Cyber Baselining: Statistical properties of cyber time series and the search for stability

2019 IEEE High Performance Extreme Computing Conference (HPEC) (2019)

Abstract
Many predictive cyber analytics assume, implicitly or explicitly, that the underlying statistical processes they treat have simple properties. Often statistics predicated on Wiener processes are used, but even if not, assumptions on statistical stationarity, ergodicity, and memorylessness are often present. We present here empirical observations of several common network time series, and demonstrate that these assumptions are false; the series are non-stationary, non-ergodic, and possess complicated correlation structures. We compute several statistical tests, borrowed from other disciplines, for the evaluation of network time series. We discuss the implications of these results on the larger goal of constructing a meaningful cyber baseline of a network or host, intended to establish the bounds of “normal” behavior. For many common network observables used in defensive cyber operations, it may prove to be unrealistic to establish such a baseline, or detect significant deviations from it.
Keywords
Cyber baseline, time series, stationarity, ergodicity, Hurst exponent