Peter Cochrane: Our habits give us away and that's great for cyber security

We're becoming better at detecting attacks before they've even started

The detailed study of human behaviour now spans some 200 years and describes much of our psychology, sociology, anthropology, economic and technology-based activity generation-on-generation. Within the broad envelope of human behaviours we see two really important aspects of growing interest to the fields of ICT, cyber and physical security: our individual idiosyncrasies and our habitualities.

No matter how we might try, it is next to impossible for us to hide or eradicate our established patterns of behaviour. So behavioural analysis is now being applied in the recognition and identity assurance systems of institutions and companies. The reality is that people are always the biggest risk factor in any physical or cyber security scenario.

How did so much material escape from supposedly secure establishments, and how come the security systems didn't detect this insider activity?

Looking back over the many data leaks and cyber attacks of the last decade, we have witnessed a lack of effective protection that would have been evident through the detection of abnormal behaviours. Two stellar examples would be WikiLeaks and Edward Snowden, and their illegal release of classified government documentation into the public domain on a grand scale. How did so much material escape from supposedly secure establishments, and how come the security systems didn't detect this insider activity?

In principle, it is extremely easy to spot an employee arriving one or two hours early for work, logging on, and then downloading Gigabytes of information, screen scraping, or indeed, injecting unwanted and dangerous software. All it takes is surveillance cameras, keyloggers and electronic activity analysis. An established database of normal day-to-day behaviours by employee and staff members is a good basis on which to start, and over the last three years, products that do a small fraction of all this have appeared on the market. However, they need to be far more sophisticated and fully automated if they are to be really effective.

There is a further (and neglected) dimension to behavioural analysis that can be applied to things, devices, machines, networks, data hubs and data centres. Perhaps not surprisingly, human habituality and idiosyncrasy migrates into all devices at every interface via keystroke, fingerprint or facial recognition. Interestingly, all things, devices, machines and networks also exhibit their own traits - almost as if they are a new and independent species. If we monitor these components individually we see day-on-day patterns, repetition and exceptions in their traffic, routines and general behaviours. Monitoring PCs, devices and networks sees repeatable behaviour patterns induced by security patches and updates, and it doesn't stop there; a whole raft of behaviours are evident across complete populations in the form of waves propagating across local, national and, sometimes, international networks.

Recent studies have revealed network precursors to cyber attacks

Recent studies have also revealed network precursors to cyber attacks and other unwanted network-based events. Intuitively, we have known about this type of phenomenon for well over 50 years but only recently have we had the hardware and software ability capability to detect and analyse in depth. How powerful might this be? I see it as possibly being the ultimate cyber security tool in heading off all forms of attack and penetration before any serious damage can be affected. In reality, it would appear that almost every form of incident may have some form of precursor event, if only we know where to look.

It is not by accident that finding precursors currently involves a degree of luck, as criminals, rogue states and enemies of democracy constantly change their tactics in order to maintain an element of surprise. However, this creates an additional - and hidden - layer of habituality and idiosyncrasy, right in the sweet spot for relatively basic AI. For sure, humans are not good at recognising stochastic patterns, but AI is!

Peter Cochrane OBE is Professor of Sentient Systems at the University of Suffolk

Computing 's CyberSecurity Festival is coming in June - Register today for free!