
A review of timeseries analysis for cyber security analytics: from intrusion detection to attack prediction

Participating authors from JOANNEUM RESEARCH:
Authors:
Landauer, Max and Skopik, Florian and Stojanović, Branka and Flatscher, Andreas and Ullrich, Torsten
Abstract:
Understanding the current threat landscape as well as timely detection of imminent attacks are primary objectives of cyber security. Through timeseries modeling of security data, such as event logs, alerts, or incidents, analysts take a step towards these goals. On the one hand, extrapolating timeseries to predict future occurrences of attacks and vulnerabilities is able to support decision-making and preparation against threats. On the other hand, detection of model deviations as anomalies can point to suspicious outliers and thereby disclose cyber attacks. However, since the set of available techniques for timeseries analysis is just as diverse as the research domains in the area of cyber security analytics, it can be difficult for analysts to understand which approaches fit the properties of security data at hand. This paper therefore conducts a broad literature review in research domains that leverage timeseries analysis for cyber security analytics, with focus on available techniques, data sets, and challenges imposed by applications or feature properties. The results of our study indicate that relevant approaches range from detective systems ingesting short-term and low-level events to models that produce long-term forecasts of high-level attack cases.
Title:
A review of timeseries analysis for cyber security analytics: from intrusion detection to attack prediction
Publisher:
Springer Science and Business Media LLC

Publication series

Name
International Journal of Information Security
Publisher
Springer Science and Business Media LLC
Number
24
ISSN
1615-5270
