**1. Introduction**


Currently, security of the cyber space (computer networks and the Internet) is mostly based on detection and/or blocking of attacks by the use of Intrusion Detection and Prevention Systems (IDPS), according to (National Institute of Standards and Technology [NIST SP800-94], 2010). However, IDPS falls short on security because it is based on *postmortem* approaches: threats and attacks are identified and/or blocked only after they can inflict serious damage on the computer systems, either while attacks are happening or when attacks have already imposed losses on the systems (Haslum et al, 2008).

On the subject of earthquakes, one can notice the same kind of limitation: once an earthquake has already begun, devices can provide warnings only a few seconds before major shaking arrives at a given location (Bleier & Freund, 2005), (Su & Zhu, 2009). In the cyber space context, to cover this deficiency of late warnings, prediction techniques for cyber attacks have been explored in a small number of studies in the last few years (Pontes & Zucchi, 2010), (Haslum et al, 2008), (Lai-Chenq, 2007), (Yin et al 2004).

#### **1.1 Motivation**

Although studies based on 1) historical earthquake records and 2) monitoring of the earth's surface have contributed to mapping affected regions, short-term earthquake predictions are not efficient yet (Bleier & Freund, 2005).

Some researchers are studying and correlating signals gathered in the ionosphere that can precede earthquakes, like odd radio noise and lights in the sky.

According to (Bleier & Freund, 2005) "both the lights and the radio waves appear to be electromagnetic disturbances that happen when crystalline rocks are deformed--or even broken--by the slow grinding of the earth that occurs just before the dramatic slip that is an earthquake".

Some occurrences of earthquakes show signals and disturbances such as the following reported ones:



disturbance were detected. Three times before the quake the signals jumped to 60 times normal size at the 0.01 Hz frequency;


Those examples show that the occurrence of electromagnetic signals does not justify a public warning, but it is an important source of data for forecasters and is also useful for directing the course of research on earthquake prediction, such as changes in the conductivity of the air over the quake zone caused by current welling up from the ground, which contribute to the formation of the so-called earthquake lights in the Mojave Desert (Fig. 1).

Fig. 1. Earthquake lights (Bleier & Freund, 2005)

There are some theories about how these signals are generated, but details are not conclusive yet. Notwithstanding, electromagnetic effects of the signals can be detected in a number of ways (see Fig. 2).

Ground-based sensors monitor changes in the low-frequency magnetic field and measure changes in the conductivity level of the air. Satellites monitor noise levels at extremely low frequency (ELF) and monitor the infrared light which is probably emitted when rocks are deformed or even broken. Some examples:






disturbances were observed by a Soviet Cosmos satellite by a month;


four to five times normal size (0.2 to 0.9 Hz frequency) were detected;


2003 at California;

malfunctioning.


Fig. 2. Electromagnetic signals detection (Bleier & Freund, 2005)

According to (Bleier & Freund, 2005), "infrared radiation detected by satellites may also prove to be a warning sign of earthquakes to come". In China, satellite-based instruments have registered several instances of infrared signatures with a jump of 4 to 5 °C before some earthquakes during the past two decades. Sensors in NASA's Terra Earth Observing System satellite registered what NASA called a thermal anomaly on 21 January 2001 in Gujarat, India, just five days before a 7.7-magnitude quake there; the anomaly was gone a few days after the quake (Fig. 3). According to (Bleier & Freund, 2005), in both cases researchers believe these sensors detected an infrared luminescence generated by the recombination of electrons and holes, not a real temperature increase.

Fig. 3. Infrared radiation detected by satellites (Bleier & Freund, 2005)

Nevertheless, forecasts and alert correlation may be challenging as they depend on the reliability of the source of the security alerts (Silva & Guelfi, 2010). Therefore, the precision level of the detection tools is an important issue for validating correlations. Multi-correlation, or integration of alerts with information from different sources, e.g. monitoring tools or operating system logs, can allow a new classification for alerts, improving the accuracy of the results (Abad et al, 2003), (Zhay et al, 2006). References (Abad et al, 2003), (Zhay et al, 2006), (Zhay et al, 2004) employed multi-correlation; however, neither a detailed analysis concerning the influence of isolated alerts on the false positive (FP) rates nor forecasting techniques were applied for predicting future attacks (forecasting).

Forecasting analysis in the information security area can be similar to forecasting methodologies used in other fields: meteorology, for instance, uses sensors to capture data about temperature, humidity, etc. (Lajara et al, 2007), (Lorenz, 2005); seismology employs sensors to capture electromagnetic emissions from rocks (Bleier & Freund, 2005); in economics, specifically the stock market, data is collected from diverse companies (annual profit, potential customers, assets, etc.) to draw trends about company shares (Prechter & Frost, 2002), (Mandelbrot & Hudson, 2006). In any field, formal models can be applied to predict events from the collected data. But before applying formal models, data regarding different kinds of variables should be correlated (Armstrong, 2002). According to (Armstrong, 2002), to obtain more accurate and realistic predictions it is suggested: (1) to use diverse forecasting techniques; (2) to analyze information regarding diverse variables and acquired data, from sensors for instance; (3) to employ diverse kinds of employed forecasting models.

Concerning cyber attacks, (Lai-Chenq, 2007), (Yin et al 2004) employed forecasting models; however, they used just one formal method for predicting events and did not make use of any kind of correlation process. In this chapter, security events for cyber security are actions or processes that have an effect on the system, regardless of the kind of effect; in other words, actions that could result in positive or negative effects on the system. On the other hand, security alerts are types of security events, indicating anomalous activities or cyber attacks (Silva & Guelfi, 2010). In our earlier works we proposed the Distributed Intrusion Forecasting System (DIFS) (Pontes & Guelfi, 2009), (Pontes & Zucchi, 2010), which covered the following gaps of today's forecasting techniques in IDPS: a) the use of few sensors and/or sensors employed locally for capturing data; b) the use of just one forecasting technique; and c) lack of information sharing among sensors to be used for correlation. Notwithstanding, we faced a huge amount of alerts which could have a negative influence over forecasting results.

**1.3 Proposal**

The goal of this chapter is to propose a Distributed Intrusion Forecasting System (DIFS) with two stages: (1) the first stage correlates security alerts using an Event Analysis System (EAS); and (2) the second stage applies forecasting techniques to the data (historical series) generated by the previous stage (EAS). The DIFS works with prediction models and sensors acting at different network levels (host, border and backbone), which enables the use of different forecasting techniques (e.g. Fibonacci sequence and moving averages), cooperation among points of analysis and the correlation of predictions. In addition to the main goal, this chapter aims to propose an analogous approach for earthquake prediction. As a result, it is intended to increase the reliability of incident predictions (e.g. earthquake incidents, cyber attacks), to prevent

The connection between large earthquakes and electromagnetic phenomena in the ground and in the ionosphere is becoming increasingly solid. Researchers in many countries, including China, France, Greece, Italy, Japan, Taiwan, and the United States, are now contributing to the data by monitoring known earthquake zones.

Some correlations between historical data can be traced as well: monitoring 144 earthquakes (1997-1999), Taiwanese researchers noticed significant changes in the electron content of the ionosphere some days before quakes of magnitude higher than 6.

Therefore, the integration of: (1) several types of sensors (ground and space-based), (2) a network to bring together those signals, (3) a good distribution of the sensors (several sensors in a large area), (4) several types of detection (Ultra Low Frequency (ULF), ELF and magnetic-field changes, ionospheric changes, infrared luminescence, and air-conductivity changes, along with traditional mechanical and GPS monitoring of movements of the earth's crust), and (5) the correlation of all data gathered could make forecasts more reliable.
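A minimal sketch of the two-stage idea from the proposal (correlate alerts from sensors at several network levels, then forecast on the resulting historical series), added here as an illustration and not the authors' DIFS or EAS code. The alerts are constructed, and the corroboration rule (a signature must be reported by at least two sensor levels in the same time bucket), the bucket size and the averaging of the two forecasts are assumptions.

```python
from collections import defaultdict

# Constructed alerts (minute, sensor level, signature); not real traffic.
ALERTS = [
    (1, "host", "ssh-bruteforce"), (2, "border", "ssh-bruteforce"),
    (3, "host", "port-scan"),                        # isolated: one level only
    (11, "border", "ssh-bruteforce"), (12, "backbone", "ssh-bruteforce"),
    (13, "host", "ssh-bruteforce"), (14, "border", "port-scan"),
    (15, "backbone", "port-scan"),
    (21, "host", "ssh-bruteforce"), (22, "border", "ssh-bruteforce"),
    (23, "backbone", "ssh-bruteforce"), (24, "host", "port-scan"),
    (25, "border", "port-scan"), (26, "host", "sql-injection"),
    (27, "border", "sql-injection"), (28, "backbone", "web-probe"),  # isolated
]

def correlate(alerts, bucket=10, min_levels=2):
    """Stage 1 (assumed rule): per time bucket, count the signatures that at
    least `min_levels` distinct sensor levels reported; isolated alerts drop out."""
    seen = defaultdict(set)                  # (bucket index, signature) -> levels
    for minute, level, sig in alerts:
        seen[(minute // bucket, sig)].add(level)
    series = [0] * (max(b for b, _ in seen) + 1)
    for (b, _sig), levels in seen.items():
        if len(levels) >= min_levels:
            series[b] += 1
    return series                            # the historical series for stage 2

def sma(series, window=3):
    """Simple moving average of the last `window` points."""
    tail = series[-window:]
    return sum(tail) / len(tail)

def ema(series, alpha=0.5):
    """Exponential moving average; recent buckets weigh more."""
    level = series[0]
    for x in series[1:]:
        level = alpha * x + (1 - alpha) * level
    return level

def forecast_next(series):
    """Stage 2: apply more than one technique and combine them (plain mean)."""
    f = {"sma": sma(series), "ema": ema(series)}
    f["combined"] = sum(f.values()) / len(f)
    return f

if __name__ == "__main__":
    history = correlate(ALERTS)
    print("corroborated series:", history)
    print("raw series         :", correlate(ALERTS, min_levels=1))
    print("next-bucket forecast:", forecast_next(history))
```

Comparing the corroborated series with the raw one shows how much of the input consists of isolated alerts, the quantity whose effect on false positive rates the text says earlier multi-correlation work did not analyze.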
