**6. Conclusion**

120 Earthquake Research and Analysis – Statistical Studies, Observations and Planning

Fig. 11 illustrates the forecasting for cyber-attacks before the use of the EAS, specifically for P2P events. Thus Fig. 11 takes into account the same scenario as Fig. 10. The ellipse spots the high volume of FP at the beginning of the experiment with the prototype; consequently it is possible to notice three false thresholds for the forecasting, as shown by points (1), (2) and (3). Forecasting was done by the use of diverse EWMAs.

Fig. 12 represents the graph after applying EAS filtering. Notice there are just 8 alerts (nodes) with 22 correlations among them (connections between alerts represented by arrows). Fig. 12 denotes the second scenario for comparisons: the DIFS level 3 (gateway level) working with the EAS filtering. As a result of the use of the EAS, it was possible to track FPs, filtering them, in order to improve forecasts, as the false thresholds for the predictions were eliminated as well.

Fig. 12. P2P Graph Attack (only TP alerts) (Pontes et al, 2009)

Fig. 13. True Positives for the P2P Attack – After the Correlation Filtering (Pontes et al, 2009)

As a conclusion, this chapter has introduced the Distributed Intrusion Forecasting System (DIFS) (Pontes et al, 2009), which addresses cyber attacks and UIT in the cyberspace context. The DIFS was also presented as a two-stage system, with the EAS implemented for performing the multi-correlation (step 1) (Pontes et al, 2009), followed by the application of the forecasting techniques over the data generated by the EAS (step 2). The forecasting model presented in this chapter could be analogously employed for earthquake prediction, due to the following aspects: a) DIFS, with the Two Stage System and the EAS, was able to track in advance the increasing and decreasing rates of cyber attacks and UIT; hence such a methodology may be employed as an early warning system; b) DIFS considers just the frequency and temporal characteristics (timestamp) of events (UIT and cyber attacks), thus this approach can be similarly used in other areas.

Even though only 4.95% of the thresholds for the increase and decrease of UIT were not detectable, the value of the outcome is still questionable, as this early warning system still has 34.74% of its warnings reported late. The use of two forecasting techniques gave better results than the use of only one prediction technique. The reason for the accuracy gain when using two forecasting techniques, according to (Prechter and Frost, 2002), is that the Fibonacci sequence depends on the EWMA for marking the first wave. Thus it was possible to observe only some of the trends drawn by the Fibonacci sequence. Another characteristic of predictions with the Fibonacci sequence is forecasting in the long term (2, 3 days): EWMAs do not have this feature, so predictions using only EWMA lack long-term prediction. Employing both techniques aggregates the positive aspects of each, making the forecast more accurate.
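As an added illustration of the early-warning idea in this paragraph (example code written for this page, not the chapter's or the authors' implementation), the block below runs two EWMAs over a constructed series of hourly UIT alert counts, raises a warning whenever the fast average crosses the slow one, and scores the warnings the way the text reports them: the share of true thresholds the system missed and the share of warnings it reported late. The crossover rule, the dead band, the tolerance window and the Fibonacci check-point schedule are simplifying assumptions of this example, not the chapter's exact procedure.

```python
# Added example: EWMA early warning over constructed alert counts, with the
# missed-threshold and late-warning rates the chapter reports. Not the
# chapter's code; crossover rule, dead band and tolerance are assumptions.

# Constructed hourly counts of unwanted-traffic (UIT) alerts seen at a gateway.
SAMPLE_COUNTS = [5, 5, 6, 5, 5, 5,                       # quiet baseline with a one-sample blip
                 9, 14, 20, 26, 30, 31, 30, 31, 30,      # first wave of P2P traffic
                 22, 15, 9, 6, 5, 5, 5,                  # decay back to baseline
                 12, 18, 25, 28, 30, 29, 30,             # second wave
                 20, 12, 7, 5]                           # decay

# Constructed ground truth: (sample index, direction) of each real turning
# point. The blip at indexes 2-3 is labelled but too small for the detector.
TRUE_THRESHOLDS = [(2, "increasing"), (3, "decreasing"),
                   (6, "increasing"), (15, "decreasing"),
                   (22, "increasing"), (29, "decreasing")]


def ewma(series, alpha):
    """Exponentially weighted moving average, alpha in (0, 1]."""
    if not 0 < alpha <= 1:
        raise ValueError("alpha must be in (0, 1]")
    out, s = [], None
    for x in series:
        s = x if s is None else alpha * x + (1 - alpha) * s
        out.append(s)
    return out


def detect_thresholds(series, fast_alpha=0.5, slow_alpha=0.1, band=0.1):
    """Warn when the fast EWMA crosses the slow one (assumed rule).

    A crossing only counts once the gap exceeds `band` of the slow value, so
    small noise around the baseline does not raise warnings.
    Returns [(index, "increasing" | "decreasing"), ...].
    """
    fast, slow = ewma(series, fast_alpha), ewma(series, slow_alpha)
    warnings, prev_sign = [], 0
    for i, (f, s) in enumerate(zip(fast, slow)):
        diff = f - s
        if abs(diff) <= band * s:
            continue  # inside the dead band: no established trend yet
        sign = 1 if diff > 0 else -1
        if sign != prev_sign:
            warnings.append((i, "increasing" if sign > 0 else "decreasing"))
        prev_sign = sign
    return warnings


def evaluate(warnings, truth, tolerance=1):
    """Score warnings against true thresholds.

    A threshold is matched by the first warning with the same direction that
    fires at or after it and before the next threshold; it is on time if it
    fires within `tolerance` samples, otherwise late. Unmatched means missed.
    """
    on_time = late = missed = 0
    for k, (t_idx, direction) in enumerate(truth):
        end = truth[k + 1][0] if k + 1 < len(truth) else float("inf")
        match = next((w for w, d in warnings
                      if d == direction and t_idx <= w < end), None)
        if match is None:
            missed += 1
        elif match - t_idx <= tolerance:
            on_time += 1
        else:
            late += 1
    reported = on_time + late
    return {
        "thresholds": len(truth), "missed": missed,
        "on_time": on_time, "late": late,
        "missed_rate": missed / len(truth) if truth else 0.0,
        "late_rate": late / reported if reported else 0.0,
    }


def fibonacci_horizons(first_wave_idx, count=5):
    """Assumed simplification of the long-term schedule: once the EWMA has
    marked the first wave, re-check the forecast at Fibonacci offsets
    (1, 2, 3, 5, 8, ...) samples later."""
    horizons, a, b = [], 1, 2
    for _ in range(count):
        horizons.append(first_wave_idx + a)
        a, b = b, a + b
    return horizons


if __name__ == "__main__":
    found = detect_thresholds(SAMPLE_COUNTS)
    print("warnings:", found)
    print("score:", evaluate(found, TRUE_THRESHOLDS))
    print("long-term check points:", fibonacci_horizons(found[0][0]))
```

On the constructed series the detector fires four warnings, one of them on time and three of them two samples after the true turning point, and it never sees the one-sample blip, so the score comes out as two missed thresholds out of six and three late warnings out of four. Tightening the dead band catches the blip but brings back the spurious crossings on the noisy baseline, which is the same FP-versus-lateness trade-off the paragraph describes.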

For the EAS, a standard was suggested to define causes and consequences within the PC-correlation method, combined with multi-correlation criteria, correlation analysis (ascending/descending) and identification of FP alerts through tables and graphs. An experiment was carried out with a prototype in a LAN, with diverse machines and operating systems, which used a gateway to access the Internet. The results obtained from the tests on our prototype indicate that level 3 of DIFS was improved, as some FPs were treated and predictions concerning cyber-attacks were more accurate. It is possible to come to this conclusion by verifying that, despite the high FP rates of FP1 (21.08%) and FP3 (44.72%) (see Table III), during the whole experiment no TP alert was correlated exclusively as a result of an FP alert. As a suggestion for improving the work, the analysis processes that require user interpretation (table correlation and mapping) should be automated in order to use the EAS in real time.
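To make the EAS check in this paragraph concrete, here is an added example (not the chapter's EAS code) over a constructed alert-correlation graph: FP alerts are removed together with the correlations that touch them, the FP rate is computed, ascending correlation analysis walks from an alert back to its causes, and the invariant the text verifies is tested explicitly, that no TP alert is correlated exclusively as a result of FP alerts. The alert identifiers, signature names and correlations are constructed for the example.

```python
# Added example: EAS-style false-positive filtering of an alert-correlation
# graph. Not the chapter's code; alert ids, labels and correlations are
# constructed for illustration.
from collections import defaultdict, deque

# Constructed alerts: id -> (signature name, is_true_positive as judged by
# the analyst's table/graph review described in the chapter)
ALERTS = {
    "a1": ("p2p-peer-discovery", True),
    "a2": ("p2p-handshake", True),
    "a3": ("icmp-dest-unreachable", False),   # FP: ordinary network noise
    "a4": ("p2p-file-transfer", True),
    "a5": ("dns-txt-lookup", False),          # FP: legitimate lookup
    "a6": ("p2p-file-transfer", True),
    "a7": ("p2p-tracker-announce", True),
}

# Constructed correlations (cause -> consequence): the arrows of the graph.
CORRELATIONS = [
    ("a1", "a2"), ("a2", "a4"), ("a3", "a4"), ("a3", "a5"),
    ("a4", "a6"), ("a2", "a6"), ("a5", "a7"),
]


def fp_rate(alerts):
    """Share of alerts the review marked as false positives."""
    return sum(1 for _, is_tp in alerts.values() if not is_tp) / len(alerts)


def ancestors(alert_id, correlations):
    """Ascending correlation analysis: every alert reachable by walking
    arrows backwards from `alert_id` (its causes, their causes, ...)."""
    causes = defaultdict(set)
    for cause, effect in correlations:
        causes[effect].add(cause)
    seen, queue = set(), deque([alert_id])
    while queue:
        for c in causes[queue.popleft()]:
            if c not in seen:
                seen.add(c)
                queue.append(c)
    return seen


def filter_false_positives(alerts, correlations):
    """Drop FP alerts and every correlation touching them.

    Returns (tp_ids, kept_correlations, fp_only_tp). fp_only_tp lists TP
    alerts all of whose causes were FPs: the chapter reports this never
    happened in its experiment, and it is the case an analyst should look at
    before trusting the filtered graph, because the filter leaves such alerts
    without any explanation.
    """
    tp = {aid for aid, (_, is_tp) in alerts.items() if is_tp}
    causes = defaultdict(set)
    for cause, effect in correlations:
        causes[effect].add(cause)
    fp_only_tp = sorted(aid for aid in tp
                        if causes[aid] and not (causes[aid] & tp))
    kept = [(c, e) for c, e in correlations if c in tp and e in tp]
    return tp, kept, fp_only_tp


if __name__ == "__main__":
    print(f"FP rate before filtering: {fp_rate(ALERTS):.2%}")
    tp, kept, suspicious = filter_false_positives(ALERTS, CORRELATIONS)
    print(f"{len(tp)} TP alerts, {len(kept)} correlations after filtering")
    print("TP alerts explained only by FPs:", suspicious)
    print("causes of a6 before/after:", sorted(ancestors("a6", CORRELATIONS)),
          sorted(ancestors("a6", kept)))
```

In the constructed graph the two FPs are removed along with three correlations, and the check flags `a7` because its only cause was the FP `a5`; in the chapter's experiment that list stayed empty, which is what justified treating the filtered graph as trustworthy.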

The accuracy of the results can be improved if the multi-correlation is extended to the entire LAN. Regarding the forecast results, among the suggestions for future work are the aggregation of fractal approaches (according to (Mandelbrot & Hudson, 2006)) and the use of other kinds of forecasting techniques (such as Markov chains and neural networks), following (Armstrong, 2002)'s advice. It is also suggested to extend the employment of the EAS to the four levels of DIFS, so levels 1, 2 and 4 may be approached in future work. The EAS/DIFS has not yet undergone enough extensive training to be used in commercial applications.

Earthquake Prediction: Analogy with Forecasting Models for Cyber Attacks in Internet and Computer Systems 123

**7. References**

Technologies and Applications, pp. 469-474, ISBN 978-0-7695-2988-2, Valencia, Spain, October 14-20, 2007.

Leu, F.; Yang, W.; Chang, W. "IFTS: Intrusion Forecast and Traceback based on Union Defense Environment". In the IEEE ICPADS, 2005.

Lorenz, E. N. "Designing chaotic models". Journal of the Atmospheric Sciences, Vol. 62, No. 5, ISSN 1520-0469, 2005, pp. 1574–1587.

Mandelbrot, B.; Hudson, R. L. "The behavior of markets: a fractal view of risk, ruin and reward". John Wiley, 2006.

Manikopoulos, Constantine; Papavassiliou, Symeon. "Network Intrusion and Fault Detection: A Statistical Anomaly Approach". In IEEE Communications Magazine 40, 2002, pp. 76-82. New Jersey Institute of Technology, NJ, USA, 2002. p. 7.

McPherson, D.; Labovitz, C. "5th Worldwide Infrastructure Sec. Report", 2010. [Online]. Available: http://seclists.org/funsec/2010/q1/295/, 2010.

Mizoguchi, Fumio. "Anomaly Detection using Visualization and Machine Learning". In the IEEE 9th International WET ICE, 2000, pp. 76-82. Science University of Tokyo – Information Media Center; Noda, Japan, 2000. p. 6.

Morin, Benjamin; Debar, Hervé. "Correlation of Intrusion Symptoms: An Application of Chronicles". France Télécom R&D; In the 6th International Conference on RAID, 2003, pp. 94-112. Springer-Verlag, Berlin Heidelberg, 2003, G. Vigna, E. Jonsson, and C. Kruegel (Eds.).

Ning, Peng; Cui, Yun. "An intrusion alert correlator based on prerequisites of intrusions". Technical Report TR-2002-01, North Carolina State University; Raleigh, NC, USA, 2002. p. 16.

Ning, Peng; Cui, Yun; Reeves, Douglas S. "Analyzing Intensive Intrusion Alerts via Correlation". North Carolina State University; In the 5th International Symposium on RAID, 2002, p. 21. Raleigh, NC, USA.

NIST – National Institute of Standards and Technology (2007). "Guide to Intrusion Detection and Prevention Systems (IDPS)". In: NIST SP 800-94, December, 2010. Available from: <http://csrc.nist.gov/publications/>

NIST/SEMATECH. e-Handbook of Statistical Methods, 2009, www.itl.nist.gov/.

Pietraszek, Tadeusz; Tanner, Axel. "Data mining and Machine Learning – Towards Reducing False Positives in Intrusion Detection". IBM Zurich Research Laboratory, Rüschlikon, Switzerland, 2005. Information Security Technical Report, Vol. 10, ed. 3, pp 169-183.

Pontes, E.; Guelfi, A. E. "Third generation for intrusion detection: applying forecasts and new approach on trends in intrusion detection and unwanted traffic". In IEEE Journal Latin America Transactions, 2009, Vol 7, ISSN 1548-0992, pp 438-445.

Pontes, E.; Guelfi, A. E.; Alonso, E. "Forecasting for return on security information investment: ROSI to cope with unwanted traffic". In Proceedings of 4th IEEE ICITST 09, London, UK, November 2009, ISBN 978-1-4244-5647-5, pp. 1-6.

Pontes, E.; Guelfi, A. (2009). "IFS – Intrusion forecasting system based on collaborative architecture". Proceedings of the IEEE ICDIM 2009 4th International Conference on Digital Information Management, pp. 1-4, ISBN 978-1-4244-4253-9, Ann Arbor, Michigan, USA, Nov 1-4, 2009.

Pontes, E.; Zucchi, W. L. "Fibonacci sequence and EWMA for intrusion forecasting system". In 5th ICDIM 2010, Lakehead University, Thunder Bay, Canada, July 2010, ISBN 978-1-4244-7571-1, pp. 1-6.

Pontes, E.; Guelfi, A. E.; Silva, A. A. A.; Kofuji, S. T. "Applying Multi-Correlation for Improving Forecasting in Cyber Security". In 6th ICDIM 2011, Melbourne University, Thunder Bay, Canada, July 2010, ISBN 978-1-4244-7571-1, pp. 1-6.
