Many of the measures we use in cyber security are based on Boolean logic applied to directly observable data. A thing, or set of things, is either present or not, and thus a condition may be classified as true or false. For example, given the presence of a certain protocol, port number and packet payload contents, network traffic may be classified as malicious or benign.

The challenge is that much of this data may be obfuscated, may be present in a polymorphic form or, in many cases, may have only come into existence today. What is needed is a fuzzy approach to the classification of threats: one in which there are degrees of truth.

In this talk, I introduce the concept of the “Ripple in the Pond”. With this metaphor, what is of interest is a change in the recognized behavioural patterns of a system: the ripple on the surface of a calm pond.

A change in the behaviour of any system is this “Ripple”. Previous attempts at behaviour classification have fallen into the trap of relying, once again, on directly observable data and therefore tend to be rule-based. The problem with this approach is that much of this data may be under the control of the threat actor and may be manipulated.

The approaches that will be discussed use data that are longitudinally derived and abstracted such that they are not easily manipulated or obfuscated. Examples are proposed with application to classification as well as behavioural and predictive analytics.