Chen Peng,Maochao Xu,Shouhuai Xu,Taizhong Hu

DOI: https://doi.org/10.1080/02664763.2016.1257590

IF: 1.416

2017-01-01

Journal of Applied Statistics

Abstract:Cyber attacks have become a problem that is threatening the economy, human privacy, and even national security. Before we can adequately address the problem, we need to have a crystal clear understanding about cyber attacks from various perspectives. This is a challenge because the Internet is a large-scale complex system with humans in the loop. In this paper, we investigate a particular perspective of the problem, namely the extreme value phenomenon that is exhibited by cyber attack rates, which are the numbers of attacks against a system of interest per time unit. It is important to explore this perspective because understanding the statistical properties of extreme cyber attack rates will pave the way for cost-effective, if not optimal, allocation of resources in real-life cyber defense operations. Specifically, we propose modeling and predicting extreme cyber attack rates via marked point processes, while using the Value-at-Risk as a natural measure of intense cyber attacks. The point processes are then applied to analyze some real data sets. Our analysis shows that the point processes can describe and predict extreme cyber attack rates at a very satisfactory accuracy.

Gordon Werner,Shanchieh Yang,Katie McConky

DOI: https://doi.org/10.1145/3064814.3064831

2017-04-04

Abstract:Cyber attacks occur on a near daily basis and are becoming exponentially more common. While some research aims to detect the characteristics of an attack, little focus has been given to patterns of attacks in general. This paper aims to exploit temporal correlations between the number of attacks per day in order to predict future intensity of cyber incidents. Through analysis of attack data collected from Hackmageddon, correlation was found among reported attack volume in consecutive days. This paper presents a forecasting system that aims to predict the number of cyber attacks on a given day based only on a set of historical attack count data. Our system conducts ARIMA time series forecasting on all previously collected incidents to predict the expected number of attacks on a future date. Our tool is able to use only a subset of data relevant to a specific attack method. Prediction models are dynamically updated over time as new data is collected to improve accuracy. Our system outperforms naive forecasting methods by 14.1% when predicting attacks of any type, and up to 21.2% when forecasting attacks of a specific type. Our system also produces a model which more accurately predicts future cyber attack intensity behavior.

Yu-Zhong Chen,Zi-Gang Huang,Shouhuai Xu,Ying-Cheng Lai

DOI: https://doi.org/10.1371/journal.pone.0124472

2016-03-24

Abstract:A relatively unexplored issue in cybersecurity science and engineering is whether there exist intrinsic patterns of cyberattacks. Conventional wisdom favors absence of such patterns due to the overwhelming complexity of the modern cyberspace. Surprisingly, through a detailed analysis of an extensive data set that records the time-dependent frequencies of attacks over a relatively wide range of consecutive IP addresses, we successfully uncover intrinsic spatiotemporal patterns underlying cyberattacks, where the term "spatio" refers to the IP address space. In particular, we focus on analyzing {\em macroscopic} properties of the attack traffic flows and identify two main patterns with distinct spatiotemporal characteristics: deterministic and stochastic. Strikingly, there are very few sets of major attackers committing almost all the attacks, since their attack "fingerprints" and target selection scheme can be unequivocally identified according to the very limited number of unique spatiotemporal characteristics, each of which only exists on a consecutive IP region and differs significantly from the others. We utilize a number of quantitative measures, including the flux-fluctuation law, the Markov state transition probability matrix, and predictability measures, to characterize the attack patterns in a comprehensive manner. A general finding is that the attack patterns possess high degrees of predictability, potentially paving the way to anticipating and, consequently, mitigating or even preventing large-scale cyberattacks using macroscopic approaches.

Cryptography and Security,Data Analysis, Statistics and Probability,Physics and Society,Applications

Xing Fang,Maochao Xu,Shouhuai Xu,Peng Zhao

DOI: https://doi.org/10.1186/s13635-019-0090-6

2019-01-01

EURASIP Journal on Information Security

Abstract:Like how useful weather forecasting is, the capability of forecasting or predicting cyber threats can never be overestimated. Previous investigations show that cyber attack data exhibits interesting phenomena, such as long-range dependence and high nonlinearity, which impose a particular challenge on modeling and predicting cyber attack rates. Deviating from the statistical approach that is utilized in the literature, in this paper we develop a deep learning framework by utilizing the bi-directional recurrent neural networks with long short-term memory, dubbed BRNN-LSTM. Empirical study shows that BRNN-LSTM achieves a significantly higher prediction accuracy when compared with the statistical approach.

