1744 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO.
2, SECOND QUARTER 2019
Data-Driven Cybersecurity Incident Prediction:
A Survey
Nan Sun , Jun Zhang , Senior Member, IEEE, Paul Rimba, Shang Gao, Leo Yu Zhang , Member, IEEE,
and Yang Xiang , Senior Member, IEEE
Abstract—Driven by the increasing scale and high profile
cybersecurity incidents related public data, recent years we
have witnessed a paradigm shift in understanding and defend-
ing against the evolving cyber threats, from primarily reactive
detection toward proactive prediction. Meanwhile, governments,
businesses, and individual Internet users show the growing pub-
lic appetite to improve cyber resilience that refers to their
ability to prepare for, combat and recover from cyber threats
and incidents. Undoubtedly, predicting cybersecurity incidents
is deemed to have excellent potential for proactively advanc-
ing cyber resilience. Research communities and industries have
begun proposing cybersecurity incident prediction schemes by
utilizing different types of data sources, including organization’s
reports and datasets, network data, synthetic data, data crawled
from webpages, and data retrieved from social media. With a
focus on the dataset, this survey paper investigates the emerg-
ing research by reviewing recent representative works appeared
in the dominant period. We also extract and summarize the
data-driven research methodology commonly adopted in this fast-
growing area. In consonance with the phases of the methodology,
each work that predicts cybersecurity incident is comprehensively
studied. Challenges and future directions in this field are also
discussed.
Index Terms—Cybersecurity incidents, data mining, data-
driven, discovery, machine learning, prediction.
I. I NTRODUCTION
YBERSECURITY incident as an ever-present threat to
C organizations, governments, and enterprises is increas-
ing in frequency, scale, sophistication and severity [1]. Like
natural disasters (e.g., hurricanes, floods, and earthquakes)
and human-made disasters (e.g., military nuclear accidents
and financial crashes), cybersecurity incidents that involve
extreme events can lead to unintended consequences or
Manuscript received May 20, 2018; revised September 29, 2018; accepted
December 2, 2018. Date of publication December 7, 2018; date of current
version May 31, 2019. This paper was supported in part by the Australian
Research Council Discovery Project under Grant DP150103732 and in part
by the National Natural Science Foundation of China under Grant 61772405.
(Corresponding author: Jun Zhang.)
N. Sun, S. Gao, and L. Y. Zhang are with the School of Information
Technology, Deakin University (Waurn Ponds Campus), Geelong, VIC 3216,
Australia.
J. Zhang is with the School of Software and Electrical Engineering,
Swinburne University of Technology, Melbourne, VIC 3122, Australia
(e-mail: [email protected]).
P. Rimba is with Data61, CSIRO, Sydney, NSW 2015, Australia.
Y. Xiang is with the School of Software and Electrical Engineering,
Swinburne University of Technology, Melbourne, VIC 3122, Australia, and
also with the State Key Laboratory of Integrated Service Networks, Xidian
University, Xi’an, 710071 China.
Digital Object Identifier 10.1109/COMST.2018.2885561
1553-877X  c 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
even catastrophic damage [2]. A cybersecurity incident
can be defined as an event whereby an intruder employs
a tool to implement an action that exploits a vulnerability
on an objective, making an unauthorized outcome that
satisfies the attacker’s intentions [3]. According to the latest
Australia Cyber Security Center (ACSC) survey [4], 90%
organizations suffered from some form of attempted or
successful cybersecurity compromises during the 2015-2016
financial year. Furthermore, over half of the organizations
(58%) experienced at least one cybersecurity incident that
successfully compromised their data or system [4].
Under urgent threats from cybersecurity incidents, the
good news is that research communities and industries are
well aware of these cybersecurity threats and show great
foresight in building cyber resilience. The 2018 Annual
Cyber Security report [5] published by Cisco indicates
that organizations and enterprises have implemented cyber-
awareness programmes, including looking for outsourcing
service to strengthen defenses on cybersecurity incidents [6].
For instance, 49% global respondents outsourced monitoring
service as part of their cyber preparation strategy in 2017,
compared with 44% in 2015. Suppose the incidents can be pre-
dicted in advance, the governments, businesses, Information
and Communication Technology (ICT) providers, and even
individual users can be protected from damages caused by
security issues. Hence, proactively predicting cybersecurity
incident is deemed as a potential and immediate problem that
imperatively demands to solve. That is to say, cybersecurity
incident prediction is entirely an area of research that is in the
exciting early development.
At present, no system can be considered invulnerable. The
security community has begun to realize that the current evo-
lution is a never-ending competition between attackers and
defenders. Therefore, it is significant to foreshadow the threat
in advance, which prioritizes recommendations to organiza-
tions, and as such reduces damage from various kinds of cyber
attacks. To date, numerous works have extensively studied var-
ious aspects of cybersecurity incidents and threats. They focus
on analysis, detection, and prevention. However, few exhibited
prediction schemes that can provide proactive measures to avoid
the damage. These works utilized website features [7], [8],
incident reports [9], log files [10] or other security postures to
predict cybersecurity incidents. The corresponding techniques
are focused on machine learning (ML), data mining (DM), deep
learning, and graph mining, which are specifically illustrated in
Sections II and III. A representative result is that the RiskTeller
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
system proposed in [10] which can achieve 96% true positive
rates (TPRs, the proportion of actual positives that are correctly
identified as such) for predictions at a machine-level granular-
ity. The results of these studies are promising and suggest the
possibility of accurately anticipating cybersecurity incidents,
which is crucial to strengthen cyber resilience.
Furthermore, faced with the constant stream of news on
cybersecurity incidents, the industrial circles also actively seek
for proactive defenses. Usually, businesses adopt multiple lay-
ers of security protection to prioritize the entities which are
at high risk of being attacked and to minimize the damages
caused by incidents. As we observed, there are two kinds of
businesses that are dedicated to cybersecurity by deploying the
prediction model: one is to help companies find and stop cyber
attacks before they cause harm, another is to incorporate cyber
insurance after risk assessment. Both had been developing
steadily in recent years. For instance, Chronicle [11] is a new
business that is devoted to cybersecurity by utilizing machine
learning and cloud computing techniques. BizCover [12] is an
insurance company that will cover expenses on cybersecurity
incidents.
There are several survey papers which are devoted to inves-
tigating different kinds of security threats and attempting
to mitigate damage caused by security incidents reactively.
Jang-Jaccard and Nepal [13] studied the existing security vul-
nerabilities and critically analyzed the mitigation techniques
in their survey paper. Liu et al.’s survey [14] was the lat-
est one that identified cyber insider threats and looked into a
large number of systems and schemes against insider threats.
Moreover, Buczak and Guven [15] focused on data mining and
machine learning methods for cybersecurity intrusion detec-
tion. They provided thorough descriptions of the ML/DM
methods and their applications in cybersecurity to readers. All
of these works contribute to the understanding of the emerg-
ing cyber threats and supply comprehensive reactive detection
guides. However, when a cybersecurity threat is detected, there
is a high possibility that severe damages have already been
caused, such as data leakage, financial losses, and even reputa-
tion damages [4]. Proactively predicting cyber incidents based
on observed indicators of cybersecurity threats can fill the gap,
which motivates us to perform a literature review of existing
cybersecurity incident prediction work.
Different from existing arts that focus on detection, the
scope of this survey paper mainly emphasizes on cyberse-
curity incident prediction. To make it clear, one may think
that the distinction between detection and prediction can be
analogous to the circumstance of diagnosing the sickness of
a patient (e.g., by applying biopsy) and predicting whether
a currently healthy person will suffer from a specific disease
in future (e.g., by using genetic testing) [9]. In more detail,
detection usually leverages identified features of a target to
be detected, while prediction leans on the factors believed to
connect with the prediction objective [9]. From the conse-
quences and applications point of view, detection enables to
detect and mitigate threats while prediction understands the
riskiest parts of a given system, acts proactively and provides
the administrator with a vulnerability index used for defend-
ing and hardening their network. Furthermore, discovering an
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1745
unknown is also defined as a kind of prediction in this survey.
Compared to time-based prediction, discovery has a more gen-
eral goal, which utilizes numerous amount of data to extract
previously unknown or potentially useful new knowledge [16].
In a nutshell, this survey is based on 19 core papers which
utilize data from different domains to forecast and discover
cyber incidents. Paper selection focuses on English publica-
tions that meet specified inclusion criteria. Queries on four
cybersecurity top conferences were performed using “predict”
and “incident”, “forecast” and “incident”, and “discover” and
“incident”. The four conferences, including ACM Computer
and Communications Security (CCS), IEEE Symposium on
Security and Privacy (S&P), the Network and Distributed
System Security (NDSS) and Usenix Security Symposium, are
deemed as the top four cybersecurity conferences by security
research communities. However, it was recognized that this
emphasis might overlook papers appeared in other conferences
or journals. Based on the collected papers, we also distilled
the references of these papers and those that referenced the
collected papers. To catch up with the trend of cyber incident
prediction, as well as to cover new and emerging datasets,
we try our best to include representative works published in
recent years in this survey. In short, this survey is intended to
introduce the new rising topic to readers, attract and appeal for
more readers to begin research in this field. For this aim, great
emphasis is placed on a thorough description of existing work,
and references to primary datasets for each work are provided.
When trying to predict cybersecurity incidents, it should be
understood that data plays the crucial role in the process of
analyzing cyber threats, modeling prediction problems and dis-
covering security incidents. Driven by more and more publicly
available data, predicting security trend and discovering indi-
cators of cyber incidents seem to be much more feasible than
ever before. From the collected literature, the data sources
can be categorized as follows: (1) Organization reports and
datasets: some organizations regularly update their datasets or
reports to publish security-related information. For example,
VERIS Community Database (VCDB) [17] records secu-
rity incidents in a common format. Important examples that
leverage organization reports or datasets as their data source
include [9], [18], [19]. (2) Executables datasets: Executable
code, file or program that is able to run by a computer is
served as the dataset in work [20]–[22]. (3) Network datasets:
network datasets typically record the structure, properties, traf-
fic or symptoms of a network. Specifically, there are four
kinds of network datasets in this survey: log files [23], network
mismanagement symptoms [24], temporal networks from dif-
ferent domains [25] and network traffic [26]. (4) Synthetic
datasets: synthetic data is generated according to specific needs
and under certain conditions. In [25] and [27], the prediction
model was established and evaluated by using synthetic data.
(5) Webpage data: Web contents crawled from webpages can
also be used as data source as shown in [7], [8], and [28].
(6) Social media data: social media is a platform that cov-
ers up-to-date insights and information from users around
the world. Existing studies in [29]–[33] collected data
from Tweets, articles and reviews. (7) Mixed-type datasets:
some examples in [25], [32], and [33] made use of two or
1746
more of the above data sources as mixed-type datasets to
collect groundtruth, set up model and conduct validation.
Corresponding to the above six types of data sources, we
emphasize on the thorough description of the datasets and
provide references to seminal work for each dataset.
Our contributions:
• The principal contribution is the collection and investiga-
tion of state-of-the-art cybersecurity incident prediction
schemes, methods and datasets, which highlights the
existing work in this field.
• The collected works are novelty classified into six cate-
gories according to utilized datasets: organization reports
and dataset, network dataset, synthetic dataset, webpage
data, social media data, and mixed-type data. The datasets
used in each work are identified and referenced in minute
detail and depicted in the form of tables for clarification.
• The modeling methodology commonly adopted by cyber-
security incident prediction is summarized. As stated in
each phase of the methodology, challenges and future
directions are discussed.
This survey is organized as follows. Firstly, Section II sum-
marizes the overview of cybersecurity incident prediction,
including the definition of cybersecurity incident and research
methodology. Section III presents a detailed view of existing
work in the area of cybersecurity incident prediction according
to our categorized datasets. In line with the research method-
ology, Section IV discusses the challenges & future direction
in this area. Finally, Section V concludes the paper.
II. OVERVIEW OF C YBERSECURITY
I NCIDENT P REDICTION
In this section, an overview of cybersecurity incident
prediction is given in the following two specifications: the def-
inition of cybersecurity incident and the research methodology
for prediction. The definition aims to clarify the meaning of
cybersecurity incident prediction as well as to determine the
scope of this survey. Moreover, the definition contributes to the
explanation of the methodology deployed in this field, provid-
ing the roadmap for researchers who want to engage in related
fields.
A. Cybersecurity Incident Definition
here are many definitions of the term “cybersecurity inci-
dent” in the literature. This raises the challenge of giving
a standard definition and taxonomy for describing incidents
and limiting the scope of the survey paper. Particularly, the
definition of “incident” varies from team to team and from
project to project. Sample definitions in literature review
are as follows: (1) a general definition for a cybersecurity
incident might be “any real or suspected adverse event in
relation to the security of computer systems or computer
networks” [34]; (2) Australian Computer Emergency Response
Team (AusCERT) [35] defined an incident as “any type of
computer network attack, computer-related crime, and the mis-
use or abuse of network resources or access”; (3) the SANS
Institute [36] and Department of the Navy [37] described an
incident as “an adverse event in an information system and/or
network, or the threat of the occurrence of such an event”
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019
in their incident response guidebooks; (4) Computer Security
Incident Response Team (CSIRT) [38] defined the incident
as “unauthorized activity against a computer or network that
results in a violation of a security policy”. Based on the
above definitions, one can conclude that although there are
many definitions of “incidents”, all of these show a substan-
tial content of similarities. Hence, in this survey, we define the
cybersecurity incident as actions/events/situations/collection of
data with bad intentions which lead to threats or damages on
cybersecurity.
Furthermore, the term “cybersecurity incident” has been
defined with appropriate taxonomy in [39]–[41]. A list of sin-
gle and defined terms is a popularly adopted taxonomy as a
simple and clear method. David and Karl [39] used a list that
includes 24 terms to define a cybersecurity incident, such as
“Viruses and Worms”, “Unauthorized Data Copying”, “Logic
Bombs” and “Denial-of-Service”. Although this classification
is easy to implement, for covering all types of cyber incidents,
the list needs to contain encyclopedic volumes of defined
terms. Besides, the definitions of some specific terms are hard
to accept. Consequently, some literature employed a list of
categories to define cyber incidents [40], [41]. According to
Computer Security Incident Handling Guide published by U.S.
National Institute of Standards and Technology (NIST) [40],
incidents are tagged into four types: Denial of Service (DoS),
malicious code, unauthorized access, or inappropriate usage.
Furthermore, some taxonomies focus on the action of cyberse-
curity incident [42] or the result triggered by the incidents [43].
Inspired by the above cyber incident taxonomies, we orga-
nize the incidents from the collected literature into our
proposed categorization method as shown in Figure 1, to better
analyze and define cybersecurity incident, as well as clarifying
the scope of incidents. The first hierarchy of indexes in our
category adopts the NIST cyber incident taxonomy that tags
each incident as either inappropriate usage, DoS, malicious
code or unauthorized access. Furthermore, we herein catego-
rize incident of each reviewed work in the manner of “list of
terms” by David and Karl [39], as well as providing references
to the relevant paper.
B. Research Methodology
The methodology, shown in Figure 2 illustrates common
steps to predict and discover cybersecurity incidents. The
model is composed of six steps, which constitutes a circle
as a continuous and incremental process: (1) cybersecurity
incident analysis; (2) security problem modeling; (3) data col-
lection and processing; (4) feature engineering/ representation
learning; (5) model customization; (6) evaluation.
1) Cybersecurity Incident Analysis: The first step is to
“know the enemy”. In the face of overwhelming cybersecu-
rity incidents, the first thing we have to do is to target one or
more specific cybersecurity incident types. In order to achieve
the goal of predicting and discovering cybersecurity incidents,
many efforts have been devoted to finding more indicators that
may relate to incidents by comprehensively analyzing an inci-
dent. Moreover, fully understanding a cybersecurity incident
is helpful to see some aspect of the problem at which to chip
away.
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
Fig. 1. Reviewed cybersecurity incidents categories.
Fig. 2. Methodology of data-driven cybersecurity incident prediction.
As referred to in Section II-A, cybersecurity incident is the
activity with evil intentions which results in threats or damages
on cybersecurity in general definition. Depending on different
perspectives, researchers discerned and analyzed cybersecu-
rity incidents in distinct ways as shown in Figure 1. In this
step, we provide ways on how to analyze cybersecurity inci-
dents. Generally, a type of incident can first be compared
and contrasted with similar events. From the technical level,
techniques, tools, and methods utilized to achieve the attack
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1747
are considered nontrivial for analyzing a cybersecurity inci-
dent. Besides, the infrastructure, environment and occurrence
time of the incidents are also worth analyzing. Last but least,
actors involved in the incident may affect the development of
incidents, which can be potential factors for prediction and
discovery objective [34], [38]. During the process of analysis,
a small number of samples may be required to extrapolate the
entire incident and reflected details of the case.
2) Security Problem Modeling: After profoundly analyz-
ing the previous target cybersecurity incidents, the research
problem shaped by project requirements should be determined
in this step. Roughly speaking, there are two ways of think-
ing about how to define cybersecurity incident prediction or
discovery problem: one way is to design a method that ulti-
mately aims to apply to all kinds of security incidents to
predict/discover security incidents and related information.
Such a method can demonstrate its feasibility by choosing
one or more specific incident types to conduct proof-of-
concept; the other way is to solve a particular prediction or
discovery problem investigated in the process of analyzing a
kind of cybersecurity incident, such as predicting whether a
currently benign website will become malicious [7] or dis-
covering black keywords used by the online underground
economy [28].
