Malware in the Future? Forecasting of Analyst Detection of Cyber Events
Jonathan Z. Bakdash (1,2,*), Steve Hutchinson (3), Erin G. Zaroukian (4), Laura R. Marusich (5), Saravanan Thirumuruganathan (6), Charmaine Sample (3), Blaine Hoffman (4), and Gautam Das (7)
(1) U.S. Army Research Laboratory South at the University of Texas Dallas, Richardson, TX, USA
(2) Department of Psychology, Counseling, and Special Education, Texas A&M Commerce, Commerce, TX, USA
(3) Computational and Information Sciences Directorate, ICF for the U.S. Army Research Laboratory, Adelphi, MD, USA
(4) Human Research and Engineering Directorate, U.S. Army Research Laboratory, Aberdeen Proving Ground, MD, USA
(5) U.S. Army Research Laboratory South at the University of Texas Arlington, Arlington, TX, USA
(6) Qatar Computing and Research Institute, Qatar Foundation, Doha, Qatar
(7) Computer Science and Engineering Department, University of Texas Arlington, Arlington, TX, USA
(*) Corresponding author. E-mail: jonathan.z.bakdash.civ@mail.mil
Key words: cybersecurity; forecasting; prediction; cyber attack; malware; computer security service provider
Revised version resubmitted to a journal on 6/8/2018
Abstract
Cyber attacks endanger physical, economic, social, and political security. There have been extensive efforts in government, academia, and industry to anticipate, forecast, and mitigate such cyber attacks. A common approach is time-series forecasting of cyber attacks based on data from network telescopes, honeypots, and automated intrusion detection/prevention systems. This research has uncovered key insights such as systematicity in cyber attacks. Here, we propose an alternate perspective on this problem by forecasting attacks that are analyst-detected and -verified occurrences of malware. We call these instances of malware cyber event data. Specifically, our dataset was analyst-detected incidents from a large operational Computer Security Service Provider (CSSP) for the U.S. Department of Defense, which rarely relies only on automated systems. Our dataset consists of weekly counts of cyber events over approximately seven years. This curated dataset has characteristics that distinguish it from most datasets used in prior research on cyber attacks. Since all cyber events were validated by analysts, our dataset is unlikely to contain false positives, which are often endemic in other sources of data. Further, the higher-quality data could be used for a number of important tasks for CSSPs, such as resource allocation, estimation of security resources, and the development of effective risk-management strategies. To quantify bursts, we used a Markov model of state transitions. For forecasting, we used a Bayesian State Space Model and found that events one week ahead could be predicted with reasonable accuracy, with the exception of bursts. Our findings of systematicity in analyst-detected cyber attacks are consistent with previous work using cyber attack data from other sources. The advance information provided by a forecast may help with threat awareness by providing a probable value and range for future cyber events one week ahead, similar to a weather forecast. Other potential applications for cyber event forecasting include proactive allocation of resources and capabilities for cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs. Enhanced threat awareness may improve cybersecurity by helping to optimize human and technical capabilities for cyber defense.
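The abstract names two modelling steps: a Markov model of state transitions to quantify bursts, and a state space model that yields a probable value and range for next week's count. The following Python is an added illustration of both steps, not the paper's code: the burst rule (count above a multiple of the series median), the local-level state space model with fixed variances, and the weekly counts are all assumptions made here.

```python
"""Burst states and a one-week-ahead forecast for weekly cyber-event counts.
Added illustration, not the paper's code. Assumed: a week is a 'burst' when
its count exceeds a multiple of the series median; the forecaster is a
local-level state space model (random-walk level plus observation noise)
filtered with a scalar Kalman filter, giving a point forecast and a range."""
import math

# Constructed sample of weekly analyst-verified event counts (not CSSP data).
WEEKLY_COUNTS = [12, 14, 11, 13, 40, 38, 12, 10, 15, 13, 11, 55, 14, 12]

def burst_states(counts, multiplier=2.0):
    """Label each week 'B' (burst) or 'N' (normal) relative to the median."""
    s = sorted(counts)
    n = len(s)
    median = s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2
    return ["B" if c > multiplier * median else "N" for c in counts]

def transition_matrix(states, labels=("N", "B")):
    """Estimate first-order Markov transition probabilities between states."""
    tally = {a: {b: 0 for b in labels} for a in labels}
    for prev, cur in zip(states, states[1:]):
        tally[prev][cur] += 1
    matrix = {}
    for a in labels:
        total = sum(tally[a].values())
        matrix[a] = {b: (tally[a][b] / total if total else 0.0) for b in labels}
    return matrix

def local_level_forecast(counts, obs_var=9.0, level_var=4.0, z=1.96):
    """Scalar Kalman filter for y_t = mu_t + e_t, mu_t = mu_{t-1} + w_t.
    Returns (point forecast, lower, upper) for the next week; the two
    variances are assumed here, not estimated from the paper's data."""
    mu, p = float(counts[0]), obs_var      # initialise level at the first week
    for y in counts[1:]:
        p_pred = p + level_var             # level drifts: add state variance
        gain = p_pred / (p_pred + obs_var)  # Kalman gain
        mu += gain * (y - mu)              # update level with this week's count
        p = (1 - gain) * p_pred
    f_var = p + level_var + obs_var        # one-step-ahead predictive variance
    half = z * math.sqrt(f_var)
    return mu, max(0.0, mu - half), mu + half
```

The transition matrix exposes how likely a burst week is to be followed by another burst, while the forecast interval is the kind of value-plus-range output the abstract compares to a weather forecast.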
Introduction
Internet infrastructure plays a crucial role in a number of daily activities. The pervasive nature of cyber systems ensures far-reaching consequences of cyber attacks. Cyber attacks threaten physical, economic, social, and political security. The effects of cyber attacks can disrupt, deny, and even disable the operation of critical infrastructure including power grids, communication networks, hospitals, financial institutions, and defense and military systems. To protect its critical infrastructure, the U.S. Department of Defense (DoD) has identified cyberspace (information networks for computers, communication, and other systems) as a key operational environment for the military, one that is interdependent with the physical (air, land, maritime, and space) environment [1]. A key component of the DoD’s strategy and implementation plans for protecting cyberspace is enhancing threat awareness for Computer Security Service Providers (CSSPs) [2,3]. Analysts in DoD CSSPs protect DoD and DoD-affiliated computers and networks by finding, analyzing, remediating, and documenting cyber attacks.
To improve threat awareness for CSSPs, we investigate whether intrinsic, predictable patterns exist among analyst-detected and -verified occurrences of malware, referred to here as cyber events. This research is unique because the dataset comprises over seven years of cyber events from an operational DoD CSSP that r