èƵ

Online chatter could give warning of incoming cyber attacks

An early warning system that monitors cyber-security discussions online could help prevent the next big malware outbreak
Early warning is essential
Early warning is essential
Description: iStock / Getty

Like canaries in a coal mine, social networks like Twitter can be used as early warning systems for incoming cyberattacks. By monitoring online discussions for chatter about incoming threats it is possible to predict attacks, including ones like last year’s Wannacry and Notpetya ransomware outbreaks, before they happen, giving potential targets a valuable heads-up.

“In the last few years cyberattacks have grown in number, diversity and impact,” says Anna Sapienza at the University of Southern California in Marina del Rey.

But this also means that discussions about such attacks have become more frequent and more visible. “Our idea was to leverage this growth in cyber attacks and use it as a double-edged sword,” she says.

Sapienza and colleagues at USC and Arizona State University built a tool that , as well as blogs and other online forums. It scans for posts about cyber-security topics such as software vulnerabilities or malware, using text-mining software to pick out relevant keywords.

They found that in the days before an attack there was often a spike in cyber-security talk online. This reflects the team’s assumption that those behind an attack typically do not operate in a bubble.

They have to interact with others to identify the weaknesses in a targeted system, get hold of the tools needed to exploit those weaknesses and recruit participants. These interactions may get noticed and discussed elsewhere.

Sound the alarm

When it detects an increase in relevant chatter, the tool raises an alarm automatically. “We believe our system may help to surface potentially disruptive attacks, days and in some cases even weeks before they start,” says Emilio Ferrara, also at the University of Southern California. “This should help most of the targets to take at least some form of countermeasure or preventive action.”

The system works for several types of attacks, including distributed denial of service, or DDoS, attacks like the one in October 2016 that took out hundreds of popular websites, such as Netflix and Paypal, by spamming the internet with fake traffic. It can also predict malware outbreaks, botnets and data breaches.

In tests between September 2016 and January 2017 the tool generated 661 alerts. Around 84 per cent flagged current or imminent cyber-threats. Using past data from February to June 2017, the team also showed that their system would have generated alerts for Wannacry and NotPetya, both of which caused massive disruption around the world.

Eric Nunes at Arizona State University in Pheonix, who was not involved in the work, thinks the use of keywords to filter out irrelevant discussions is simplistic but agrees the system could still spot future attacks. “The case studies looking at popular cyberattacks demonstrate its effectiveness,” he says.

Nunes has developed a tool that on the dark web, a portion of the internet that requires special software to access, looking for information that could help defend against attacks. “I can clearly see my collected data feed into their warning system,” he says.

Topics: cyberattacks