Malware in the Future? Forecasting Analyst Detection of Cyber Events

Cyber attacks endanger physical, economic, social, and political security. We use a Bayesian state space model to forecast the number of future cyber attacks. Cyber attacks were defined as malware detected by cyber analysts over seven years, using cyber events (i.e., reports of malware attacks supported by evidence) at a large Computer Security Service Provider (CSSP). This CSSP protects a variety of computers and networks, which are critical infrastructure, for the U.S. Department of Defense and affiliated organizations. We find that cyber events from the previous week predict the number of events one week ahead. Unlike past work on predicting cyber attacks, our dataset came from an operational CSSP and was based on analyst detection rather than logs or automated systems. Our finding of non-randomness in attacks is consistent with previous work reporting systematicity in attacks detected from logs and automated systems. Advance information provided by a forecast may help with threat awareness for future cyber events, much as a weather forecast does. Potential applications for cyber event forecasting include proactive allocation of resources and capabilities for cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs. Consequently, enhanced threat awareness may improve cyber security by helping to optimize human and technical capabilities.
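To make the forecasting idea concrete, here is an added example (not the paper's model, data, or code) of the simplest state space model of this kind: a local-level model where the weekly count of analyst-confirmed events follows a latent level that drifts as a random walk, filtered with the Kalman recursions to produce a one-week-ahead forecast with an interval. The weekly counts and the noise variances `q` and `r` are constructed for illustration.

```python
"""One-week-ahead forecast of weekly analyst-detected event counts using a
local-level state space model (y_t = mu_t + eps_t, mu_t = mu_{t-1} + eta_t)
filtered with the Kalman recursions. Added illustration; not the paper's model."""
import math

# Constructed sample: weekly counts of evidence-backed malware events at a CSSP.
WEEKLY_EVENTS = [12, 15, 14, 18, 17, 21, 19, 23, 22, 26, 24, 28]


def local_level_filter(y, q, r, p0=1e4):
    """Kalman filter for the local-level model.
    q: variance of the level noise eta, r: variance of the observation noise eps.
    Returns the list of one-step-ahead (forecast, forecast_variance) pairs made
    before each observation, and the final (level_mean, level_variance)."""
    m, p = float(y[0]), p0           # diffuse prior on the initial level
    preds = []
    for obs in y:
        p_pred = p + q               # predict: random walk keeps the mean, adds q
        f, s = m, p_pred + r         # forecast of y_t and its variance
        preds.append((f, s))
        k = p_pred / s               # Kalman gain
        m = m + k * (obs - f)        # update level with the new week's count
        p = (1.0 - k) * p_pred
    return preds, (m, p)


def forecast_next_week(y, q=4.0, r=9.0):
    """Point forecast and 95% interval for next week's event count."""
    _, (m, p) = local_level_filter(y, q, r)
    half = 1.96 * math.sqrt(p + q + r)
    return m, (max(0.0, m - half), m + half)


def mean_abs_error(y, q=4.0, r=9.0):
    """In-sample MAE of the one-step-ahead forecasts (first week skipped,
    since that forecast is only the diffuse prior)."""
    preds, _ = local_level_filter(y, q, r)
    errs = [abs(f - obs) for (f, _), obs in zip(preds[1:], y[1:])]
    return sum(errs) / len(errs)


def naive_mae(y):
    """Baseline: last week's count as the forecast for this week."""
    return sum(abs(a - b) for a, b in zip(y, y[1:])) / (len(y) - 1)


if __name__ == "__main__":
    f, (lo, hi) = forecast_next_week(WEEKLY_EVENTS)
    print(f"next week: {f:.1f} events, 95% interval [{lo:.1f}, {hi:.1f}]")
    print(f"filter MAE {mean_abs_error(WEEKLY_EVENTS):.2f} vs naive {naive_mae(WEEKLY_EVENTS):.2f}")
```

Shrinking `r` toward zero makes the filter trust each week's count fully, so the forecast collapses to last week's value, which is exactly the "previous week predicts next week" baseline the abstract reports.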