Intrusion Detection Forecasting Using Time Series for Improving Cyber Defence

The strength of time series modeling is left almost entirely unused by current intrusion detection and prevention systems. With time series models in hand, system administrators can plan resource allocation and system readiness against malicious activity ahead of time rather than react to it. In this paper we address that gap by investigating how a statistically based time series model can be integrated seamlessly into an existing cyber defense system. Cyber-attack processes exhibit long range dependence, and a new class of Generalized Autoregressive Moving Average (GARMA) models is suited to investigating such properties. In this paper a GARMA(1, 1; 1, δ) model is fitted to cyber-attack data sets, using two different estimation methods. Point forecasts that predict the attack rate possibly hours ahead of time have also been produced, and the performance of the models and of the estimation methods is discussed. The case study confirms that, by exploiting these statistical properties, cyber-attacks can be predicted (at least in terms of attack rate) with good accuracy. A forecasting capability of this kind would give defenders sufficient early-warning time to adjust their defense configurations or resource allocations.
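The workflow the abstract describes (fit a model to an hourly attack-count series, forecast the attack rate several hours ahead, and act on the forecast before it materialises) is shown below as an added example. It is illustrative code written for this page, not the authors' GARMA implementation: a plain AR(1) model fitted by ordinary least squares stands in for the paper's GARMA(1, 1; 1, δ) model, the hourly counts are constructed rather than measured, and the capacity threshold, hold-out split and function names are assumptions. A residual lag-1 autocorrelation check is included because leftover dependence in the residuals is exactly the kind of evidence that motivates the richer GARMA class in the paper.

```python
"""Added example (not the paper's code): AR(1) forecasting of hourly
attack counts with an early-warning check against a capacity threshold.

The GARMA(1, 1; 1, delta) model of the paper is replaced here by a simple
AR(1) fitted by OLS so the example runs with the standard library only.
"""
from math import sqrt

# Constructed hourly attack counts (e.g. IDS alerts per hour); not real data.
# 24 training hours followed by 6 hold-out hours used to score the forecast.
TRAIN = [12, 15, 14, 18, 22, 25, 31, 28, 24, 20, 17, 15,
         13, 12, 14, 16, 19, 23, 27, 30, 34, 31, 27, 24]
HOLDOUT = [21, 18, 16, 15, 14, 13]

# Assumed capacity: attacks per hour the current defence configuration absorbs.
CAPACITY = 30


def fit_ar1(series):
    """Fit x_t = c + phi * x_{t-1} by ordinary least squares on lag pairs.

    Returns (c, phi). Raises ValueError for a constant series, where the
    slope is undefined.
    """
    x_prev, x_curr = series[:-1], series[1:]
    n = len(x_prev)
    mean_prev = sum(x_prev) / n
    mean_curr = sum(x_curr) / n
    sxx = sum((a - mean_prev) ** 2 for a in x_prev)
    if sxx == 0:
        raise ValueError("series is constant; AR(1) slope undefined")
    sxy = sum((a - mean_prev) * (b - mean_curr) for a, b in zip(x_prev, x_curr))
    phi = sxy / sxx
    c = mean_curr - phi * mean_prev
    return c, phi


def forecast(series, horizon, c, phi):
    """Recursive point forecasts for 1..horizon hours ahead of the last value."""
    out, last = [], series[-1]
    for _ in range(horizon):
        last = c + phi * last
        out.append(last)
    return out


def rmse(actual, predicted):
    """Root mean square error between hold-out counts and forecasts."""
    pairs = list(zip(actual, predicted))
    return sqrt(sum((a - p) ** 2 for a, p in pairs) / len(pairs))


def residual_lag1_autocorr(series, c, phi):
    """Lag-1 autocorrelation of one-step residuals; far from 0 means the
    AR(1) left dependence unexplained (the motivation for GARMA-type models)."""
    resid = [b - (c + phi * a) for a, b in zip(series[:-1], series[1:])]
    mean_r = sum(resid) / len(resid)
    denom = sum((r - mean_r) ** 2 for r in resid)
    if denom == 0:
        return 0.0  # perfect fit, no residual variation to correlate
    num = sum((r0 - mean_r) * (r1 - mean_r) for r0, r1 in zip(resid[:-1], resid[1:]))
    return num / denom


def early_warning(forecasts, capacity):
    """Hours ahead (1-indexed) at which the forecast first exceeds capacity,
    or None if no breach is forecast within the horizon."""
    for hours_ahead, value in enumerate(forecasts, start=1):
        if value > capacity:
            return hours_ahead
    return None


def run_demo(train=TRAIN, holdout=HOLDOUT, capacity=CAPACITY):
    """Fit on the training window, forecast the hold-out horizon, score it."""
    c, phi = fit_ar1(train)
    fc = forecast(train, len(holdout), c, phi)
    return {
        "c": c,
        "phi": phi,
        "forecasts": fc,
        "rmse": rmse(holdout, fc),
        "resid_acf1": residual_lag1_autocorr(train, c, phi),
        "warning_hours_ahead": early_warning(fc, capacity),
    }


if __name__ == "__main__":
    result = run_demo()
    print(f"AR(1): c={result['c']:.3f} phi={result['phi']:.3f}")
    print("forecasts:", [round(v, 1) for v in result["forecasts"]])
    print(f"hold-out RMSE={result['rmse']:.2f} resid ACF(1)={result['resid_acf1']:.2f}")
    print("breach forecast at hours ahead:", result["warning_hours_ahead"])
```

The point of `early_warning` is the operational one the abstract makes: a forecast that crosses the assumed capacity line some hours out is the trigger to add sensors, raise rate limits or staff the SOC before the traffic arrives. The hold-out RMSE and the residual autocorrelation are the two checks a practitioner should look at before trusting any such forecast; the paper's two estimation methods would be compared on the same footing.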
