Using honeynet data and a time series to predict the number of cyber attacks

Matej Zuzčák, Petr Bujok

A large number of cyber attacks are commonly conducted against home computers, mobile devices, and servers providing various services. One such prominently attacked service, or rather a protocol in this case, is Secure Shell (SSH), which is used to gain remote access to manage systems. Besides human attackers, botnets are a major source of attacks on SSH servers. Tools such as honeypots provide an effective means of recording and analysing such attacks. However, is it also possible to use them to effectively predict these attacks? The prediction of SSH attacks, specifically the prediction of activity on certain subjects, such as autonomous systems, will be beneficial to system administrators, internet service providers, and CSIRT teams. This article presents multiple methods for using a time series, based on real-world data, to predict these attacks. It focuses on the overall prediction of attacks on the honeynet and the prediction of attacks from specific geographical regions. Multiple approaches are used, such as ARIMA, SARIMA, GARCH, and Bootstrapping. The article presents the viability, precision and usefulness of the individual approaches for various areas of IT security.