On the basis of the research problem, a model to solve the
problem will be set up. Several samples can be applied to
validate the feasibility and practicality of the implementation
alternatives to help determine whether the idea is worth taking
on to the next stage.
1748
Hereon, we will briefly introduce related modeling
approaches and techniques for cybersecurity incident
prediction. Typically, techniques in support of establishing
security models focus on ML and DM. As ML and DM
often employ the same methods, there is considerable overlap
between the two terms [15]. Regarding cybersecurity incident
prediction and discovery, ML concentrates on prediction,
based on the knowledge learned from the training data. The
task of predicting the elements in a given dataset should
belong to which one of two groups that can be cast as a
binary classification problem, using existing techniques, such
as those proposed in [9] and [18]. Similarly, where more than
two labels can be assigned to each observation, multi-label
classification is applied to solve a specific problem in [30].
Furthermore, when the prediction problem is designed to
explore the relationship between variables, regression is an
elective solution, as proposed in [27]. On the other side,
DM focuses on discovering previously unknown knowledge
in the datasets. To put it in practical terms, the task of
grouping a batch of objects in such an approach that objects
in the same group are more similar to each other than to
those in other groups is typically considered as a clustering
problem [8], [31].
Besides ML/DM, other techniques should be considered
when setting up model and dealing with specific issues. For
instance, as security incidents are normally recorded in natural
language, Natural Language Processing (NLP) is extensively
used to process data as in [24], [28], and [31]–[33]. In addi-
tion, some work unitizes statistical and graph mining [25]
approaches to achieve their goals. Note that we delay the
detailed analysis of how security problems of the selected
works are modeled to Section III. As an introduction, Table II
summarizes the research problems and techniques applied to
establish model in the reviewed works.
3) Data Collection and Processing: After the above two
steps, we need to obtain sufficient data. Predicting cybersecu-
rity incidents is firmly bound up with data. Collecting data
is a critical step, which forms a connecting link between
the preceding and following steps in this methodology. The
quality and quantity of data decide the feasibility of solv-
ing the research problem proposed in the last step. Also,
data can serve as the source for setting up groundtruth and
affect the performance of the prediction model. We have wit-
nessed the enormous increase of both the scope and variety
of security-related datasets in recent years, which provides us
with valuable resources to predict and discover cybersecurity
incidents.
So how to collect valuable and unique needs data from the
large volumes of different kinds of data sources? The gen-
eral steps to manage big data begin with gathering data from
diverse data sources according to the research problem and
project purpose. After collecting the vast amount of raw data,
we should consider how to store these data to perform fur-
ther processing. Physical foundation, as well as cloud storage
services, are usually required to put the data into appropriate
databases or storage services [44]. The third step is to organize
and process data before knowledge discovery from databases.
That includes cleaning up noisy data, mapping data sources to
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019
each other, merging data and converting data to structured for-
mats. High quality label for data is necessary if the prediction
model is built by supervised learning, which is a process of
learning a function that maps an input to an output based on
example input-output pairs [45]. Some data may need to be
labeled by specialists and experts.
Last but least, by investigating the previous work on data
collection, we have some insights on the data collection for
cybersecurity incident prediction. We find that certain kinds
of data are easy to access; a few others are difficult to
obtain for researchers. To be specific, data published on the
Web are usually available for Web crawling. For instance,
we can readily obtain vulnerability records in the National
Vulnerability Database (NVD) [46] and find historical incident
reports in Verizon annual Data Breach Investigations Reports
(DBIR) [47]. Also, by leveraging APIs provided by various
kinds of social media, such as Twitter, we can mine social
media data. However, some data are relatively difficult to
acquire, especially when privacy information is involved. A
case example is that of log files that are utilized in the work
of [10].
4) Feature Engineering/Representation Learning: The
fourth crucial step of the methodology is to extract features
from the collected data, which is not only critical to achieving
ideal prediction results but also fundamental to the application
of machine learning. The performance of ML methods is heav-
ily contingent on the selection of features or representation
of data to which they are applied on [48]. Feature engineer-
ing refers to a process of relating domain knowledge of data
to manually create features, and thus relies heavily on spe-
cific domain knowledge. Feature engineering begins typically
with brainstorming by investigating data as well as considering
research problems. Sometimes, we can also use the experience
of other literature or projects. In general, both automatic fea-
ture extraction algorithms and manual construction methods
are severed for devising features.
However, sometimes, coming up with appropriate features
is challenging, time-consuming, and lacks expert knowl-
edge [49]. On the other hand, real-world data, such as image,
video and other sensory data, are hard to yield specific features
by traditional feature engineering methods. Representation
learning as an alternative way of feature engineering attempts
to recognize and disengage the potential explanatory factors
buried in the data [48]. In other words, learning representa-
tions of the data can aid in extracting valuable information
when developing classifiers or further predictors. Practically,
capturing the posterior distribution of the hidden factors for
the observed data is a good representation for the probabilis-
tic model. Additionally, efficient representation is beneficial
as input to supervised, unsupervised and deep learning pre-
dictors with suitable representation learning algorithms, such
as supervised dictionary learning [50] and principal component
analysis [51].
It is well-known that feature engineering or representation
learning is a typical process in machine learning and deep
learning. What should be especially considered in cyberse-
curity incident prediction? It is vital that features reflect the
condition before the incidents. In other words, the features may
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
not be necessarily directly related to the cybersecurity incident
but must be an indicator of the threat. To give an example,
when Liu et al. [9] forecasted cybersecurity incident on an
organization-level granularity, they made use of features that
revealed mismanagements on the network and infrastructure
instead of known characteristics of the incident. Based on the
special attributes of prediction, the representation learning has
the chance to enhance the potential for identifying indicators
of cybersecurity incidents and therefore to make a successful
prediction.
5) Model Customization: Generally, the prediction model is
built by applying data mining and machine learning algorithms
and optimizing parameters to fit the best model. Traditional
ML/DM methods can achieve acceptable performance on cer-
tain domains. However, the same performance cannot be
guaranteed when it comes to a specific research problem
related to cybersecurity incident prediction. To solve this
problem, if the traditional ML/DM algorithms can be cus-
tomized according to the specific research problem instead
of directly using packaged tools, the model will be effectively
implemented to achieve maximum data efficiency. Thus, the
efficiency (e.g., running speed) and efficacy (e.g., accuracy and
other performance measurements) of predictive model can also
improve significantly.
Deep learning (DL), a member of a broader family of
machine learning techniques that hinges on learning data rep-
resentations, is moving beyond its early breakthroughs in
pattern recognition and towards innovative applications in dis-
tinct domains and industries [52]. There is a promising trend
of applying DL to analyze tremendous volumes of data with
high computational efficiency [53]. For instance, in the field
of cybersecurity, researchers recently leveraged DL to detect
spam [54], to discover vulnerability [22] and have intro-
duced DL for IoT-based system [55], [56]. Therefore, it is
an opportunity to solve problems for cybersecurity incident
prediction if we rationally utilize and customize DL in this
field.
The ways and insights of customizing model can be
explored based on thoroughly understanding of traditional
ML/DM algorithms and data structures knowledge in classi-
cal computer science. Furthermore, combined with the specific
research problem, the improvements tend to be more problem
specialized.
6) Evaluation: The last step is the evaluation of the model
to determine whether the results meet our objective. That
is, evaluating the model with appropriate metrics to verify
research goals are reached.
In Section III, the evaluation method and metrics of each
work will be described in details. For earlier understanding,
we list the definitions of evaluation metrics used throughout
the paper.
The evaluation metrics are calculated from confusion matrix
that reports False Positives (FP), False Negatives (FN), True
Positives (TP) and True Negatives (TN), as shown in Table I.
The evaluation metrics frequently used for reviewed work are:
• Accuracy — it is defined as percentage of correctly pre-
dicted items among the total number of items, which is
calculated as (TP + TN)/(TP + TN + FP + FN).
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1749
TABLE I
C ONFUSION M ATRIX
• Recall — it also called sensitivity or TPR. It refers to
percentage of numbers of class X correctly predicted
as belonging to class X, which is calculated as TP/(TP
+ FP).
• Precision — it illustrates percentage of items correctly
predicted as X among all items classified as X, which is
calculated as TP/(TP + FN).
• False Positive Rate (FPR) — it indicates percentage
of items incorrectly classified as class X to all items
that belong to a class not X, which is calculated as
FP/(TN+FP).
• F-measure — it is another measurement of accuracy com-
bining precision and recall, which is calculated as 2 ·
Precision · Recall/(Precision+Recall).
Also, some work utilizes a graphical plot that is called
Receive Operating Characteristic (ROC) curve to illustrate the
prediction ability of a binary predictor. Specifically, a ROC
space is created by plotting TPR as y-axis against FPR as
x-axis, which demonstrates relative trade-offs between benefits
(TP) and costs (FP).
In addition, some work utilizes a graphical plot that is called
Receive Operating Characteristic (ROC) curve to illustrate the
prediction ability of a binary predictor. Specifically, a ROC
space is created by plotting TPR as y-axis against FPR as
x-axis, which demonstrates relative trade-offs between benefits
(TP) and costs (FP).
Regularly, the FPR is always a significant challenge to
cybersecurity, which hampers the effectiveness of security
tools [57], [58]. For the detection problem, FPs always result
in massive cost. For instance, a work which is used by one spe-
cific software must be interrupted if the software is detected as
malware. Therefore, the goal of the detection problem is usu-
ally to maximize the TPR while keeping the FPR minimize.
However, regarding the prediction problem, the cost of FPs
are more complicated to avoid, but the cost of FPs is lower
compared to the detection problem. This also agrees with the
goal of prediction: to discover all possible incidents for the
implementing of proactive measures, prioritize alerts and sup-
ply security training in advance. For an insurance company,
20% false positives can be entirely accepted, according to the
recent work [23].
By leveraging comprehensive evaluation methods and met-
rics, we can check whether the results are satisfactory. If the
goal failed to achieve, the circulation from analyzing cyber
incident should restart incrementally to find a better solution.
III. DATA -D RIVEN P REDICTION AND D ISCOVERY
In this section, we review the significant cybersecurity
incident prediction and discovery works by the category of
data sources as follows: (1) organization reports and datasets;
1750 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019

TABLE II
OVERVIEW OF R EVIEWED PAPERS ON C YBERSECURITY I NCIDENT P REDICTION

(2) executables datasets; (3) networks datasets; (4) synthetic
datasets; (5) webpage data; (6) social media data; (7) mixed-
type dataset.
Using the methodology of data-driven cyber incident
prediction proposed in Section II as the main line, we review
the critical points and details of each work in the following
subsections. Table II introduces the overall reviewed papers
concerning paper publication year, goals, incident types and
datasets addressed in each work. Furthermore, Table IX sum-
marizes, contrast and compare the reviewed work following
the proposed methodology step by step.
Besides the text description of the employed datasets in each
work, we also produce Table III to Table VIII to summarize
these datasets. This information can help the research prac-
tice with understanding, repeating and improving works in
cybersecurity incident prediction. Also, we provide more
details about relevant datasets on our GitHub repository,1 such
as release information and some sample data, which may
enlighten new researchers to find new solutions.
A. Organization Reports and Datasets
1) Predicting Data Breach Incidents: Data breach refers
to “a security incident in which sensitive, protected or
1 https://nansunsun.github.io/Cybersecurity-incident-prediction-and-
discovery-data/

Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
confidential data is copied, transmitted, viewed, stolen or
used by an individual unauthorized to do so” in [59]. It has
been a severe problem in the security field for a long time,
many researchers and communities are devoted to detecting
it. While, the fact is that, it is already too late when the
data breach is detected because the severe damage may have
already occurred. If a data breach incident can be forecasted in
advance, the organization may survive in, instead of suffering
from, a cybersecurity incident.
Liu et al. [9] presented a method to proactively predict orga-
nization’s breach incidents based on the externally observed
organization’s network symptoms data. Firstly, the authors
analyzed cybersecurity incidents referenced by Verizon annual
Data DBIR [17] and characterized the extent to which cyberse-
curity incidents could be predicted. Standing on observations
on cyber incidents, the author framed the research problem as
a binary prediction problem of identifying whether an organi-
zation will encounter a data breach incident in the near future
based upon externally observed organizations’ Internet data
instead of data from internal workings of an organization’s
network.
The authors adopted machine learning method to train
and test the classifiers by utilizing organization’s reports and
datasets data, including security incident data and security pos-
ture data. On one hand, security incident data comes from
VERIS community database [17], Hackmageddon [60] and the
Web Hacking Incidents Database [61], serve as groundtruth.
These three datasets cover the cyber incident events rang-
ing from mid-2013 to 2014. On the other hand, security
posture is quantitatively measured in the level of malicious
activities from an organization and five mismanagement symp-
toms. The malicious activities are measured in not only
the amounts of those but also their dynamic behaviors, by
applying various reputation blacklists, including CBL [62],
SBL [63], SpamCop [64], WPBL [65], UCEPROTECT [66],
SURBL [67], PhishTank [68], hpHosts [69], Darknet scanners
list, Dshield [70] and OpenBL [71]. Furthermore, mismanage-
ment symptoms are obtained based on observation from open
Recursive Resolvers, DNS Source Port Randomization, BGP
misconfiguration, Untrusted HTTPS Certificates, and Open
SMTP Mail Relays [24] via using databases that record and
assess the organization’s network. After pre-processing and
mapping, 258 externally measurable features are extracted
from security posture data. Also, each organization is labeled
as “victim” or “non-victim” according to the security incident
reports.
There are two prediction scenarios proposed in [9], namely
short-term prediction and long-term prediction. Experiments
were conducted by using random forest algorithm. In addition,
training datasets are composed of a random subset of victim
organizations and non-victim organizations. In the short-term
prediction scenario, features are extracted from the most up-
to-date time ahead of an incident. In the long-term prediction
scenario, features are extracted from the periods prior to the
first incident happened in the testing dataset.
As to the evaluation of the prediction performance, besides
of traditional evaluation metrics (including accuracy, true pos-
itive, false positive and ROC curve as defined in Section II),
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1751
the authors analyzed top data breaches incidents in 2014 to
illustrate the power of the prediction model. Their prediction
model can reach a combination of 90% TPR and 10% FPR.
Moreover, according to [72], the top five data breach inci-
dents in 2014 are separately happening in JP Morgan Chase,
Sony pictures, eBay, Home Depot and Target. The proposed
prediction model accurately forecasted most of the data breach
incidents, except the Target one.
Sometimes, the attackers may establish the fake network
with clean data (no malicious activities) but with counter-
feit reported incidents, or the opposite way, to mislead the
predictor. This is referred to as adversarial machine learn-
ing. In [9], Liu et al. assumed the data are uncompromisingly
real. In other words, they ignored the noise and error in the
dataset. The complete solution remains a direction for future
study.
2) Predicting Risk Distributions Over Fine-Grained Data
Breach Types: Nowadays, every business is facing various
kinds of security incidents, including targeted attacks and
internal errors. Once a security incident happens, the busi-
ness data involving private, as well as public information, has
the extremely high possibility to be leaked. Furthermore, the
business will be affected not only on its assets but also on its
reputation. Therefore, organizations are devoted to assigning
resources to prevent themselves from ever-changing security
incidents. If the risk distributions can be assessed and pre-
dicted, organizations can prioritize the protection, so as to
achieve more effective protection and save the more resources.
Sarabi et al. [18] leveraged the business details to train and
test a sequence of predictors, which can help organizations
prioritize the preventive resource allocation. When the authors
analyzed security incidents, they found that no business gravi-
tates toward a single sort of incident. Meanwhile, they noticed
that incidents reports usually provide security recommenda-
tions based individually on business sector information. Hence,
different from work in [18], the ultimate goal of the paper is
to employ business details about an organization to predict
a sparser set of incidents types compared with [9], so as to
provide protection resource allocation recommendations to an
arbitrary organization.
For the study, the incidents happened in 2013 and 2014,
including 1729 and 592 entries were collected respectively
from the VERIS Community Database [17] as groundtruth. In
order to achieve fine-grained cyber incident prediction, each
incident was labeled from three fields. The first field is the type
of the cyber incident, including environmental, error, hacking,
malware, misuse, physical or social. The second is the respon-
sible actor for the attack, labeled as the external, internal or
partner. The last is the compromised assets in the incident, con-
taining kiosk/terminal, media, social, network, people, server
and device.
Features gathered for training and testing the predictors are
business details from the organization’s profiles and websites,
which combine information obtained from the VCDB and
Alexa Web Information Service (AWIS). The industry code,
number of employees, and the region of operation of the vic-
tim organization are three business profiles features extracted
from VCDB. AWIS provides the organization’s website and
1752
statistics information, including the traffic volume of the web-
site, number of visitors, speed, number of pages linking to the
website, and information about the organization that maintains
the website (e.g., address, contact information and stock ticker
symbol).
To forecast the risk of various kinds of data breach incidents,
the authors designed multi-label classifiers by using random
forest algorithm. Specifically, each binary classifier predicted
a field of the incident signature, which is namely action type,
actor type or asset type, as mentioned above.
Concerning evaluation, predictors were trained on the 2013
incidents data and tested them using the 2014 data. The
prediction model was evaluated from the risk profiles of
the company and the accuracy of the risk assessment model.
