Maochao Xu

7 papers, 373 citations

7 Papers

[AP] Mar 15, 2021
Modeling Multivariate Cyber Risks: Deep Learning Dating Extreme Value Theory

Mingyue Zhang Wu, Jinzhu Luo, Xing Fang et al.

Modeling cyber risks has been an important but challenging task in the domain of cyber security. It is mainly because of the high dimensionality and heavy tails of risk patterns. Those obstacles have hindered the development of statistical modeling of multivariate cyber risks. In this work, we propose a novel approach for modeling multivariate cyber risks which relies on deep learning and extreme value theory. The proposed model not only enjoys highly accurate point predictions via deep learning but also can provide satisfactory high-quantile prediction via extreme value theory. The simulation study shows that the proposed model can model the multivariate cyber risks very well and provide satisfactory prediction performance. The empirical evidence based on real honeypot attack data also shows that the proposed model has very satisfactory prediction performance.

[CR] Mar 28, 2016
Cyber Epidemic Models with Dependences

Maochao Xu, Gaofeng Da, Shouhuai Xu

Studying models of cyber epidemics over arbitrary complex networks can deepen our understanding of cyber security from a whole-system perspective. In this paper, we initiate the investigation of cyber epidemic models that accommodate the dependences between the cyber attack events. Due to the notorious difficulty in dealing with such dependences, essentially all existing cyber epidemic models have assumed them away. Specifically, we introduce the idea of Copulas into cyber epidemic models for accommodating the dependences between the cyber attack events. We investigate the epidemic equilibrium thresholds as well as the bounds for both equilibrium and non-equilibrium infection probabilities. We further characterize the side-effects of assuming away the due dependences between the cyber attack events, by showing that the results thereof are unnecessarily restrictive or even incorrect.

[CR] Mar 28, 2016
A New Approach to Modeling and Analyzing Security of Networked Systems

Gaofeng Da, Maochao Xu, Shouhuai Xu

Modeling and analyzing security of networked systems is an important problem in the emerging Science of Security and has been under active investigation. In this paper, we propose a new approach towards tackling the problem. Our approach is inspired by the shock model and random environment techniques in the Theory of Reliability, while accommodating security ingredients. To the best of our knowledge, our model is the first that can accommodate a certain degree of adaptiveness of attacks, which substantially weakens the often-made independence and exponential attack inter-arrival time assumptions. The approach leads to a stochastic process model with two security metrics, and we attain some analytic results in terms of the security metrics.

[CR] Mar 28, 2016
An Extended Stochastic Model for Quantitative Security Analysis of Networked Systems

Maochao Xu, Shouhuai Xu

Quantitative security analysis of networked computer systems is one of the decades-long open problems in computer security. Recently, a promising approach was proposed in [XuTDSC11], which however made some strong assumptions including the exponential distribution of, and the independence between, the relevant random variables. In this paper, we substantially weaken these assumptions while offering, in addition to the same types of analytical results as in [XuTDSC11], methods for obtaining the desired security quantities in practice. Moreover, we investigate the problem from a higher-level abstraction, which also leads to both analytical results and practical methods for obtaining the desired security quantities. These would represent a significant step toward ultimately solving the problem of quantitative security analysis of networked computer systems.

[CR] Mar 24, 2016
A Characterization of Cybersecurity Posture from Network Telescope Data

Zhenxin Zhan, Maochao Xu, Shouhuai Xu

Data-driven understanding of cybersecurity posture is an important problem that has not been adequately explored. In this paper, we analyze some real data collected by CAIDA's network telescope during the month of March 2013. We propose to formalize the concept of cybersecurity posture from the perspectives of three kinds of time series: the number of victims (i.e., telescope IP addresses that are attacked), the number of attackers that are observed by the telescope, and the number of attacks that are observed by the telescope. Characterizing cybersecurity posture therefore becomes investigating the phenomena and statistical properties exhibited by these time series, and explaining their cybersecurity meanings. For example, we propose the concept of sweep-time, and show that sweep-time should be modeled by a stochastic process rather than a random variable. We report that the number of attackers (and attacks) from a certain country dominates the total number of attackers (and attacks) that are observed by the telescope. We also show that substantially smaller network telescopes might not be as useful as a large telescope.

[CR] Mar 24, 2016
Characterizing Honeypot-Captured Cyber Attacks: Statistical Framework and Case Study

Zhenxin Zhan, Maochao Xu, Shouhuai Xu

Rigorously characterizing the statistical properties of cyber attacks is an important problem. In this paper, we propose the first statistical framework for rigorously analyzing honeypot-captured cyber attack data. The framework is built on the novel concept of stochastic cyber attack process, a new kind of mathematical object for describing cyber attacks. To demonstrate the use of the framework, we apply it to analyze a low-interaction honeypot dataset, while noting that the framework can be equally applied to analyze high-interaction honeypot data that contains richer information about the attacks. The case study finds, for the first time, that Long-Range Dependence (LRD) is exhibited by honeypot-captured cyber attacks. The case study confirms that by exploiting the statistical properties (LRD in this case), it is feasible to predict cyber attacks (at least in terms of attack rate) with good accuracy. This kind of prediction capability would provide sufficient early-warning time for defenders to adjust their defense configurations or resource allocations. The idea of "gray-box" (rather than "black-box") prediction is central to the utility of the statistical framework, and represents a significant step towards ultimately understanding (the degree of) the predictability of cyber attacks.

[CR] Mar 24, 2016
Predicting Cyber Attack Rates with Extreme Values

Zhenxin Zhan, Maochao Xu, Shouhuai Xu

It is important to understand to what extent, and in what perspectives, cyber attacks can be predicted. Despite its evident importance, this problem was not investigated until very recently, when we proposed using the innovative methodology of gray-box prediction. This methodology advocates the use of gray-box models, which accommodate the statistical properties/phenomena exhibited by the data. Specifically, we showed that gray-box models that accommodate the Long-Range Dependence (LRD) phenomenon can predict the attack rate (i.e., the number of attacks per unit time) 1-hour ahead-of-time with an accuracy of 70.2-82.1%. To the best of our knowledge, this is the first result showing the feasibility of prediction in this domain. We observe that the prediction errors are partly caused by the models' inability to predict the large attack rates, which are called extreme values in statistics. This motivates us to analyze the extreme-value phenomenon, by using two complementary approaches: the Extreme Value Theory (EVT) and the Time Series Theory (TST). In this paper, we show that EVT can offer long-term predictions (e.g., 24-hour ahead-of-time), while gray-box TST models can predict attack rates 1-hour ahead-of-time with an accuracy of 86.0-87.9%. We explore connections between the two approaches, and point out future research directions. Although our prediction study is based on specific cyber attack data, our methodology can be equally applied to analyze any cyber attack data of its kind.