Mingyue Zhang Wu,Jinzhu Luo,Xing Fang,Maochao Xu,Peng Zhao

DOI: https://doi.org/10.1080/02664763.2021.1936468

IF: 1.416

2021-06-04

Journal of Applied Statistics

Abstract:Modeling cyber risks has been an important but challenging task in the domain of cyber security, which is mainly caused by the high dimensionality and heavy tails of risk patterns. Those obstacles have hindered the development of statistical modeling of the multivariate cyber risks. In this work, we propose a novel approach for modeling the multivariate cyber risks which relies on the deep learning and extreme value theory. The proposed model not only enjoys the high accurate point predictions via deep learning but also can provide the satisfactory high quantile predictions via extreme value theory. Both the simulation and empirical studies show that the proposed approach can model the multivariate cyber risks very well and provide satisfactory prediction performances.

statistics & probability

Zheyuan Sun,Maochao Xu,Kristin M. Schweitzer,Raymond M. Bateman,Alexander Kott,Shouhuai Xu

DOI: https://doi.org/10.1007/978-3-031-45933-7_4

2023-01-01

Abstract:Cyber attacks are a major and routine threat to the modern society. This highlights the importance of forecasting (i.e., predicting) cyber attacks, just like weather forecasting in the real world. In this paper, we present a study on characterizing, modeling and forecasting the number of cyber attacks at an aggregate level by leveraging a high-quality, publicly-available dataset of cyber attacks against enterprise networks; the dataset is of high quality because more than 99% of the attacks were examined and confirmed by human analysts. We find that the attacks exhibit high volatilities and burstiness. These properties guide us to design statistical models to accurately forecast cyber attacksand draw useful insights.

Zaid Almahmoud,Paul D Yoo,Omar Alhussein,Ilyas Farhat,Ernesto Damiani

DOI: https://doi.org/10.1038/s41598-023-35198-1

2023-05-17

Abstract:Traditionally, cyber-attack detection relies on reactive, assistive techniques, where pattern-matching algorithms help human experts to scan system logs and network traffic for known virus or malware signatures. Recent research has introduced effective Machine Learning (ML) models for cyber-attack detection, promising to automate the task of detecting, tracking and blocking malware and intruders. Much less effort has been devoted to cyber-attack prediction, especially beyond the short-term time scale of hours and days. Approaches that can forecast attacks likely to happen in the longer term are desirable, as this gives defenders more time to develop and share defensive actions and tools. Today, long-term predictions of attack waves are mostly based on the subjective perceptiveness of experienced human experts, which can be impaired by the scarcity of cyber-security expertise. This paper introduces a novel ML-based approach that leverages unstructured big data and logs to forecast the trend of cyber-attacks at a large scale, years in advance. To this end, we put forward a framework that utilises a monthly dataset of major cyber incidents in 36 countries over the past 11 years, with new features extracted from three major categories of big data sources, namely the scientific research literature, news, blogs, and tweets. Our framework not only identifies future attack trends in an automated fashion, but also generates a threat cycle that drills down into five key phases that constitute the life cycle of all 42 known cyber threats.

Maochao Xu,Kristin M. Schweitzer,Raymond M. Bateman,Shouhuai Xu

DOI: https://doi.org/10.1109/tifs.2018.2834227

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Analyzing cyber incident data sets is an important method for deepening our understanding of the evolution of the threat situation. This is a relatively new research topic, and many studies remain to be done. In this paper, we report a statistical analysis of a breach incident data set corresponding to 12 years (2005-2017) of cyber hacking activities that include malware attacks. We show that, in contrast to the findings reported in the literature, both hacking breach incident inter-arrival times and breach sizes should be modeled by stochastic processes, rather than by distributions because they exhibit autocorrelations. Then, we propose particular stochastic process models to, respectively, fit the inter-arrival times and the breach sizes. We also show that these models can predict the inter-arrival times and the breach sizes. In order to get deeper insights into the evolution of hacking breach incidents, we conduct both qualitative and quantitative trend analyses on the data set. We draw a set of cybersecurity insights, including that the threat of cyber hacks is indeed getting worse in terms of their frequency, but not in terms of the magnitude of their damage.

