Researchers from the firm Recorded Future said that the company has developed what it described as a “support vector machine” model to analyze contextual open source intelligence (OSINT) data on malicious online behavior. (https://www.recordedfuture.com/artificial-intelligence-cyber-defense/) That is cross referenced to “CIDR neighborhoods” – blocks of Internet addresses identified using Classless Internet Domain Routing. The AI's output is a predictive risk score for specific IP addresses that are likely to turn to crime.
So far the results are promising. In one case, Recorded Future tagged an IP address as likely to be used in an attack a full 10 days before it actually was. In an analysis of 500 previously unseen IPs with a predictive risk scores that suggested they would become malicious, 25% turned up on independent, open source lists of malicious IP addresses within 7 days, the company said. By comparison, just %.02 percent of the entire population of global (IPV4) IP addresses are marked as malicious at any time, the company said.
As for why, the explanation that Recorded Future gives sounds similar to the findings of sociological and psychologic research on the effects of bad neighborhoods. The notion there is that “bad neighborhoods” – characterized by crime, poverty and a scarcity of good role models and economic opportunities – can affect the cognitive development of children and even of the children of those children.(https://psmag.com/growing-up-poor-has-effects-on-your-children-even-if-you-escape-poverty-df11e668378a#.a27begtv0)
In the case of Internet connected systems that are destined to ‘go bad,’ the issue is proximity to computers that are involved in malicious activity, Staffan Truve, CTO, Recorded Future told The Security Ledger.(https://securityledger.com/2016/12/bad-neighborhoods-predict-which-computers-turn-to-crime-also/)
Hackers and botnet operators are rational, economic beings, he observes. That means that they will eventually use infrastructure that they rent for a purpose (like virtual systems in a data center that might be rented out for use in a denial of service attack). By analyzing the “closeness” of IPV4 addresses, Recorded Future found a predictor of future malicious activity. Proximity to one of those bad apples makes it more likely that you’re a bad apple, also – or soon will be, he said. “There’s an underlying logic, which is that the neighborhood (the system) is in will be the core part of whether it becomes malicious, but also how your neighbors are talked about.”