Dr. Nandi O. Leslie, part of an Army Research Laboratory team that studied empirical data on successful cyber intrusions. Source: Jhi Scott, U.S. Army Photographer

Recent years have seen a rise in cyberattacks, which have frequently caught businesses, governments and consumers off guard. But a new study from the U.S. Army Research Laboratory presents evidence that the number of successful intrusions an organization will suffer can be predicted from its observable characteristics, a finding that could be of significant value to providers of cybersecurity and resilience services.

A cyber-defense service provider that defended a number of different organizations against actual attacks provided empirical data for the study. The Army researchers used that data to determine whether there was a correlation between successful attacks and certain organizational features.

The team looked at security incident reports containing detailed information about malicious activities, as well as computer security policy violations by users and operators; DNS traffic, collected with specialized and open source software; and data on other features of each organization's network topology and cyber footprint. Their analysis led them to propose four generalized linear models (GLMs) in which the rate of successful intrusions is modeled as a function of observable organizational characteristics.

The key research question was which of the initially conjectured predictor variables should be included in the model, and it led to some surprising results, according to Dr. Nandi O. Leslie, a member of the research team.

"Several of the predictor variables that were recommended to the researchers by subject matter experts turned out to be lacking in influence or even misleading," she said. These included the extent to which an organization is visible on the Internet, as measured by the number of records found on Google Scholar. "It turned out that such visibility alone is not a useful predictor of successful intrusions."

Another variable that was expected to be influential, the number of hosts within an organizational network, also turned out to be a less significant predictor. On the other hand, the researchers found that the number of internal cybersecurity policy violations is a strong predictor of the number of intrusions.
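The following Python is an added illustration of the two points above: how a GLM expresses an intrusion rate as a function of organizational characteristics, and how one decides which candidate predictors to keep. It is not the Army Research Laboratory team's code, data or fitted model. The Poisson family with a log link, the use of observation months as an exposure offset, the three predictor names, and the synthetic organizations (generated so that only policy violations truly drive the rate) are all assumptions made for the example. The comparison uses an analysis of deviance: refit without each predictor and measure how much worse the fit gets.

```python
"""Poisson GLM (log link) for counts of successful intrusions.

Added example: not the Army Research Laboratory team's code or data.
Assumed here: Poisson family, log link, log(months) exposure offset, and a
constructed dataset in which only policy_violations has a real effect.
"""
import math
import random

PREDICTORS = ["policy_violations", "hosts", "scholar_records"]


def poisson_draw(rng, lam):
    """Knuth's Poisson sampler; adequate for the modest rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def make_orgs(n=80, seed=7):
    """Constructed organizations (synthetic, not real client data).
    True monthly rate depends only on policy_violations; hosts and
    scholar_records are noise, mirroring the findings in the article."""
    rng = random.Random(seed)
    orgs = []
    for _ in range(n):
        violations = rng.randint(0, 40)
        hosts = rng.randint(100, 5000)
        scholar = rng.randint(0, 500)
        months = rng.randint(6, 36)                 # observation window
        rate = math.exp(-2.0 + 0.08 * violations)   # intrusions per month
        orgs.append({"policy_violations": violations, "hosts": hosts,
                     "scholar_records": scholar, "months": months,
                     "intrusions": poisson_draw(rng, months * rate)})
    return orgs


def design(orgs, names):
    """Intercept column plus z-scored predictors (keeps IRLS well scaled)."""
    cols = []
    for name in names:
        vals = [o[name] for o in orgs]
        mean = sum(vals) / len(vals)
        sd = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals)) or 1.0
        cols.append([(v - mean) / sd for v in vals])
    return [[1.0] + [c[i] for c in cols] for i in range(len(orgs))]


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_poisson(orgs, names, iters=25):
    """Iteratively reweighted least squares for a Poisson log-link GLM.
    log(months) enters as an offset, so the coefficients describe the
    intrusion *rate* per month rather than the raw count.
    Returns (beta, residual deviance)."""
    X = design(orgs, names)
    y = [o["intrusions"] for o in orgs]
    off = [math.log(o["months"]) for o in orgs]
    p = len(names) + 1
    beta = [math.log(sum(y) / sum(o["months"] for o in orgs))] + [0.0] * (p - 1)
    for _ in range(iters):
        eta = [sum(b * x for b, x in zip(beta, row)) + o for row, o in zip(X, off)]
        mu = [math.exp(e) for e in eta]
        # working response (offset removed) and weights mu
        z = [(e - o) + (yi - m) / m for e, o, yi, m in zip(eta, off, y, mu)]
        xtwx = [[sum(m * X[i][r] * X[i][c] for i, m in enumerate(mu))
                 for c in range(p)] for r in range(p)]
        xtwz = [sum(m * X[i][r] * z[i] for i, m in enumerate(mu)) for r in range(p)]
        new = solve(xtwx, xtwz)
        converged = max(abs(a - b) for a, b in zip(new, beta)) < 1e-8
        beta = new
        if converged:
            break
    dev = 2 * sum((yi * math.log(yi / m) if yi else 0.0) - (yi - m)
                  for yi, m in zip(y, mu))
    return beta, dev


def deviance_drops(orgs, names=PREDICTORS):
    """Analysis of deviance: deviance of the model without each predictor
    minus the full model's deviance. Under 'no effect' this is roughly
    chi-square with 1 df, so values above 3.84 argue for keeping it."""
    _, full_dev = fit_poisson(orgs, names)
    return {n: fit_poisson(orgs, [m for m in names if m != n])[1] - full_dev
            for n in names}


if __name__ == "__main__":
    orgs = make_orgs()
    beta, dev = fit_poisson(orgs, PREDICTORS)
    for name, b in zip(["intercept"] + PREDICTORS, beta):
        print(f"{name:18s} {b:+.3f}")
    print(f"residual deviance  {dev:.1f}")
    for name, drop in deviance_drops(orgs).items():
        print(f"drop {name:18s} {drop:8.1f}  {'keep' if drop > 3.84 else 'discard'}")
```

On the constructed data the deviance drop for policy_violations is in the hundreds while the drops for hosts and scholar_records stay near the chi-square noise floor, which is the shape of result the article reports. On real data one would also check for overdispersion (deviance far above the degrees of freedom), which is the usual reason to move from a Poisson to a negative binomial GLM.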

The number of intrusions differs dramatically among organizations. Some experience a large number within a given time frame; others may not experience any for years. This variability underscores the value of the research to managed security service providers (MSSPs), who must price their services for prospective clients and need reliable predictive models to do so.

The research will appear in a special issue of the Journal of Defense Modeling and Simulation in 2018. The text of the paper is now available online.