Jieying Jiao,Zefan Tang,Peng Zhang,Meng Yue,Chen Chen,Jun Yan

DOI: https://doi.org/10.1109/PESGM40551.2019.8973804

2019-01-01

Abstract:Cyberattacks in power systems can alter load forecasting modelsu0027 input data. Although extreme outliers that fail to follow regular patterns can be easily identified, other more carefully-designed attacks can escape detection and seriously impact load forecasting. While existing work mainly focuses on enhancing attack detection, we propose a cyberattack-resilient load forecasting model that is based on an adaptation of classic Huberu0027s robust statistical method. In a large-scale simulation study, the proposed method performed better than the classic method in various settings.

Raisa Dzhamtyrova,Carsten Maple

DOI: https://doi.org/10.1007/s10618-021-00814-z

Abstract:The increasing value of data held in enterprises makes it an attractive target to attackers. The increasing likelihood and impact of a cyber attack have highlighted the importance of effective cyber risk estimation. We propose two methods for modelling Value-at-Risk (VaR) which can be used for any time-series data. The first approach is based on Quantile Autoregression (QAR), which can estimate VaR for different quantiles, i. e. confidence levels. The second method, we term Competitive Quantile Autoregression (CQAR), dynamically re-estimates cyber risk as soon as new data becomes available. This method provides a theoretical guarantee that it asymptotically performs as well as any QAR at any time point in the future. We show that these methods can predict the size and inter-arrival time of cyber hacking breaches by running coverage tests. The proposed approaches allow to model a separate stochastic process for each significance level and therefore provide more flexibility compared to previously proposed techniques. We provide a fully reproducible code used for conducting the experiments.

Viacheslav Kovtun,Krzysztof Grochla,Mohammed Al-Maitah,Saad Aldosary,Wojciech Kempa

DOI: https://doi.org/10.1016/j.csbj.2024.08.017

IF: 6.155

2024-08-20

Computational and Structural Biotechnology Journal

Abstract:The approaches used in biomedicine to analyze epidemics take into account features such as exponential growth in the early stages, slowdown in dynamics upon saturation, time delays in spread, segmented spread, evolutionary adaptations of the pathogen, and preventive measures based on universal communication protocols. All these characteristics are also present in modern cyber epidemics. Therefore, adapting effective biomedical approaches to epidemic analysis for the investigation of the development of cyber epidemics is a promising scientific research task. The article is dedicated to researching the problem of predicting the development of cyber epidemics at early stages. In such conditions, the available data is scarce, incomplete, and distorted. This situation makes it impossible to use artificial intelligence models for prediction. Therefore, the authors propose an entropy-extreme model, defined within the machine learning paradigm, to address this problem. The model is based on estimating the probability distributions of its controllable parameters from input data, taking into account the variability characteristic of the last ones. The entropy-extreme instance, identified from a set of such distributions, indicates the most uncertain (most negative) trajectory of the investigated process. Numerical methods are used to analyze the generated set of investigated process development trajectories based on the assessments of probability distributions of the controllable parameters and the variability characteristic. The result of the analysis includes characteristic predictive trajectories such as the average and median trajectories from the set, as well as the trajectory corresponding to the standard deviation area of the parameters' values. Experiments with real data on the infection of Windows-operated devices by various categories of malware showed that the proposed model outperforms the classical competitor (least squares method) in predicting the development of cyber epidemics near the extremum of the time series representing the deployment of such a process over time. Moreover, the proposed model can be applied without any prior hypotheses regarding the probabilistic properties of the available data. Graphical abstract Download: Download high-res image (268KB) Download: Download full-size image

biochemistry & molecular biology

Weijia Sun,Qi Wang,Manli Li,Ming Ni

DOI: https://doi.org/10.1109/ei250167.2020.9346650

2020-01-01

Abstract:Recently, wide concern of extreme risk events in power system has been aroused due to several big blackouts at home and abroad. The present study is designed to assess the extreme risk of power system considering cyber attacks, which can not be reflected by using traditional risk assessment method. Based on the theory of value at risk(VaR) and extreme value theory(EVT) in financial terms, a method to evaluate and quantize extreme risk of power system is proposed to determine the potential risk resulted from extreme events with low probabilities and serious consequences. The method is applied to evaluate the extreme risk of cyber attacks in power system and comparisons between evaluation results of commom risk and extreme risk are conducted. Statistically significant results have justified the validity of extreme risk assessment method, which could be regarded as a complement and improvement to traditional risk assessment. It is recommended that further study is needed to be conducted for risk prevention so as to enhance the operation security and reliability of power system.

