Abstract
Cyberattacks endanger physical, economic, social, and political security. There have been extensive efforts in government, academia, and industry to anticipate, forecast, and mitigate such cyberattacks. A common approach is time-series forecasting of cyberattacks based on data from network telescopes, honeypots, and automated intrusion detection/prevention systems. This research has uncovered key insights such as systematicity in cyberattacks. Here, we propose an alternate perspective of this problem by performing forecasting of attacks that are “analyst-detected” and “-verified” occurrences of malware. We call these instances of malware cyber event data. Specifically, our dataset was analyst-detected incidents from a large operational Computer Security Service Provider (CSSP) for the US Department of Defense, which rarely relies only on automated systems. Our data set consists of weekly counts of cyber events over approximately 7 years. This curated dataset has characteristics that distinguish it from most datasets used in prior research on cyberattacks. Since all cyber events were validated by analysts, our dataset is unlikely to have false positives which are often endemic in other sources of data. Further, the higher-quality data could be used for a number of important tasks for CSSPs such as resource allocation, estimation of security resources, and the development of effective risk-management strategies. To quantify bursts, we used a Markov model of state transitions. For forecasting, we used a Bayesian State Space Model and found that events one week ahead could be predicted with reasonable accuracy, with the exception of bursts. Our findings of systematicity in analyst-detected cyberattacks are consistent with previous work using cyberattack data from other sources. The advanced information provided by a forecast may help with threat awareness by providing a probable value and range for future cyber events one week ahead, similar to a weather forecast. Other potential applications for cyber event forecasting include proactive allocation of resources and capabilities for cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs. Enhanced threat awareness may improve cybersecurity by helping to optimize human and technical capabilities for cyber defense.
Original language | English |
---|---|
Journal | Journal of Cybersecurity |
Volume | 4 |
Issue number | 1 |
DOIs | |
Publication status | Published - 1 Jan 2018 |
Fingerprint
Keywords
- Computer security service provider
- Cyberattack
- Cybersecurity
- Forecasting
- Malware
- Prediction
ASJC Scopus subject areas
- Computer Science (miscellaneous)
- Social Psychology
- Safety, Risk, Reliability and Quality
- Political Science and International Relations
- Computer Networks and Communications
- Law
Cite this
Malware in the future? Forecasting of analyst detection of cyber events. / Bakdash, Jonathan Z.; Hutchinson, Steve; Zaroukian, Erin G.; Marusich, Laura R.; Thirumuruganathan, Saravanan; Sample, Charmaine; Hoffman, Blaine; Das, Gautam.
In: Journal of Cybersecurity, Vol. 4, No. 1, 01.01.2018.Research output: Contribution to journal › Article
}
TY - JOUR
T1 - Malware in the future? Forecasting of analyst detection of cyber events
AU - Bakdash, Jonathan Z.
AU - Hutchinson, Steve
AU - Zaroukian, Erin G.
AU - Marusich, Laura R.
AU - Thirumuruganathan, Saravanan
AU - Sample, Charmaine
AU - Hoffman, Blaine
AU - Das, Gautam
PY - 2018/1/1
Y1 - 2018/1/1
N2 - Cyberattacks endanger physical, economic, social, and political security. There have been extensive efforts in government, academia, and industry to anticipate, forecast, and mitigate such cyberattacks. A common approach is time-series forecasting of cyberattacks based on data from network telescopes, honeypots, and automated intrusion detection/prevention systems. This research has uncovered key insights such as systematicity in cyberattacks. Here, we propose an alternate perspective of this problem by performing forecasting of attacks that are “analyst-detected” and “-verified” occurrences of malware. We call these instances of malware cyber event data. Specifically, our dataset was analyst-detected incidents from a large operational Computer Security Service Provider (CSSP) for the US Department of Defense, which rarely relies only on automated systems. Our data set consists of weekly counts of cyber events over approximately 7 years. This curated dataset has characteristics that distinguish it from most datasets used in prior research on cyberattacks. Since all cyber events were validated by analysts, our dataset is unlikely to have false positives which are often endemic in other sources of data. Further, the higher-quality data could be used for a number of important tasks for CSSPs such as resource allocation, estimation of security resources, and the development of effective risk-management strategies. To quantify bursts, we used a Markov model of state transitions. For forecasting, we used a Bayesian State Space Model and found that events one week ahead could be predicted with reasonable accuracy, with the exception of bursts. Our findings of systematicity in analyst-detected cyberattacks are consistent with previous work using cyberattack data from other sources. The advanced information provided by a forecast may help with threat awareness by providing a probable value and range for future cyber events one week ahead, similar to a weather forecast. Other potential applications for cyber event forecasting include proactive allocation of resources and capabilities for cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs. Enhanced threat awareness may improve cybersecurity by helping to optimize human and technical capabilities for cyber defense.
AB - Cyberattacks endanger physical, economic, social, and political security. There have been extensive efforts in government, academia, and industry to anticipate, forecast, and mitigate such cyberattacks. A common approach is time-series forecasting of cyberattacks based on data from network telescopes, honeypots, and automated intrusion detection/prevention systems. This research has uncovered key insights such as systematicity in cyberattacks. Here, we propose an alternate perspective of this problem by performing forecasting of attacks that are “analyst-detected” and “-verified” occurrences of malware. We call these instances of malware cyber event data. Specifically, our dataset was analyst-detected incidents from a large operational Computer Security Service Provider (CSSP) for the US Department of Defense, which rarely relies only on automated systems. Our data set consists of weekly counts of cyber events over approximately 7 years. This curated dataset has characteristics that distinguish it from most datasets used in prior research on cyberattacks. Since all cyber events were validated by analysts, our dataset is unlikely to have false positives which are often endemic in other sources of data. Further, the higher-quality data could be used for a number of important tasks for CSSPs such as resource allocation, estimation of security resources, and the development of effective risk-management strategies. To quantify bursts, we used a Markov model of state transitions. For forecasting, we used a Bayesian State Space Model and found that events one week ahead could be predicted with reasonable accuracy, with the exception of bursts. Our findings of systematicity in analyst-detected cyberattacks are consistent with previous work using cyberattack data from other sources. The advanced information provided by a forecast may help with threat awareness by providing a probable value and range for future cyber events one week ahead, similar to a weather forecast. Other potential applications for cyber event forecasting include proactive allocation of resources and capabilities for cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs. Enhanced threat awareness may improve cybersecurity by helping to optimize human and technical capabilities for cyber defense.
KW - Computer security service provider
KW - Cyberattack
KW - Cybersecurity
KW - Forecasting
KW - Malware
KW - Prediction
UR - http://www.scopus.com/inward/record.url?scp=85063287962&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85063287962&partnerID=8YFLogxK
U2 - 10.1093/cybsec/tyy007
DO - 10.1093/cybsec/tyy007
M3 - Article
AN - SCOPUS:85063287962
VL - 4
JO - Journal of Cybersecurity
JF - Journal of Cybersecurity
SN - 2057-2093
IS - 1
ER -