Statistical models for the number of successful cyber intrusions
2018
We propose several generalized linear models (GLMs) to predict the number of successful cyber intrusions (or “intrusions”) into an organization’s computer network, where the rate at which intrusions occur is a function of the following observable characteristics of the organization: (i) domain name system (DNS) traffic classified by its top-level domains (TLDs); (ii) the number of network security policy violations; and (iii) a set of predictors that we collectively call the “cyber footprint,” which comprises the number of hosts on the organization’s network, the organization’s similarity to educational institution behavior, and its number of records on scholar.google.com. In addition, we evaluate the number of intrusions to determine whether these events follow a Poisson or negative binomial (NB) probability distribution. We reveal that the NB GLM provides the best-fitting model for the observed count data (the number of intrusions per organization), because the NB model allows the variance of the count dat...