Jinkun Geng,Daren Ye,Ping Luo

DOI: https://doi.org/10.1007/978-3-319-27161-3_13

2015-01-01

Abstract:Vulnerabilities usually represents the risk level of software, therefore, it is of high value to predict vulnerabilities so as to evaluate the security level of software. Current researches mainly focus on predicting the number of vulnerabilities or the occurrence time of vulnerabilities, however, to our best knowledge, there are no other researches focusing on the prediction of vulnerabilities' severity, which we think is an important aspect reflecting vulnerabilities and software security. To compensate for this deficiency, we propose a novel method based on grey system theory to predict the severity of vulnerabilities. The experiment is carried on the real data collected from CVE and proves the feasibility of our predicting method.

Y M Ivanyo,Y M Krakovsky,A N Luzgin

DOI: https://doi.org/10.1088/1757-899x/327/2/022044

2018-03-01

IOP Conference Series: Materials Science and Engineering

Abstract:At present, cyber-security issues of industrial control systems occupy one of the key niches in a state system of planning and management Functional disruption of these systems via cyber-attacks may lead to emergencies related to loss of life, environmental disasters, major financial and economic damage, or disrupted activities of cities and settlements. There is then an urgent need to develop protection methods against cyber-attacks. This paper studied the results of cyber-attack interval forecasting with a pre-set intensity level of cyber-attacks. Interval forecasting is the forecasting of one interval from two predetermined ones in which a future value of the indicator will be obtained. For this, probability estimates of these events were used. For interval forecasting, a probabilistic neural network with a dynamic updating value of the smoothing parameter was used. A dividing bound of these intervals was determined by a calculation method based on statistical characteristics of the indicator. The number of cyber-attacks per hour that were received through a honeypot from March to September 2013 for the group 'zeppo-norcal' was selected as the indicator.

Zuhua Guo,Yangbo Li,Lixin Xu,Xiao Zhang

DOI: https://doi.org/10.3969/j.issn.1001-3695.2015.11.052

2015-01-01

Abstract:In the cloud service environment,virtualization puts forward higher requirements to network security risk assess-ment.Through constructing a virtual component-centric system risk evaluation model on the cloud computing virtualization platform,the paper implemented network security risk prediction for the Web service DDoS attack.This model used a hierar-chical analysis method to achieve a risk prediction of Web service that improved the prediction accuracy of risk values.Mean-while,the paper used of RBF neural network for prediction parallelization,which achieved the purpose of rapid real-time pre-diction with multiple nodes.Experimental tests show that the method has a better risk evaluation result,which can provide scientific basis for developing the network security defense strategy of cloud computing systems.

Degang Sun,Zhengrong Wu,Yan Wang,Qiujian Lv,Bo Hu

DOI: https://doi.org/10.1109/iscc47284.2019.8969646

2019-01-01

Abstract:Application systems maintain critical sensitive information of an enterprise and especially huge number of data with specific ownership. Unauthorized modification or deletion of data caused by cyber attacks may bring tremendous loses for enterprises. To reduce the damage of cyber attacks, existing techniques have been proposed to predict the potential risk of external attacks at the level of an enterprise, a user, or a machine. However, risk prediction has not been conducted at the level of application systems, which may suffer from external attacks or insider threats. This paper proposes a model based on machine learning to predict whether the application systems of an enterprise have the risk of unauthorized access by using a cyber profile. In particular, the cyber profile is composed of features extracted from the information of the three domains in cyberspace: Information Infrastructure domain, Data domain, and Application domain. The core idea of the model selects the most significant features that have a large impact on the occurrence of unauthorized access to application systems. At last, by using a limited number of selected features, high forecast accuracy is achieved. These results verify the effectiveness of the prediction model, which can potentially be exploited to guide the adjustment of access control policies for effective access control.