The result showed that an organization can evade 90% inci-
dents by using 70% of incident types on average.
It is worth mentioning that the prediction results seem to
be too ambiguous to operate. That is, more practical recom-
mendations can be provided for a security ignorant business
operator. For instance, the SANS [73] contributes 20 kinds
of security controls that specify the operable guidance to the
business to increase their security level. Hence, transferring
the risk profiles to more actionable security recommendations
could be a future direction.
3) Discovering Previous Unknown Malware With
Downloader Graph Analytics: Malicious software, com-
monly known as malware, has been a vital threat to
cybersecurity for a long time. Reported by the PandaLabs,
18 million new malware samples were captured in the third
quarter of 2016, an average of 200,000 each day [74]. Due to
human error, zero-day exploits or other factors, it is possible
to be infected even for the most protected and state-of-the-art
system in the world. Hence, detecting the malware which are
previously unknown to the public as early as possible is an
effective way to minimize stress, time cost, and damage as
well as defeating incidents from its very beginning. However,
some malware are hard to be detected by using the traditional
malware detection methods that focus on analyzing the
content and behavior of software. Downloader graphs have
the potential of providing indicators of malicious activities
and discovering the vast majority of the malware download
activities that may otherwise remain undetected.
Kwon et al. [19] presented a malware early-detection system
based on the insights from analyzing downloader graphs. The
authors investigated that, due to social engineering or drive-by
attacks, users may download additional malware even if they
are downloading benign applications. Hence, they proposed
a graph-based abstraction model to describe the download
activities on end hosts. Based on the abstraction model, they
performed a large-scale measurement to investigate the differ-
ences in the growth patterns between malicious and benign
downloader graphs. Lastly, they employed features extracted
from measurements to build a malware early-detection system.
The dataset used to build for the malware early-detection
system consists of malicious and benign download activities
graphs. The graphs are generated by reconstructing download
events obtained by anti-virus (AV) telemetry and Symantec’s
intrusion prevention systems (IPS). To represent the download
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019
activities, 19 million influence graphs, in which the down-
loaders have caused on 5 million real hosts, were included
in the dataset. Explicitly, the nodes of a graph indicated that
the Portable Executable (PE) files (including benign down-
loaders and malicious downloaders), and the edges of the
graph represented the download events. According to the
groundtruth of malicious and benign downloaders, 15 mil-
lion of the influence graphs (IG) were labeled as benign, and
0.25 million as malicious. The groundtruth was checked by
three data sources, containing the downloader records from
VirusTotal, the National Software Reference Library (NSRL),
and a supplementary groundtruth data derived from Symantec.
To explore the differences between malicious and benign
downloaders’ IGs, the authors conducted an extensive mea-
surement, providing the features to be utilized by malware
early-detection system. According to the analysis, there are
four apparent indicators of malicious activities: (1) IGs with a
large diameter are mostly malicious. (2) IGs with slow growth
rates are primarily malicious. (3) URL access patterns can
be distinguished between malicious and benign downloaders.
(4) Malware is more prone to download fewer files per domain.
Based on the observation, 16 features (including four internal
dynamic features, three domain properties features, two down-
loader score properties features, four life cycle features and
three globally behavior features) were calculated from the IGs.
Utilizing the features obtained from the measurements and
adopting random forest classifiers, the malware early detec-
tion system was built. To evaluate how early the detection
system can detect the previously unknown malicious executa-
bles, the authors defined “early detection” as “we can flag
unknown executables as malicious before their first submis-
sion to VirusTotal” according to [19]. On average, it is shown
that this early-detection system can detect unknown malware
9.24 days on average earlier than VirusTotal anti-virus prod-
uct. Besides, the authors attempted to perform online detection
experiments, simulating the early detection system employed
operationally. In the experiment, the training dataset contained
data collected before the year 2014, including 21,543 mali-
cious and 21,755 benign data. For the testing dataset, 12,299
malicious and 12,594 benign data were gathered from the year
2014. The resultant 99.8% TPR and 1.9% FPR demonstrate
the robustness of the system. Although there is a limita-
tion that droppers with rootkit functionality would escape
this technique, this method still provides a novel signal and
complementary to the current anti-virus mechanism.
As a concluding remark for this section, an overall descrip-
tion for organization’s reports and datasets is produced in
Table III.
B. Executables Datasets
1) Early-Stage Malware Prediction Using Recurrent Neural
Networks: In the face of rapidly increasing rate and the num-
ber of new malware, both research communities and industries
are devoted to detecting malware. Static malware analysis
derived from analyzing static code can be conducted quickly
and easily. However, static analysis is vulnerable to obfus-
cation techniques and performs poorly when facing entirely
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
TABLE III
O RGANIZATION ’ S R EPORTS AND DATASETS
new malware. Behavioral data generated from file execu-
tion for dynamic malware analysis is more difficult to be
obfuscated. But the process of file execution takes longer
time, which indicates the malware may have been delivered
before detection. The security protection personnel, instead of
repairing damage after detection, can block malicious pay-
loads if the prediction works before any damage taken place.
Rhode et al. [20] proposed an early-stage malware prediction
method, which can leverage the first five seconds of execution
behavioral data to predict whether a file is malicious or not
by using a recurrent neural network (RNN).
During the data collection process, the authors firstly gath-
ered 1,000 malicious and 600 benign Windows 7 executables
from VirusTotal [78] as well as 800 benign samples from a
fresh Windows 7 64-bit installation’s system files. The authors
also collected extra 4,000 Windows 7 applications from free
software sources (e.g., Softonic [79], PortableApps [80] and
SourceForge [81]) to better represent the real workload of the
anti-virus system. The 4,000 Windows 7 applications were
labeled as “malicious” or “benign” by around 60 anti-virus
engines from VirusTotal API [78]. Finally, the dataset included
2,345 benign samples and 2,286 malicious samples.
After collecting data, the executable samples were exe-
cuted using Cuckoo Sandbox [82]. During the execution, ten
sequential machine activity metrics were taken as features by
employing Python Pustul Library [83] and then applied as
input data to the neural network. The captured activities that
were recorded every second in the process of sample exe-
cution included system CPU usage, user CPU usage, packets
sent, packets received, bytes sent, bytes received, memory use,
swap use, the total number of processes currently running and
the maximum process ID assigned. Regarding setting up the
prediction model, the architecture of the model is based on
RNNs along with Gated Recurrent Units (GRUs). On one
hand, RNN has the capability of catching input features, pro-
cessing time-series data, as well as capturing information that
changes over time. On the other hand, GRUs cells are used
for quickening the speed of training process. Furthermore, to
face the rapid evolution of malware, the authors adopted a
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1753
random search of the hyperparameter space to adjust the hyper-
parameter of the model. Finally, the customized configuration
was the settings that achieve the best performance on 10-fold
cross-validation over the training set.
Malware prediction radically transforms the defensive strat-
egy from recovery to prevention. The performance of the
malware prediction method was evaluated from 3 aspects:
• The authors set the goal of prediction as “predict malware
quickly enough that user experience would not (signifi-
cantly) suffer from the time delay.” The testing dataset
only used samples that were first seen by VirusTotal after
an exact time on 10th October 2017. Also, they tested the
method against Random Forest, Support Vector Machine,
Naive Bayes, J48 Decision Tree, K-Nearest Neighbor
and Multi-layer Perceptron algorithms used in previous
research. The results showed that the RNN model out-
performed other algorithms after one second, achieved
91% accuracy after four seconds and 96% accuracy after
19 seconds of execution. The results demonstrated that
the few seconds of execution’s dynamic data was ade-
quate to forecast whether an executable file is malicious
or not.
• The authors explored the robustness of the model to
discover the malware families and variants which are
previously unknown. To simulate “zero-day”, the authors
collected variants listed as advanced persistent threats
(APTs). They found that during the first second of exe-
cution, the variant detection rate was over 89%, which
indicates the capability of the model to discover “zero-
day” malware.
• A case study on ransomware was conducted using 3,000
ransomware samples. The results showed that the accu-
racy of prediction reaches 94% after one second of exe-
cution without prior exposure to samples of ransomware.
As mentioned in [20], There are three main limitations
as well as future directions. Firstly, they only examined
Windows 7 executables. In this concern, checking if the
model is capable of detecting some other potential carriers
for malware or operating systems is essential. Secondly, due
1754
to the easiness of the first 5 seconds of the malicious file
tampering with adversaries, the robustness of the prediction
model should be evaluated by adversarially crafted samples.
Lastly, with good practical value, the model should have the
capability to block the malicious payload if the predictor deter-
mines the process is malicious or suspects the process might
be malicious.
2) Hidden Sensitive Operations Discovery in Android Apps:
Sensitive operations are only conducted on certain conditions
to hide from automated runtime analysis, which is called
Hidden Sensitive Operations (HSOs). HSOs are increasingly
used by malicious mobile apps or other potential-harmful apps
(PHAs) to evade detection. Finding previous unknown HSO
is critical to mitigating the emerging mobile threats. However,
existing static analysis approaches rely on known beforehand
trigger conditions and hidden behaviors. Therefore, discov-
ering unknown HSO is invaluable to understand the HSO
techniques evolving trends and provide insights about how to
defend against incidents caused by mobile security threats,
which encourages the researchers to devote themselves to this
trend.
The branching structure of an HSO usually consists of
one condition and multiple paths. From the observation on
HSO branch, Pan et al. [21] proposed machine learning based
approach that employed a set of lightweight features extracted
from an app to conduct a large-scale unknown HSO discovery.
There are three unique observations concerning an HSO
condition, its paths, and relations between condition and paths
as follows: (1) HSO trigger conditions are always only relevant
to system input (time, location, screen touches, etc.), rather
than the hosting app’s internal input. (2) Behaviors between
two paths are considerably different in HSO. (3) Data and
semantic dependency between conditions and paths in HSO
are remarkably weak. Inspired by the above unique obser-
vations, three sets of features were extracted from trigger
conditions and the corresponding paths: (1) System Input (SI)
is a binary feature indicates whether the trigger condition
contains system input. The system input refers to system prop-
erties (e.g., hardware traces of a mobile phone) or environment
parameters (e.g., time, location, user input etc.). (2) Activity
Distance (AD) and Data Distance (DD) are features used to
measure the similarity of two paths in an HSO branch state-
ment. Both of them werecalculated by Jaccard Distance.
Specifically, AD = 1 − ( O l  Or
Ol Or ), where Ol and Or represent
sets of sensitive operations on two paths of  an HSO branch.
 open-source projects’ codes from GitHub. The six projects are
While dealing with DD, it is set to 1 − 12 ( Vl  Vr
Vl Vr + Fl  Fr
Fl Fr ),
Vl , Vr and Fl , Fr are respectively sets of variables and refer-
ences class fields of a branch statement. (3) Data Dependency
(DF) and Implicit Relation (IR) are features that describe
the relationship between trigger conditions and behavior. DF
refers to the ratio of the variables on a path connected
to the condition through data flows; the latter is the num-
ber of variables, keys, and APIs implicitly related to the
condition.
Support vector machine (SVM) was chosen as the machine
learning algorithm for implementation of the approach.
The evaluation was conducted by leveraging three datasets:
(1) A labeled good dataset: This dataset contains 213 benign
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019
apps with non-HSO branches from Google Play that have
never been flagged by VirusTotal [84]. (2) A labeled bad
dataset: This dataset includes 213 PHAs. Each of PHA has one
HSO branch. (3) An unknown dataset: This dataset comprises
124,207 apps downloaded from Google Play, and 214,147
collected from VirusTotal. The labeled dataset was used for
training, and the unlabeled dataset was applied to testing and
discover new knowledge.
Eventually, 63,372 apps with 70,660 branches were labeled
as HSO by implementing this approach. For evaluation of this
approach, the researchers in [21] randomly sampled 125 apps
and manually inspected each of app. It is shown that the new
approach can achieve 98% precision and over 94% coverage.
Furthermore, the approach was used in a measurement study,
which aims to discover the new knowledge on HSO. By apply-
ing the approach on 338,354 apps in the wild, the researchers
presented evolving trends and discoveries on HSO activities,
which contributes to more effective defense against the mobile
phone threats.
One point should be affirmed is that the work in [21] is sig-
nificant to understand and defeat HSO. However, this is still
a preliminary work in this field. A few limitations could be
observed. For instance, the accuracy and completeness could
be improved. Also, it should be validated whether the model
can evade carefully crafted HSO techniques. Lastly, the cur-
rent existing few heavyweight techniques can be optimized to
improve the scalability of the approach.
3) Code Vulnerability Discovery: Exploitable software vul-
nerabilities are one of the primary causes of security incidents
and data breaches [85], [86]. For instance, a recently disclosed
vulnerability in the Server Message Block (SMB) protocol that
was exploited by the WannaCry ransomware affected a large
number of users and systems worldwide. This resulted in not
only financial loss but also the companies and organizations
reputation damage.
Efficiently discovering previously unknown vulnerabili-
ties can be a feasible solution against potential attacks.
Lin et al. [22] proposed a framework to discover vulnerabil-
ities in function-level granularity. Besides that, by utilizing
the transfer representation learning based on a deep learn-
ing algorithm, the approach they proposed can be applied to
within-project and cross-project vulnerability discovery.
The authors claimed that the function level vulnerabili-
ties groundtruth dataset is scarce. Hence, they collected six
respectively LibTIFF, LibPNG, FFmpeg, Pidgin, VLC Media
Player, and Asterisk. For each project, the authors manually
labeled the vulnerabilities in the function level according to
Common Vulnerability and Exposures (CVE) and National
Vulnerability Database data repositories. Finally, they obtained
457 vulnerable functions and 32,531 non-vulnerable functions.
After setting up the groundtruth dataset, the authors need
to extract features from functions so as to discover vulnerabil-
ities at function level. Firstly, each function was converted
to Abstract Syntax Trees (ASTs) in a serialized form. All
of the serialized ASTs are processed in the same length
on the condition that preserves the structural and seman-
tic features. As usual, the second step is to craft feature.
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
It is worth mentioning that convention feature engineering
that requires specific domain knowledge was not adopted in
this framework. Instead, the authors applied a long short-
term memory (LSTM) [87] based on recurrent neural network
(RNN) with Word2vec [88] embeddings to learn represen-
tations of programming patterns that help to differentiate
between vulnerable and non-vulnerable functions. Besides, for
a target project with a small number of labeled data, same rep-
resentation learning method is applied and as a complementary
to feed into the pre-trained network. Lastly, a random forest
classifier is trained by leveraging these learned representations.
The evaluation was generally based on the comparison
with traditional code metrics (CMs) feature extraction method,
which is commonly adopted in finding vulnerabilities. On one
hand, top-k precision was applied to measure the performance
of the model. Top-k precision [89] is widely adopted in
information retrieval systems. For instance, when measuring
search engines performance, Top-k precision indicated that
how many relevant information is retrieved in all of the Top-
k information. In this work [22], top-k precision suggests
the percentage of functions that are vulnerable in the top-k
fetched functions. On the other hand, they defined Function
Inspection Reduction Rate (FIRER) to measure cost reduc-
tion. In other words, the effort saved by applying the proposed
method contrasted with traditional feature extraction approach
is calculated. The empirical results showed the transfer rep-
resentation learning for vulnerability discovery method was
more effective than the method based on CMs, both in the
within-project and the cross-project detection scenarios.
However, the classification is not fine-grained enough at the
function-level. As a future direction, code-gadget level and
statement level classification can be considered. Also, although
the imbalance problem was solved using the random forest
to a certain extent, it should be concerned about employ-
ing the oversampling and undersampling method to furtherly
addressing this problem.
As a concluding remark for this section, an overall descrip-
tion for executables datasets is produced in Table IV.
C. Network Datasets
1) Mismanagement and Maliciousness of Networks: There
is a hypothesis that mismanagement is correlated with mali-
ciousness. Mismanaged networks are more likely to expose
more attack vectors, resulting in bringing about more attackers
and infected hosts [105]. Moreover, mismanagement networks
have less opportunity to adopt reactive approaches to reduce
the bad impact of compromise.
In other words, mismanagement networks might take charge
of wide-ranging malicious networks and security incidents.
Hence, exploring the relationship between mismanagement
and maliciousness of a network is a stepping stone to dis-
cover security incidents. Zhang et al. [24] found a statistic
correlation between the mismanagement of networks and
maliciousness of the systems. By utilizing the information
drawn from mismanagement leading to maliciousness, proac-
tive protection could be applied to prevent compromises and
damages.
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1755
Mismanagement is defined as “the failure to adopt com-
monly accepted guidelines or policies when administrating and
operating networks” in [24]. Eight network mismanagement
symptoms are collected as follows:
• Open DNS recursive resolver: Open recursive queries
can be exploited in an amplification attack, which poses
a direct threat to the networks. The authors consid-
ered the hosts supporting open DNS recursive queries
as misconfigured. According to the data provided by the
Open Resolver Project [90] from June 2013, there were
27 million open DNS recursive resolvers.
• DNS source port randomization: Randomizing source
ports can prevent DNS cache poisoning to some extent.
The source ports without randomization are considered as
misconfigured. Data were collected by analyzing a series
of DNS queries against top-level domain (TLD) servers
on February 2013. Totally, 226,976 DNS resolvers with-
out being patched with source port randomization were
collected.
• Consistent A and PTR records: According to DNS config-
uration guidelines (RFC1912 [106]), every Address (A)
record should have a matching Pointer (PTR) record. By
utilizing the records stored in VeriSign zone files [91] and
the Alexa Top 1 Million popular websites [92], 27.4 mil-
lion A records without a corresponding PTR record were
gathered.
