Researchers create cyber attack strike time formula

A mathematical model has been created by researchers from the University of Michigan that can predict when a cyber attack is likely to be launched.

The model's calculations are based on two parameters: the stealth of the attack vector and its persistence.

Stealth is the probability that, if the attack vector is used now, it will still be available afterwards, whereas persistence is the probability that, if the resource is not used now, it will still be usable in future.

Simply put, this allows cyber attackers to work out when best to launch an assault against a target's systems for maximum impact.

It was created by Robert Axelrod, a professor of political science and public policy at the university, and Rumen Iliev, who is one of the academic institution's postdoctoral research fellows.

"A good resource should have both stealth and persistence," Iliev said. "The less persistent a resource is, the sooner it should be used lest the vulnerability is fixed before there's a chance to exploit it."

In a research paper outlining their findings, the pair said cyber attackers need to carefully time their attacks to exploit vulnerabilities within their target's computer systems.

"The heart of our model is the trade-off between waiting until the stakes of the present situation are high enough to warrant the use of the resource, but not waiting so long that the vulnerability the resource exploits might be discovered and patched even if the resource is never used," the report states.

While their findings are largely presented from the perspective of a cyber attacker, the pair insist their research will also benefit those who need to safeguard a computer system's defences.

"Our model is presented from the perspective of the offence: when should a cyber resource be used to exploit a vulnerability in a target's computer network," their report reads.

"The results, however, are equally relevant to a defender who wants to estimate how high the stakes have to be in order for the offence to exploit an unknown vulnerability."

The report uses four case studies, including the Stuxnet attack on Iran's nuclear power programme and the Iranian cyber attack on the energy firm Saudi Aramco, to highlight how the model works.

"We hope this will encourage other efforts to study these things in a rigorous way," Axelrod said.

"There's a lot of discussion about cyber problems, but it's so new that the language isn't established. People use the word attack to mean anything from stealing a credit card number to sabotage of an industrial system," he added.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.