspired by epidemiological methods, which are highly suitable for monitoring and combating the spread of viruses. Work is currently planned to test these proposals in real-life situations, implement them in operational systems and continue to improve the cybersecurity of critical systems.

Disclaimer: The content of this article is the sole responsibility of its authors and is not intended for any purpose other than academic information and research.

[1] Camp, L.J., Grobler, M., Jang-Jaccard, J., Probst, C., Renaud, K., & Watters, P. (2019). Measuring Human Resilience in the Face of the Global Epidemiology of Cyber Attacks. Proceedings of the 52nd Hawaii International Conference on System Sciences, Maui, United States, 8 January 2019, 4763–4772. https://doi.org/10.24251/HICSS.2019.574
[2] EBIOS (Expression des besoins et identification des objectifs de sécurité), https://cyber.gouv.fr/la-methode-ebios-risk-manager
[3] Moradzadeh, A., Mohammadpourfard, M., Genc, I., Şeker, Ş.S., & Mohammadi-Ivatloo, B. (2022). Deep learning-based cyber resilient dynamic line rating forecasting. International Journal of Electrical Power & Energy Systems, 142, 108257.
[4] Langlois, J., Gaie, C., & Lebraty, J.-F. Epidemiology inspired Cybersecurity Threats Forecasting Models applied to e-Government. In: Gaie, C., Mehta, M. (eds.) Transforming Public Services – Combining Data and Algorithms to Fulfil Citizen's Expectations. Intelligent Systems Reference Library, vol 252. Springer, Cham. https://link.springer.com/book/9783031555749
[5] Gaie, C., & Mueck, M. (2022). An artificial intelligence framework to ensure a trade-off between sanitary and economic perspectives during the COVID-19 pandemic. In: Deep Learning for Medical Applications with Unique Data, Academic Press, pp. 197–217. ISBN 9780128241455. https://doi.org/10.1016/B978-0-12-824145-5.00008-3
[6] Batista, F.K., Martín del Rey, Á., Quintero-Bonilla, S., & Queiruga-Dios, A. (2018). A SEIR Model for Computer Virus Spreading Based on Cellular Automata. In: Pérez García, H., Alfonso-Cendón, J., Sánchez González, L., Quintián, H., Corchado, E. (eds) International Joint Conference SOCO'17-CISIS'17-ICEUTE'17, León, Spain, September 6–8, 2017, Proceedings. Advances in Intelligent Systems and Computing, vol 649. Springer, Cham. https://doi.org/10.1007/978-3-319-67180-2_62
[7] Hethcote, H.W. (1989). Three Basic Epidemiological Models. In: Levin, S.A., Hallam, T.G., Gross, L.J. (eds) Applied Mathematical Ecology. Biomathematics, vol 18. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-61317-3_5
[8] Boyd, S.P., & Vandenberghe, L. (2004). Convex Optimization. Cambridge University Press.
