The connection between large earthquakes and electromagnetic phenomena in the ground and in the ionosphere is becoming increasingly solid. Researchers in many countries, including China, France, Greece, Italy, Japan, Taiwan, and the United States, are now contributing to the data by monitoring known earthquake zones.

Some correlations between historical data can be traced as well: monitoring 144 earthquakes (1997-1999), Taiwanese researchers noticed significant changes in the electron content of the ionosphere some days before earthquakes of magnitude higher than 6.

Therefore, the integration of: (1) several types of sensors (ground and space-based), (2) a network to bring together those signals, (3) a good distribution of the sensors (several sensors over a large area), (4) several types of detection (Ultra Low Frequency (ULF), ELF and magnetic-field changes, ionospheric changes, infrared luminescence, and air-conductivity changes, along with traditional mechanical and GPS monitoring of movements of the earth's crust) and (5) the correlation of all data gathered, could make forecasts more reliable.

**1.2 Analogy with forecasting in cyber security**

Cyber attacks can be classified as a set of actions with the purpose of compromising the integrity, confidentiality or availability of computer systems. Cyber attacks can be caused by users or malicious software, which try either to obtain access, to use systems in an unauthorized way, or to enumerate privileges (NIST SP800-94, 2010).

The Internet Crime Complaint Center (IC3, 2010) published a study in the United States about losses in 2009 concerning cyber-attacks: frauds in cyber space caused about \$559.7 million of losses in 336,655 organizations. This was a 111.5% increase in losses and a 22.3% increase in complaints, as compared to 2008, when 275,284 complaints were received, reporting \$264.6 million in total losses. According to (McPherson & Labovitz, 2010), in 2009 the largest reported volumetric Distributed Denial of Service (DDoS) attack exceeded 49 Gbps sustained towards a single target in Europe.

Beyond sheer attack size, (McPherson & Labovitz, 2010) indicated that cyber-attacks are becoming more sophisticated, with attackers expressly aiming to exhaust resources other than bandwidth, such as firewalls, load-balancers, back-end database infrastructure and associated transaction capacity, cached data serving algorithms, etc. This increasing sophistication is a trend that has been captured in previous editions of the survey of (McPherson & Labovitz, 2010) as well. Regarding DDoS attacks, they are expected to become more common against independent media and human rights sites in 2011, following the recent, highly publicized DDoS attacks on Wikileaks and the "Operation Payback" attacks by "Anonymous" on sites perceived to oppose Wikileaks (Zuckerman et al, 2010).

According to (Pontes et al, 2008), (Pontes & Guelfi, 2009a), (Pontes & Guelfi, 2009b), (Pontes & Zucchi, 2010), an early warning system showing a future trend outlook with an increasing number of cyber-attacks, exposed by forecasting analysis, may influence decisions on the adoption of security devices (e.g. rules in IDPS combined with rules in firewalls) before incidents happen, according to the needs. However, three major gaps remain in the studies about forecasting of cyber attacks: a) the use of few sensors and/or sensors employed locally; b) the use of just one forecasting technique; and c) lack of information sharing among sensors to be used for correlation (Pontes & Guelfi, 2009a). Correlation of information between IDPS and forecasters means looking for similar characteristics that may be related (Pontes & Guelfi, 2009a) (Abad et al, 2003). Through correlation it is possible to eliminate redundant and false data, to discover attack patterns and to understand attack strategies (Zhay et al, 2006).

Nevertheless, forecasts and alert correlation may be challenging, as they depend on the reliability of the source of the security alerts (Silva & Guelfi, 2010). Therefore, the precision level of the detection tools is an important issue for validating correlations. Multi-correlation, or the integration of alerts with information from different sources (e.g. monitoring tools or operating system logs), can allow a new classification of alerts, improving the accuracy of the results (Abad et al, 2003), (Zhay et al, 2006). References (Abad et al, 2003), (Zhay et al, 2006), (Zhay et al, 2004) employed multi-correlation; however, neither a detailed analysis of the influence of isolated alerts on the FP (false positive) rates nor forecasting techniques for predicting future attacks were applied.

Forecasting analysis in the information security area can be similar to the forecasting methodologies used in other fields: meteorology, for instance, uses sensors to capture data about temperature, humidity, etc. (Lajara et al, 2007), (Lorenz, 2005); seismology employs sensors to capture electromagnetic emissions from rocks (Bleier & Freund, 2005); in economics, specifically the stock market, data is collected from diverse companies (annual profit, potential customers, assets, etc.) to draw trends about company shares (Prechter & Frost, 2002), (Mandelbrot & Hudson, 2006). In any field, formal models can be applied to the collected data to predict events. But, before applying formal models, data regarding different kinds of variables should be correlated (Armstrong, 2002). According to (Armstrong, 2002), to obtain more accurate and realistic predictions it is suggested: (1) to use diverse forecasting techniques; (2) to analyze information regarding diverse variables and acquired data, from sensors for instance; (3) to employ diverse kinds of forecasting models.

Concerning cyber attacks, (Lai-Chenq, 2007), (Yin et al 2004) employed forecasting models; however, they used just one formal method for predicting events and did not make use of any kind of correlation process. In this chapter, security events for cyber security are actions or processes that have an effect on the system, disregarding the kind of effect; in other words, actions that could result in positive or negative effects on the system. On the other hand, security alerts are types of security events, indicating anomalous activities or cyber attacks (Silva & Guelfi, 2010). In our earlier works we proposed the Distributed Intrusion Forecasting System (DIFS) (Pontes & Guelfi, 2009), (Pontes & Zucchi, 2010), which covered the following gaps of today's forecasting techniques in IDPS: a) the use of few sensors and/or sensors employed locally for capturing data; b) the use of just one forecasting technique; and c) lack of information sharing among sensors to be used for correlation. Notwithstanding, we faced a huge amount of alerts, which could have a negative influence over forecasting results.
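The recommendations of (Armstrong, 2002) above (diverse techniques over correlated multi-sensor data) and the DIFS gaps a) to c), as an added Python example that is not the chapter's or DIFS's own code: alerts from three hypothetical sensors are correlated on shared characteristics (day, signature, target) so that redundant reports of one event count once, and three simple forecasting techniques are combined on the resulting daily event series. The sensor ids, signatures, targets and the alert list are all constructed for illustration.

```python
"""Added example (not the chapter's DIFS code): correlate alerts from
several sensors, then combine several forecasting techniques on the
resulting daily series. All alert data is constructed for illustration."""
from collections import Counter, namedtuple

# sensor: hypothetical distributed sensor id; day: observation day index;
# signature: attack class reported by the IDPS; target: hypothetical host.
Alert = namedtuple("Alert", "sensor day signature target")

# Constructed alerts: several sensors often report the same event.
ALERTS = [
    Alert("s1", 0, "scan", "web"), Alert("s2", 0, "scan", "web"),
    Alert("s1", 1, "scan", "web"), Alert("s3", 1, "sqli", "db"),
    Alert("s2", 2, "scan", "web"), Alert("s1", 2, "sqli", "db"),
    Alert("s3", 2, "sqli", "db"), Alert("s1", 3, "sqli", "db"),
    Alert("s2", 3, "bruteforce", "ssh"), Alert("s1", 4, "bruteforce", "ssh"),
    Alert("s3", 4, "bruteforce", "ssh"), Alert("s2", 4, "sqli", "db"),
    Alert("s1", 5, "sqli", "db"), Alert("s3", 5, "bruteforce", "ssh"),
    Alert("s2", 5, "scan", "web"), Alert("s1", 5, "scan", "web"),
]

def correlate(alerts):
    """Merge alerts sharing (day, signature, target) across sensors into one
    event, so redundant reports count once. Returns events per day."""
    events = {(a.day, a.signature, a.target) for a in alerts}
    counts = Counter(day for day, _, _ in events)
    return [counts[d] for d in range(max(counts) + 1)]

def moving_average(series, window=3):
    return sum(series[-window:]) / window

def exp_smoothing(series, alpha=0.5):
    level = series[0]
    for x in series[1:]:
        level = alpha * x + (1 - alpha) * level
    return level

def linear_trend(series):
    """Least-squares line through (t, x_t), extrapolated one step ahead."""
    n = len(series)
    tm, xm = (n - 1) / 2, sum(series) / n
    slope = sum((t - tm) * (x - xm) for t, x in enumerate(series))
    slope /= sum((t - tm) ** 2 for t in range(n))
    return xm + slope * (n - tm)

def combined_forecast(series):
    """Average of three techniques: relying on one alone is gap b) above."""
    fs = (moving_average(series), exp_smoothing(series), linear_trend(series))
    return sum(fs) / len(fs)
```

On the constructed data, `correlate(ALERTS)` reduces 16 raw alerts to 12 distinct events, `[1, 2, 2, 2, 2, 3]` per day, and `combined_forecast` of that series gives the next-day estimate.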
