New predictive approach seeks to stay ahead of hackers

SAN FRANCISCO — Military and academic researchers are collaborating to protect computer networks—by figuring out what cyberspace intruders are likely to do next.

The researchers are looking at intrusion prediction, which uses mathematical models and algorithms to map out a hacker's or attacker's probable moves once they have broken into a network.

"We want to be one step ahead of them and predict what they are going to do," said Shanchieh Jay Yang, a computer engineering assistant professor at the Rochester Institute of Technology (RIT). "When they first get in, we try to observe what they are doing, and use that information to forecast their probable future actions."

Security specialists said the research is worthwhile, but may be of little use in a fast-changing network environment.

Nevertheless, researchers from RIT, the University of Buffalo, and Pennsylvania State University are working with CUBRC, a Buffalo-based nonprofit research and development organization, and the U.S. Air Force.

The goal is to provide information about how an intruder will react to particular network defenses and architectures so that administrators can reduce the damage they might do and better protect their systems.

Intrusion prediction modeling isn't meant to be the sole solution but part of a larger picture of network protection, according to Yang. It's designed to defend against the different tactics used by network intruders. One might be more interested in interrupting service, another in obtaining data, he said.

In either case, software first filters out false alarms and not-so-important alerts of anomalous activity. Then the scheme correlates different alert systems to the number of attackers. It can follow particular attackers and can work on parallel tracks for multiple attackers, Yang said.

The approach has both military and commercial applications, Yang said.

In a commercial setting such as a bank, the software could collect observations about a hacker's efforts to transfer money or interrupt online service. It could determine what kind of operating systems the hacker is familiar with, and whether he was a first-time hacker or a pro.

That information would go to the bank's intrusion detection system, which would send alert messages to its IT department.

The bad news is that there's no way to completely block cyberspace attacks, Yang said.

When they do occur, there's another cyberspace-specific issue, said Rebecca Bace, who ran an intrusion detection research program for the National Security Administration in the 1990s. Now president and CEO of Infidel, Inc. (Scotts Valley, Calif.), an information security provider, Bace said it isn't always clear whether an attack is intentional.