Predicting Cyber Security Incidents Using Feature-Based Characterization of Network-Level Malicious Activities

Liu, Yang; Zhang, Jing; Sarabi, Armin; Liu, Mingyan; Karir, Manish; Bailey, Michael

doi:10.1145/2713579.2713582

Cited by 31 publications

(31 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Zhang et al find that mismanagement of networks correlates with malicious behavior (measured using a quantity similar to our wickedness) in Autonomous Systems [82], but do not focus on how this behavior might evolve over time. Liu et al use support vector machines trained on data from reputation blacklists to predict security incidents [46]. These predictions could be incorporated into our model to better predict some of the large changes in wickedness over time.…”

Section: Related Workmentioning

confidence: 99%

Analyzing and Modeling Longitudinal Security Data

Edwards¹,

Hofmeyr

Forrest

et al. 2015

Proceedings of the 31st Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Many cybersecurity problems occur on a worldwide scale, but we lack rigorous methods for determining how best to intervene and mitigate damage globally, both short-and long-term. Analysis of longitudinal security data can provide insight into the effectiveness and differential impacts of security interventions on a global level. In this paper we consider the example of spam, studying a large high-resolution data set of messages sent from 260 ISPs in 60 countries over the course of a decade. The statistical analysis is designed to avoid common pitfalls that could lead to erroneous conclusions. We show how factors such as geography, national economics, Internet connectivity and traffic flow impact can affect local spam concentrations. Additionally, we present a statistical model to study temporal transitions in the dataset, and we use a simple extension of the model to investigate the effect of historical botnet takedowns on spam levels. We find that in aggregate most historical takedowns are beneficial in the short-term, but few have long-term impact. Further, even when takedowns are effective globally, they can be detrimental in specific geographic regions or countries. The analysis and modeling described here are based on a single data set. However, the techniques are general and could be adapted to other data sets to help improve decision making about when and how to deploy security interventions.

show abstract

Section: Related Workmentioning

confidence: 99%

Analyzing and Modeling Longitudinal Security Data

Edwards¹,

Hofmeyr

Forrest

et al. 2015

Proceedings of the 31st Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…Similar to that work, we have an internal view of enterprise security, but our study analyzes a time frame that is eight times longer and covers 28K enterprises across 67 industries. Other related works have studied the network hygiene and security posture of enterprises using an outside-in view based on Internet-wide scans and blacklists [16], [27], [28], [50]. The limitations of an outside-in view is that it only applies to externally reachable servers or is based on coarse-grained blacklists.…”

Section: Introductionmentioning

confidence: 99%

Mind Your Own Business: A Longitudinal Study of Threats and Vulnerabilities in Enterprises

Kotzias

Bilge

Vervier

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Enterprises own a significant fraction of the hosts connected to the Internet and possess valuable assets, such as financial data and intellectual property, which may be targeted by attackers. They suffer attacks that exploit unpatched hosts and install malware, resulting in breaches that may cost millions in damages. Despite the scale of this phenomenon, the threat and vulnerability landscape of enterprises remains under-studied. The security posture of enterprises remains unclear, and it's unknown whether enterprises are indeed more secure than consumer hosts. To address these questions, we perform the largest and longest enterprise security study so far. Our data covers nearly 3 years and is collected from 28K enterprises, belonging to 67 industries, which own 82M client hosts and 73M public-facing servers. Our measurements comprise of two parts: an analysis of the threat landscape and an analysis of the enterprise vulnerability patching behavior. The threat landscape analysis studies the encounter rate of malware and PUP in enterprise client hosts. It measures, among others, that 91%-97% of the enterprises, 13%-41% of the hosts, encountered at least one malware or PUP file over the length of our study; that enterprises encounter malware much more often than PUP; and that some industries like banks and consumer finances achieve significantly lower malware and PUP encounter rates than the most-affected industries. The vulnerability analysis examines the patching of 12 client-side and 112 server-side applications in enterprise client hosts and servers. It measures, among others, that it takes over 6 months on average to patch 90% of the population across all vulnerabilities in the 12 client-side applications; that enterprise hosts are faster to patch vulnerabilities compared to consumer hosts; and that the patching of server applications is much worse than the patching of clientside applications.

show abstract

“…2. Cyber attack prediction using social media data: There have been several attempts to use external social media data sources to predict real world cyber attacks [1,23,13,22]. However, the problem these studies focus on is to build predictive models to correlate the social media signals to attacks in the real world that are not observed for a specific organization.…”

Section: Related Work and Motivationmentioning

confidence: 99%

Mining user interaction patterns in the darkweb to predict enterprise cyber incidents

Sarkar

Almukaynizi

Shakarian³

et al. 2019

Soc. Netw. Anal. Min.

View full text Add to dashboard Cite

With rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. In this study, we attempt to build a framework that utilizes unconventional signals from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise related external cyber attacks. We use both unsupervised and supervised learning models that address the challenges that come with the lack of enterprise attack metadata for ground truth validation as well as insufficient data for training the models. We validate our models on a binary classification problem that attempts to predict cyber attacks on a daily basis for an organization. Using several controlled studies on features leveraging the network structure, we measure the extent to which the indicators from the darkweb forums can be successfully used to predict attacks. We use information from 53 forums in the darkweb over a span of 17 months for the task. Our framework to predict real world organization cyber attacks of 3 different security events, suggest that focusing on the reply path structure between groups of users based on random walk transitions and community structures has an advantage in terms of better performance solely relying on forum or user posting statistics prior to attacks.

show abstract

Predicting Cyber Security Incidents Using Feature-Based Characterization of Network-Level Malicious Activities

Cited by 31 publications

References 2 publications

Analyzing and Modeling Longitudinal Security Data

Analyzing and Modeling Longitudinal Security Data

Mind Your Own Business: A Longitudinal Study of Threats and Vulnerabilities in Enterprises

Mining user interaction patterns in the darkweb to predict enterprise cyber incidents

Contact Info

Product

Resources

About