**5. Results**

Table 4 depicts the results of forecasting UIT in the first prototype. The UIT hit 4.320 thresholds from site A to site A' and, gradually, it increased with propagation of the UIT among the three sites. The total amount of the UIT thresholds among the three sites was about 16.416. In Table 4, correct forecasts are the number of times that it was possible to foresee the increasing and/or decreasing UIT phases without any delay. The correct predictions' rate was about 60,71%. Forecasts with delay are the number of times the increasing and decreasing thresholds were identified late. In this prototype, the rate of forecasts with delay was about 34,74%. During the prototype tests, sometimes it was not possible to identify thresholds for UIT decreasing or increasing. The rate for the times we could not predict was about 4,95%.

| | A → A' | A → A' → A" | A → A' → A" → A |
|---|---|---|---|
| Overall UIT thresholds | 4.320 | 8.208 | 16.416 |
| Correct forecast | 2.623 | 4.984 | 9.967 |
| Forecast with delay | 1.483 | 2.818 | 5.635 |
| Times not predicted | 214 | 406 | 814 |

Table 4. Results of Forecasting the UIT Propagation Using EWMA and Fibonacci Sequence (Pontes et al, 2009)

Table 5 depicts the results of forecasting UIT with only one forecasting technique (Fibonacci sequence) on the same experiments. The correct predictions' rates were between 5,21% and 7,55%. Forecasts with delay were between 3,92% and 4,68%.

| | A → A' | A → A' → A" | A → A' → A" → A |
|---|---|---|---|
| Overall UIT thresholds | 4.320 | 8.208 | 16.416 |
| Correct forecast | 326 | 534 | 855 |
| Forecast with delay | 195 | 384 | 643 |
| Times not predicted | 3.799 | 7.290 | 14.918 |

Table 5. Results of Forecasting the UIT Propagation Using Only Fibonacci Sequence (Pontes et al, 2009)

In the second prototype, for the first step (EAS), results are achieved by analyzing consecutive graphs and tables from each phase. The quantity of alerts and correlations is accounted independently, according to the registered route (source and destination). When the alerts and correlations regard the gateway (whether as source or destination), they are registered as Gateway; the alerts and correlations which do not involve the gateway are registered as Non-Gateway. Table 6 summarizes the prototype and some results. Correlation shows a range of attack strategies. In each strategy a number of different alerts are connected sequentially as if they were a single attack. A peer-to-peer (P2P) attack performed on machine 23 was chosen for the analysis of forecasting (Fig. 10, Fig. 11, Fig. 12 and Fig. 13).

Table 6. Prototype Results (Pontes et al, 2009)

Fig. 10 depicts the amount of FP which was detected, considering a preliminary correlation without FP filters. Notice there are 17 alerts (nodes) with 69 correlations among them (connections between alerts represented by arrows). Fig. 10 denotes the first scenario for comparisons: the DIFS level 3 working without EAS.

Fig. 10. P2P Graph Attack (TP + FP alerts) (Pontes et al, 2009)

Fig. 11 illustrates the forecasting for cyber-attacks before the use of the EAS, specifically for P2P events. Thus Fig. 11 takes into account the same scenario as Fig. 10. The ellipse spots the high volume of FP at the beginning of the experiment with the prototype; consequently it is possible to notice three false thresholds for the forecasting, as shown by points (1), (2) and (3). Forecasting was done by the use of diverse EWMA.

Fig. 11. True Positives + False Positives for P2P Attack (Pontes et al, 2009)

Fig. 12 represents the graph after applying EAS filtering. Notice there are just 8 alerts (nodes) with 22 correlations among them (connections between alerts represented by arrows). Fig. 12 denotes the second scenario for comparisons: the DIFS level 3 (gateway level) working with the EAS filtering. As a result of the use of EAS, it was possible to track FP and filter them in order to improve forecasts, as the false thresholds for the predictions were eliminated as well.

Fig. 12. P2P Graph Attack (only TP alerts) (Pontes et al, 2009)

Fig. 13 depicts the application of forecasting techniques (diverse EWMA), i.e. the IFS, after the employment of EAS filtering. In Fig. 13 it is possible to verify two thresholds pointing out the increase of events (as indicated by the red arrows) and one threshold pointing out the decrease of events (as shown by the black arrow). Notice there is no significant occurrence of alerts at the beginning of the experiment, and two false thresholds regarding forecasts were eliminated. It is also important to observe that the second ellipse with the FP was eliminated after the EAS filtering; hence another false threshold was wiped out as a consequence. More details regarding results can be found in (Pontes et al 2011).

Fig. 13. True Positives for the P2P Attack – After the Correlation Filtering (Pontes et al, 2009)

**6. Conclusion**

As a conclusion, this chapter has introduced the Distributed Intrusion Forecasting System (DIFS) (Pontes et al, 2009), approaching cyber attacks and UIT in the cyber space context. The DIFS also presented the two stage system with the EAS implemented for making the multi-correlation (step 1) (Pontes et al, 2009), followed by the application of the forecasting techniques over the data generated by the EAS (step 2). The forecasting model presented in this chapter could be analogously employed for earthquake prediction, due to the following aspects: a) DIFS, with the Two Stage System and the EAS, was able to track in advance the increasing and decreasing rates of cyber attacks and UIT; hence such methodology may be employed as an early warning system; b) DIFS considers just frequency and temporal characteristics (timestamp) of events (UIT and cyber attacks), thus this approach can be similarly used in other areas.

Even though only 4,95% of the thresholds for UIT increasing and decreasing were not detectable, the value of the outcome is still questionable, as this early warning system still has 34,74% of warnings being reported late. The use of two forecasting techniques gave better results compared to the use of only one prediction technique. The reason for the accuracy using two forecasting techniques, according to (Pretcher and Frost, 2002), is that the Fibonacci sequence depends on EWMA for marking the first wave. Thus, it was possible to observe just some of the trends drawn by the Fibonacci sequence. Another characteristic of predictions with the Fibonacci sequence is forecasting in the long term (2, 3 days): EWMAs do not have this feature, so predictions using only EWMA lack long-term predictions. Employing both techniques aggregates the positive aspects of each, making the forecast more accurate.

For the EAS, a standard was suggested to define causes and consequences within the PC-correlation method combined with multi-correlation criteria, correlation analysis (ascending/descending) and identification of FP alerts through tables and graphs. An experiment was done with a prototype, in a LAN, with diverse machines and OS, which used a gateway to get access to the Internet. The results obtained from the tests in our prototype indicate that level 3 of DIFS was improved, as some FPs were treated and predictions concerning cyber-attacks were more accurate. It is possible to come to this conclusion by verifying that, despite the high FP rates of FP1 (21.08%) and FP3 (44.72%) – see Table III –, during the whole experiment no TP alert was correlated exclusively as a result of an FP alert. As a suggestion for improving the work, it is suggested to automate the analysis processes that require user interpretation (table correlation and mapping) in order to use the EAS in real time. The accuracy of the results can be improved if the multi-correlation is extended to the entire LAN. Regarding the forecast results, among the suggestions for future work are the aggregation of fractal approaches (according to (Mandelbrot & Hudson, 2006)) and the use of other kinds of forecasting techniques (such as Markov chains and neural networks), following (Armstrong, 2002)'s advice. It is also suggested to extend the employment of the EAS for the [...] employed, considering the DIFS architecture, as the prototype deals with more refined sets of attacks. Details regarding the EAS and the IFS tasks are not reported in this chapter due to space limitations, but the reader may consult (Silva & Guelfi, 2010), (Silva, 2010) and (Pontes et al, 2008), (Pontes & Guelfi, 2009a), (Pontes & Guelfi, 2009b), (Pontes & Zucchi, 2010) for more information relating to EAS and IFS, respectively.

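The tallies in Tables 4 and 5 (correct forecast, forecast with delay, times not predicted) and the EWMA discussion in the conclusion can be made concrete with a small scorer. The following is an added example, not code from the chapter or from the DIFS/IFS prototypes: it uses a two-EWMA crossover as a stand-in detector for increasing and decreasing phases (the chapter's IFS uses "diverse EWMA" plus the Fibonacci sequence, which is not reproduced here), and the matching rule (a prediction up to `lead` intervals early counts as correct, up to `max_delay` intervals late counts as with delay) is an assumption about how the tables were scored. The event counts and ground-truth phase changes are constructed.

```python
"""Added illustration (not the authors' IFS code): a two-EWMA crossover detector
for increasing/decreasing phases of event counts, scored the way Table 4 is
laid out (correct / with delay / not predicted)."""


def ewma(series, alpha):
    """Exponentially weighted moving average, seeded with the first sample."""
    out, s = [], None
    for x in series:
        s = float(x) if s is None else alpha * x + (1.0 - alpha) * s
        out.append(s)
    return out


def detect_phases(counts, fast=0.5, slow=0.1):
    """Flag an increasing phase when the fast EWMA rises above the slow one and a
    decreasing phase when it falls below it (assumed detector, not the paper's).
    Returns a list of (interval index, 'up' | 'down') thresholds."""
    f, s = ewma(counts, fast), ewma(counts, slow)
    state, events = None, []
    for i, (fi, si) in enumerate(zip(f, s)):
        sign = "up" if fi > si else "down" if fi < si else None
        if sign is None:
            continue  # the two averages coincide: no information yet
        if state is not None and sign != state:
            events.append((i, sign))
        state = sign
    return events


def score_forecasts(truth, predicted, lead=2, max_delay=3):
    """Match predictions to ground-truth phase changes (assumed matching rule):
    a same-direction prediction up to `lead` intervals early or exactly on time
    is 'correct', up to `max_delay` intervals late is 'with delay', and a phase
    change with no matching prediction is 'not predicted'.
    Each prediction is consumed at most once."""
    unused = list(predicted)
    tally = {"correct": 0, "with_delay": 0, "not_predicted": 0}
    for t, direction in truth:
        match = next((p for p in unused
                      if p[1] == direction and t - lead <= p[0] <= t + max_delay),
                     None)
        if match is None:
            tally["not_predicted"] += 1
            continue
        unused.remove(match)
        tally["correct" if match[0] <= t else "with_delay"] += 1
    return tally


def rates(tally):
    """Tally as percentages of all ground-truth phase changes, like Table 4's rates."""
    total = sum(tally.values())
    return {k: round(100.0 * v / total, 2) for k, v in tally.items()}


# Constructed per-interval event counts: a sustained rise at interval 4, a fall
# at interval 9 and a one-interval spike at interval 14 that the detector misses.
COUNTS = [3, 2, 2, 2, 10, 12, 14, 13, 12, 3, 2, 2, 2, 2, 5, 2, 2]
# Constructed ground truth: (interval index, direction) of each phase change.
TRUTH = [(4, "up"), (9, "down"), (14, "up")]

if __name__ == "__main__":
    predicted = detect_phases(COUNTS)
    tally = score_forecasts(TRUTH, predicted)
    print("predicted thresholds:", predicted)
    print("tally:", tally)
    print("rates (%):", rates(tally))
```

On the constructed series the rise is flagged on time, the fall is flagged one interval late, and the short spike is never flagged, which is exactly the three outcomes the tables distinguish; the slow EWMA's memory is what turns a late flag into a miss for short-lived changes, the trade-off behind the delayed-warning share discussed in the conclusion.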
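The Fig. 10 to Fig. 12 discussion and the conclusion rest on one check: after the EAS filters FP alerts out of the correlation graph, no TP alert should have been correlated exclusively as a result of an FP alert. The following added example is not the authors' EAS code; it models the correlation graph as cause-to-consequence arrows between alerts, applies FP filtering, and flags any TP alert whose causes were all FP, which is the situation that would make the filtering discard genuine attack context. The alert labels and correlations are constructed.

```python
"""Added illustration (not the authors' EAS code): filter FP alerts out of an
alert correlation graph and check the invariant the conclusion relies on,
that no TP alert was correlated exclusively as a result of FP alerts."""
from collections import defaultdict

# Constructed alert labels (hypothetical data): alert id -> "TP" or "FP".
ALERTS = {"a1": "TP", "a2": "FP", "a3": "TP", "a4": "FP",
          "a5": "TP", "a6": "TP", "a7": "FP"}

# Constructed correlations: (cause, consequence) arrows between alerts.
CORRELATIONS = [("a1", "a3"), ("a2", "a3"), ("a2", "a4"), ("a3", "a5"),
                ("a4", "a5"), ("a4", "a6"), ("a7", "a6")]


def fp_rate(alerts):
    """Share of alerts labelled FP, as a percentage rounded to 2 decimals."""
    fp = sum(1 for label in alerts.values() if label == "FP")
    return round(100.0 * fp / len(alerts), 2)


def filter_fp(alerts, correlations):
    """EAS-style filtering: keep only TP alerts and the correlations among them.
    Returns (set of kept alert ids, list of kept correlations in input order)."""
    tp = {a for a, label in alerts.items() if label == "TP"}
    kept = [(c, e) for c, e in correlations if c in tp and e in tp]
    return tp, kept


def tp_only_via_fp(alerts, correlations):
    """TP alerts whose every correlated cause is an FP alert.
    Such an alert is left without any cause after FP filtering, so a non-empty
    result means the filtering is discarding part of a real attack sequence."""
    causes = defaultdict(set)
    for cause, effect in correlations:
        causes[effect].add(cause)
    flagged = []
    for alert in sorted(alerts):
        if alerts[alert] != "TP" or not causes[alert]:
            continue  # FP alerts and root alerts (no cause) are not affected
        if all(alerts[c] == "FP" for c in causes[alert]):
            flagged.append(alert)
    return flagged


if __name__ == "__main__":
    tp, kept = filter_fp(ALERTS, CORRELATIONS)
    print(f"FP rate: {fp_rate(ALERTS)}%")
    print(f"before filtering: {len(ALERTS)} alerts, {len(CORRELATIONS)} correlations")
    print(f"after filtering:  {len(tp)} alerts, {len(kept)} correlations")
    print("TP alerts correlated only through FP alerts:",
          tp_only_via_fp(ALERTS, CORRELATIONS))
```

In the constructed graph alert a6 is reachable only through FP causes, so the check reports it; in the chapter's experiment the same check returned nothing, which is what allowed the authors to conclude that the drop from 17 alerts and 69 correlations to 8 alerts and 22 correlations removed only false thresholds.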