Stochastic Cyber Attack Processes: Concept, Statistical Analysis Framework and Case Study

ABSTRACT

Rigorously characterizing cyber attacks is an important aspect of cyber security research. Its importance can be appreciated not only from a theoretical perspective (the characterizations are a necessary step before we can build faithful cyber security models), but also from a practical perspective (the characterizations can lead to insights for proactive adaptive defense). This motivates us to introduce the novel concept of stochastic cyber attack processes, a new kind of mathematical object for describing cyber attacks. We also present a statistical framework for analyzing the properties of stochastic cyber attack processes. To demonstrate the usefulness of the new concept and the statistical framework, we conduct a case study based on some cyber attack data collected by honeypots. One particular finding is that the stochastic cyber attack processes exhibit the so-called Long-Range Dependence (LRD), a phenomenon that was not known to be relevant in the cyber security domain until now. We show that knowing the presence of LRD facilitates “Gray-Box” model fitting and attack prediction, which are significantly more accurate than “Black-Box” fitting and prediction.