
GOLDEN MEANS: DATA MINING AND SECURITY -- THE LAST LINE OF DEFENSE?
by Inderpal Bhandari, executive editor at large


Recently, Business Week reported that more than 80% of companies in a survey said that security is the leading barrier to expanding electronic links with customers and partners. This fear is not unfounded. Cyber crooks have been known to break into even the most secure systems. In one particularly brazen attempt, they re-routed phone calls meant for a major intelligence organization to sex chat lines in Hong Kong and Moldova.

Such wariness ensures that the bad boys of cyberspace get attention. Recently, I was asked about the potential of applying data mining to the problem of network security. After talking with an expert on the subject, I concluded that there were at least two approaches that held promise.

First, the use of data mining to improve the design of secure systems. By way of example, consider the use of off-the-shelf firewall products. Two organizations may buy the same product but use it very differently. Why? They have different ideas about who they want to let in and keep out of specific areas of the network. In other words, the firewall must be customized by the organizations to suit their individual requirements. This customization is an instance of designing a secure system.

In general, such design has to do with allowing access to certain parts of the network only to certain individuals. The characteristics of those who must be let in and those who must be kept out reside in the head of the designer. Some of his ideas may be erroneous. For example, he may have erred on the side of caution, and consequently his system is denying access to many legitimate users. By mining the access log, the designer can learn about such subtle errors. That, in turn, will lead to a rapid evolution of the design. "Accommodation to change, the thoughtful pursuit of alternative futures are keys to the survival of civilization and perhaps the human species," said Carl Sagan. Data mining will promote the pursuit of alternative futures that the designer otherwise may not have considered. As such, it could well be the key to the survival of the network.
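As an added illustration of the first approach (this is example code, not from the column or any firewall product), the script below mines a constructed deny log for rules that many distinct internal hosts keep hitting on several days. The log format, rule ids, addresses, the 10.0.0.0/8 internal range and the thresholds are all assumptions made for the example. A rule that repeatedly denies one outside host probing many ports is working as designed; a rule that keeps denying many inside hosts reaching the same service is the "erred on the side of caution" error the text describes, and is reported for the designer to review.

```python
"""Added example: mining a firewall access log for rules that may be too
restrictive. Illustrative code, not from the column or any product. Log
format, rule ids, addresses and thresholds are all constructed here."""
import ipaddress
from collections import defaultdict

# Constructed sample log, one record per line:
#   timestamp action rule_id src_ip dst_ip dst_port
SAMPLE_LOG = """\
2024-03-01T09:02:11 deny R7 10.1.4.21 10.1.9.5 8443
2024-03-01T09:02:40 deny R7 10.1.4.22 10.1.9.5 8443
2024-03-01T09:15:03 deny R7 10.1.4.30 10.1.9.5 8443
2024-03-01T10:01:12 allow R1 10.1.4.21 10.1.9.5 443
2024-03-01T11:20:45 deny R2 203.0.113.9 10.1.9.5 22
2024-03-01T11:20:46 deny R2 203.0.113.9 10.1.9.5 23
2024-03-01T11:20:47 deny R2 203.0.113.9 10.1.9.5 3389
2024-03-01T11:20:48 deny R2 203.0.113.9 10.1.9.5 445
2024-03-02T08:58:30 deny R7 10.1.4.21 10.1.9.5 8443
2024-03-02T09:03:14 deny R7 10.1.5.8 10.1.9.5 8443
2024-03-02T09:05:50 deny R7 10.1.4.22 10.1.9.5 8443
2024-03-02T14:30:00 deny R3 10.1.4.21 10.1.9.7 5432
2024-03-02T14:31:00 deny R2 203.0.113.9 10.1.9.5 8080
"""

# Assumed address plan: the organization's own hosts live in 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Split one record into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, action, rule, src, dst, dport = parts
    return {"ts": ts, "action": action, "rule": rule,
            "src": src, "dst": dst, "dport": dport}


def is_internal(ip_text):
    """True when the address belongs to one of the organization's own networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def mine_denies(log_text, min_sources=3, min_days=2):
    """Return deny rules that many distinct internal hosts hit on several days.

    Denies from outside addresses are ignored here: they are the rule doing
    its job. Repeated denies of many inside hosts reaching the same service
    suggest a legitimate workflow the designer did not anticipate.
    """
    stats = defaultdict(lambda: {"sources": set(), "days": set(),
                                 "targets": set(), "attempts": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "deny" or not is_internal(rec["src"]):
            continue
        s = stats[rec["rule"]]
        s["sources"].add(rec["src"])
        s["days"].add(rec["ts"][:10])          # calendar day of the attempt
        s["targets"].add(f'{rec["dst"]}:{rec["dport"]}')
        s["attempts"] += 1

    candidates = {}
    for rule, s in stats.items():
        if len(s["sources"]) >= min_sources and len(s["days"]) >= min_days:
            candidates[rule] = {"distinct_sources": len(s["sources"]),
                                "days": len(s["days"]),
                                "attempts": s["attempts"],
                                "targets": sorted(s["targets"])}
    return candidates


if __name__ == "__main__":
    for rule, info in mine_denies(SAMPLE_LOG).items():
        print(f"review rule {rule}: {info}")
```

On the constructed log, only rule R7 is reported (four internal hosts denied on two days, all heading for the same internal service on port 8443); R2's denies come from a single outside address scanning ports and are left alone, and R3's single deny never reaches the thresholds. The thresholds are deliberately conservative so that the output is a short list for a human designer, not an automatic rule change.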

The second approach that holds promise is the use of data mining for the automatic detection of problems. We have all heard about the patterns that reveal a computer system under attack, e.g., an excessive number of log-on attempts, unusually heavy traffic, system resources that are consumed far more rapidly than usual, etc. Current approaches to automatic detection are rule-based. Rules capture the knowledge of known patterns such as the above and can then be executed to detect those patterns should they occur. But we know that hackers can be quite ingenious. What is to be done when the attack embodies a new approach, one that does not leave known tell-tale tracks such as those above?

A data mining application could help address this circumstance. It could be used to detect unusual conditions in the network: for example, crashes occurring mainly at night, high traffic at times when things are usually slow, etc. Thus applied, a data mining application would stand as the last line of defense, addressing the possibility of a hitherto-unknown mode of attack.
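To make the second approach concrete, here is an added example (not code from the column or any product) of the "high traffic at times when things are usually slow" detector. Rather than a fixed rule such as "more than N log-on attempts", it learns a per-hour-of-day baseline from past days and flags hours that sit far above their own baseline. The daily traffic shape, the 14-day history, the day under review and the thresholds are all constructed for the example; a real deployment would compute the hourly counts from the access log.

```python
"""Added example: baseline-driven anomaly detection over hourly traffic
counts, as a complement to fixed rules. Illustrative code, not from the
column or any product; the traffic profile, history and thresholds are
constructed here."""
from statistics import median


def expected_profile(hour):
    """Constructed daily shape: busy office hours, quiet nights."""
    if 9 <= hour < 18:
        return 400
    if 7 <= hour < 9 or 18 <= hour < 21:
        return 120
    return 20


def build_history(days=14):
    """Constructed history: per hour-of-day, one connection count per past day.

    A real deployment would derive these counts from the access log.
    """
    history = {h: [] for h in range(24)}
    for d in range(days):
        for h in range(24):
            jitter = ((d * 7 + h * 3) % 11) - 5   # deterministic noise in [-5, 5]
            history[h].append(expected_profile(h) + jitter)
    return history


def observed_day():
    """Constructed day under review: normal, except heavy traffic at 03:00."""
    obs = {h: expected_profile(h) for h in range(24)}
    obs[3] = 380     # night-time surge: the pattern no fixed rule anticipated
    obs[14] = 430    # ordinary afternoon wobble that should not be flagged
    return obs


def robust_stats(values):
    """Median and median absolute deviation, resistant to a few odd days in the history."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def detect_anomalies(history, observed, threshold=5.0, rel_floor=0.10, abs_floor=1.0):
    """Return [(hour, count, score)] for hours far above their own baseline.

    score = (observed - median) / scale, where scale is the MAD floored at
    rel_floor * median (or abs_floor), so that a very steady history does not
    make every small daytime fluctuation look alarming.
    """
    anomalies = []
    for h in range(24):
        med, mad = robust_stats(history[h])
        scale = max(mad, rel_floor * med, abs_floor)
        score = (observed[h] - med) / scale
        if score > threshold:
            anomalies.append((h, observed[h], round(score, 1)))
    return anomalies


if __name__ == "__main__":
    for hour, count, score in detect_anomalies(build_history(), observed_day()):
        print(f"{hour:02d}:00 count={count} score={score}")
```

On the constructed data only 03:00 is reported: its baseline is about 20 connections with a spread of 3, so 380 scores 120, while 430 at 14:00 against a baseline of 400 scores under 1 and stays quiet. The median and MAD are used instead of mean and standard deviation so that a few earlier abnormal days in the history do not stretch the baseline and hide the next anomaly; the scale floor is the caveat a practitioner adds after the first week of alert fatigue.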

In closing, some words of caution presented in the form of an anecdote about a conversation between a bad-boy hacker and a CIO.

B-B hacker: I will bring down your network.

CIO: Unlikely. I'm deeply religious. I pray every day that you are unsuccessful.

B-B hacker (looking confused): Hmm. That's a new one. I guess I better pray too.

CIO: Good is on my side. God will listen to me.

B-B hacker (brightening perceptibly): True, but God has to be on my side only once.

While I am sure that it will vastly improve the existing situation, the use of data mining in security applications will not change that fundamental balance between the good boys and the bad boys. Given enough time, a determined hacker will still be able to break into any system. What data mining will do is increase the amount of time that elapses between successful attacks.

Inderpal Bhandari can be reached via http://www.virtualgold.com

