Tuesday, 8 January 2008

Quantitative Risk models in Malware Research

Research into antivirus and malware incidents has demonstrated a significant increase in both the prevalence of computer virus varieties and the number of viruses found "in the wild". Time-based statistical models aid in predicting computer system vulnerabilities and malware-based attacks.

To effectively protect computer systems and network architecture against attacks, we need to understand the threats and be able to create predictive models for them. Viruses, worms and malware represent a staple of the information security professional's daily routine. So far, little emphasis has been placed on the formal quantitative analysis of this intelligence for the purpose of risk and threat management.

The creation of quantitative risk models in information systems security is a field in its infancy. The prediction of threats is oft touted as being too difficult due to a shortage of data and the costs associated with collecting and analysing data for a site.

Research has been conducted by a number of parties, such as ICSA Laboratories and the numerous antivirus vendors. Many researchers have commented on the apparent seasonality of the data. Banes (2001) reported that there exist "increased levels of virus and worm activity around Easter time". Coulthard and Vuori (2002) support assertions by the antivirus software vendor McAfee that there are associations between an increased number of incidents and the winter months of the northern hemisphere.
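The seasonality claims above are the kind of pattern a time-based model can test and then use for forecasting. The following is an added example, not code from the original post or from the cited papers: it applies a classical multiplicative seasonal-index decomposition (monthly mean divided by the overall mean, a linear trend on the deseasonalized series, then the trend multiplied back by the index) to a constructed three-year series of monthly incident counts for a hypothetical site. The numbers in `INCIDENTS` are invented for illustration and deliberately carry a winter peak; the function names and the choice of method are assumptions of this example.

```python
"""Seasonal index and trend forecast for monthly malware incident counts.

Added example with constructed data (hypothetical site, 36 months).
The method is a simple multiplicative decomposition, not the specific
model used by any of the researchers cited in the post.
"""
from statistics import mean

# Constructed sample: 36 monthly incident counts, January to December,
# three consecutive years, with a built-in northern-hemisphere winter peak.
INCIDENTS = [
    120, 110, 95, 80, 70, 65, 60, 62, 75, 90, 105, 125,    # year 1
    135, 125, 105, 90, 78, 72, 68, 70, 84, 100, 118, 140,  # year 2
    150, 140, 118, 100, 88, 80, 76, 78, 94, 112, 132, 155, # year 3
]


def seasonal_indices(series, period=12):
    """Ratio of each calendar month's mean to the overall mean.

    An index above 1 marks months that run hotter than the yearly average;
    the indices average to exactly 1 by construction.
    """
    overall = mean(series)
    return [mean(series[m::period]) / overall for m in range(period)]


def deseasonalize(series, indices):
    """Remove the seasonal effect so the remaining movement is trend plus noise."""
    return [x / indices[i % len(indices)] for i, x in enumerate(series)]


def linear_fit(ys):
    """Ordinary least-squares slope and intercept against t = 0 .. n-1."""
    xs = range(len(ys))
    xbar, ybar = mean(xs), mean(ys)
    sxx = sum((x - xbar) ** 2 for x in xs)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, ybar - slope * xbar


def forecast(series, horizon, period=12):
    """Forecast the next `horizon` months.

    Fit a linear trend to the deseasonalized history, extend it, then
    multiply each future month by its seasonal index.
    """
    idx = seasonal_indices(series, period)
    slope, intercept = linear_fit(deseasonalize(series, idx))
    n = len(series)
    return [(intercept + slope * (n + h)) * idx[(n + h) % period]
            for h in range(horizon)]


def peak_months(indices):
    """Calendar months (1 = January) whose seasonal index exceeds 1."""
    return [m + 1 for m, v in enumerate(indices) if v > 1]


if __name__ == "__main__":
    idx = seasonal_indices(INCIDENTS)
    for month, value in enumerate(idx, start=1):
        print(f"month {month:2d}: seasonal index {value:.2f}")
    print("above-average months:", peak_months(idx))
    print("next 12 months forecast:",
          [round(v) for v in forecast(INCIDENTS, 12)])
```

With this constructed input the indices flag October through March as above-average months, and the forecast keeps that shape while carrying the upward year-on-year trend forward. On real incident data the same check is what separates a genuine seasonal effect from an artefact of a single bad year: if the per-month means do not hold up across several years, the seasonal index is not a stable basis for resourcing decisions.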

In particular, IEEE Spectrum has recently published a paper on the use of chaos (entropy) measures for the detection of network-based/distributed malware. More effort and study into the mathematical properties of an attack are needed.

  • Chen, Z., Gao, L. & Kwiat, K. (2003) "Modeling the spread of active worms". In IEEE INFOCOM.
  • Coulthard, A. & Vuori, T. A. (2002) "Computer viruses: a quantitative analysis". Logistics Information Management, Volume 15, Number 5/96, pp. 400-409.
