BT applies Covid-19 R number modelling to threat response

Researchers at BT have deployed epidemiological modelling – a method more usually associated with the spread in humans of viruses such as Covid-19 and other diseases – in the development of a prototype cyber security tool, called Inflame, which the telco and IT services provider is revealing for the first time today.

According to BT, Inflame uses deep reinforcement learning to automatically detect and respond to cyber attacks before they compromise an organisation’s network, and it will form a key component in the recently announced BT Eagle-i threat detection and management service.

The use of epidemiological modelling helps the tool understand how computer viruses and cyber attacks spread through networks, and how to stop that from happening.

“We know the risk of cyber attack is higher than ever and has intensified significantly during the pandemic,” said Howard Watson, BT’s chief technology officer.

“Enterprises now need to look to new cyber security solutions that can understand the risk and consequence of an attack, and quickly respond before it’s too late.”

BT’s researchers at its Adastral Park, Suffolk research centre built a number of models of enterprise networks which they used to test various cyber attack scenarios based on differing reproduction (R) rates of infection.

The R rate (or number) has of course become well-known to many people in the past 18 months as a measure of how quickly numbers of Covid-19 infections are rising or falling in a population, and was frequently referred to by chief medical officer Chris Whitty during government coronavirus briefings.

As a refresher, R refers to the number of people that one person infected with Covid-19 (or any viral infection) will pass the virus on to. Without any action, Covid-19 has a natural R rate of about three. When R is equal to or above one, it means that every 10 infected individuals will pass the virus to between nine and 10 others, and therefore a virus is spreading through a given population. When it is below one, the rate of infection is therefore slowing and the case load will drop.

At the time of writing, the government estimates the R number of Covid-19 in England to be between 0.9 and 1.1, meaning the number of new coronavirus infections is either shrinking by about 1% daily, roughly flat, or growing by about 2% daily.

By applying this principle to cyber security, BT’s team were able to begin to understand how cyber threats can penetrate and compromise a network, and use that information to develop “optimal automated responses” to contain and prevent further spread.

Ultimately, the deep reinforcement training and learning undertaken enables Inflame to automatically model a detected threat, and respond to it having modelled the attack lifecycle – which is done by assessing real-time security alerts against established patterns to understand the stage an attack has reached, and from there predicting the next stages and identifying the best response to stop it progressing any further – the cyber equivalent of mandating face masks or social distancing.

“Epidemiological testing has played a vital role in curbing the spread of infection during the pandemic, and Inflame uses the same principles to understand how current and future digital viruses spread through networks,” said Watson.

“Inflame will play a key role in how BT’s Eagle-i platform automatically predicts and identifies cyber attacks before they impact, protecting customers’ operations and reputation.”