Shuang Wei,Yijing Ding,Tongxin Li,Shuaifu Dai,Xinfeng Wu,Xinhui Han

2017-01-01

Abstract:DDoS defense nowadays relies on expensive and proprietary hardware appliances. When a massive attack begins, improper choices such as choosing fewer appliances or those without enough capacity may lead to more severe damage. As the previous work proposed[1], the choice heavily depends on the peak volume of the attack traffic(measured by packets per second). However, no prediction methods have been proposed to the best of our knowledge. In this paper we propose a method called DDoSPVPredictor to predict the peak volume of the DDoS traffic both effectively and efficiently. Based on machine learning, DDoSPVPredictor can predict the peak with only 24 features and for each attack the procedure can be finished in about 1.2s. We evaluate our solution’s prediction accuracy using the 1998 MIT DARPA dataset. Result shows that DDoSPVPredictor is able to predict the peak volume of attack traffic with an accuracy of 85%. Therefore DDoSPVPredictor can help a lot in defending against massive DDoS attacks by optimizing its mitigation method using the predicted outcome.

Zhenxin Zhan,Maochao Xu,Shouhuai Xu

DOI: https://doi.org/10.1109/tifs.2013.2279800

IF: 7.231

2013-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Rigorously characterizing the statistical properties of cyber attacks is an important problem. In this paper, we propose the first statistical framework for rigorously analyzing honeypot-captured cyber attack data. The framework is built on the novel concept of stochastic cyber attack process, a new kind of mathematical objects for describing cyber attacks. To demonstrate use of the framework, we apply it to analyze a low-interaction honeypot dataset, while noting that the framework can be equally applied to analyze high-interaction honeypot data that contains richer information about the attacks. The case study finds, for the first time, that long-range dependence (LRD) is exhibited by honeypot-captured cyber attacks. The case study confirms that by exploiting the statistical properties (LRD in this case), it is feasible to predict cyber attacks (at least in terms of attack rate) with good accuracy. This kind of prediction capability would provide sufficient early-warning time for defenders to adjust their defense configurations or resource allocations. The idea of “gray-box” (rather than “black-box”) prediction is central to the utility of the statistical framework, and represents a significant step towards ultimately understanding (the degree of) the predictability of cyber attacks.

Haitian Liu,Rong Jiang,Bin Zhou,Xing Rong,Juan Li,Aiping Li

DOI: https://doi.org/10.1109/dsc53577.2021.00069

2021-01-01

Abstract:This paper provides an overview of related prediction techniques used in the field of cyber security, and discusses three main types of cyber security prediction tasks: projection and intention recognition of multi-stage or persistent network attack, prediction of other network attacks, and network security situation forecasting. Attack intention recognition could analyze the attacker's attack intention, or predict the attacker's ultimate goal. The prediction of cyber attacks will discuss in more detail what kind of attack will happen when and where. Network security situation forecasting refers to the prediction of the global network security situation. This paper specifically studies the methods and implementation techniques to solve these tasks. In this survey, we find that although the implementation technologies of research topics with similar theoretical background are usually complementary, the application technologies of different research directions have different selection tendencies based on the specific situation of cyber security field.

Hongyu Yang,Le Zhang,Xugao Zhang,Jiyong Zhang

DOI: https://doi.org/10.1007/s11036-021-01837-y

2021-10-27

Mobile Networks and Applications

Abstract:With the rapid development of the Internet of things (IoT) technology, how to effectively predict the network security situation of the IoT has become particularly important. It is difficult to quantify the IoT network situation due to a large number of historical data dimensions, and there are also has the problem of low accuracy for IoT network security situation prediction with multi-peak changes. To solve the above problems, this paper proposed an adaptive IoT network security situation prediction model, which makes the IoT network security situation prediction accuracy higher. Firstly, the paper used the entropy correlation method to calculate the network security situation value sequence in each quantization period according to Alarm Frequency (AF), Alarm Criticality (AC), and Alarm Severity (AS). Then, the security situation values arranged in time series are fragmented through the sliding window mechanism, and then the adaptive cubic exponential smoothing method is used to initially generate the IoT network security situation prediction results. Finally, the paper built the time-varying weighted Markov chain to predict the error value and modify the initial predicted value based on the error state. The experimental results show that the model has a better fitting effect and higher prediction accuracy than other models, and this model’s determination coefficient is 0.811. Compared with the other two models, the sum of squared errors in this model is reduced by 78 %-82 %. The model can better reflect the changes in the IoT network security situation over a while.

computer science, information systems,telecommunications, hardware & architecture