New predictive approach seeks to stay ahead of hackers


SAN FRANCISCO — Military and academic researchers are collaborating to protect computer networks—by figuring out what cyberspace intruders are likely to do next.

The researchers are looking at intrusion prediction, which uses mathematical models and algorithms to map out a hacker's or attacker's probable moves once they have broken into a network.

"We want to be one step ahead of them and predict what they are going to do," said Shanchieh Jay Yang, a computer engineering assistant professor at the Rochester Institute of Technology (RIT). "When they first get in, we try to observe what they are doing, and use that information to forecast their probable future actions."

Security specialists said the research is worthwhile, but may be of little use in a fast-changing network environment.

Nevertheless, researchers from RIT, the University at Buffalo, and Pennsylvania State University are working with CUBRC, a Buffalo-based nonprofit research and development organization, and the U.S. Air Force.

The goal is to provide information about how an intruder will react to particular network defenses and architectures so that administrators can reduce the damage they might do and better protect their systems.

Intrusion prediction modeling isn't meant to be the sole solution but part of a larger picture of network protection, according to Yang. It's designed to defend against the different tactics used by network intruders. One might be more interested in interrupting service, another in obtaining data, he said.

In either case, the software first filters out false alarms and low-importance alerts of anomalous activity. It then correlates the remaining alerts from different sensors and attributes them to individual attackers, so it can follow a particular attacker and track several attackers on parallel tracks, Yang said.
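The three-stage pipeline Yang describes (filter noisy alerts, correlate the rest into one track per attacker, forecast each attacker's next move) can be sketched in a few dozen lines. The following is an added illustration written for this article, not code from the RIT/CUBRC project; the alert tuple format, the attack-stage names, the sample alerts and the training incident sequences are all constructed assumptions, and the forecasting model is a plain first-order transition table rather than whatever the researchers actually use.

```python
"""Toy intrusion-prediction pipeline: filter IDS alerts, correlate them per
attacker, then forecast each attacker's probable next action from a
transition model learned on past incidents.

Added illustration, not code from the RIT/CUBRC project.  The alert format,
stage names and all sample data below are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample alerts: (timestamp, source_ip, priority, stage).
# Priority 1 = high, 3 = low.  Stages are a hypothetical attack taxonomy.
SAMPLE_ALERTS = [
    (1, "10.0.0.5", 3, "PORT_SCAN"),      # low priority, will be dropped
    (2, "10.0.0.5", 1, "SERVICE_PROBE"),
    (3, "10.0.0.9", 1, "SERVICE_PROBE"),
    (4, "10.0.0.5", 1, "EXPLOIT"),
    (5, "10.0.0.5", 2, "PRIV_ESC"),
    (6, "10.0.0.9", 1, "EXPLOIT"),
    (7, "10.0.0.9", 2, "DATA_STAGING"),
]

# Constructed training incidents: stage sequences observed in earlier attacks.
TRAINING_SEQUENCES = [
    ["SERVICE_PROBE", "EXPLOIT", "PRIV_ESC", "DATA_STAGING", "EXFIL"],
    ["SERVICE_PROBE", "EXPLOIT", "PRIV_ESC", "LATERAL_MOVE"],
    ["SERVICE_PROBE", "EXPLOIT", "DATA_STAGING", "EXFIL"],
    ["SERVICE_PROBE", "EXPLOIT", "DOS"],
]


def filter_alerts(alerts, max_priority=2):
    """Step 1: drop low-priority noise (priority number above max_priority)."""
    return [a for a in alerts if a[2] <= max_priority]


def correlate_by_attacker(alerts):
    """Step 2: group the surviving alerts into one time-ordered track per
    source IP, so several intruders are followed in parallel."""
    tracks = defaultdict(list)
    for _ts, src, _prio, stage in sorted(alerts):
        tracks[src].append(stage)
    return dict(tracks)


def build_transition_model(sequences):
    """Estimate P(next stage | current stage) as relative frequencies."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    model = {}
    for cur, nxts in counts.items():
        total = sum(nxts.values())
        model[cur] = {n: c / total for n, c in nxts.items()}
    return model


def predict_next(model, track):
    """Step 3: rank probable next actions for one attacker's track.
    Returns (stage, probability) pairs, most probable first; an attacker whose
    last observed stage never appeared in training yields an empty list."""
    dist = model.get(track[-1], {})
    return sorted(dist.items(), key=lambda kv: (-kv[1], kv[0]))


def run_pipeline(alerts=SAMPLE_ALERTS, sequences=TRAINING_SEQUENCES):
    """Run all three steps and return {source_ip: ranked predictions}."""
    model = build_transition_model(sequences)
    tracks = correlate_by_attacker(filter_alerts(alerts))
    return {src: predict_next(model, track) for src, track in tracks.items()}


if __name__ == "__main__":
    for src, preds in run_pipeline().items():
        print(src, preds)
```

On the constructed data, 10.0.0.5 (last seen escalating privileges) is forecast to stage data or move laterally with equal probability, while 10.0.0.9 (already staging data) is forecast to exfiltrate. The empty result for an unseen stage is the failure mode Kocher raises later in the article: an attacker who deviates from the behaviour the model was trained on gets no prediction at all, which is why such a forecast belongs alongside other controls rather than in place of them.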

The approach has both military and commercial applications, Yang said.

In a commercial setting such as a bank, the software could collect observations about a hacker's efforts to transfer money or interrupt online service. It could determine what kind of operating systems the hacker is familiar with, and whether he was a first-time hacker or a pro.

That information would go to the bank's intrusion detection system, which would send alert messages to its IT department.

The bad news is that there's no way to completely block cyberspace attacks, Yang said.

When they do occur, there's another cyberspace-specific issue, said Rebecca Bace, who ran an intrusion detection research program for the National Security Agency in the 1990s. Now president and CEO of Infidel, Inc. (Scotts Valley, Calif.), an information security provider, Bace said it isn't always clear whether an attack is intentional.

"You have to do a fair amount of inference to know who your enemies are. That ups the complexity," she said. "You don't have the same degree of liberty. You don't know whether you're going to find a commando squad or a 12-year-old at the other end."

Bace agreed that the technology has a future in both military and commercial networks, and that it could be part, but not all, of the solution. Those who want to do damage to businesses or national security have the know-how, money and motivation, she said.

"The adversaries are bright, well-funded and responsive enough so that once you make the assertion that you've got this one nailed, they're perfectly capable of coming back and rerouting around you," she said.

The element of surprise is what makes attacks successful, said Paul Kocher, president and chief scientist at San Francisco-based Cryptography Research Inc. If intrusion prediction technology removes that, attackers will simply find other ways to accomplish their goals.

"If people start protecting networks based on predictive models of attacker behavior, attackers will learn that they can be more effective by deviating from the model," he said.

Other considerations include what constitutes anomalous behavior in a network and when to take appropriate actions, such as shutting the network down. There are also unanticipated situations such as Sept. 11 that no network can be completely prepared for, Kocher said.

"In times of crisis, network behavior changes radically," he said. "The best-made plans don't always predict what's going to happen."

Hackers and others bent on cyberspace mischief are difficult to detect at the moment they're causing trouble, Kocher said. "It's really easy to observe ordinary viruses and connection attempts on the Internet, but it's extremely rare to catch a skilled perpetrator in action," he said.

Hackers targeting government networks are probably the hardest of all to track because of the lengths they go to in order to conceal their activities, he said. For instance, Pentagon analysts have reported that China is stepping up its abilities to break into U.S. corporate and government networks.

"The spying that goes on between China and the U.S. is at a very high degree of sophistication," Kocher said.

The question is what to do about it. So-called "honey pots"—sites that masquerade as part of a network and appear to hold information an attacker might want—would be more effective than intrusion prediction technology, according to Kocher.

While he thinks intrusion prediction is worth studying, Kocher said he is skeptical that the technology would have significant real-world commercial use. "For the mass market, I don't see a lot of application for this partly because the models have to adapt quickly as the technology changes," he said.