Predictive Analytics for Cyber Threat Intelligence
Project Objectives:
- Cyber threat intelligence is a critical part of enterprise security. Many vendors sell threat-indicator feeds, such as IP intelligence, built from malicious activity observed at sources around the world. However, such threat intelligence is a rear-view-mirror picture of the threat landscape: for example, attackers can easily bypass IP blacklists by moving to new IP addresses.
- This research seeks to predict threat indicators that are likely to be used in future malicious activities. Such threat indicators can be used to detect 0-day infections.
Project Activities:
- Identified threat IP address features
- Developed a prediction model for future malicious IP addresses
- Evaluated the prediction model using GTMalware and VirusTotal
- A daily list of predicted threat IP addresses is available
Evaluation:
- Jan. 2017: 5,000 randomly selected malware reports from GTMalware each day
- Unknown = hash unknown to Kaspersky, McAfee, AVG, Avast, and Symantec on the day
- True positive = hash positively identified by Symantec on 3/25/2017
- Predicted = our prediction was made before the hash was confirmed by one of the AV vendors above
- Average prediction rate = 88%
Low impact on normal business. For Jan. 2017, 4 of the Alexa top 1,000 domains were blocked by our prediction: wordpress.com, yandex.ua, 163.com, wp.com
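An added illustration of the evaluation bookkeeping defined above (the unknown / true positive / predicted rules and the popular-domain impact check), applied to a few constructed records; this is not code from the project. The `Sample` fields, the placeholder hashes and dates, and the choice to treat per-vendor first-detection dates as the "confirmed by" signal are assumptions; the rule that a sample counts as predicted only when our verdict predates the earliest vendor confirmation is our reading of the "Predicted" definition.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

AV_VENDORS = ("Kaspersky", "McAfee", "AVG", "Avast", "Symantec")
CONFIRMING_VENDOR = "Symantec"          # its verdict on 3/25/2017 defines a true positive
CONFIRM_DATE = date(2017, 3, 25)

@dataclass
class Sample:
    """One malware report; field names and values are constructed for this illustration."""
    sha256: str                        # placeholder label, not a real hash
    report_date: date                  # day the report was drawn from the malware feed
    av_first_seen: Dict[str, date]     # vendor -> first day that vendor flagged the hash
    predicted_on: Optional[date]       # day our model flagged the sample's IP, or None

def is_unknown(s: Sample) -> bool:
    """Unknown = none of the listed vendors had flagged the hash on the report day."""
    return all(v not in s.av_first_seen or s.av_first_seen[v] > s.report_date for v in AV_VENDORS)

def is_true_positive(s: Sample) -> bool:
    """True positive = the confirming vendor had flagged the hash by CONFIRM_DATE."""
    seen = s.av_first_seen.get(CONFIRMING_VENDOR)
    return seen is not None and seen <= CONFIRM_DATE

def earliest_confirmation(s: Sample) -> Optional[date]:
    dates = [s.av_first_seen[v] for v in AV_VENDORS if v in s.av_first_seen]
    return min(dates) if dates else None

def is_predicted(s: Sample) -> bool:
    """Predicted = our verdict came strictly before the first vendor confirmation (assumed reading)."""
    conf = earliest_confirmation(s)
    return s.predicted_on is not None and conf is not None and s.predicted_on < conf

def prediction_rate(samples: List[Sample]) -> float:
    """Share of unknown-then-confirmed samples that we flagged ahead of the vendors."""
    tps = [s for s in samples if is_unknown(s) and is_true_positive(s)]
    return sum(is_predicted(s) for s in tps) / len(tps) if tps else 0.0

def allowlisted_hits(predicted: List[str], popular: List[str]) -> List[str]:
    """Business-impact check: predicted indicators that collide with a popular-domain list."""
    return sorted(set(predicted) & set(popular))

D = date  # constructed records: A is predicted early, B too late, C not unknown, D confirmed after 3/25
SAMPLES = [
    Sample("hash-A", D(2017, 1, 5), {"Kaspersky": D(2017, 2, 1), "Symantec": D(2017, 2, 10)}, D(2017, 1, 6)),
    Sample("hash-B", D(2017, 1, 5), {"Symantec": D(2017, 3, 1)}, D(2017, 3, 5)),
    Sample("hash-C", D(2017, 1, 5), {"Avast": D(2017, 1, 2), "Symantec": D(2017, 1, 10)}, D(2017, 1, 1)),
    Sample("hash-D", D(2017, 1, 5), {"Symantec": D(2017, 4, 1)}, D(2017, 1, 7)),
]
```

Only samples A and B enter the denominator (unknown on the report day and confirmed by 3/25), and only A is flagged before any vendor, so the constructed set yields a 50% prediction rate.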