Malware in the Future? Forecasting of Analyst Detection of Cyber Events
There have been extensive efforts in government, academia, and industry to
anticipate, forecast, and mitigate cyber attacks. A common approach is
time-series forecasting of cyber attacks based on data from network telescopes,
honeypots, and automated intrusion detection/prevention systems. This research
has uncovered key insights such as systematicity in cyber attacks. Here, we
propose an alternate perspective on this problem by forecasting attacks that
are analyst-detected and analyst-verified occurrences of malware. We call
these instances of malware cyber event data. Specifically, our dataset consists
of analyst-detected incidents from a large operational Computer Security Service
Provider (CSSP) for the U.S. Department of Defense, which rarely relies only on
automated systems. The data set consists of weekly counts of cyber events over
approximately seven years. Since all cyber events were validated by analysts,
our dataset is unlikely to contain the false positives that are often endemic in
other sources of data. Further, the higher-quality data could be used for a
number of purposes, such as resource allocation, estimation of security resource
needs, and the development of effective risk-management strategies. We used a
Bayesian state space model for forecasting and found that events one week ahead
could be predicted. To quantify bursts, we used a Markov model. Our findings of
systematicity in analyst-detected cyber attacks are consistent with previous
work using other sources. The advance information provided by a forecast may
help with threat awareness by providing a probable value and range for future
cyber events one week ahead. Other potential applications of cyber event
forecasting include proactive allocation of resources and capabilities for
cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs.
Enhanced threat awareness may improve cybersecurity.
Comment: Revised version resubmitted to journal
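The abstract describes a forecast that gives a probable value and a range for next week's event count, and a notion of burst weeks. The simplest Bayesian state space model that delivers this is a Gaussian local-level model run through a Kalman filter. The block below is an added example, not the paper's model or code: the abstract does not state the paper's model form, priors or burst definition, so the noise variances, the 95% interval and the rule "a week whose count lands above its own one-week-ahead interval is a burst" are assumptions for illustration, and the weekly counts are constructed.

```python
import math

# Constructed weekly counts of analyst-verified cyber events (illustrative only,
# not the CSSP data described in the abstract). Week index 6 is a deliberate burst.
WEEKLY_EVENTS = [14, 11, 16, 13, 15, 12, 38, 17, 14, 13, 15, 16, 12, 14, 18, 15]


def local_level_filter(y, level_var=2.0, obs_var=9.0, z=1.96):
    """Kalman filter for a Gaussian local-level model, the simplest state space model.

    State:       mu_t = mu_{t-1} + eta_t,  eta_t ~ N(0, level_var)
    Observation: y_t  = mu_t + eps_t,      eps_t ~ N(0, obs_var)

    For every week t it records the one-week-ahead forecast (mean, low, high) that
    was available before y_t was observed, then updates the level with y_t.
    Returns (forecast for week T+1, list of per-week forecasts, list of burst weeks),
    where a burst week is one whose count fell above its forecast interval.
    level_var and obs_var are assumed values; in practice they are estimated
    from the data (e.g. by maximum likelihood or MCMC).
    """
    if not y:
        raise ValueError("need at least one observation")
    a, P = float(y[0]), 1e6      # diffuse prior: the first observation sets the level
    per_week, bursts = [], []
    for t, obs in enumerate(y):
        a_pred, P_pred = a, P + level_var           # predict: level drifts by eta
        F = P_pred + obs_var                         # predictive variance of y_t
        half = z * math.sqrt(F)
        per_week.append((a_pred, max(0.0, a_pred - half), a_pred + half))
        if obs > a_pred + half:                      # assumed burst rule
            bursts.append(t)
        K = P_pred / F                               # Kalman gain
        a = a_pred + K * (obs - a_pred)              # update with the observed count
        P = P_pred * (1.0 - K)
    P_next = P + level_var                           # level one week ahead
    half = z * math.sqrt(P_next + obs_var)           # plus observation noise
    next_week = (a, max(0.0, a - half), a + half)
    return next_week, per_week, bursts


if __name__ == "__main__":
    nxt, per_week, bursts = local_level_filter(WEEKLY_EVENTS)
    print("next week: %.1f events, 95%% range [%.1f, %.1f]" % nxt)
    print("burst weeks:", bursts)
```

Counts are non-negative, so the lower bound is clamped at zero; a Poisson or negative-binomial observation model would respect that naturally and is the usual next step for event-count data.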
Exploratory Data Analysis of a Network Telescope Traffic and Prediction of Port Probing Rates
Understanding the properties exhibited by large-scale network probing traffic
would improve cyber threat intelligence. In addition, the prediction of probing
rates is a key feature for security practitioners in their efforts to make
better operational decisions and to enhance their defense strategies. In this
work, we study different aspects of the traffic captured by a /20 network
telescope. First, we perform an exploratory data analysis of the collected
probing activities. The investigation includes probing rates at the port level,
the services of most interest to the top network probers, and the distribution
of probing rates by geolocation. Second, we extract the network probers'
exploration patterns. We model these behaviors using transition graphs
decorated with the probabilities of switching from one port to another.
Finally, we assess the capacity of non-stationary autoregressive and vector
autoregressive models to predict port probing rates, as a first step towards
using more robust models for better forecasting performance.
Comment: IEEE Intelligence and Security Informatics
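Two of the quantities the abstract mentions, port-level probing rates and a transition graph of probers' port-switching probabilities, can be computed directly from raw telescope flow records. The block below is an added example, not the paper's code: it assumes a simplified record format of "timestamp, source IP, destination port" (one line per probe), uses constructed records with documentation-range addresses, and collapses consecutive probes of the same port by the same source so the graph has no self-loops. The paper's own parsing, rate definitions and graph construction are not given in the abstract.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of flow records from a hypothetical /20 network telescope:
# "<ISO-8601 timestamp> <source IP> <destination port>", one probe per line.
# These are made-up records, not data from the paper.
SAMPLE_RECORDS = """\
2024-03-01T00:00:05Z 203.0.113.5 22
2024-03-01T00:00:09Z 203.0.113.5 22
2024-03-01T00:01:00Z 203.0.113.5 23
2024-03-01T00:02:30Z 203.0.113.5 2323
2024-03-01T00:03:00Z 198.51.100.7 22
2024-03-01T00:04:00Z 198.51.100.7 23
2024-03-01T00:05:00Z 198.51.100.7 80
2024-03-01T01:00:00Z 192.0.2.44 23
2024-03-01T01:01:00Z 192.0.2.44 2323
2024-03-01T01:10:00Z 203.0.113.200 445
2024-03-01T01:11:00Z 203.0.113.200 3389
"""


def parse_records(text):
    """Parse records into (timestamp, src, dport) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_s, src, port_s = line.split()
        ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
        rows.append((ts, src, int(port_s)))
    rows.sort(key=lambda r: r[0])   # transition order must follow time
    return rows


def hourly_port_rates(rows):
    """Mean probes per hour for each destination port over the observed window.

    Hours in which a port received no probes count as zero, so rates are
    comparable across ports and across windows of different length.
    """
    if not rows:
        return {}
    first = rows[0][0].replace(minute=0, second=0, microsecond=0)
    last = rows[-1][0].replace(minute=0, second=0, microsecond=0)
    n_hours = int((last - first).total_seconds() // 3600) + 1
    counts = Counter(port for _, _, port in rows)
    return {port: c / n_hours for port, c in counts.items()}


def port_transition_graph(rows):
    """Probers' exploration patterns as a transition graph.

    Edge weight P(a -> b) is the fraction of all moves away from port a (over
    every prober) that went to port b. Consecutive probes of the same port by
    the same source are collapsed, so the graph has no self-loops.
    """
    sequences = defaultdict(list)
    for _, src, port in rows:
        seq = sequences[src]
        if not seq or seq[-1] != port:
            seq.append(port)
    edge_counts = defaultdict(Counter)
    for seq in sequences.values():
        for a, b in zip(seq, seq[1:]):
            edge_counts[a][b] += 1
    graph = {}
    for a, nexts in edge_counts.items():
        total = sum(nexts.values())
        graph[a] = {b: c / total for b, c in nexts.items()}
    return graph


def likely_next_ports(graph, port, k=3):
    """The k ports most often probed right after `port`, with switching probabilities."""
    return sorted(graph.get(port, {}).items(), key=lambda kv: -kv[1])[:k]


if __name__ == "__main__":
    rows = parse_records(SAMPLE_RECORDS)
    for port, rate in sorted(hourly_port_rates(rows).items(), key=lambda kv: -kv[1]):
        print("port %5d: %.2f probes/hour" % (port, rate))
    graph = port_transition_graph(rows)
    for a in sorted(graph):
        print("after port %d:" % a, likely_next_ports(graph, a))
```

On real telescope data the per-port hourly series produced by `hourly_port_rates` is the input an autoregressive model would be fitted to; the transition graph is the object the abstract describes decorating with switching probabilities, and `likely_next_ports` reads the most probable next hop off it.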
The Cyberattack Intensity Forecasting to Information Systems of Critical Infrastructures
In recent years, regulatory documents in the field of information security have paid much attention to the information systems of critical infrastructures. This, in turn, justifies the need for scientific research into new methods of protection against cyberattacks on such information systems. For this task, interval forecasting based on a probabilistic neural network with dynamic updating of the smoothing parameter is recommended. The naive Bayesian model and the probabilistic cluster model were chosen as benchmarks for comparing the interval forecasting results.
ThreatPredict: From Global Social and Technical Big Data to Cyber Threat Forecast
Predicting the next threats that may occur on the Internet is a multifaceted problem: the predictions must be precise enough, and given as far in advance as possible, to be exploited efficiently, for example to set up defensive measures. The ThreatPredict project aims to build predictive models by integrating exogenous sources of data using machine learning algorithms. This paper reports the most notable results using technical data from security sensors and contextual information about darkweb cyber-criminal markets and data breaches.