Forecasting of Information Security Related Incidents: Amount of Spam Messages as a Case Study


IEICE TRANSACTIONS on Communications   Vol.E93-B   No.6   pp.1411-1421
Publication Date: 2010/06/01
Online ISSN: 1745-1345
DOI: 10.1587/transcom.E93.B.1411
Print ISSN: 0916-8516
Type of Manuscript: Special Section PAPER (Special Section on Quality of Communication Networks and Services)
Keywords: information security incidents, forecasting, planning


With the increasing demand for services provided by communication networks, the quality and reliability of such services, as well as the confidentiality of data transfer, are becoming some of the highest concerns. At the same time, because of growing hacker activity, the quality of provided content and the reliability of its continuous delivery strongly depend on the integrity of data transmission and the availability of communication infrastructure, and thus on the information security of a given IT landscape. However, the amount of resources allocated to provide information security (such as security staff, technical countermeasures, etc.) must be reasonable from an economic point of view. This, in turn, leads to the need for a forecasting technique to support IT budget planning and short-term planning for potential bottlenecks. In this paper we present an approach to such forecasting for a wide class of information security related incidents (ISRI): unambiguously detectable ISRI. This approach is based on different autoregression models, which are widely used in financial time series analysis but cannot be directly applied to ISRI time series because of specifics related to information security. We investigate and address these specifics by proposing rules (special conditions) for the collection and storage of ISRI time series, adherence to which improves forecasting in this subject field. We present an application of our approach to one type of unambiguously detectable ISRI: the amount of spam messages, which, if not mitigated properly, could create additional load on communication infrastructure and consume significant amounts of network capacity. Finally, we evaluate our approach by simulation and actual measurement.
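
To illustrate the autoregression-based forecasting the abstract describes, the following is an added example, not code from the paper: it fits an AR(p) model to a daily spam-count series with the Yule-Walker equations (Levinson-Durbin recursion) and forecasts the next days for capacity planning. The estimation method, the function names and the sample counts are assumptions made here; the page does not give the paper's specific models or its collection rules.

```python
# Added example (not from the paper): Yule-Walker AR(p) fit and forecast.
# Constructed sample: daily spam counts for four weeks, with weekend dips.
SPAM_PER_DAY = [
    5200, 5400, 5350, 5500, 5300, 3100, 2900,
    5600, 5750, 5700, 5900, 5650, 3300, 3050,
    5900, 6100, 6000, 6250, 6050, 3500, 3200,
    6300, 6450, 6400, 6600, 6350, 3700, 3400,
]

def autocov(x, max_lag):
    """Return (mean, biased sample autocovariances c[0..max_lag])."""
    n = len(x)
    mean = sum(x) / n
    d = [v - mean for v in x]
    return mean, [sum(d[t] * d[t - k] for t in range(k, n)) / n
                  for k in range(max_lag + 1)]

def levinson_durbin(c, p):
    """Solve the Yule-Walker equations; return (phi[1..p], noise variance)."""
    phi, err = [], c[0]
    for k in range(1, p + 1):
        if err <= 0.0:  # constant series: no variance left to model
            return phi + [0.0] * (p - len(phi)), 0.0
        acc = c[k] - sum(phi[j] * c[k - 1 - j] for j in range(k - 1))
        refl = acc / err  # reflection coefficient for order k
        phi = [phi[j] - refl * phi[k - 2 - j] for j in range(k - 1)] + [refl]
        err *= 1.0 - refl * refl
    return phi, err

def forecast(x, p, horizon):
    """Fit AR(p) to x and return (phi, noise variance, next `horizon` values)."""
    if len(x) <= p:
        raise ValueError("need more observations than the model order")
    mean, c = autocov(x, p)
    phi, err = levinson_durbin(c, p)
    hist = [v - mean for v in x[-p:]]  # mean-centred recent history
    out = []
    for _ in range(horizon):
        nxt = sum(phi[j] * hist[-1 - j] for j in range(p))
        hist.append(nxt)
        out.append(max(0.0, mean + nxt))  # a message count cannot be negative
    return phi, err, out

if __name__ == "__main__":
    coeffs, noise_var, next_week = forecast(SPAM_PER_DAY, p=7, horizon=7)
    print([round(v) for v in next_week], round(noise_var ** 0.5))
```

The square root of the returned noise variance gives a rough one-step error scale, which can be used to size headroom above the point forecast.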