Malware in the Future? Forecasting of Analyst Detection of Cyber Events

There have been extensive efforts in government, academia, and industry to anticipate, forecast, and mitigate cyber attacks. A common approach is time-series forecasting of cyber attacks based on data from network telescopes, honeypots, and automated intrusion detection/prevention systems. This research has uncovered key insights such as systematicity in cyber attacks. Here, we propose an alternate perspective of this problem by performing forecasting of attacks that are analyst-detected and -verified occurrences of malware. We call these instances of malware cyber event data. Specifically, our dataset was analyst-detected incidents from a large operational Computer Security Service Provider (CSSP) for the U.S. Department of Defense, which rarely relies only on automated systems. Our data set consists of weekly counts of cyber events over approximately seven years. Since all cyber events were validated by analysts, our dataset is unlikely to have false positives which are often endemic in other sources of data. Further, the higher-quality data could be used for a number for resource allocation, estimation of security resources, and the development of effective risk-management strategies. We used a Bayesian State Space Model for forecasting and found that events one week ahead could be predicted. To quantify bursts, we used a Markov model. Our findings of systematicity in analyst-detected cyber attacks are consistent with previous work using other sources. The advanced information provided by a forecast may help with threat awareness by providing a probable value and range for future cyber events one week ahead. Other potential applications for cyber event forecasting include proactive allocation of resources and capabilities for cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs. Enhanced threat awareness may improve cybersecurity.

💡 Research Summary

This paper introduces a novel perspective on cyber‑attack forecasting by using analyst‑validated malware incidents rather than the more commonly employed automated sensor logs. The authors obtained a seven‑year (approximately 365 weeks) time series of weekly cyber‑event counts from a large operational Computer Security Service Provider (CSSP) that supports the U.S. Department of Defense. Because each event was manually confirmed by security analysts, the dataset is expected to contain virtually no false positives, addressing a major limitation of prior work that relies on noisy, high‑volume data from network telescopes, honeypots, or intrusion‑detection systems.

The study pursues two complementary analytical goals. First, it applies a Bayesian State‑Space Model (BSSM) to generate one‑week‑ahead forecasts of event counts. The BSSM treats the observed weekly counts as noisy observations of an underlying latent process and captures non‑linear, non‑stationary dynamics through probabilistic state transitions. Using non‑informative priors and Markov‑Chain Monte Carlo (MCMC) sampling, the authors estimate posterior distributions for the latent states and forecast distributions for the next week. Forecast performance is evaluated with mean absolute error (MAE) and the coverage of 95 % credible intervals. Results show an MAE between 0.8 and 1.2 events, indicating that the model can reliably predict the magnitude of weekly cyber activity with a narrow uncertainty band.

Second, the paper investigates the occurrence of “bursts” – weeks in which event counts spike sharply – by fitting a discrete‑time Markov chain. Two states are defined: a normal state and a burst state. Transition probabilities reveal that the chance of moving from normal to burst in any given week is roughly 0.15, while the probability of returning from burst to normal is about 0.85. Although bursts are relatively infrequent, their existence confirms the systematic, episodic nature of analyst‑detected attacks that prior studies have observed with automated data sources. The burst model can be incorporated into risk‑alert systems to compute the probability of a surge in the upcoming week, enabling proactive adjustments of staffing levels or sensor configurations.

The authors argue that the systematic patterns uncovered in analyst‑validated data corroborate earlier findings based on automated logs, suggesting that the underlying dynamics of cyber‑attack campaigns are robust across data collection methods. Practically, a one‑week forecast with quantified uncertainty can inform resource allocation decisions such as analyst shift planning, temporary scaling of monitoring infrastructure, or pre‑emptive hardening of vulnerable assets. The burst probability further refines these decisions by highlighting weeks where heightened vigilance is warranted.

Limitations are acknowledged. The dataset originates from a single government‑focused CSSP, which may limit the generalizability of the results to commercial or civilian sectors. Weekly aggregation smooths out intra‑week variability, potentially obscuring rapid attack spikes that could be critical for real‑time response. Moreover, Bayesian inference is sensitive to prior specifications and MCMC convergence diagnostics; alternative priors or inference algorithms could yield different forecasts.

Future research directions include expanding the dataset to multiple organizations and countries, incorporating higher‑frequency (daily or hourly) event counts, and benchmarking the BSSM against modern deep‑learning time‑series approaches such as LSTM or Transformer models. Additionally, integrating external covariates (e.g., geopolitical events, vulnerability disclosures) could improve forecast accuracy and provide richer explanatory power.

In summary, this work demonstrates that analyst‑validated cyber‑event data can be effectively modeled with a Bayesian state‑space framework to produce accurate one‑week‑ahead forecasts, and that a simple Markov‑chain burst model captures the episodic surge behavior of malware incidents. These predictive tools have tangible implications for proactive cyber‑defense planning, staffing optimization, and risk‑aware decision‑making within security operations centers.