Predicting Cyber Attack Rates with Extreme Values

Abstract

It is important to understand to what extent, and in what perspectives, cyber attacks can be predicted. Despite its evident importance, this problem was not investigated until very recently, when we proposed using the innovative methodology of gray-box prediction. This methodology advocates the use of gray-box models, which accommodate the statistical properties/phenomena exhibited by the data. Specifically, we showed that gray-box models that accommodate the Long-Range Dependence (LRD) phenomenon can predict the attack rate (i.e., the number of attacks per unit time) 1-hour ahead-of-time with an accuracy of 70.2-82.1\%. To the best of our knowledge, this is the first result showing the feasibility of prediction in this domain. We observe that the prediction errors are partly caused by the models' incapability in predicting the large attack rates, which are called extreme values in statistics. This motivates us to analyze the extreme-value phenomenon, by using two complementary approaches: the Extreme Value Theory (EVT) and the Time Series Theory (TST). In this paper, we show that EVT can offer long-term predictions (e.g., 24-hour ahead-of-time), while gray-box TST models can predict attack rates 1-hour ahead-of-time with an accuracy of 86.0-87.9\%. We explore connections between the two approaches, and point out future research directions. Although our prediction study is based on specific cyber attack data, our methodology can be equally applied to analyze any cyber attack data of its kind.