• BGP misconfiguration: According to
Mahajan et al. [107], 90% announcements made in
less than 24 hours are due to Border Gateway Protocol
(BGP) misconfiguration. By using this heuristic,
42.4 million short-lived routes were detected in the
Route Views project [93].
• Egress filtering: Networks without implementing egress
filtering is considered as misconfigured. By utilizing
data from Spoofer Project [94], 7,861 netblocks with-
out egress filtering were detected and gathered in the
misconfiguration symptoms dataset.
• Untrusted HTTPS certificates: 10.2 million HTTP servers
with untrusted certificates were found in the process of
ZMap network scanner project [95] scanning the HTTP
ecosystem.
• SMTP server relaying: Servers which use open mail
relays are easily abused by spammers since they do not
conduct any filtering before sending the messages to any
destination. By using ZMap in July 2013 to investigate
the popularity of open mail relays, 22,284 SMTP servers
that allow open mail relays were collected.
• Publicly available out-of-band management cards: Out-
of-band management cards are valuable for system
administrators. However, if management cards are pub-
licly available, devices will be riddled with vulnerabil-
ities, posing severe security risks. Based on the above
insight, 98,274 publicly accessible Intelligent Platform
Management Interface (IPMI) cards were collected.
Moreover, maliciousness in [24] indicates that an IP
address is labeled as sending SPAM messages, host-
ing phishing websites, or performing malicious port
scans by IP blacklists (including BRBL [96], CBL [97],
1756
E XECUTABLES DATASETS
SBL [98], SpamCop [99], WPBL [100], UCEPROTECT [101],
SURBL [102], PhishTank [68], hpHosts [69], Darknet
Scanners list, Dshield [70] and OpenBL [71]).
Zhang et al. [24] leveraged statistical analysis method to
demonstrate the relationship between mismanagement and
maliciousness. Autonomous system (AS) level was chosen as
aggregated granularity to quantify the mismanagement and
maliciousness of a network. On one hand, eight misman-
agement symptoms were normalized as eight corresponding
mismanagement metrics. The whole network mismanage-
ment metric was also considered by combining the individual
symptoms into an overall metric. On the other hand, the mali-
ciousness of an AS was normalized by malicious IPs based
on IP blacklists.
The hypothesis is that mismanagement is positively cor-
related with maliciousness. To prove it, firstly, Spearman’s
correlation was calculated between maliciousness and each
mismanagement symptom. The results showed that a statis-
tically significant positive relationship existing between all of
the symptoms and the network’s maliciousness. Given the
overall mismanagement metric, the mismanagement metric
has the strongest correlation with the maliciousness met-
ric, which encourages the researchers to consider the overall
network health instead of specific vulnerabilities or symptoms.
Furthermore, the authors explored whether the mismanage-
ment will lead to maliciousness if social and economic
elements are controlled. Ultimately, by using Fast Causal
Inference (FCI) algorithm [108], they found an inferred casual
relationship between mismanagement and maliciousness con-
sidering social and economics.
This paper [24] demonstrated that different kinds of mis-
management symptoms are profoundly correlated to the
network’s maliciousness and will ultimately lead to malicious-
ness. Security community should pay attention to the networks
with mismanagement symptoms in order to prevent security
incidents. For example, the symptoms of mismanagement can
be utilized to develop a prediction system that can proactively
predict which network has a high probability to be worked
maliciously instead of waiting to behave maliciously in future.
There are several limitations regarding data in this
work [24]. Firstly, not all symptoms that reveal network
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019
TABLE IV
mismanagement are collected and observed. To be specific,
besides of the case of the Open DNS recursive resolver which
can be maliciously used for DDoS attacks by amplification,
there are other amplification vector attacks, such as UDP
Memcached servers, to be considered. More generally, servers
exposed to the Internet and accessible without authentication
can also be observed. Secondly, the collection methodology,
coverage and time frames are inconsistent, which may contain
biases. Thirdly, the data collection and processing focus on the
AS level, which may of independent interest to extend them
to a more granular level in future work.
2) Discovering Zero-Day Applications in Traffic
Classification Systems: Network traffic analytics as a
critical technology is widely applied in intrusion detec-
tion, malware analysis and botnet detection, according to
Miao et al. [109] recent review. By capturing abnormal
patterns in traffic data, traffic classification is fundamental
to cybersecurity and network management. Furthermore,
discovering past unknown zero-day traffic discrimination can
significantly improve the accuracy of traffic classification,
which is critical to improve incident response and mitigate
cybersecurity incidents.
To solve the zero-day applications problem,
Zhang et al. [26] proposed a Robust Traffic Classification
(RTC) scheme to discover previously unknown applications
in traffic classification systems by utilizing supervised and
unsupervised machine learning techniques.
RTC framework is composed of three modules, namely
unknown discovery, “bag of flows” (BoF)-based traffic classi-
fication and system update. In the unknown discovery module,
the k-means based clustering algorithm is first applied to unla-
beled and labeled mixed data. If a cluster does not include any
prelabeled samples, this cluster is a zero-day cluster. However,
the rough estimation can lead to high TP rate. Thus, the authors
set up a multiclass random forest classifier with various known
classes and one unknown class to purify zero-day samples. In
the “bag of flows” (BoF)-based traffic classification module,
Zhang et al. [110] proposed a novel classification method that
leverages flow correlation [110] in real-world traffic to con-
duct traffic classification and aggregated the prediction results.
Finally, the system update module was designed to learn
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
newly identified zero-day traffic as a complementary knowl-
edge to the system, by repeating k-means based clustering and
inspecting manually.
The datasets used for evaluation experiments combined
four disparate Internet traffic traces, in order to minimize
the effects of data bias caused by heterogeneous sampling
points. Specifically, three traces were gathered from the pub-
lic traffic data repository. And another one was captured by
using a probe from an Australia’s Internet service provider.
The groundtruth was set up by using previous experiences
and tools concerning the signatures of applications. Besides,
20 unidirectional flow statistical features were extracted to
represent traffic flows, including 2 features about packets,
2 features regarding bytes, 8 features describing packet size
and 8 features concerning inter-packet size.
Zhang et al. [26] designed comprehensive experiments to
evaluate the performance of the RTC framework. They com-
pared their method with four state-of-the-art traffic classifica-
tion methods, which are respectively random forest [111], the
BoF-based method [110], the semi-supervised method [112]
and one-class SVM [113]. Accuracy and F-measure were used
as evaluation metrics and 100-time experiments were con-
ducted to illustrate that the results are stable. Besides, they also
explored the robustness of their method when considering var-
ious training datasets, zero-day applications, and performance
with vs. without a system update module. All of the results
showed that the RTC framework significantly outperformed
the other four methods.
Network data in computer networks is usually encapsulated
in packets, each of which consists of the packet header and
packet payload. Moreover, network flow refers to a sequence
of packets that originate from a source computer and are des-
tined for a destination. This work [110] demonstrated traffic
data is capable of conducting intrusion detection and there-
fore for incident prediction as well. In general, the works
that inspect the traffic at the level of the packet payload
focus on textual-based protocols, while the work in [110] that
focuses on the statistics of network flow information is more
generic.
3) Predicting Which Machines Are at Risk of Infection:
The current situation of the cyber-threat ecosystem is that no
system seems to be invulnerable. Hence, the IT administra-
tors are progressively shifting to look for proactive measures
that can reduce the damage caused by cybersecurity incidents.
As discussed earlier, Liu et al. [9] utilized organizations’ his-
torical incident reports to predict cyber incidents. In a finer
grained, Bilge et al. [23] employed binary file appearance logs
to forecast whether an enterprise machine would be infected.
Bilge et al. [23] come from Symantec Research Labs [114],
which indicates that they can comparatively readily collect
data in respect to the binaries appearing on machines. In total,
the data was collected from 600K machines involving 18 enter-
prises. Based on the analysis, 4.4 billion binary file appearance
events were reported among these machines. 89 features were
designed to establish the profiles of the machines, includ-
ing file download statistics, vulnerability patching behavior,
application download behavior, and historical threat analysis.
These features were extracted from file appearance logs of
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1757
each machine, which captured the pattern of the usage and
user behavior of a device.
Each machine was identified as “clean” or “infected” by
using three different datasets, which were respectively a
labeled dataset obtained from the AV company about known
benign and malware, a dataset acquired from the AV product
concerning known malware, and a telemetry dataset gen-
erated by IPS product regarding infection records. On the
one hand, it is generally acknowledged that the quality of
groundtruth is vital to the quality of predictors. On the other
hand, the number of data waiting to be labeled is enormous. To
address these problems, Bilge et al. [23] introduced the semi-
supervised method that made use of profile similarity with
labeled machines to infer fuzzy labels for unlabeled machines.
Once the features and labels of machines were well pre-
pared, the predictive model was established by using random
forest machine learning algorithm. Followed by that, a com-
prehensive evaluation was conducted to evaluate the predictor.
As reported in [23], the prediction could reach 96% TPR with
only 5% FPR, which is the best result in a machine-level gran-
ularity up to now. Additionally, the semi-supervised learning
method proposed to estimate labels of the unlabeled dataset is
proved to enrich the groundtruth as well as remain consistently
accurate.
As a concluding remark for this section, an overall descrip-
tion for network datasets is produced in Table V.
D. Synthetic Dataset
1) Predicting the Resilience of Obfuscated Code Against
Automated Attacks: Code obfuscation applies transformations
to the original code with the intention of improving the diffi-
culty of analysis and tampering but maintaining the functional-
ity of the program. Obfuscating code transformation technique
is motivated by request to hide the particular implementation
of a program from the unauthorized reverse engineering pro-
cess [116]. If attackers exploit the hidden information/code,
not only will intellectual property be stolen, but also threats
and incidents may happen. However, it is known that attack-
ers can reverse engineer if given enough time and resources.
Therefore, estimating the period when an obfuscated pro-
gram can withstand a given reverse engineering attack is an
open challenge for software obfuscation. Banescu et al. [27]
proposed a framework to predict the resilience of different
obfuscated transformations against automated attacks.
Resilience is defined as a function of deobfuscator effort and
programmer effort, namely, the time spent on deobfuscation
process [117]. Banescu et al. [27] proposed an approach to
predict deobfuscation time given by software relevant features.
The groundtruth data was obtained by running automated
attacks on the obfuscation C code and recording the deob-
fuscation effort that was assessed by execution time needed
to complete an attack successfully. Ideally, the obfuscation
C code should be collected from real-world as presented
in [118]. However, the authors found that it was hard to
obtain enough amount of program data with security checks
required by the study from code sharing platforms (e.g.,
GitHub). Therefore, synthetic code datasets were generated
1758 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019

TABLE V
N ETWORK DATASETS

for the proposed approach as a substituted solution. A C pro- applying five obfuscating transformations [115] to each of
gram generator was designed, and 4608 C programs with raw C programs, 23,040 synthetic obfuscation programs were
various license checking algorithms were produced. After created. Afterward, the deobfuscation process based on the

Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
TABLE VI
S YNTHETIC DATASETS
symbolic execution attack was conducted by using free and
open source software tools (e.g., KLEE [119], angr [120],
etc.). Additionally, the time spent on completing the attack
was recorded.
After setting up groundtruth dataset, the next step is extract-
ing features. There were 64 features extracted from synthetic
programs, including 49 features characterizing the complexity
of symbolic variables and 15 program features characteriz-
ing the code. By utilizing two light-weight feature selec-
tion algorithms (Pearson correlation and variable importance
respectively), the top 15 most relevant features were selected.
For prediction, the approach utilized the top best 15 features
to construct a regression model via several machine learning
algorithms, including support vector machine (SVM), random
forest (RF), genetic programming (GP) and neural networks
(NNs). It can be found the authors directly used packages for
regression algorithms in R [121] to do statistical computing.
Lastly, the evaluation of the approach was conducted from
the following two aspects: (1) The accuracy of prediction was
calculated. (2) The Smart Obfuscation Engine (SObE) was
proposed to combine the approach with obfuscation tools.
The accuracy of predicting execution time of the symbolic
execution-based deobfuscation attacks could achieve 90% for
80% programs in their synthetic dataset. Also, the approach
could be applied to SObE, which compared the prediction of
deobfuscation time with the attacker’s budget. If the prediction
time is longer than the attacker’s budget, the obfuscated pro-
gram is the output. Otherwise, the developers should change
the obfuscation transformation method to protect their code
and withstand attack. Although this work is significant in
software protection as well as decrementing the risk of cyber-
security attacks, the real word programs should be considered
to add into the dataset to improve the robustness of the model.
As a concluding remark for this section, an overall descrip-
tion for synthetic datasets is produced in Table VI.
E. Webpage Data
1) Discovering Black Keywords Used by Underground
Economy: Yang et al. [28] developed Keyword Detection and
Expansion System (KDES) to discover black keywords used
by the underground economy automatically. The underground
economy is a kind of activity which transacts illegal prod-
ucts between buyers and merchants. Communicating online
with Black keywords is commonly used by the underground
economy to evade outsiders. Nonetheless, black keywords are
continually changing and updating. Consequently, capturing
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1759
black keywords without coming to the surface is significant
in predicting future online shady business and destroying the
underground economy.
KDES took advantages of blackhat search engine
optimization (SEO) Web pages as data source to extract
unknown black keywords. The reasons why the blackhat SEO
Web pages are appropriate to discover black keywords are
two-fold: first, due to the illegal transaction, the underground
merchants rely on using black keywords to present and pro-
mote their products; second, the underground merchants tend
to make use of blackhat SEO facilitating their websites rank-
ing for taking up online marketplace. Based on these two
reasons, the raw data collected in [28] was Web page data,
including 2,733,728 SEO pages, 60,000 porn pages and 3,424
gambling pages marked as “evil” by Baidu. KDES suggests
a new direction which is big data analytics in dealing with
security problems believed difficult by traditional strategies.
There are three components involved in the KDES archi-
tecture: (1) keywords extraction; (2) keywords expansion;
(3) core words identification. Keywords extraction module
extracted keywords from text inside the HTML tag a href.
After removing the duplicate words, a gigantic word list has
been left. By restricting the length of keywords and explor-
ing the consequences resulted in the keywords, the range
of keywords greatly narrowed down. The similar keywords
were added to the keywords list in the keyword expansion
system, which leveraged the functionality of related search.
However, the great amount of keywords is a heavy burden on
the security analysts. To solve this problem, core words identi-
fication module distinguished the “core word” (closely related
to underground economy) from “filter word” (less meaning-
ful words). The remaining keywords list was important for
analysts to investigate and understand the online underground
economy as well as prioritizing their tasks.
The performance of KDES system was evaluated on the
accuracy of identifying keywords as black. For those black
keywords, the security analysts queried them on popular online
underground economy communication channels, including
Baidu Tieba, QQ groups, and Baidu. They sampled 1000 key-
words and verified 943 keywords as black (94.3% accuracy).
Based on the obtained black keywords, an extensive mea-
surement regarding the online underground economy in China
was carried out regarding the underlying infrastructure, the
criminals behind, and the impact on the cyber environment,
which effectively provided solutions to prevent the illegal pro-
motion by the underground economy. However, the system
resilience can be strengthened. For instance, the attackers
1760
could relocate the black keywords in anchors to other sections
under the page, which can escape from the parser. Meanwhile,
the KDES can be advanced by defending evasion implemented
by adversaries.
2) Predicting Website Will Become Malicious or Not:
Successfully detecting whether a target website is malicious or
benign with high accuracy has been achieved with concerted
efforts by researchers. While, there is a more effective
and less passive method proposed, which is to forecast
whether the website will become malicious or not in advance.
Soska and Christin [7] proposed a classification system which
can predict whether a currently benign website has the high
risk of becoming malicious in future. This system is not only
beneficial to search engines but also useful to blacklists and
website operators.
The authors designed, implemented and evaluated a machine
learning classifier which could proactively identify whether
a website would be compromised or not within one year.
When it comes to the groundtruth, both the benign and mali-
cious websites were included in the dataset to set up machine
learning classifier. Two blacklists were used as groundtruth
for malicious websites: PhishTank [68] and a list of websites
that have been injected by “search-redirection attacks” [122],
[123]. 34,922 websites from PhishTank and 14,425 websites
from the “search-redirection attacks” list were archived as the
groundtruth for malicious websites. To collect benign web-
sites, the authors randomly sampled entire.com zone file and
yielded 337,191 website archives. Among these 337,191 web-
sites, 27 websites infected by “search-redirection attacks” and
72 websites matching PhishTank entries were discarded. In
addition, a complementary 421 sites collected from the DNS-
BH [124], Google SafeBrowsing [125], and hpHosts [126]
blacklists were removed from the benign corpus. Eventually,
the number of websites in benign corpus was 336,671.
Features are critical to the decisions of a classifier. To effec-
tively differentiate the websites that will become malicious,
features derived for the classifier should characterize the web-
sites from various perspectives, including the appearance of
the website, traffic information and textual contexts, and so
on. In [7], the classifier adopted two main features by ref-
erencing the Alexa Web Information Service (AWIS) [92]
and the content information of a website. AWIS information
covers the popularity ranking of a website, the number of
links to the website, load percentile, adult site or not and
the number of reach per million; the content information of
a website includes the lists of tags from all the pages sur-
vived from the acquisition and filtering process. To yield the
best classification performance, statistic-based dynamic feature
extraction was conducted. For each tag, the balanced accuracy
of a tag was calculated and ranked. When dealing with the
problem that the tags used for classification may change due to
the attacks against websites evolve, the windowing technique
was applied to the feature extraction process. However, the
limitations of dynamic features introduce the possibility that
adversarial machine learning approach affects the performance
of the system, which deserves further analysis.
