Quantitive Time Series Analysis of Malware and Vulnerability Trends - Craig Wright

1. By Craig S Wright, DTh LLM (Cand.) MNSA MMIT CISA CISM CISSP ISSMP ISSAP G7799 GCFA CCE MSDBA AFAIM MACS And a partridge in a pear tree… A QUANTITATIVE TIME SERIES ANALYSIS OF MALWARE AND VULNERABILITY TRENDS

12. Wildlist ACF

13. Wildlist Partial ACF

15. Model Comparison -685.5491 0.985 -675.5562 -681.5908 0.010813 149 IMA(1, 2) No Intercept -685.5822 0.985 -675.5899 -681.6245 0.0108106 149 ARI(2, 1) No Intercept -685.5343 0.985 -680.5581 -683.5753 0.010742 150 IMA(1, 1) No Intercept -685.3136 0.985 -680.3351 -683.3524 0.0107579 150 ARI(1, 1) No Intercept -2LogLH RSquare SBC AIC Variance DF Model

23. ACF

24. PACF

25. Model Comparison -79.10179 0.908 -55.38593 -69.83768 0.5700881 128 ARI(5, 1) No Intercept -74.54214 0.904 -55.46153 -67.02293 0.5865218 129 ARI(4, 1) No Intercept -2LogLH RSquare SBC AIC Variance DF Model

26. ARI (5, 1) Model Model: ARI (5, 1) Parameter Estimates 0.0326 -2.16 0.0973837 -0.2103974 5 AR5 0.0003 -3.74 0.0965763 -0.3610897 4 AR4 0.0025 -3.09 0.0883067 -0.272786 3 AR3 0.0235 -2.29 0.0887335 -0.2034253 2 AR2 <.0001 -4.57 0.0850698 -0.3886438 1 AR1 Prob>|t| t Ratio Std Error Estimate Lag Term

27. The residual plot of the ARI (5, 1) model for the fitted value v the actual value shows no recognisable pattern

29. Prediction

30. The ARI (5, 1) model supports predictions for the 5 month period with all the observed values falling into the confidence limits Forecast Values

36. Bibliography Or a day in the life of an academic junkie… Berman (1992) “Sojourns and Extremes of Stochastic Processes”, Wadsworth. Box, P., Jenkins, G. (1976) “Time-Series Analysis”, Rev. Ed. Holden-Day, US Bridwell, L.M. & Tibbet, P. (2000) “Sixth annual ICSA Labs Computer Virus Prevalance Survey 2000”, ICSA Labs US Brillinger, David (1975) “Time Series: Data Analysis and Theory (context)” Priestley Brockwell, P.J. & Davis, R.A. (1991). “ITSM: An Interactive Time Series Modelling Package for the PC”, Springer-Verlag. New York Brockwell, P.J. & Davis, R.A. (1991) “Time series: Theory and Methods”, Springer-Verlag. Brockwell, P.J., & Davis, R.A. (1996) “Introduction to Time Series and Forecasting”, 1996, Springer Brown , Lawrence D. (2003) “Estimation and Prediction in a Random Effects Point-process Model Involving Autoregressive Terms” Statistics Department, U. of Penn. Butler, S.A. (2001), “Improving Security Technology Selections with Decision Theory”. Emerald Cox, D. R, & Isham, V., (1985) “Point Processes”, Chapman & Hall. Cox, D. & Miller, H. (1965) “The Theory of Stochastic Processes”. Chapman and Hall, London, 1965. Chatfield, C. (1996) “The Analysis of Time Series : An Introduction”. 5th Ed, Chapman and Hall Chen, Z., Gao, L. & Kwiat. K, (2003) “Modeling the spread of active worms”. In IEEE INFOCOM Coulthard, A. Vuori, T. A. (2002) “Computer Viruses: a quantitative analysis” Logistics Information Management, Volume 15, Number 5/96, 2002 pp 400-409 Figueiredo Daniel R., Liu, Benyuan, Misra, Vishal, & Towsley, Don (200) “On the autocorrelation structure of TCP traffic”, Department of Computer Science, University of Massachusetts, Amherst, MA 01003-9264, USA, 2002 Elsevier Science B.V. Forgionne, G.A. (1999), “Management Science”, Wiley Custom Services, USA. Giles. K.E. (2004) “On the spectral analysis of backscatter data”. In GMP - Hawai 2004, URL:http://www.mts.jhu.edu/ priebe/FILES/-gmp hawaii04.pdf. Garetto, M., Gong, W., Towsley, D., (2003) “Modeling Malware Spreading Dynamics,” in Proc. of INFOCOM 2003, San Francisco, April, 2003. Harder, Uli, Johnson, Matt W., Bradley, Jeremy T. & Knottenbelt William J. (200x) “Observing Internet Worm and Virus Attacks with a Small Network Telescope”, Department of Computing, Imperial College London, South Kensington Campus, London SW7 2AZ, United Kingdom Electronic Notes in Theoretical Computer Science Hipel, K. W., & A.I. McLeod, A. I., (1994) “Time Series Modelling of Water Resources and Environmental Systems”, Elsevier, Amsterdam Kephart, J. O. & White, S. R. (1993) “Measuring and Modeling Computer Virus Prevalence”, Proc. of the 1993 IEEE Computer Society Symposium on Research in Security and Privacy, 2-15, May. 1993 Leadbetter, M.R., Lindgren, G. and Rootzen, H. (1983) “Extremes and Related Properties of Random Sequences and Processes”. Springer. Berlin. Pouget, F., Dacier, M., & Pham V.H. (200) “Understanding Threats: a Prerequisite to Enhance Survivability of Computing Systems” Institut Eur_ecom B.P. 193, 06904 Sophia Antipolis, FRANCE Rohloff, K., & Basar, T., (2005) “Stochastic Behaviour of Random Constant Scanning Worms,” in Proc. of IEEE Conference on Computer Communications and Networks 2005 (ICCCN 2005), San Diego, CA, Oct., 2005. Spafford, Eugene (1989) “The Internet Worm: Crisis and Aftermath” Communications of the ACM 32, 6 pp.678-687 June 1989 Shumway, R. H & Stoffer, D.S, (2000), “Time Series Analysis and its Applications, Springer-Verlag New York Tong (1990) “Non-linear Time Series: A Dynamical Systems Approach”, Oxford Univ. Press. Valentino, Christopher C. (2003) “Smarter computer intrusion detection utilizing decision modelling” Department of Information Systems, The University of Maryland, Baltimore County, Baltimore, MD, USA Yegneswaran, V., Barford, P., & Ullrich J. (2003) “Internet Intrusions: Global Characteristics and Prevalence”, SIGMETRICS 2003. Zou, C. C., Gong, W., & Towsley, D. (2003) “Worm propagation modelling and analysis under dynamic quarantine defense”. In ACM WORM 03, October 2003. Zou, C. C., Gong, W., Towsley, D., & Gao, L., (2005) “The Monitoring and Early Detection of Internet Worms,” IEEE/ACM Transactions on Networking, 13(5), 961- 974, October 2005. Zou, C. C., Gong, W., & Towsley, D. (2003) “Monitoring and Early Warning for Internet Worms”, Umass ECE Technical Report TR-CSE-03-01, 2003. Zou, C. C., Gong, W., & Towsley, D. “On the Performance of Internet Worm Scanning Strategies,” to appear in Journal of Performance Evaluation.