Recorded future professes to predict tomorrow's IT attacks

Can accurate predictions be made about serious terrorist attacks and future attacks on companies solely by analysing the flow of open information sources? This remains a fantasy for those who do not have vast resources at their disposal. But, there is another way. By combining Big Data handling with, among other things, semantic analysis and by clustering myriad small puzzle pieces, Recorded Future has acquired multinational companies and international security services as customers.

Actually, this already started in the 1990's. Staffan Truvé and a few colleagues at Chalmers constructed a tool to visualise data quantities in manner both simple and accessible. Because the visualisation tool made it easy to analyse data quantities, it was used for numerous purposes in the subsequent years, such as for understanding quality data from factories and genetic data within pharmaceutical research. Visualisation made it possible to, for example, see when quality in a manufacturing process began to diminish. Everything was based on customers analysing their own data.

Meanwhile, an idea began to form among the three innovators: Would it be possible to utilise the same basic principle to do something more? To predict large-scale events? When they sold their business in 2007, they started thinking about creating something completely new. This time around, the challenge would be to identify proprietary, interesting data quantities which could serve as the basis for understanding what was happening in the world!

"What's new is that humanity is our sensor," claims Staffan Truvé. "In the form of everything that is written, tweeted and posted online. We therefore developed our tool to organise this data, and to analyse and formulate predictions based on it."

Attempted to Predict the Stock Market

At the beginning, the newly-inspired team focused on, among other things, the stock market. As so many others had tried to do, they attempted to predict the behaviour of the stock market.

"We didn't feel as if we had any kind of functioning business model, so we started looking at other options. We tested a few things and discovered that our model was good at detecting threats. Therefore, we opted to focus on further developing the system. Today, this is the basis for our entire business idea."

The company Recorded Future professes with great certainty that they are able to predict future IT attacks. Their customers include law enforcement agencies and, primarily, large American companies with in-house security departments.

"Our business idea is based on companies having proprietary resources for conducting analyses and for managing the results of our predictions. Our tool can warn about a probable intrusion or attack against the company, but the company's own experts are required to make a final assessment and implement measures as required."

Semantic Analysis for predicting threats

In practice, the tool scans and analyses 20-30 million documents per day, in seven different languages, including Chinese and Farsi. A document could be anything from a voluminous report to a single tweet.

"What's different from other, similar systems, is that we conduct an in-depth semantic analysis," says Staffan. "It can be said that our greatest innovation is in combining our tool to scan, manage and analyse huge volumes of data with semantics, something that is otherwise primarily used by major news corporations for financial news."

Common red flag words linked to bomb attacks, IT attacks, etc. are put into context in order to understand the severity of the threat to a company, country or customer. The process involves several automatic steps:

  • 1. Wide-ranging scanning of the internet.
  • 2. Searching for red flag words.
  • 3. Semantic analysis – in which language context do the words exist and what incidents are being described?
  • 4. Analysis of the source's credibility and comparisons with known risk profiles and IP addresses which have previously manifested in similar contexts.
  • 5. Clustering of all references to a single incident.
  • 6. Determining the severity of the threat based on gathered information, analyses and clustering.
  • 7. Presenting this information to the customer who carries out a final assessment of the threat including any measures to be taken.

Open information sources sufficient

"By scanning such expansive material we achieve great accuracy, even though we only use open information sources," says Staffan. "There are a multitude of threats only being expressed by one or very few individuals. But when we see that, perhaps, 50 individuals are all commenting on the same incident, such as a protest demonstration or a collective attack, and if we can link this to known criminals or troublemakers, we can be fairly certain that something serious in underway. By analysing what's being written and typed, and by following events and their potential escalation, it is possible to predict when and where the incident will occur."

For example, angry agitators are a good indicator of what will take place. They seek followers online and they do this when they need to synchronise. Each individual puzzle piece can at best serve as a warning, but when put together they can quite often predict an exact date for an attack and reveal the number of perpetrators.

Angry opinions a good starting point

It is possible to detect an impending situation from the numerous threats and ongoing incitement. Both with regard to imminent physical attacks and online attacks.

"Essentially, it is machine learning that forms the basis for our predictive models," says Staffan. "By investigating how past incidents developed, we can make predictions concerning future events. A clear example is when a cluster analysis indicates that something seems to be more promulgated than what it normally would be. There are many reasons this may be the case, but by using language analysis and other known variables we can predict with great certainty that, for example, trouble will break out on the streets within 4-5 days in a certain Middle Eastern city. This information can prove invaluable to a company, as it affords employees time to prepare or get to a place of safety."

About Recorded Future

Recorded Future has around 100 employees, 30 of whom work in Sweden. Despite the relatively small number of employees, the company has four of the world's five largest companies as customers and more than 17,000 users. The company's R&D is conducted in its entirety in Gothenburg.