C4.5 decision trees classifier was chosen as the prediction
model in this system. It is hard to evaluate whether the
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019
prediction result is correct or not immediately, so the
alternative method is to use the past data to simulate the
prediction done in the past and evaluate the prediction results
by using the present data. A ROC curve was generated for the
evaluation of the classifier’s performance. Within a one-year
time horizon, the prediction model could achieve 66% true
positives and 17% false positives.
3) Automatic Identification of Unknown Web-Based
Infection Campaigns: While people enjoy various kinds
of wonderful services online and communicate globally,
software used to support the functionality of a website might
be vulnerable to attackers. The attackers inject malicious
code snippets by exploiting the server-side vulnerabilities.
If users download or install the malware deriving from the
client-side vulnerabilities, they will be infected. For the
attackers, finding a vulnerability and generating a malicious
code snippet need investing lots of time and effort. To save
resources, the attackers usually launch an infection campaign
throughout multiple websites (potentially thousands) by using
carefully crafted infection vectors. For this reason, it is a
great opportunity to discover probably thousands of malicious
websites if an unknown infection campaign is identified.
Borgolte et al. [8] proposed a δ-system that can auto-
matically identify Web-based infection campaigns. The
system adopted static analysis method to discover previously
unknown infection campaigns which may involve thousands
of malicious websites. In the prior work, researchers were
devoted to detecting the malicious activities based on single
website/URL detection by using dynamic analysis approach.
However, the δ-system is able to identify the infection cam-
paigns and predict malicious websites which are under surface
before.
The δ-system follows a four-step process. The first step
is to retrieve and normalize the website. The current ver-
sion and the base version of a website are retrieved, and
the source code is saved after normalization. The normaliza-
tion includes normalizing capitalization, reordering attributes,
discarding invalid attributes and normalizing attribute’s value.
Secondly, the similarity between the base and up-to-date ver-
sion of the website is measured. The similarities are computed
via fuzzy tree difference algorithm, which performs the com-
parison between the Domain Object Model (DOM) tree of
the base website and the DOM tree of the current website.
Thirdly, the similarity vector is clustered based on similar-
ity measurement. The density-based clustering algorithm is
applied for this step, named Ordering Points To Identify the
Clustering Structure, with Outlier Factors (OPTICS-OF) algo-
rithm proposed by Breunig et al. [127]. The outputs of the
clustering are defined as infection campaign, benign trend and
new campaign separately. The δ-system relies on an external
detection system instead of detecting the malicious behaviors
by itself. The last step is to generate the identifying signature.
A signature is simply generated by illustrating each node’s tex-
tual representation as a Deterministic Finite Automaton (DFA).
The identified signature can be served to security analysts and
intrusion detection/prevention system.
The dataset in [8] contains the websites being crawled from
January 2013 to May 2013 (4 months), counting as 26,459,103
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
TABLE VII
W EBPAGE DATA
distinct website pairs. Also, there are six main features
selected for clustering, including three kinds of binary fea-
tures (template propagation, script inclusion, and inline frames
respectively) and three categories of attribute values (Shannon
entropy, character count and Kolmogorov complexity
respectively).
The δ-system successfully identified the infection cam-
paigns that were previously unknown to the public. Once
a new infection campaign is identified, the websites in the
same clusters have the significantly high probability of being
infected by the same infection campaigns in the past or future.
For the potential malicious websites, the prediction is signifi-
cant to the websites and users for the preventative purpose.
A real case which was successfully identified by δ-system
was the cool exploit kit infections of Discuz!X. 15 differ-
ent websites in the same cluster were using the discussion
platform “Discuz!X” that redirected to a specific infection
campaign. It has been proved that the system significantly
improved the detection speed and reduced the evaluation
overheads compared with the previous work via in-depth
analysis and evaluation, which contributes to the real-world
deployment. Nevertheless, some limitations, such as rely-
ing on the external analysis system that utilizes dynamic
analysis, defending step-by-step injection, and countering
evolution of infection vectors, still exist in the detection
system.
As a concluding remark for this section, an overall descrip-
tion for webpage data is produced in Table VII.
F. Social Media Data
1) IOC Discovery: Cyber Threat Intelligence (CTI) is
defined as “evidence-based knowledge, including context,
mechanisms, indicators, implications and actionable advice,
about an existing or emerging menace or hazard to assets
that can be used to inform decisions regarding the sub-
ject’s response to that menace or hazard”, according to
Gartner [130]. CTI is usually collected in the manner of
indicators of compromise (IOC), which can be automatically
transformed and deployed to different kinds of security defense
mechanisms, such as intrusion detection system, when IOCs
are recorded in a format of a specific threat information sharing
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1761
standard. IOC is significant for an organization to gain visibil-
ity into ever-changing security threats, identify early indicators
of threats and change protection strategies. However, facing
the tremendous growth of information sources, discovering
and generating high-quality IOC is a challenge as well as an
opportunity.
Liao et al. [29] implemented iACE system to automatically
discover IOC and generate OpenIOC (a kind of IOC stan-
dard framework) compatible, semantic-rich intelligence from
popular technical blogs (including AlienVault, Malwarebytes,
Webroot, etc.). Furthermore, the insights gained from more
than 71,000 articles gathered from 45 popular technical blogs
shed light on the unknown relationships across different secu-
rity attack incidents, especially their shared infrastructure
resources, and the impacts on security protection and attack
evaluations.
The architecture of iACE consists of 5 modules: (1) Blog
Scraper (BS): BS is designed to crawl technical articles from
technical blogs. (2) Blog Preprocessor (BP): By leveraging
NLP techniques, the IOC-irrelevant articles are filtered out in
the BP. (3) Relevant-content Picker (RCP): RCP converts pic-
tures and other special contents in the articles to text, splits
sentences and selects the candidate sentences by allocating
with a kit of context terms and regexes. (4) The relation
checker (RC): RC parses the grammatical structure correlating
the context terms and the IOC candidates, and decides whether
the latter is indeed an IOC. (5) IOC Generator (IG): according
to the OpenIOC standard, IG automatically generates header
and definition parts for all identified IOCs.
There are two machine learning classifiers deployed in the
system. The first is a topic classifier used in RCP module,
separating the non-IOC articles from the IOC articles. The
classifier is trained on a dataset including 150 IOC articles
and 300 non-IOC articles by using support vector machine
(SVM) algorithm. It is worth mentioning that the IOC files
are from 2 public feeds, including iocbucket [131] and ope-
niocdb [132]. Topic words, article length and dictionary-word
density are calculated and used as features. The second clas-
sifier is a relation checker, confirming the presence of IOC
relationships between a context term and an IOC candidate
within a sentence. The classifier utilizes logistic regression
algorithm based on the features calculated from dependency
1762
graphs which are transformed from the candidate sentences
consisting of IOC candidates and context terms. 1,500 true
IOC sentences and 3,000 false IOC sentences constitute the
training dataset.
The dataset used for evaluation was collected from 45
security-related technical blogs between April 2003 and May
2016, counting as 71K articles. The system can achieve 98%
precision and 100% recall when dealing with finding IOC arti-
cles problem. In terms of identifying true IOCs and context
terms, the classifier can reach 98% precision and 92% recall.
On average, inspecting a real-world article cost about 0.25 sec-
onds. The accuracy and performance of the system can satisfy
the demand of discovering high-quality IOCs, which provides
immediate protection to organization security systems.
Eventually, the iACE system automatically discovered 900K
IOC with the context. By inspecting and analyzing the IOCs,
the authors reported unprecedented findings which gave valu-
able guides and warnings to protect organizations’ assets.
Some examples: (1) The authors found that unrelated attack
incidents were related, such as sharing the same infrastruc-
tures. (2) For the attackers, they might change the attack
strategies facing with the new release of exposed IOCs.
(3) But, for organizations, they usually react slowly to the
release of IOCs. (4) Regarding open-source intelligence’ qual-
ity, they found the Hexacorn and Naked Security can provide
timely and comprehensive messages about an emerging attack.
These findings uncovered the security insights that were never
known before, as well as providing profound suggestions on
security defense and protection.
The limitations of NLP techniques and presentation meth-
ods affect the discovery results. How to design and develop
domain- and topic-specific tools is crucial in this field. On the
other hand, other intelligence sources, such as research papers,
can be considered to gather to extend this system.
2) Extracting and Encoding Cyber Attacks: Social media
as a gold mine of information is popularly used as a
sensor for different kinds of events, such as earthquake
prediction, disease outbreak forecast, and presidential elections
prediction [133]–[135]. It is an opportunity to make use of
social media as the crowdsourced sensor of cyber attacks (e.g.,
data breaches, distributed denial of service (DDoS) attacks,
and account hijacking). Gaining insights into cyber incidents
is helpful to prevent the individuals, organizations and nations
from the losses and threats coming from various cyber attacks.
Khandpur et al. [31] proposed a dynamic event trig-
ger expansion (DETE) approach to extract cyber events
accordingly providing situational awareness into cybersecurity
events. Compared with [33], this approach extracted and fur-
thermore characterized the security events evolving over time
in a weakly supervised method.
The approach consists of three modules, including target
domain generation, dynamic typed query expansion, and event
extraction. The module of target domain generation is designed
for filtering related tweets which serve as the source of cyber
event extraction. Given a limited and fixed seed query for
cyber attack events and the collection of tweets, the tweets
most related to the seed query are retrieved in this step. After
converting the tweets and given seed query into dependency
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019
tree form, the convolution tree kernel [136] algorithm is used
to calculate the similarities between seed query and all col-
lected tweets based on shared longest common paths. Both the
semantic and syntactic constraints are considered when mea-
suring the similarities between seed queries and tweets, to filter
out noise tweets. Secondly, the authors proposed a dynami-
cally typed query expansion method by leveraging convolution
kernels as well as dependency parses. A set of expanded
queries are generated which represent the relevant concepts
delivered by tweets from the target domain. The final step is
event extraction. The query expansions are clustered by using
affinity propagation [137] algorithm. The representatives of
the clusters are extracted as exemplars and annotated to the
type of cyber attack. The representative of the clusters comes
from the expanded queries with the highest similarity value
matching seed query. Finally, an event is represented by the
representative (discovered event), date and seed query (event
type).
A large stream of tweets was gathered from August
2014 to October 2016. After removing retweets, the num-
ber of collected tweets is 5,146,666,178. To evaluate the
approach, the authors used the Gold Standard Reports (GSR)
on cybersecurity incidents to severe as groundtruth, including
Hackmageddon [128] and Privacy rights [129]. From the above
two sources, the security event type, date, victim organization
as well as description can be checked.
Regarding the performance evaluation, the experiments
focused on three high impact security incidents, which are
namely data breach, DDoS and account hijacking. Two highly-
cited previous work were chosen as baselines for comparison,
specifically, using expectation regularization to generate tar-
get domain [33] and using bursty keywords to discover cyber
event [138]. The approach can achieve around 80% precision
for data breach and DDoS events, and 66% precision for
account hijacking respectively, outperforming the two base-
lines. The authors also used case studies to illustrate the
performance of their method. It is shown that this approach
not only discovered typical security events (e.g., targeted
DDoS attacks on Sony and Dyn, Ashley Madison website
data breach and Twitter account hijacking) but also success-
fully extracted the cybersecurity attack events that haven’t
been recorded in the GSR, by validating the results using
Google search. The class of attacks can be broadened in
future work. Besides, the sequential dependencies of a kind
of attack can be modeled to characterize the prevalence of the
cybercrime.
3) Predicting Mobile App Security-Related Behaviors:
As the popularity of mobile phones, the security and pri-
vacy of mobile apps become a concern to end users, app
developers and app market [139]. Google Play provides a
platform on which users can post valuable reviews from end
users’ perspective. Kong et al. [30] designed a system named
AUTOREB, which leveraged the reviews from Google Play
to predict the app security behaviors. Although the security-
related behaviors are restricted to spamming, financial issue,
over-privileged permission and data leakage in this work. This
is the first work that infers the security-related behaviors of
an app according to users’ reviews.
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
TABLE VIII
S OCIAL M EDIA DATA
The goal of the system is to automatically predict the
security-related behaviors based on the numerous users’
reviews. Due to one review can be assigned to more
than one security behavior categories, the prediction model
should be set up by using multi-label classifier. The authors
proposed to predict the security behavior of an app from
review-level as well as app-level. The review-level secu-
rity behavior inference engine aims to label a review to
a particular behavior category automatically. The latter one
utilizes crowdsourcing technique to predict the security behav-
ior of an app, by assigning more credit to trustworthy
users.
Each review is treated as a sample, being fed into machine
learning model after labeled manually corresponding to
security-related behaviors and extracted security-related fea-
tures. In respect to review-level security behavior inference,
three annotators are working together to decide the label of
each user review. The security-related features are extracted
from each review, including words and phrases closely related
to the four security concerned categories. In addition, the fea-
tures are augmented and expanded by adopting “relevance
feedback” information retrieval technique [140] to add more
“relevant” words and phrases. Each review is abstracted into
a feature vector denoted by a bag-of-words (BOW). The fea-
tures and labels of instances are fed into sparse SVM machine
learning classifier to train a multi-label classifier. For the
app-level security behavior inference engine, crowdsourcing
technique [141] is applied to aggregate the security labels
from review-level to app-level. By considering the credibility
of different users, the trustworthy users are given more credit
based on two-coin model [141] instead of majority voting
model [141].
The dataset includes reviews clawed from Google Play. One
dataset L was collected for validating review-level security
behaviors inference during November 2014, which contains
19,413 user reviews on 3,174 apps. Each review was labeled
by three workers reaching a consensus. The other dataset
D was collected for validating the effectiveness of app-level
security behavior inference during December 2013 to May
2014, which includes 12,783 apps with 13,129,783 reviews
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1763
from 2,614,186 users. The authors did not hire enough labors
to label security behaviors of each app in dataset D.
For review-level security behavior inference, the dataset
L is evenly split into training set and testing set. The met-
rics used for evaluation are precision, recall and F1 value.
The accuracies of the classifier for identifying “spamming”,
“over-privileges permission”, and “data leakage” are 91.96%,
95.99% and 93.46% respectively. The exceptional case is
that regardless of “financial issue”, the classifier labeled
the reviews as “financial issues”, while the users did not
complain about the “financial issues”. Besides, a base-line
using keyword-based method was compared with AUTORBF.
AUTORBF exceeded a large margin with 51.36% in accuracy.
For app-level security behavior inference, due to the lack of
groundtruth, the authors listed 50 apps that existed user com-
plaints about security issues. The security-related behaviors
predicted by AUTOREB can be regarded as cyber threats indi-
cators to alert users, mobile app developers, and app market
administrators.
In general, this is the first work leveraging user reviews to
analyze the security risk of an app. The four kinds of security
behaviors intuitively come from common sense, which can be
extended to other categories of risk behaviors.
As a concluding remark for this section, an overall descrip-
tion for synthetic datasets is produced in Table VIII.
G. Mixed-Type Data
1) Vulnerability Exploits Prediction: The number of soft-
ware vulnerabilities is dramatically growing in these years.
Certain vulnerabilities might be exploited after a long time,
while numerous vulnerabilities need to be quickly responded.
Hence, it is of great importance to prioritize the response to
the vulnerabilities.
Before the vulnerabilities being exploited, hackers, secu-
rity vendors and system administrators frequently discuss the
vulnerabilities on social media, such as Twitter, to discuss
technical details and sharing experiences. Sabottke et al. [32]
designed an exploit detector based on Twitter, which can
predict the vulnerabilities to be exploited in real-world.
1764
Based on the groundtruth about exploits and the information
posted on the Twitter before vulnerabilities being exploited,
the exploit detector was set up by using supervised machine
learning techniques. The authors collected 287,717 tweets in
total which included explicit CVE IDs. The groundtruth about
exploits comes from three data sources, according to CVE
IDs mentioned in the descriptions of Symantec’s anti-virus
(AV) and intrusion-protection (IPS) signatures [142]:
(1) public proof-of-concept exploits by querying
ExploitDB [75]; (2) private proof-of-concept exploits
by querying Microsoft security advisories’ Exploitability
Index [76]; (3) real-world exploits by querying Symantec’s
Worldwide Intelligence Network Environment (WINE) [77].
The dates of each vulnerability known to the security
community and vulnerability exploited were both recorded.
Furthermore, the vulnerabilities are labeled as “real-world
exploits” or “not exploited”.
Features selected for the classifiers include Twitter features
and database information features. Twitter features are
extracted from the word distributions of tweets containing
the keyword “CVE” and the Twitter traffic data (e.g., num-
ber of tweets) involving the corresponding CVEs. In order
to improve the performance and robustness of the detector,
Common Vulnerability Scoring System (CVSS) (e.g., CVSS
score) and database (including National Vulnerability Database
(NVD), and Open Sourced Vulnerability Database (OSVDB))
features (e.g., NVD last modified date and OSVDB cate-
gory) are considered in this study, which are proven useful in
previous work for predicting exploits [143]. After the mutual
information-based feature selection process, 67 features are
reserved for training and testing the exploits classifier.
