OneFirewall Alliance is continuously looking to improve and enhance its cyber security solutions. To this end, partnerships and collaborations have been established to carry out research and development activities.
Our goal is to involve the top academic players in the cyber security sector in order to achieve increasingly effective protection solutions.
One of our first partners is the Polytechnic of Turin, one of the most prominent technological and educational institutions in Italy, with renowned expertise in the study and development of Machine Learning (ML) processes.
The ML research project
The research project we are carrying out with the Department of Control and Computer Engineering of the Polytechnic aims to develop an additional software application for our cyber security platform, extending the available services with the capacity to anticipate future cyber threats. To this end, Machine Learning (ML) techniques will be used to define cyber threat forecast models starting from the data available to OneFirewall Alliance, and to implement these algorithms as software modules.
The research will start from a data set consisting of the IP addresses already processed by the OneFirewall Alliance platform and the Crime Score attributed to each of them by the platform's Score Engine. These data will be enriched with information about each IP address's Autonomous System (AS), Internet Service Provider (ISP), owning organisation and geographical location. In the development phase open-source geolocation services can be used, although in the production phase fee-based databases may be considered.
Following standard ML practice, models will be trained on the above data to identify recurring patterns. This will make it possible to define forecast algorithms that identify IP addresses likely to become malicious in the future.
The new software module will be called OneEye Forecast and will represent an important enhancement of the defence that the OneFirewall Alliance platform provides against cyber threats.
The goal of the research project is to reach an operational condition where, for example, a million IP addresses with their Crime Score and other metadata are submitted to the ML forecast module in the evening, and by the following day many more IP addresses have been generated and marked as potentially malicious by the module itself.
It should be noted that the approach is not to unconditionally block the IP addresses identified by the ML algorithm. If a new IP address is marked as potentially dangerous, the platform will assign it a basic Crime Score value, for example 20. Whenever such an IP address is actually involved in an intrusion attempt against a OneFirewall Alliance customer, its Crime Score will be updated accordingly. This limits the risk of blocking harmless IP addresses that the ML algorithm has flagged only as ones to watch.
An interesting aspect is that the training data for the ML algorithm will be selected according to the customer's type. Previous large-scale cyber-attack campaigns have shown that specific categories of customers are usually targeted by intrusion attempts with similar characteristics. It is therefore necessary to build forecast models optimised for each type of potential target.
Another important feature of the new application will be its modularity. It will be designed as an additional component of the OneFirewall Alliance platform that can be enabled at the customer's discretion.
Below are some plots from the first preliminary analysis, after the introduction of geolocation details. The first plot shows the distribution of a sample of IP addresses from the OneFirewall Alliance database according to their danger score.
The second plot shows the distribution of malicious IP addresses by geographical latitude.
The last plot shows the distribution of malicious IP addresses by longitude.
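The loop described above (enrich scored IP addresses with AS, ISP, organisation and location; look for a recurring pattern; give newly flagged addresses only a provisional Crime Score of 20; raise it when a real intrusion attempt is observed) and the by-latitude aggregation behind the last two plots, as an added example. This is not OneEye Forecast or any OneFirewall Alliance code: the enrichment table and the IP addresses are constructed, and the "hot Autonomous System" rule, the malicious threshold of 70, the score ceiling of 100 and the per-incident weight of 30 are assumptions standing in for the ML model and the Score Engine's real update logic.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

PROVISIONAL_SCORE = 20     # from the text: a flagged-but-unproven IP starts here
MALICIOUS_THRESHOLD = 70   # assumption: score at or above which an IP is treated as malicious
MAX_SCORE = 100            # assumption: upper bound of the Crime Score scale


@dataclass
class IPRecord:
    ip: str
    asn: int
    isp: str
    org: str
    lat: float
    lon: float
    score: int = 0
    provisional: bool = False   # True while the score comes from the forecast only
    incidents: int = 0


# Constructed enrichment table standing in for an AS/ISP/geolocation database.
# Keys are /24 prefixes from the documentation ranges; all values are made up.
ENRICHMENT = {
    "198.51.100.0/24": dict(asn=64500, isp="ExampleNet", org="ExampleNet Hosting", lat=52.5, lon=13.4),
    "203.0.113.0/24": dict(asn=64501, isp="TestISP", org="Test Org", lat=40.7, lon=-74.0),
    "192.0.2.0/24": dict(asn=64502, isp="DocNet", org="Doc Org", lat=35.7, lon=139.7),
}


def enrich(ip: str, score: int = 0) -> IPRecord:
    """Attach AS, ISP, organisation and location to a raw IP address."""
    addr = ipaddress.ip_address(ip)
    for prefix, meta in ENRICHMENT.items():
        if addr in ipaddress.ip_network(prefix):
            return IPRecord(ip=ip, score=score, **meta)
    raise KeyError(f"no enrichment data for {ip}")


def forecast(known: list, candidates: list, min_bad_share: float = 0.5) -> list:
    """Toy pattern rule (assumption, not the project's model): an AS is 'hot' when
    at least min_bad_share of the known IPs in it are malicious. Unknown candidates
    inside a hot AS are flagged, but only with the provisional score."""
    per_as = defaultdict(list)
    for rec in known:
        per_as[rec.asn].append(rec.score >= MALICIOUS_THRESHOLD)
    hot_as = {asn for asn, flags in per_as.items() if sum(flags) / len(flags) >= min_bad_share}
    known_ips = {r.ip for r in known}
    flagged = []
    for ip in candidates:
        if ip in known_ips:          # already scored by the engine: nothing to forecast
            continue
        rec = enrich(ip)
        if rec.asn in hot_as:
            rec.score = PROVISIONAL_SCORE
            rec.provisional = True
            flagged.append(rec)
    return flagged


def record_intrusion(rec: IPRecord, weight: int = 30) -> IPRecord:
    """Evidence update: an observed intrusion attempt raises the score (weight is an
    assumption) and the IP stops being merely provisional."""
    rec.incidents += 1
    rec.score = min(MAX_SCORE, rec.score + weight)
    rec.provisional = False
    return rec


def should_block(rec: IPRecord) -> bool:
    """A forecast alone (score 20) never blocks; only accumulated evidence does."""
    return rec.score >= MALICIOUS_THRESHOLD


def malicious_by(records: list, attr: str, width: float) -> dict:
    """Count malicious IPs per bucket of 'lat' or 'lon', as in the distribution plots."""
    hist = defaultdict(int)
    for rec in records:
        if rec.score >= MALICIOUS_THRESHOLD:
            hist[int(getattr(rec, attr) // width) * width] += 1
    return dict(hist)


def build_known() -> list:
    """Constructed sample of already-scored IPs (Crime Scores are made up)."""
    sample = [("198.51.100.10", 90), ("198.51.100.11", 85), ("198.51.100.12", 10),
              ("203.0.113.5", 95), ("203.0.113.6", 5), ("203.0.113.7", 0), ("192.0.2.1", 0)]
    return [enrich(ip, score) for ip, score in sample]


def run_demo() -> dict:
    known = build_known()
    flagged = forecast(known, ["198.51.100.50", "203.0.113.50", "192.0.2.50", "198.51.100.10"])
    watch = flagged[0]
    blocked_before = should_block(watch)   # provisional 20: watch, do not block
    record_intrusion(watch)                # first real intrusion attempt: 20 -> 50
    blocked_after_one = should_block(watch)
    record_intrusion(watch)                # second one: 50 -> 80, now above threshold
    return {"flagged": [r.ip for r in flagged], "blocked_before": blocked_before,
            "blocked_after_one": blocked_after_one, "blocked_after_two": should_block(watch),
            "final_score": watch.score, "lat_hist": malicious_by(known + flagged, "lat", 10)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Only AS 64500 has a majority of malicious known addresses, so only the unknown address in that AS is flagged; it is kept at the provisional score and is not blocked until two observed intrusion attempts push it past the threshold. The same `enrich` step also supplies the latitude and longitude used by `malicious_by`, which is the kind of aggregation the plots display.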