Intrusion Detection Forecasting Using Time Series for Improving Cyber Defence

Öz

The strength of time series modeling is generally not used in almost all current intrusion detection and prevention systems. By having time series models, system administrators will be able to better plan resource allocation and system readiness to defend against malicious activities. In this paper, we address the knowledge gap by investigating the possible inclusion of a statistical based time series modeling that can be seamlessly integrated into existing cyber defense system. Cyber-attack processes exhibit long range dependence and in order to investigate such properties a new class of Generalized Autoregressive Moving Average (GARMA) can be used. In this paper, GARMA (1, 1; 1, ±) model is fitted to cyber-attack data sets. Two different estimation methods are used. Point forecasts to predict the attack rate possibly hours ahead of time also has been done and the performance of the models and estimation methods are discussed. The investigation of the case-study will confirm that by exploiting the statistical properties, it is possible to predict cyber-attacks (at least in terms of attack rate) with good accuracy. This kind of forecasting capability would provide sufficient early-warning time for defenders to adjust their defense configurations or resource allocations.

Anahtar Kelimeler

• Intrusion forecasting; Predictive modeling; Generalized Autoregressive Moving Average; Long range dependence

Kaynakça

1. Z. Zhan, M. Xu and S. Xu, Characterizing Honeypot-captured cyber- attacks: Statistical Framework and Case study, Information Forensics and Security, IEEE Transactions, 8(11): 1775-1789, November 2013.
2. Sang and S. Li, A predictability analysis of network traffic, Computer Networks, 2012.
3. M. Celenk, T. Conley, J. Graham and J. Willis, Anomaly Prediction in Network Traffic using Adaptive Wiener Filtering and ARMA Modeling, SMC 2008. IEEE International Conference on Systems, Man and Cybernetics, 3548-3553.
4. G. Frey, M. Manera, A. Markandya and E. Scarpa, Econometric models for oil price forecasting: A critical survey, CESifo Forum 1/2009.
5. D. Kwon, J. W. Hong and H. Ju, DDos Attack Forecasting System Architecture using Honeynet, dpnm.postech.ac.kr/papers/.../12/dwkwon/APNOMS2012-
6. Y. Hideshima and H. Koike , “STARMINE: A visualization system for cyber-attacks,” 2006 Asian-Pacific Symposium on Information Visualization, pp. 131-138, February 2006.
7. C. Ishida, Y. Arakawa, I. Sasase, and K. Takemori, “Forecast techniques for predicting increase or decrease of attacks using bayesian inference,” 2005 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, pp. 450-453, August 2005.
8. Y. Zhang, X. Tan, and H. Xi, “A novel approach to network security situation awareness based on multi-perspective analysis,” 2007 International Conference on Computational Intelligence and Security, pp. 768-772, December 2007.

9. D.-H. Kim, T. Lee, S.-O.D. Jung, H.-J. Lee, and H.P. In, “Cyber threat trend analysis model using HMM,” 2007 International Symposium on Information Assurance and Security, pp. 177-182, August 2007.
10. S.-H. Kim, S.-J. Shin, H.-W. Kim, K.-H. Kwon, and Y.-G. Han, “Hybrid intrusion forecasting framework for early warning system,” IEICE TRANS. INF. and SYST., vol. E91-D, no. 5, pp. 1234-1241, May 2008.
11. K. Takemori, Y. Miyake, C. Ishida, and I. Sasase, “A SOC framework for ISP federation and attack forecast by learning propagation patterns,” 2007 IEEE Intelligence and Security Informatics, pp. 172-179, May 2007.
12. S.S.S. Sindhu, S. Geetha, S.S. Sivanath, and A. Kannan, “A neurogenetic ensemble short term forecasting framework for anomaly intrusion prediction,” 2006 International Conference on Advanced Computing and Communications, pp. 187-190, December 2006.
13. S. Nanda and N. Deo, “A highly scalable model for network attack identification and path prediction,” 2007 IEEE Southeast Conference, pp. 663-668, March 2007.
14. S.E. Schechter, “Toward econometric models of the security risk from remote attacks,” IEEE Security and Privacy, vol. 3, issue 1, pp. 40-44, January-February 2005.
15. P. J. Brockwell and R. A. Davis, “Time Series: Theory and Methods,” New York: Springer-Verlag, 1991.
16. P. J. Brockwell and R. A. Davis, “Introduction to Time Series and Forecasting,” 2nd Edition. New York: Springer, 2002.
17. M. S. Peiris, “Improving the Quality of Forecasting using Generalized AR Models: An Application to Statistical Quality Control,” 2003, Statistical Methods, vol. 5, issue 2, pp. 156-171, 2003.
18. M. S. Peiris, D. Allen anf A. Thavaneswaran, “An Introduction to Generalized Moving Average Models and Applications,” Journal of Applied Statistical Science, vol. 13, issue 3, pp. 251-267, 2004.
19. T. R. Pillai, M. Shitan and M. S. Peiris, “Time Series Properties of the Class of First Order Autoregressive Processes with Generalized Moving Average Errors,”Journal of Statistics: Advances in Theory and Applications, vol. 2, issue 1, pp. 71-92, 2009.
20. M. Shitan and M. S. Peiris, “Time series Properties of the class of generalized first-order autoregressive processes with moving average errors,” Communication in Statistics-Theory and Methods, vol. 40, pp. 2259-2275, 2011.
21. T. R. Pillai, M. Shitan and M. S. Peiris, “Some Properties of the Generalized Autoregressive Moving Average (GARMA(1, 1; δ 1, δ 2)) model,” Communication and Statistics-Theory and Methods vol. 4, issue 41, pp. 699-716, 2012.
22. R. A. Fisher, “A Mathematical Examination of the methods determining accuracy of an observation by the mean error and by the mean square error,” Monthly Notices of the Royal Astronomical Society 80, vol. 1, pp. 758-770, CP12 in Bennett, 1971.