Researchers from the U.S. Army Research Laboratory have discovered that the process of intrusion detection in computer networks exhibits a significant degree of burstiness as well as strong memory. Until now, this combination was not known.
Researchers say significant burstiness means that bunches (“bursts”) of events cluster together, occurring rapidly one after another, with much higher probability than if it was merely random, as if some ‘invisible hand’ is causing it. It hints that some underlying reason is “hiding behind that burstiness,” said Dr. Alexander Kott, ARL Chief Scientist. Although he and former colleague Dr. Richard Harang found the burstiness, which alone is a big step, they can’t say for sure what causes it. They do, however, propose a hypothesis for the cause of the burstiness and a model of it.
Harang is now with the security software and hardware company Sophos Group PLC.
This analysis and the model provide better understanding of the observed burstiness and open opportunities for quantifying a network’s risks and requirements for defensive efforts. Their work is the first demonstration, with strong empirical evidence, that involves data from multiple organizations and use of several statistical techniques, of burstiness in the process of detecting infections effected by cyber threats against networks of large organizations.
Kott and Harang’s research will be published in October 2017 in the journal IEEE Transactions on Information Forensics and Security (http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7931672).
Kott said the combination of burstiness and strong memory suggests to cyber researchers that the reason behind the burstiness has something to do with so-called threshold phenomena. “For example, earthquakes occur in bunches; they exhibit a similar combination of burstiness and memory parameters. Earthquakes are caused by gradually accumulating strain within the plates, and then finally exceeding a threshold. For us, this is a hint that our burstiness is also probably caused by some accumulation and then exceeding the threshold.”
“Simply discovering that the burstiness exists, and that its parameters are of certain type, we know that we need to look for an invisible hand that causes it, and that the invisible hand probably has something to do with a threshold effect,” he said. That’s a big step in building a scientific foundation of cyber security, particularly in trying to understand the underlying causes and effects in the world of cyber phenomena.
To complement that discovery, ARL researchers developed a way to model and simulate this burstiness. Models of this kind could be used by managers in cyber defense organizations to estimate how variable the workload that cyber analysts face will be over time. “With that, they can make appropriate arrangements for workforce scheduling, arranging for surge capacity and the like.”
The researchers also showed, in their scientific paper, that higher burstiness is probably associated with a higher percentage of sophisticated, hard-to-detect intrusions. That means, by looking at burstiness, it may become possible in the future to assess the sophistication of threats, and the degree of risk that the particular network is facing.
“When cyber defenders find an intrusion in a network of the organization they defend — is the timing random? Does it depend, for example, on the time when the intrusion happened, or some other factors? We were aware of anecdotal evidence that cyber analysts seem to detect intrusions in a kind of bursts, but such anecdotes can be misleading,” Kott said.
Often, to defend their corporate computer networks, companies hire a specialized organization, a Managed Security Service Provider (MSSP), that monitors computer networks and analyzes the information obtained from the network. When an MSSP detects intrusions and activities of malware on the network, it makes sure to confirm that it is a real intrusion and then reports such detections to the operators of the network. The operators, in turn, take the measures necessary to recover from the intrusion. MSSP analysts strive to submit each report as soon as possible after detecting an infection. Thus, the process of monitoring and analysis yields a series of incident reports, each of which documents a detection of an infection.
“We looked at empirical data provided to us by an MSSP covering several large, non-residential networks, belonging to several organizations. These were essentially time series of intrusion reports. First, we used several statistical techniques to determine whether the timing of those reports is random, that is, complying with the so-called Poisson process,” Harang said.
Researchers found that when they apply the statistical technique called the Kolmogorov test to the arrival and inter-arrival times of the time series, the test shows that, at least for some of the organizations, this distribution clearly violates a Poisson process. Examining a variant of the K-statistic across a range of scales shows that the rate at which observations cluster is significantly higher than that of the Poisson process. Finally, researchers estimated memory and burstiness parameters of the data, and found that some data sets display marked deviations from the Poisson process. Although the burstiness is less pronounced in some cases, it is highly visible in the largest datasets that cover the largest number of intrusions.
“To the best of our knowledge, this is the first demonstration, with strong empirical evidence that involves data from multiple organizations and use of several statistical techniques, of burstiness in the process of detecting infections effected by cyber threats against networks of large organizations,” Harang said.
However, researchers do not conclude that burstiness is always present, in a general case, or can be observed in all networks and in all intrusion detection processes. In other words, they only show that burstiness is present in some cases, but not necessarily in all generic cases. It is entirely possible that there may exist classes of networks, and/or associated intrusion processes, and intrusion detection processes where burstiness is either absent in principle, or cannot be detected from the available data. Identifying conditions under which burstiness exists, and can be observed, is a topic of future research.
Burstiness and memory parameters suggest that the nature of the process under consideration is more reminiscent of natural processes, like earthquakes, than of anthropogenic processes such as sending emails. Unlike anthropogenic processes, intrusion detection exhibits strong memory. To explain these findings, researchers propose the hypothetical mechanism called the Analyst Knowledge Threshold. “The likely mechanism of the burstiness in intrusion detection is reminiscent of the integrate-and-fire or similar threshold phenomenon: the analysts’ knowledge about a new malware accumulates to the point until it becomes actionable and enables analysts to recognize a particular type of intrusion that was previously difficult or impossible to find. At that point, the analysts are able to rapidly recognize a number of pre-existing intrusions within a network under their care and produce multiple reports in rapid succession,” Kott said.
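The checks described above (distance from a Poisson process, burstiness and memory parameters) and the threshold hypothesis can be tried on synthetic report times. This is an added example, not code from the paper or from ARL: it assumes the commonly used Goh-Barabási definitions of burstiness and memory, which the article does not spell out, and `report_gaps` is a constructed toy model whose rates and threshold are made up for illustration, not the authors' model.

```python
import math
import random
from statistics import fmean, pstdev

def burstiness(gaps):
    """B = (sigma - mu) / (sigma + mu) of inter-arrival times; ~0 for Poisson."""
    mu, sigma = fmean(gaps), pstdev(gaps)
    return (sigma - mu) / (sigma + mu)

def memory(gaps):
    """M = correlation between consecutive inter-arrival times; ~0 for Poisson."""
    a, b = gaps[:-1], gaps[1:]
    ma, mb = fmean(a), fmean(b)
    cov = fmean([(x - ma) * (y - mb) for x, y in zip(a, b)])
    return cov / (pstdev(a) * pstdev(b))

def ks_vs_exponential(gaps):
    """Kolmogorov distance between the empirical CDF and an exponential of equal mean."""
    mu, xs, n = fmean(gaps), sorted(gaps), len(gaps)
    d = 0.0
    for i, x in enumerate(xs):
        cdf = 1.0 - math.exp(-x / mu)
        d = max(d, (i + 1) / n - cdf, cdf - i / n)
    return d

def report_gaps(n_infections, hard_fraction, seed, threshold=25.0):
    """Toy model (constructed): easy infections are reported as they occur; hard
    ones stay latent until analyst knowledge crosses `threshold`, then are
    reported in rapid succession. Returns gaps between consecutive reports."""
    rng = random.Random(seed)
    t, knowledge, latent, reports = 0.0, 0.0, 0, []
    for _ in range(n_infections):
        gap = rng.expovariate(1.0)            # infections arrive as a Poisson process
        t += gap
        knowledge += gap * rng.uniform(0.5, 1.5)
        if rng.random() < hard_fraction:
            latent += 1                       # present on the network, not yet found
        else:
            reports.append(t)
        if knowledge >= threshold:            # knowledge becomes actionable
            burst_t = t
            for _ in range(latent):
                burst_t += rng.expovariate(50.0)   # backlog reported minutes apart
                reports.append(burst_t)
            knowledge, latent = 0.0, 0
    reports.sort()
    return [b - a for a, b in zip(reports, reports[1:])]

def summarize(gaps):
    return {"B": burstiness(gaps), "M": memory(gaps), "KS": ks_vs_exponential(gaps)}

if __name__ == "__main__":
    for label, frac in (("poisson", 0.0), ("threshold", 0.5)):
        print(label, summarize(report_gaps(4000, frac, seed=7)))
```

With `hard_fraction=0.0` the report stream is a plain Poisson process and all three statistics stay near zero; raising the fraction of latent intrusions pushes burstiness, memory and the Kolmogorov distance up together.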
Harang, Richard, and Alexander Kott. “Burstiness of Intrusion Detection Process: Empirical Evidence and a Modeling Approach.” IEEE Transactions on Information Forensics and Security (2017).