After feature engineering, these features are fed into a sup-
port vector machine (SVM) classifier. The output of the binary
classifier is whether the vulnerability mentioned in tweets
will be exploited or not. Samples are randomly selected from
the dataset after shuffling ten times. For each round of sam-
pling, 50% of the available data is used for training, and the
remaining 50% data is used for testing.
The detector is evaluated for the precision and recall, and
assessed by the detection time leading up to the real-world
existing time recorded in the dataset. The detector can detect
the exploits in advance of the existing datasets two days
in median. It is shown that the Twitter-based detector has
fewer false positive compared with Common Vulnerability
Scoring System (CVSS) detector and increases the precision
by one order of magnitude. Moreover, the authors intro-
duced three kinds of adversary machine learning attacks to
the exploit detector, which are randomly posting tweets with-
out knowledge of features (blabbering adversary), mirroring
words’ statistic information according to exploited vulnerabil-
ities (word copycat adversary) and manipulating all Twitter
features (full copycat adversary). They also simulated the
above three types of adversaries and presented the bounds
for the damage to their Twitter-based exploits detector for the
evaluation, which illustrates the robustness of their method.
Lastly, it should be mentioned that there are still two
limitations in the above method. Firstly, the training and testing
data are randomly split, which results in temporal mixing of
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019
future and past data. Secondly, although the authors evaluated
the utility of tweets data, they never compared it with those
utilizing readily available summary on the vulnerability.
2) Predicting the Future Structural Changes of the
Network: Network datasets include abundant data record-
ing the interactions and/or communications among differ-
ent activities (for example, personal communications via
phone or e-mail, interactions on social media, network traffic
information between hosts and servers, and so on).
The structure of an active network has a notable pattern
and will change as time goes on. The temporal dynamics are
critical to a system, which facilitates finding anomalies in the
system, detecting fraud and intrusions and allocating increas-
ing resources. Rossi et al. [25] proposed a dynamic behavioral
mixed-membership (DBMM) model to capture the “roles” of
individual nodes in the network graph and predict how they
change over time.
Given a sequence of time-evolving network snapshots, the
authors proposed a DBMM framework that can investigate
the property of the network, understand behaviors of the
network, detect anomalies in the system and predict future
structural changes through the following steps: (1) The first
step is to automatically learn representative feature that rep-
resents each node in a given graph by leveraging method
proposed in [144]. (2) The second step is to extract features
from each graph. (3) The third step is to discover behav-
ioral roles that represent the common patterns of behaviors
based on extracted features by assigning a probability dis-
tribution to each node in the network. (4) Next step is to
extract these roles according to the network snapshots iter-
atively. (5) Finally, a predictive model which depicts these
time-varying behaviors is learned. Therefore, abnormal behav-
ior can be found from unusual structural changes. In a nutshell,
DBMN has four main advantages: (1) User-defined parameters
are not required in this algorithm. (2) By parallel comput-
ing, the features, roles and transition models are learned
individually, improving the scalability of the model. (3) The
behavior representation is interpretable. (4) The model is flex-
ible and applicable to all kinds of networks which change
over time.
In order to validate the DBMM, real-world datasets and
synthetic datasets were both applied to the model. Nine
real-world datasets were respectively Twitter “who-follows-
whom” network dataset, Twitter “reply-to-messages” network
dataset, University emails network dataset, enterprise network
traces, Facebook network dataset [103], Enron Inc. email
communications network dataset [104], Oregon RouteViews
project Internet dataset [93], Internet movie database and MIT
mobile-phone communications network dataset. Besides, the
synthetic data was generated in the form of graphs that were
probabilistically constructed with four main patterns: “cen-
ter of a star”, “edge of a star”, “bridge nodes” (connecting
stars/cliques), and “clique nodes”. Based on the above real-
world and synthetic datasets, the performance of predicting
future behavior of nodes was evaluated in two ways: (1) using
loss function to compare the predicted behavioral snapshot
to true behavioral snapshot; (2) using predicted behavioral
snapshot to predict the role of each node in the network,
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
and then evaluating the predictions by using Area Under
the ROC curve (AUC). The result showed that the model
could outperform the sensible baseline models with few
exceptions. When using the synthetic dataset to validate the
model, the accuracy in detecting anomalous behavior could
achieve 88.5%.
3) Discovering Security Events on a Specific Event
Category: Twitter, as a popular social media platform, con-
tains rich and timely information including the events hap-
pening in the world. Abundant information from social media
not only facilitates people’s life but also boosts the economy.
However, information overload has become more and more
common as ever-increasing amounts of information spread
online. When it comes to security events, most users prefer
to get a simple indicator (e.g., breaking news) or prediction
of a specific attack rather than receiving a great number of
aimless security-related information. For the security analysts,
the enormous amount of messages spread in social media are
hard to monitor and analyze.
Faced with the overload security-related social media
information, Ritter et al. [33] proposed an approach to discover
cybersecurity-related events by using a weakly supervised
method. This approach is the beginning work to discover and
look into security-related incidents from social media. The
approach automatically extracts and defines the new security
event category based on the raw Twitter stream by given a
handful of historical seed event samples.
The architecture of the approach consists of two modules:
extracting event candidates from Twitter, and training a clas-
sifier with positive seed and unlabeled event candidate data
to determine whether the event candidate can describe a new
instance of the event category.
Three traditional security event categories were studied in
this work as a proof-of-concept, namely, Denial of Service
(DoS) attacks, account hijacking and data breach. The his-
torical seed event was symbolised by the entity involved in
the event, as well as the event date. The number of seeds
for each category of events as mentioned above is respec-
tively 15 (e.g., (Spamhaus, 2013/03/18)), 10 (e.g., (associated
press, 2013/04/23)) and 11 (e.g., (citi, 2011/06/09)). The unla-
beled event candidates were collected from January 17, 2014,
until February 20 by tracking user-provided keywords asso-
ciated with the event type. In their experiment, keywords
were respectively DDoS, hacked and breach for DoS attacks,
account hijacking and data breaches. Candidate events match-
ing keywords associated with the event type were gathered by
using Twitter API. Finally, there were 570 candidate DDoS
attacks events, 4,014 extracted candidate account hijacking
events, and 1,728 data breach events being gathered during
the data collection process.
For feature engineering, two collections of binary features
were considered for identifying event type. The first feature
set defined the entity by extracting the contextual words and
parts of speech nearby the entity. The second set consisted
of contextual features around the tracked keyword. In total,
there were 3,790 features for DDoS attacks, 52,995 features
for account hijacking and 11,271 features for data breach being
extracted.
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1765
Due to the fact that not all of the event candidate will fit
the event category, the classifier was designed to determine
which event candidate fits the event category and remove dis-
tractors. For example, some event candidates only present a
general knowledge of an event category or promote a prod-
uct, which should be filtered out. In traditional information
extraction, the approach is to require substantial annotation
effort to create a comprehensive event triggers and arguments
corpus by security experts. According to the annotations, a
supervised machine learning classifier was set up to extract
new event instances. In this paper, the authors customized the
learning problem by using positive and unlabeled examples
and proposed a new strategy that regularized the label distribu-
tion over unlabeled samples in the direction of a user-specified
expectation of label distribution for the keyword.
To evaluate the performance of the model, the authors
manually sampled candidate events for each event cate-
gory and compared the model’s prediction results against
expert judgments. Furthermore, the confirmation of a discov-
ered event was also validated and confirmed by measuring
computer network traffic. The precision and recall curves
of the model were presented and observed compared with
three baselines (including heuristically labeling negative exam-
ples [145], one-class SVMs [146] and semi-supervised EM). It
was demonstrated that the approach dramatically outperforms,
compared with the other two novel and competitive base-
lines. Aggregating multiple sources of social media to discover
security events should be considered as a future direction.
We put the description of datasets mentioned in this Section
in corresponding Table III to Table IV.
IV. C HALLENGES AND F UTURE D IRECTIONS
In the preceding section, we have surveyed the state-of-the-
art systems/schemes of predicting and discovering cybersecu-
rity incidents. Nevertheless, the progress is still in the infant
stage, and many critical issues might have been overlooked for
simplicity. In the following, we discuss crucial research chal-
lenges that need to be addressed and propose future directions
for researchers who are interested in this area, in line with the
research methodology described in Section II.
A. Cybersecurity Incident Analysis
The first step of predicting and discovering cybersecurity
incident is to analyze cybersecurity incident from the different
point of view as illustrated in Section II. The security model
is set up based on observations from cyber incident analysis.
From Table IX, we find that most of the work analyzed cyber
incidents in different perspectives, except [25] which proposed
a model to detect anomalies in extensive network data instead
of targeting a specific cyber incident.
To thoroughly analyze a cybersecurity incident, some ana-
lysts attempted to find information that reflects cybersecurity
incident from the side. In [30], the researchers found few of the
mobile apps reviews may relate to security and privacy issues
when trying to utilize reviews from Google Play to discover
potentially malicious apps. Also, some researchers [31]–[33]
1766 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019

TABLE IX
A S UMMARY OF R EVIEWED PAPERS ON M ODEL M ETHODOLOGY

made an attempt to get indirect evidence on cybersecurity inci-
dents from Twitter, however, they found that only a small
subset of Twitter users discuss vulnerability exploits [32]
and security incidents [31], [33]. Although these kinds of
information are valuable, relevant information is hard to
extract with high quality and sufficient number, which chal-
lenges to infer security incident related characteristics. Hence,
expanding the way of thinking rather than focusing on a sin-
gle angle can be helpful to analyze a security incident. As
a complementary solution, Howard and Longstaff’s security
incident taxonomy provides us a future direction to com-
prehensively analyze an incident. Specifically, as shown in
Figure 3, an incident can be analyzed through observation by
seven viewpoints, including types of attackers, exploit tools,
vulnerabilities that have been exploited, attackers’ actions,
targets, unauthorized results of incident and objectives of
attackers step by step [147], [148]. Also, the taxonomy gives
some tips for collecting data related to cyber incidents.
B. Security Problem Modeling
It is worth mentioning that the ultimate objective of
cybersecurity incident prediction and discovery is to protect
organizations, governments, business operators, even end users
from incident instead of generating an ambiguous prediction
result. If the result of prediction or discovery is unable to act
upon for a security unaware operator, there seems to be little
point in the forecast.
Although the existing work has defined and modeled
prediction/discovery problems, in accordance with different
kinds of incidents, as summarized in Table II, there is still
a long way to make the problem refined, as well as mak-
ing it possible to improve cyber resilience defined as “the
ability to continuously deliver the intended outcome despite
adverse cyber events” [149]. For example, translating risk pro-
files into actionable security recommendations is a direction
for future work [10], [18]. Also, by obtaining information
on the monetary impact of each incident type, the prediction
can provide more economically-informed recommendations.
Recent work has shown that developing new technical solu-
tions may be less efficient than giving social or finan-
cial incentives for improving overall security [150], [151].
It is shown that proper incentives to encourage man-
agement that one may reduce incident is worthwhile to
study.

Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
Fig. 3. Howard and Longstaff’s security incident taxonomy.
C. Data Collection and Processing
Predicting and discovering cybersecurity incident is a data-
driven problem. Forecasting future incident with high accuracy
rises with the assumption that the dataset is representative,
authentic and comprehensive. Hence, how to guarantee that the
collected data satisfying the above three criteria is a challenge.
Firstly, the representative data refers to the samples with no
biases and are typical of the incident to which they belong can
be described. Whether the results of the model can generalize
for incidents that were not reported, depends on how represen-
tative their incident samples are, as stated in [18]. Specifically,
Sarabi et al. [18] clarified that self-reporting incidents exter-
nally detected by a third party usually have high biases. In
the reviewed work, the researchers attempted to employ dif-
ferent ways to collect vast amounts of data. However, the
representativeness of data may not be promised. For instance,
in [27], the researchers cannot find representative real-world
programs containing the sorts of security checks required by
their study. To resolve this problem, they designed a C program
generator which produced a large number of programs with
various license checking algorithms. Nonetheless, compared
with real-world data, synthetic programs seem to be question-
able when facing with the new and existing obfuscation and
deobfuscation techniques.
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1767
Secondly, the comprehensive data indicates that the dataset
includes everything needed or relevant. In the existing
work [9], [18], when dealing with the problem that forecasts
whether an organization meets data breach incident in future,
both of the authors leverage VERIS community database [17]
to collect previous incident records. Actually, the reports from
the VERIS community database mainly focus on U.S. inci-
dents. A possible solution is to utilize more comprehensive
sources of data breaches (e.g., Hackmageddon [60], Web
Hacking Incidents Database [61] and incidents reports from
Australia Cyber Security Centre [152]) and aggregate together
by the granularity of organization. Another case is in [24].
Facing many symptoms that reflect poor management, the
authors attempt to comprehensively describe all manners in
which a network could be mismanaged. Combining eight mis-
configured symptoms into one mismanagement metric and
aggregating these symptoms at autonomous system level might
be a solution to capture mismanagement characteristics as
comprehensive as possible.
Thirdly, the authentic data represents the data that needs
to be reliable and accurate. That is to say, the quality
of groundtruth determines the performance of prediction.
Filtering and validating samples by using multiple criteria
might be able to confirm the authenticity of data to a certain
1768
degree. For example, benign websites are validated by five rep-
utation blacklists in [7], which must have never been issued in
any blacklist. Moreover, Kong et al. [30] adopt crowdsourc-
ing approach to pay more credits to trustworthy users, which
proposes a solution to distinguish and sort out more reliable
samples.
D. Feature Engineering/Representation Learning
The performance of machine learning algorithm heavily
depends on the choice of features or data representation. On
this account, lots of efforts are directed towards data prepro-
cessing and transformations that can lead to a representation of
data to support efficient machine learning. From Table IX, it is
shown that most of the work adopted feature engineering relies
on human ingenuity to extract discriminative features from
data, which is essential but requires domain-specific expert
knowledge, human resources and wealth. Sometimes, critical
underlying factors hidden behind the data are even overlooked
by the human. Representation learning is highly desirable and
has achieved remarkable success both in academia and in
industry, including speech recognition and signal processing,
object recognition, natural language processing, and transfer
learning. Bengio et al. [48] summarized the recent work in
representation learning, providing multiple solutions for gen-
erating a good representation. Using representation learning
that identifies and disentangles the underlying explanatory fac-
tors hidden in the observed data, significant advances could
be made to cybersecurity incident prediction and discovery. If
successful, tremendous breakthroughs are possible.
E. Model Customization
When dealing with security incident related problems, the
existing DM/ML algorithms and models, and NLP tools are
seemed hard to use without customization, let alone achieving
satisfied performance directly.
When it comes to DM/ML algorithms and models, except
that few work customizes the model according to the research
problem, features, and outcome as shown in Table IX, most of
the work directly uses machine learning model as a black-box
by running packages in Python or R.
The challenge is also pretty apparent when processing
security-related text. On the one hand, it is known that NLP is
highly domain-specific. Those NLP systems designed for one
domain hardly work with high quality on the other domains.
On the other hand, the cybersecurity-related vocabularies (e.g.,
online underground black keywords [28] and IOCs [29]) are
rapidly evolving and significantly different from the commonly
used vocabularies.
In a nutshell, customizing model according to the project
requirement and designing domain-specific NLP tools are pos-
sible to be a stepping stone to achieve higher performance
cybersecurity incident prediction and discovery approach.
F. Evaluation
The output of prediction should be a fact about future. No
one can give the right answers until the day really comes.
Similarly, the outcome of discovery is supposed to be a
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019
previously unknown issue. Due to lack of knowledge of the
future and significant amount of new findings, challenges
are risen from how to evaluate the results of prediction and
discovery properly.
In respect to verifying prediction result, the alternative
approach for waiting for the arrival of future is to use past
data to simulate a prediction done in the past. That is, past
data is applied to the training phase to set up prediction model,
and data at present is used to validate prediction result. This
approach is commonly adopted in the existing cybersecurity
incident prediction work [7], [9], [18], [32].
For the discovery of problem, the results of discovery
are supposed to be a previously unknown issue. Performing
manual check on the results of discovery seems to be unre-
alistic and time-consuming. Hence, the solution is to sample
discovered results and then validate manually. For example,
in [28], after finding new black keywords, the authors sampled
1,000 keywords randomly and manually validated by querying
forums, chat groups and search engines to determine their real
meanings.
After performing the above processes, the traditional eval-
uation metrics can be applied to evaluate the designed model.
Table IX addresses the evaluation metrics used in the reviewed
work. It can be found that most of the work presently applied
simple evaluation metrics to evaluate the model. There is still
a lot of space for further research in this step. For example,
while most of the models can achieve high accuracy on sam-
ple data, the models’ usability needs to be carefully evaluated.
Besides, with the passing of time and the development of tech-
nology, whether the performance of the models remains stable
worths investigation. Furthermore, to achieve the ultimate goal
that enhances the cyber resilience for governments, enterprises
and individual users, time, speed, deployment requirements,
and other considerations are also required to assess.
