Malware in the future? Forecasting of analyst detection of cyber events

Jonathan Z. Bakdash, Steve Hutchinson, Erin G. Zaroukian, Laura R. Marusich, Saravanan Thirumuruganathan, Charmaine Sample, Blaine Hoffman, Gautam Das

Research output: Contribution to journal › Article

1 Citation (Scopus)

Abstract

Cyberattacks endanger physical, economic, social, and political security. There have been extensive efforts in government, academia, and industry to anticipate, forecast, and mitigate such cyberattacks. A common approach is time-series forecasting of cyberattacks based on data from network telescopes, honeypots, and automated intrusion detection/prevention systems. This research has uncovered key insights such as systematicity in cyberattacks. Here, we propose an alternate perspective of this problem by performing forecasting of attacks that are “analyst-detected” and “-verified” occurrences of malware. We call these instances of malware cyber event data. Specifically, our dataset was analyst-detected incidents from a large operational Computer Security Service Provider (CSSP) for the US Department of Defense, which rarely relies only on automated systems. Our dataset consists of weekly counts of cyber events over approximately 7 years. This curated dataset has characteristics that distinguish it from most datasets used in prior research on cyberattacks. Since all cyber events were validated by analysts, our dataset is unlikely to have false positives, which are often endemic in other sources of data. Further, the higher-quality data could be used for a number of important tasks for CSSPs such as resource allocation, estimation of security resources, and the development of effective risk-management strategies. To quantify bursts, we used a Markov model of state transitions. For forecasting, we used a Bayesian State Space Model and found that events one week ahead could be predicted with reasonable accuracy, with the exception of bursts. Our findings of systematicity in analyst-detected cyberattacks are consistent with previous work using cyberattack data from other sources. The advanced information provided by a forecast may help with threat awareness by providing a probable value and range for future cyber events one week ahead, similar to a weather forecast. Other potential applications for cyber event forecasting include proactive allocation of resources and capabilities for cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs. Enhanced threat awareness may improve cybersecurity by helping to optimize human and technical capabilities for cyber defense.

Original language: English
Journal: Journal of Cybersecurity
Volume: 4
Issue number: 1
DOI: 10.1093/cybsec/tyy007
Publication status: Published - 1 Jan 2018

Fingerprint

event
Computer Security
Resource Allocation
Information Storage and Retrieval
United States Department of Defense
Space Simulation
Telescopes
Intrusion detection
Security of data
Risk management
resources
threat
Social Security
Resource allocation
Weather
Risk Management
Time series
Research
data quality
staffing

Keywords

  • Computer security service provider
  • Cyberattack
  • Cybersecurity
  • Forecasting
  • Malware
  • Prediction

ASJC Scopus subject areas

  • Computer Science (miscellaneous)
  • Social Psychology
  • Safety, Risk, Reliability and Quality
  • Political Science and International Relations
  • Computer Networks and Communications
  • Law

Cite this

Bakdash, J. Z., Hutchinson, S., Zaroukian, E. G., Marusich, L. R., Thirumuruganathan, S., Sample, C., ... Das, G. (2018). Malware in the future? Forecasting of analyst detection of cyber events. Journal of Cybersecurity, 4(1). https://doi.org/10.1093/cybsec/tyy007

@article{9ffd3da1bb454c0ea4b4c6f23c81870a,
title = "Malware in the future? Forecasting of analyst detection of cyber events",
keywords = "Computer security service provider, Cyberattack, Cybersecurity, Forecasting, Malware, Prediction",
author = "Bakdash, {Jonathan Z.} and Steve Hutchinson and Zaroukian, {Erin G.} and Marusich, {Laura R.} and Saravanan Thirumuruganathan and Charmaine Sample and Blaine Hoffman and Gautam Das",
year = "2018",
month = "1",
day = "1",
doi = "10.1093/cybsec/tyy007",
language = "English",
volume = "4",
journal = "Journal of Cybersecurity",
issn = "2057-2093",
publisher = "Oxford University Press",
number = "1",

}

TY - JOUR

T1 - Malware in the future? Forecasting of analyst detection of cyber events

AU - Bakdash, Jonathan Z.

AU - Hutchinson, Steve

AU - Zaroukian, Erin G.

AU - Marusich, Laura R.

AU - Thirumuruganathan, Saravanan

AU - Sample, Charmaine

AU - Hoffman, Blaine

AU - Das, Gautam

PY - 2018/1/1

Y1 - 2018/1/1

KW - Computer security service provider

KW - Cyberattack

KW - Cybersecurity

KW - Forecasting

KW - Malware

KW - Prediction

UR - http://www.scopus.com/inward/record.url?scp=85063287962&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85063287962&partnerID=8YFLogxK

U2 - 10.1093/cybsec/tyy007

DO - 10.1093/cybsec/tyy007

M3 - Article

AN - SCOPUS:85063287962

VL - 4

JO - Journal of Cybersecurity

JF - Journal of Cybersecurity

SN - 2057-2093

IS - 1

ER -