Predicting Cyber Attack Rates with Extreme Values

TL;DR

This paper introduces a gray-box prediction methodology for cyber attack rates, demonstrating that combining Extreme Value Theory and Time Series Theory improves short-term and long-term attack rate forecasts, with high accuracy.

Contribution

It is the first to apply gray-box models incorporating LRD to predict cyber attack rates and analyzes extreme attack values using EVT and TST for enhanced forecasting.

Findings

Gray-box models predict attack rates 1-hour ahead with 86-88% accuracy.

EVT enables 24-hour ahead predictions of extreme attack values.

Combining EVT and TST offers comprehensive insights into attack rate extremes.

Abstract

It is important to understand to what extent, and in what perspectives, cyber attacks can be predicted. Despite its evident importance, this problem was not investigated until very recently, when we proposed using the innovative methodology of {\em gray-box prediction}. This methodology advocates the use of gray-box models, which accommodate the statistical properties/phenomena exhibited by the data. Specifically, we showed that gray-box models that accommodate the Long-Range Dependence (LRD) phenomenon can predict the attack rate (i.e., the number of attacks per unit time) 1-hour ahead-of-time with an accuracy of 70.2-82.1\%. To the best of our knowledge, this is the first result showing the feasibility of prediction in this domain. We observe that the prediction errors are partly caused by the models' incapability in predicting the large attack rates, which are called {\em extreme values} in statistics. This motivates us to analyze the {\em extreme-value phenomenon}, by using two complementary approaches: the Extreme Value Theory (EVT) and the Time Series Theory (TST). In this paper, we show that EVT can offer long-term predictions (e.g., 24-hour ahead-of-time), while gray-box TST models can predict attack rates 1-hour ahead-of-time with an accuracy of 86.0-87.9\%. We explore connections between the two approaches, and point out future research directions. Although our prediction study is based on specific cyber attack data, our methodology can be equally applied to analyze any cyber attack data of its kind.