V. C ONCLUSION
In this survey, we presented an overview and research
outlook of the emerging field that is cybersecurity incident
prediction. Firstly, we summarized the research methodol-
ogy on critical phases of predicting cybersecurity incident,
which is an incremental circular process composed of cyber-
security incident analysis, security problem modeling, data
collection and processing, feature engineering/representation
learning, model customization and evaluation. Based on the
research methodology, a thorough literature review is con-
ducted on recent research efforts on schemes and methods
of cybersecurity incident prediction. Furthermore, since data
is an essential and indispensable element, which drives secu-
rity problems, determines representation methods, and sup-
ports model setup, we categorized all of the reviewed work
into six data types. They are respectively the organization’s
report and dataset, network dataset, synthetic dataset, webpage
data, social media data, and mixed-type dataset. References
and crucial information of each dataset are organized and
made public. Finally, conforming to research methodology,
many challenges existing in the infant stage research area
were addressed, as well as future directions were elaborated.
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
Hopefully, cybersecurity incident prediction can raise concern
among academia and industry. Also, the survey can help to
characterize the latency and serve as a useful reference and
valuable guideline for further research.
ACKNOWLEDGMENT
The authors wish to acknowledge the anonymous review-
ers for their valuable comments and special thanks to
Xiaoxing Mo (Deakin University) for helping to prepare this
manuscripts.
R EFERENCES
[1] Australia Cyber Security Centre. Australia Cyber Security Centre
Threat Report 2017. Accessed: Apr. 2, 2018. [Online]. Available:
https://www.acsc.gov.au/publications/ACSC_Threat_Report_2017.pdf
[2] M. A. Kuypers, T. Maillart, and E. Pate-Cornell, An Empirical
Analysis of Cyber Security Incidents at a Large Organization,
Dept. Manag. Sci. Eng., Stanford Univ., Stanford, CA, USA,
and School Inf., Univ. California at Berkeley, Berkeley, CA,
USA, 2016. Accessed: Jul. 30, 2016. [Online]. Available:
http://fsi.stanford.edu/sites/default/files/kuypersweis_v7.pdf
[3] C. Blackwell, “A security ontology for incident analysis,” in Proc. 6th
Annu. Workshop Cyber Security Inf. Intell. Res., 2010, p. 46.
[4] Australian Cyber Security Centre. Australian Cyber Security
Centre Survey 2016. Accessed: Apr. 2, 2018. [Online].
Available: https://www.acsc.gov.au/publications/ACSC_Cyber_Security
_Survey_2016.pdf
[5] Cisco. Cisco 2018 Annual Cybersecurity Report. Accessed: Apr. 2,
2018. [Online]. Available: https://www.cisco.com/ c/dam/m/digital/elq-
cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc
000160&oid=anrsc005679&ecid=8196&elqTrackId=686210143d3449
4fa27ff73da9690a5b&elqaid=9452&elqat=2
[6] J. Li, X. Huang, J. Li, X. Chen, and Y. Xiang, “Securely outsourc-
ing attribute-based encryption with checkability,” IEEE Trans. Parallel
Distrib. Syst., vol. 25, no. 8, pp. 2201–2210, Aug. 2014.
[7] K. Soska and N. Christin, “Automatically detecting vulnerable websites
before they turn malicious,” in Proc. USENIX Security Symp., 2014,
pp. 625–640.
[8] K. Borgolte, C. Kruegel, and G. Vigna, “Delta: Automatic identification
of unknown Web-based infection campaigns,” in Proc. ACM SIGSAC
Conf. Comput. Commun. Security, 2013, pp. 109–120.
[9] Y. Liu et al., “Cloudy with a chance of breach: Forecasting cyber secu-
rity incidents,” in Proc. USENIX Security Symp., 2015, pp. 1009–1024.
[10] Y. Liu, M. Dong, K. Ota, and A. Liu, “ActiveTrust: Secure and trustable
routing in wireless sensor networks,” IEEE Trans. Inf. Forensics
Security, vol. 11, no. 9, pp. 2013–2027, Sep. 2016.
[11] Chronicle. Accessed: Sep. 13, 2018. [Online]. Available:
https://chronicle.security/
[12] BizCover: Compare Small Business Insurance Quotes
Australia. Accessed: Sep. 13, 2018. [Online]. Available:
https://www.bizcover.com.au
[13] J. Jang-Jaccard and S. Nepal, “A survey of emerging threats in
cybersecurity,” J. Comput. Syst. Sci., vol. 80, no. 5, pp. 973–993, 2014.
[14] L. Liu, O. De Vel, Q.-L. Han, J. Zhang, and Y. Xiang, “Detecting and
preventing cyber insider threats: A survey,” IEEE Commun. Surveys
Tuts., vol. 20, no. 2, pp. 1397–1417, 2nd Quart., 2018.
[15] A. L. Buczak and E. Guven, “A survey of data mining and
machine learning methods for cyber security intrusion detection,” IEEE
Commun. Surveys Tuts., vol. 18, no. 2, pp. 1153–1176, 2nd Quart.,
2016.
[16] Y. Kodratoff, “Knowledge discovery in texts: A definition, and appli-
cations,” in Proc. Int. Symp. Methodol. Intell. Syst., 1999, pp. 16–29.
[17] VERIS. VERIS Community Database (VCDB). Accessed:
Sep. 13, 2018. [Online]. Available: http://veriscommunity.net/
index.html
[18] A. Sarabi, P. Naghizadeh, Y. Liu, and M. Liu, “Prioritizing security
spending: A quantitative analysis of risk distributions for different busi-
ness profiles,” in Proc. Workshop Econ. Inf. Security (WEIS), 2015,
pp. 1–12.
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1769
[19] B. J. Kwon, J. Mondal, J. Jang, L. Bilge, and T. Dumitras, “The dropper
effect: Insights into malware distribution with downloader graph ana-
lytics,” in Proc. 22nd ACM SIGSAC Conf. Comput. Commun. Security,
2015, pp. 1118–1129.
[20] M. Rhode, P. Burnap, and K. Jones, “Early-stage malware prediction
using recurrent neural networks,” Comput. Security, vol. 77,
pp. 578–594, Aug. 2018.
[21] X. Pan, X. Wang, Y. Duan, X. Wang, and H. Yin, “Dark hazard:
Learning-based, large-scale discovery of hidden sensitive operations
in Android apps,” in Proc. Symp. Netw. Distrib. Syst. Security (NDSS),
2017, pp. 1–15.
[22] G. Lin et al., “Cross-project transfer representation learning for vul-
nerable function discovery,” IEEE Trans. Ind. Informat., vol. 14, no. 7,
pp. 3289–3297, Jul. 2018.
[23] L. Bilge, Y. Han, and M. Dell’Amico, “RiskTeller: Predicting the risk
of cyber incidents,” in Proc. ACM SIGSAC Conf. Comput. Commun.
Security, 2017, pp. 1299–1311.
[24] J. Zhang, Z. Durumeric, M. Bailey, M. Liu, and M. Karir, “On the
mismanagement and maliciousness of networks,” in Proc. Symp. Netw.
Distrib. Syst. Security (NDSS), 2014, pp. 1–12.
[25] R. A. Rossi, B. Gallagher, J. Neville, and K. Henderson, “Modeling
dynamic behavior in large evolving graphs,” in Proc. 6th ACM Int.
Conf. Web Search Data Min., 2013, pp. 667–676.
[26] J. Zhang, X. Chen, Y. Xiang, W. Zhou, and J. Wu, “Robust
network traffic classification,” IEEE/ACM Trans. Netw., vol. 23, no. 4,
pp. 1257–1270, Aug. 2015.
[27] S. Banescu, C. Collberg, and A. Pretschner, “Predicting the resilience
of obfuscated code against symbolic execution attacks via machine
learning,” in Proc. 26th USENIX Security Symp., 2017, pp. 661–678.
[28] H. Yang et al., “How to learn Klingon without a dictionary: Detection
and measurement of black keywords used by the underground econ-
omy,” in Proc. IEEE Symp. Security Privacy (SP), 2017, pp. 751–769.
[29] X. Liao et al., “Acing the IOC game: Toward automatic discovery
and analysis of open-source cyber threat intelligence,” in Proc. ACM
SIGSAC Conf. Comput. Commun. Security, 2016, pp. 755–766.
[30] D. Kong, L. Cen, and H. Jin, “AUTOREB: Automatically under-
standing the review-to-behavior fidelity in Android applications,” in
Proc. 22nd ACM SIGSAC Conf. Comput. Commun. Security, 2015,
pp. 530–541.
[31] R. P. Khandpur et al., “Crowdsourcing cybersecurity: Cyber attack
detection using social media,” in Proc. ACM Conf. Inf. Knowl. Manag.,
2017, pp. 1049–1057.
[32] C. Sabottke, O. Suciu, and T. Dumitraş, “Vulnerability disclosure in
the age of social media: Exploiting Twitter for predicting real-world
exploits,” in Proc. USENIX Security Symp., 2015, pp. 1041–1056.
[33] A. Ritter, E. Wright, W. Casey, and T. Mitchell, “Weakly supervised
extraction of computer security events from Twitter,” in Proc. 24th Int.
Conf. World Wide Web, 2015, pp. 896–905.
[34] CD Team. Cert/cc. Computer Security Incident Response Team
Frequently Asked Questions. Accessed: Apr. 3, 2018. [Online].
Available: https://resources.sei.cmu.edu/asset_files/WhitePaper/2017_
019_001_485654.pdf
[35] AusCERT Team. Auscert Is a Leading Cyber Emergency Response
Team (CERT) in Australia and the Asia/Pacific Region. Accessed:
Apr. 3, 2018. [Online]. Available: http://www.auscert.org.au/
[36] TS Institute. Computer Security Incident Handling Step-by-Step.
Accessed: Apr. 3, 2018. [Online]. Available: https://www.sans.org/
reading-room/whitepapers/incident/incident-handlers-handbook-33901
[37] Department of the Navy. Computer Incident Response
Guidebook. Accessed: Apr. 3, 2018. [Online]. Available:
http://www.csirt.org/publications/navy.htm
[38] G. Killcrece, K.-P. Kossakowski, R. Ruefle, and M. Zajicek,
“State of the practice of computer security incident response
teams (CSIRTs),” CSIRT Develop. Team, Waldorf, MD, USA,
Rep. CMU/SEI-2003-TR-001, 2003.
[39] I. David and S. Karl, Computer Crime: A Crime Fighter’s Handbook.
Sebastopol, CA, USA: O’Reilly Assoc., 1995.
[40] T. Grance, K. Kent, and B. Kim, “Computer security incident handling
guide,” document SP 800-61, NIST, Gaithersburg, MD, USA, 2004.
[41] W. R. Cheswick, S. M. Bellovin, and A. D. Rubin, Firewalls and
Internet Security: Repelling the Wily Hacker. Boston, MA, USA:
Addison-Wesley, 2003.
[42] W. Stallings, Network and Internetwork Security: Principles and
Practice, vol. 1. Englewood Cliffs, NJ, USA: Prentice-Hall, 1995.
[43] F. B. Cohen and F. B. Cohen, Protection and Security on the
Information Superhighway. New York, NY, USA: Wiley, 1995.
1770 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019
[44] J. Li, Y. Zhang, X. Chen, and Y. Xiang, “Secure attribute-based
data sharing for resource-limited users in cloud computing,” Comput.
Security, vol. 72, pp. 1–12, Jan. 2018.
[45] S. J. Russell and P. Norvig, Artificial Intelligence: A Modern Approach.
Kuala Lumpur, Malaysia: Pearson Edu. Ltd., 2016.
[46] National Vulnerability Database. Accessed: Sep. 13, 2018. [Online].
Available: https://nvd.nist.gov/vuln
[47] 2018 Verizon Annual Data Breach Investigations Report. Accessed:
Sep. 13, 2018. [Online]. Available: https://www.verizonenterprise.com/
verizon-insights-lab/dbir/
[48] Y. Bengio, A. Courville, and P. Vincent, “Representation learning: A
review and new perspectives,” IEEE Trans. Pattern Anal. Mach. Intell.,
vol. 35, no. 8, pp. 1798–1828, Aug. 2013.
[49] A. Ng. (2013). Machine Learning and AI Via Brain
Simulations. Accessed: May 3, 2018. [Online]. Available:
http://ai.stanford.edu/Ëoeang/slides/DeepLearning-Mar2013.pptx
[50] J. Mairal, J. Ponce, G. Sapiro, A. Zisserman, and F. R. Bach,
“Supervised dictionary learning,” in Proc. Adv. Neural Inf. Process.
Syst., 2009, pp. 1033–1040.
[51] S. Wold, K. Esbensen, and P. Geladi, “Principal component analysis,”
Chemometrics Intell. Lab. Syst., vol. 2, nos. 1–3, pp. 37–52, 1987.
[52] S. Tokui, K. Oono, S. Hido, and J. Clayton, “Chainer: A next-
generation open source framework for deep learning,” in Proc.
Workshop Mach. Learn. Syst. (LearningSys) 29th Annu. Conf. Neural
Inf. Process. Syst. (NIPS), vol. 5, 2015, pp. 1–6.
[53] M. M. Najafabadi et al., “Deep learning applications and challenges
in big data analytics,” J. Big Data, vol. 2, no. 1, p. 1, 2015.
[54] B. Feng, Q. Fu, M. Dong, D. Guo, and Q. Li, “Multistage and elastic
spam detection in mobile social networks through deep learning,” IEEE
Netw., vol. 32, no. 4, pp. 15–21, Jul./Aug. 2018.
[55] H. Li, K. Ota, and M. Dong, “Learning IoT in edge: Deep learning
for the Internet of Things with edge computing,” IEEE Netw., vol. 32,
no. 1, pp. 96–101, Jan./Feb. 2018.
[56] L. Li, K. Ota, and M. Dong, “When weather matters: IoT-based elec-
trical load forecasting for smart grid,” IEEE Commun. Mag., vol. 55,
no. 10, pp. 46–51, Oct. 2017.
[57] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and
E. Vázquez, “Anomaly-based network intrusion detection: Techniques,
systems and challenges,” Comput. Security, vol. 28, nos. 1–2,
pp. 18–28, 2009.
[58] S. Axelsson, “The base-rate fallacy and its implications for the dif-
ficulty of intrusion detection,” in Proc. 6th ACM Conf. Comput.
Commun. Security, 1999, pp. 1–7.
[59] Administration for Children and Families. (2015). United
States Department of Health and Human Services, Information
Memorandum. Accessed: May 3, 2018. [Online]. Available:
https://www.acf.hhs.gov/sites/default/files/cb/im1504.pdf
[60] Oregon Route Views Project. Accessed: Sep. 13, 2018. [Online].
Available: http://www. routeviews.org/
[61] VERIS. T.W.A.S. Web-Hacking-Incident-Database. Accessed:
Sep. 13, 2018. [Online]. Available: http://projects.webappsec.org/
w/page/13246995/Web-Hacking-Incident-Database
[62] Composite Blocking List. Accessed: Sep. 13, 2018. [Online]. Available:
http://cbl.abuseat.org/
[63] The SPAMHAUS Project: SBL, XBL, PBL, ZEN Lists. Accessed:
Sep. 13, 2018. [Online]. Available: http://www.spamhaus.org/
[64] SpamCop Blocking List. Accessed: Sep. 13, 2018. [Online]. Available:
http://www.spamcop.net/
[65] WPBL: Weighted Private Block List. Accessed: Sep. 13, 2018. [Online].
Available: http://wpbl.info/
[66] UCEPROTECTOR Network. Accessed: Sep. 13, 2018. [Online].
Available: http://uceprotect.net/
[67] SURBL: URL Reputation Data. Accessed: Sep. 13, 2018. [Online].
Available: http://www.surbl.org/
[68] PhishTank. Accessed: Sep. 13, 2018. [Online]. Available:
http://www.PhishTank.com/
[69] hpHosts for Your Pretection. Accessed: Sep. 13, 2018. [Online].
Available: http://hosts-file.net/
[70] DShield. Accessed: Sep. 13, 2018. [Online]. Available:
http://www.dshield.org/
[71] OpenBL. Accessed: Sep. 13, 2018. [Online]. Available:
http://www.openbl.org/
[72] B. Prince. Top Data Breaches of 2014. Accessed: May 3, 2018.
[Online]. Available: www.securityweek.com/top-data-breaches-2014
[73] T.S. Institute. CSANS Institute Critical Security Controls. Accessed:
Aug. 20, 2018. [Online]. Available: https://www.sans.org/critical-
security-controls
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
[74] PandaLabs. (2015). Cybercrime Reaches New Heights in the
Third Quarter. Accessed: May 3, 2018. [Online]. Available:
https://www.pandasecurity.com/mediacenter/pandalabs/pandalabs-q3/
[75] (Dec. 2014). Exploits Database by Offensive Security. [Online].
Available: https:http://exploit-db.com/
[76] Microsoft Exploitability Index. Accessed: Dec. 15, 2018. [Online].
Available: https://www.microsoft.com/en-us/msrc/exploitability-index
[77] T. Dumitras and D. Shou, “Toward a standard benchmark for computer
security research: The worldwide intelligence network environment
(WINE),” in Proc. 1st Workshop Build. Anal. Datasets Gathering Exp.
Returns Security, 2011, pp. 89–96.
[78] B. Quintero et al. (2004). Virustotal. [Online]. Available:
https://virustotal.com/
[79] (2017). Softonic. [Online]. Available: https://en.softonic.com/
[80] (2017). Portableapps. [Online]. Available: https://portableapps.com/
[81] (2017). Sourceforge. [Online]. Available: https://sourceforge.net/
[82] C. Guarnieri, A. Tanasi, J. Bremer, and M. Schloesser. (2012).
