Predicting cyber security incidents using feature-based characterization of network-level malicious activities

Yang Liu, Jing Zhang, Armin Sarabi, Mingyan Liu, Manish Karir, Michael Bailey

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

This study offers a first step toward understanding the extent to which we may be able to predict cyber security incidents (which can be of one of many types) by applying machine learning techniques and using externally observed malicious activities associated with network entities, including spamming, phishing, and scanning, each of which may or may not have direct bearing on a specific attack mechanism or incident type. Our hypothesis is that when viewed collectively, malicious activities originating from a network are indicative of the general cleanness of a network and how well it is run, and that furthermore, collectively they exhibit fairly stable and thus predictive behavior over time. To test this hypothesis, we utilize two datasets in this study: (1) a collection of commonly used IP address-based/host reputation blacklists (RBLs) collected over more than a year, and (2) a set of security incident reports collected over roughly the same period. Specifically, we first aggregate the RBL data at a prefix level and then introduce a set of features that capture the dynamics of this aggregated temporal process. A comparison between the distribution of these feature values taken from the incident dataset and from the general population of prefixes shows distinct differences, suggesting their value in distinguishing between the two while also highlighting the importance of capturing dynamic behavior (second order statistics) in the malicious activities. These features are then used to train a support vector machine (SVM) for prediction. Our preliminary results show that we can achieve reasonably good prediction performance over a forecasting window of a few months. Copyright is held by the owner/author(s).

Original languageEnglish (US)
Title of host publicationIWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015
PublisherAssociation for Computing Machinery, Inc
Pages3-9
Number of pages7
ISBN (Electronic)9781450333412
DOIs
StatePublished - Mar 4 2015
Externally publishedYes
Event2015 ACM International Workshop on Security and Privacy Analytics, IWSPA 2015 - San Antonio, United States
Duration: Mar 4 2015 → …

Publication series

NameIWSPA 2015 - Proceedings of the 2015 ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2015

Other

Other2015 ACM International Workshop on Security and Privacy Analytics, IWSPA 2015
Country/TerritoryUnited States
CitySan Antonio
Period3/4/15 → …

Keywords

  • Network reputation
  • Network security
  • Prediction
  • Temporal pattern
  • Time-series data

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Software
  • Computational Theory and Mathematics
  • Computer Science Applications

Fingerprint

Dive into the research topics of 'Predicting cyber security incidents using feature-based characterization of network-level malicious activities'. Together they form a unique fingerprint.

Cite this