Forecasting Cyberattacks as Time Series with Different Aggregation Granularity
Title | Forecasting Cyberattacks as Time Series with Different Aggregation Granularity |
Publication Type | Conference Paper |
Year of Publication | 2018 |
Authors | Werner, Gordon, Okutan, Ahmet, Yang, Shanchieh, McConky, Katie |
Conference Name | 2018 IEEE International Symposium on Technologies for Homeland Security (HST) |
ISBN Number | 978-1-5386-3443-1 |
Keywords | aggregation granularity, ARIMA, auto-regressive integrated moving average models, autoregressive moving average processes, Bayesian networks, belief networks, binary occurrence metrics, Computer crime, computer network security, Correlation, cyber attack occurrences, cyber defense, Forecasting, incident count forecasting, intrusion detection methods, malicious activity, Malicious Traffic, Malware, Metrics, potential external factors, Predictive models, predictive security metrics, pubcrawl, security, target configuration, time series, Time series analysis, time series construction, Uniform resource locators |
Abstract | Cyber defense can no longer be limited to intrusion detection methods. These systems require malicious activity to enter an internal network before an attack can be detected. Having advanced, predictive knowledge of future attacks allows a potential victim to heighten security and possibly prevent any malicious traffic from breaching the network. This paper investigates the use of Auto-Regressive Integrated Moving Average (ARIMA) models and Bayesian Networks (BN) to predict future cyber attack occurrences and intensities against two target entities. In addition to incident count forecasting, categorical and binary occurrence metrics are proposed to better represent volume forecasts to a victim. Different measurement periods are used in time series construction to better model the temporal patterns unique to each attack type and target configuration, seeing over 86% improvement over baseline forecasts. Using ground truth aggregated over different measurement periods as signals, a BN is trained and tested for each attack type and the obtained results provided further evidence to support the findings from ARIMA. This work highlights the complexity of cyber attack occurrences; each subset has unique characteristics and is influenced by a number of potential external factors. |
URL | https://ieeexplore.ieee.org/document/8574185 |
DOI | 10.1109/THS.2018.8574185 |
Citation Key | werner_forecasting_2018 |