The Cuckoo Sandbox. Accessed: Dec. 16, 2018. [Online]. Available:
https://media.readthedocs.org/pdf/cuckoo/latest/cuckoo.pdf
[83] Psutil Python Library, PS Found., Mumbai, India, 2017.
[84] Virustotal-Free Online Virus, Malware and URL Scanner. Accessed:
Sep. 13, 2018. [Online]. Available: https://www.virustotal.com
[85] I. Chowdhury and M. Zulkernine, “Using complexity, coupling, and
cohesion metrics as early indicators of vulnerabilities,” J. Syst. Archit.,
vol. 57, no. 3, pp. 294–313, 2011.
[86] F. Yamaguchi, C. Wressnegger, H. Gascon, and K. Rieck, “Chucky:
Exposing missing checks in source code for vulnerability discov-
ery,” in Proc. ACM SIGSAC Conf. Comput. Commun. Security, 2013,
pp. 499–510.
[87] S. Hochreiter and J. Schmidhuber, “Long short-term memory,” Neural
Comput., vol. 9, no. 8, pp. 1735–1780, 1997.
[88] T. Mikolov, K. Chen, G. Corrado, and J. Dean, “Efficient estimation
of word representations in vector space,” in Proc. Int. Conf. Learn.
Represent. (ICLR), 2013, pp. 313–317.
[89] R. R. Larson, “Introduction to information retrieval,” J. Amer. Soc. Inf.
Sci. Technol., vol. 61, no. 4, pp. 852–853, 2010.
[90] Open Resolver Project. Accessed: Sep. 13, 2018. [Online]. Available:
http://openresolverproject.org/
[91] Verisign. Inc. Accessed: Sep. 13, 2018. [Online]. Available:
www.verisigninc.com
[92] Alexa Web Information Service. Accessed: Sep. 13, 2018. [Online].
Available: http://aws.amazon.com/awis
[93] University of Oregon RouteViews Project. Accessed: Sep. 13, 2018.
[Online]. Available: http://www.routeviews.org/
[94] Spoofer Project. Accessed: Sep. 13, 2018. [Online]. Available:
http://spoofer.cmand.org/index.php
[95] Z. Durumeric, E. Wustrow, and J. A. Halderman, “Zmap: Fast Internet-
wide scanning and its security applications,” in Proc. USENIX Security
Symp., vol. 8, 2013, pp. 605–620.
[96] Barracuda Reputation Blocklist. Accessed: Sep. 13, 2018. [Online].
Available: http://www.barracudacentral.org/
[97] CBL: Composite Blocking List. Accessed: Sep. 13, 2018. [Online].
Available: http://cbl.abuseat.org/
[98] The SPAMHAUS Project: SBL, XBL, PBL, ZEN Lists. Accessed:
Sep. 13, 2018. [Online]. Available: http://www.spamhaus.org/
[99] SpamCop Blocking List. Accessed: Sep. 13, 2018. [Online]. Available:
http://www.spamhaus.org/
[100] WPBL: Weighted Private Block List. Accessed: Sep. 13, 2018. [Online].
Available: http://www.wpbl.info/
[101] UCEPROTECTOR Network. Accessed: Sep. 13, 2018. [Online].
Available: http://www.uceprotect.net/
[102] SURBL: URL REPUTATION DATA. Accessed: Sep. 13, 2018. [Online].
Available: http://www.surbl.org/
[103] B. Viswanath, A. Mislove, M. Cha, and K. P. Gummadi, “On the evo-
lution of user interaction in Facebook,” in Proc. 2nd ACM Workshop
Online Soc. Netw., 2009, pp. 37–42.
[104] Enron Email Dataset. Accessed: Sep. 28, 2018. [Online]. Available:
http://www.cs.cmu.edu/ enron/
[105] Hackers Focus on Misconfigured Networks. Accessed: May 3,
2018. [Online]. Available: http://forums.cnet.com/7726-6132102-
3366976.html
[106] D. Barr, “Common DNS operational and configuration errors,” Internet
Eng. Task Force, Fremont, CA, USA, RFC 1912, 1996.
[107] R. Mahajan, D. Wetherall, and T. Anderson, “Understanding BGP
misconfiguration,” in Proc. ACM SIGCOMM Comput. Commun. Rev.,
vol. 32, 2002, pp. 3–16.
SUN et al.: DATA-DRIVEN CYBERSECURITY INCIDENT PREDICTION: SURVEY
[108] P. Spirtes, C. Meek, and T. Richardson, “Causal inference in the
presence of latent variables and selection bias,” in Proc. 11th Conf.
Uncertainty Artif. Intell., 1995, pp. 499–506.
[109] Y. Miao et al., “Automated big traffic analytics for cyber security,”
Comput. Res. Repository, vol. abs/1804.09023, 2018.
[110] J. Zhang et al., “Network traffic classification using correlation
information,” IEEE Trans. Parallel Distrib. Syst., vol. 24, no. 1,
pp. 104–117, Jan. 2013.
[111] L. Breiman, “Random forests,” Mach. Learn., vol. 45, no. 1, pp. 5–32,
2001.
[112] J. Erman, A. Mahanti, M. Arlitt, I. Cohen, and C. Williamson,
“Offline/realtime traffic classification using semi-supervised learning,”
Perform. Eval., vol. 64, nos. 9–12, pp. 1194–1213, 2007.
[113] A. Este, F. Gringoli, and L. Salgarelli, “Support vector machines
for TCP traffic classification,” Comput. Netw., vol. 53, no. 14,
pp. 2476–2490, 2009.
[114] Symantec Research Labs. Accessed: Sep. 28, 2018.
[Online]. Available: https://www.symantec.com/about/corporate-
profile/technology/research-labs
[115] C. Collberg, S. Martin, J. Myers, and J. Nagra, “Distributed application
tamper detection via continuous software updates,” in Proc. 28th Annu.
Comput. Security Appl. Conf., 2012, pp. 319–328.
[116] S. Schrittwieser, S. Katzenbeisser, J. Kinder, G. Merzdovnik, and
E. Weippl, “Protecting software through obfuscation: Can it keep pace
with progress in code analysis?” ACM Comput. Surveys, vol. 49, no. 1,
p. 4, 2016.
[117] C. Collberg, C. Thomborson, and D. Low, “A taxonomy of obfuscat-
ing transformations,” Dept. Comput. Sci., Univ. Auckland, Auckland,
New Zealand, Rep. 148, 1997.
[118] S. Banescu, C. Collberg, V. Ganesh, Z. Newsham, and A. Pretschner,
“Code obfuscation against symbolic execution attacks,” in Proc. 32nd
Annu. Conf. Comput. Security Appl., 2016, pp. 189–200.
[119] C. Cadar, D. Dunbar, and D. R. Engler, “Klee: Unassisted and
automatic generation of high-coverage tests for complex systems pro-
grams,” in Proc. USENIX Symp. Oper. Syst. Design Implement., vol. 8,
2008, pp. 209–224.
[120] Y. Shoshitaishvili, R. Wang, C. Hauser, C. Kruegel, and G. Vigna,
“Firmalice—Automatic detection of authentication bypass vulnerabil-
ities in binary firmware,” in Proc. Symp. Netw. Distrib. Syst. Security
(NDSS), 2015, pp. 1–15.
[121] The R Project for Statistical Computing. Accessed: Sep. 28, 2018.
[Online]. Available: https://www.r-project.org/
[122] N. Leontiadis, T. Moore, and N. Christin, “Measuring and analyzing
search-redirection attacks in the illicit online prescription drug trade,”
in Proc. USENIX Security Symp., vol. 11, 2011, p. 19.
[123] L. Lu, R. Perdisci, and W. Lee, “SURF: Detecting and measur-
ing search poisoning,” in Proc. 18th ACM Conf. Comput. Commun.
Security, 2011, pp. 467–476.
[124] DNS-BH: Malware Domain Blocklist. Accessed: Sep. 28, 2018.
[Online]. Available: http:// www.malwaredomains.com/
[125] Google. Google Safe Browsing API. Accessed: Sep. 28, 2018. [Online].
Available: https://code.google.com/apis/safebrowsing/
[126] MalwareBytes. hpHosts Online. Accessed: Sep. 28, 2018. [Online].
Available: http://www. hosts-file.net/
[127] M. Breunig, H.-P. Kriegel, R. Ng, and J. Sander, “OPTICS-OF:
Identifying local outliers,” in Proc. Principles Data Min. Knowl. Disc.,
1999, pp. 262–270.
[128] Hackmageddon. Accessed: Sep. 28, 2018. [Online]. Available:
https://www.hackmageddon.com
[129] Privacy Rights. Accessed: Sep. 28, 2018. [Online]. Available:
https://www.privacyrights.org/data-breaches
[130] R. McMillan. (2013). Open Threat Intelligence. [Online]. Available:
https://www.gartner.com/doc/2487216/definition-threat-intelligence
[131] (2016). IOCbucket. [Online]. Available: https://www.iocbucket.com/
[132] A Community OpenIOC Resource. Accessed: Sep. 28, 2018. [Online].
Available: https://openiocdb.com/
[133] T. Sakaki, M. Okazaki, and Y. Matsuo, “Earthquake shakes twitter
users: Real-time event detection by social sensors,” in Proc. 19th Int.
Conf. World Wide Web, 2010, pp. 851–860.
[134] A. Signorini, A. M. Segre, and P. M. Polgreen, “The use of Twitter to
track levels of disease activity and public concern in the U.S. during
the influenza A H1N1 pandemic,” Public Library Sci. (PLoS) ONE,
vol. 6, no. 5, 2011, Art. no. e19467.
[135] A. Tumasjan, T. O. Sprenger, P. G. Sandner, and I. M. Welpe,
“Predicting elections with Twitter: What 140 characters reveal about
political sentiment,” in Proc. Int. Conf. Weblogs Soc. Media (ICWSM),
vol. 10, 2010, pp. 178–185.
Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.
1771
[136] R. J. Kate, “A dependency-based word subsequence kernel,” in Proc.
Conf. Empir. Methods Nat. Lang. Process., 2008, pp. 400–409.
[137] B. J. Frey and D. Dueck, “Clustering by passing messages between
data points,” Science, vol. 315, no. 5814, pp. 972–976, 2007.
[138] J. Kleinberg, “Bursty and hierarchical structure in streams,” Data Min.
Knowl. Disc., vol. 7, no. 4, pp. 373–397, 2003.
[139] W. Z. Khan, Y. Xiang, M. Y. Aalsalem, and Q. Arshad, “Mobile phone
sensing systems: A survey,” IEEE Commun. Surveys Tuts., vol. 15,
no. 1, pp. 402–427, 1st Quart., 2013.
[140] J. Xu and W. B. Croft, “Query expansion using local and global
document analysis,” in Proc. 19th Annu. Int. ACM SIGIR Conf. Res.
Develop. Inf. Retrieval, 1996, pp. 4–11.
[141] V. C. Raykar et al., “Learning from crowds,” J. Mach. Learn. Res.,
vol. 11, pp. 1297–1322, Jan. 2010.
[142] Symantec Attack Signatures. Accessed: Sep. 28, 2018.
[Online]. Available: http://www.symantec.com/security_response/
attacksignatures/
[143] B. E. Boser, I. M. Guyon, and V. N. Vapnik, “A training algorithm
for optimal margin classifiers,” in Proc. 5th Annu. Workshop Comput.
Learn. Theory, 1992, pp. 144–152.
[144] K. Henderson et al., “It’s who you know: Graph mining using recursive
structural features,” in Proc. 17th ACM SIGKDD Int. Conf. Knowl.
Disc. Data Min., 2011, pp. 663–671.
[145] M. Mintz, S. Bills, R. Snow, and D. Jurafsky, “Distant supervision
for relation extraction without labeled data,” in Proc. Joint Conf. 47th
Annu. Meeting ACL 4th Int. Joint Conf. Nat. Lang. Process. (AFNLP),
vol. 2, 2009, pp. 1003–1011.
[146] B. Schölkopf, J. C. Platt, J. Shawe-Taylor, A. J. Smola, and
R. C. Williamson, “Estimating the support of a high-dimensional
distribution,” Neural Comput., vol. 13, no. 7, pp. 1443–1471, 2001.
[147] J. D. Howard, “An analysis of security incidents on the Internet
1989–1995,” Ph.D. dissertation, Carnegie Mellon Univ., Pittsburgh, PA,
USA, 1997.
[148] J. D. Howard and T. A. Longstaff, “A common language for computer
security incidents,” Sandia Nat. Lab., Albuquerque, NM, USA, and
Sandia Nat. Lab., Livermore, CA, USA, Rep. SAND98-8667, 1998.
[149] F. Björck, M. Henkel, J. Stirna, and J. Zdravkovic, “Cyber resilience—
Fundamentals for a definition,” in New Contributions in Information
Systems and Technologies. Cham, Switzerland: Springer, 2015,
pp. 311–316.
[150] L. Jiang, V. Anantharam, and J. Walrand, “How bad are selfish invest-
ments in network security?” IEEE/ACM Trans. Netw., vol. 19, no. 2,
pp. 549–560, Apr. 2011.
[151] J. Wu, K. Ota, M. Dong, and C. Li, “A hierarchical security framework
for defending against sophisticated attacks on wireless sensor networks
in smart cities,” IEEE Access, vol. 4, pp. 416–424, 2016.
[152] Australia Cyber Security Centre. Accessed: Sep. 28, 2018. [Online].
Available: https://www.acsc.gov.au/incident.html
Nan Sun received the bachelor’s degree (Hons.)
in information technology from Deakin University,
Geelong, VIC, Australia, in 2016, where she is
currently pursuing the Ph.D. degree. Her current
research interests include cybersecurity and social
network security.
1772 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 21, NO. 2, SECOND QUARTER 2019

Jun Zhang (M’12–SM’18) received the Ph.D. Leo Yu Zhang (S’14–M’17) received the B.S. and
degree in computer science from the University M.S. degrees in computational mathematics from
of Wollongong, Wollongong, Australia, in 2011. Xiangtan University in 2009 and 2012, respectively,
He is an Associate Professor with the School and the Ph.D. degree from the City University of
of Software and Electrical Engineering and the Hong Kong in 2016. He is currently a Lecturer
Deputy Director of Swinburne Cybersecurity Lab, with the School of Information Technology, Deakin
Swinburne University of Technology, Australia. He University, Australia. He held various research posi-
has published over 90 research papers in refer- tions with the City University of Hong Kong, the
eed international journals and conferences, such University of Macau, the University of Ferrara, and
as the IEEE C OMMUNICATIONS S URVEYS AND the University of Bologna. His research interests
T UTORIALS, the IEEE/ACM T RANSACTIONS ON include cloud security, multimedia security, and
N ETWORKING, the IEEE T RANSACTIONS ON I MAGE P ROCESSING, the compressed sensing.
IEEE T RANSACTIONS ON PARALLEL AND D ISTRIBUTED S YSTEMS, the
IEEE T RANSACTIONS ON I NFORMATION F ORENSICS AND S ECURITY, the
ACM Conference on Computer and Communications Security, and the ACM
Asia Conference on Computer and Communications Security. His research
interests include cybersecurity and applied machine learning. He has been
internationally recognized as an Active Researcher in cybersecurity, evidenced
by his chairing (PC Chair, Workshop Chair, or Publicity Chair) of eight inter-
national conferences since 2013, and presenting of invited keynote addresses
in two conferences and an invited lecture in IEEE SMC Victorian Chapter.

Paul Rimba received the Ph.D. degree in soft-

ware engineering from the University of New South
Wales, Australia, in 2016, focused on building high
assurance secure applications using security patterns.
He is a Research Scientist with the Software and
Computational Systems Group of Data61, CSIRO.
He specializes security patterns for capability-based
Yang Xiang (M’07–SM’12) received the Ph.D.
platforms and provides assurances about the spe-
degree in computer science from Deakin University,
cialized patterns through formal verification. His
Australia. He is currently a Full Professor and the
research focuses on empirical and security analysis
Dean of Digital Research and Innovation Capability
of blockchain systems.
Platform, Swinburne University of Technology,
Australia. His research interests include cyber secu-
rity, which covers network and system security, data
analytics, distributed systems, and networking. In
particular, he is currently leading his team devel-
Shang Gao received the Ph.D. degree in computer
oping active defense systems against large-scale dis-
science from Northeastern University, Shenyang,
tributed network attacks. He is the Chief Investigator
China, in 2000. She was a Post-Doctoral Research
of several projects in network and system security, funded by the Australian
Fellow with the University of Technology Sydney
Research Council. He has published over 200 research papers in many interna-
and an Associate Lecturer with Central Queensland
tional journals and conferences. He served as an Associate Editor for the IEEE
University, Australia. She is currently a Lecturer
T RANSACTIONS ON C OMPUTERS, the IEEE T RANSACTIONS ON PARALLEL
with the School of IT, Deakin University, Geelong,
AND D ISTRIBUTED S YSTEMS , and Security and Communication Networks
Australia. Her research interests include networking,
(Wiley), and an Editor for the J OURNAL OF N ETWORK AND C OMPUTER
adaptive learning, big data processing, cyber secu-
A PPLICATIONS. He is the Coordinator (Asia) for IEEE Computer Society
rity, and cloud computing.
Technical Committee on Distributed Processing.

Authorized licensed use limited to: Central Institute of Technology - Kokrajhar. Downloaded on July 12,2022 at 10:01:32 UTC from IEEE Xplore. Restrictions apply.