Table 5.
The validation results of univariate and multivariate approach using B-LSTM to forecast 42 attacks next 36 months.
| Attack | M-SMAPE (univariate) | M-SMAPE (multivariate) | Best features (multivariate) |
|---|---|---|---|
| Adware | 0.35 | 0.29 | ACA |
| Backdoor | 0.10 | 0.03 | ACA |
| Cryptojacking | 0.40 | 0.34 | ACA |
| Data Poisoning | 0.47 | 0.46 | ACA |
| Defacement | 0.36 | 0.06 | ACA |
| DNS Tunneling | 0.48 | 0.42 | ACA |
| Keylogger | 0.17 | 0.14 | ACA |
| Pharming | 0.59 | 0.27 | ACA |
| Trojan | 0.31 | 0.30 | ACA |
| Vulnerability | 0.33 | 0.25 | ACA |
| WannaCry | 0.58 | 0.57 | ACA |
| Wiper | 0.43 | 0.14 | ACA |
| Worms | 0.50 | 0.37 | ACA |
| XSS | 0.47 | 0.17 | ACA |
| Advanced Persistent | 0.84 | 0.32 | PH |
| DNS Spoofing | 0.48 | 0.36 | PH |
| Drive-by | 0.46 | 0.27 | PH |
| Insider Threat | 0.17 | 0.07 | PH |
| Malvertising | 0.38 | 0.25 | PH |
| Session Hijacking | 0.39 | 0.34 | PH |
| URL manipulation | 0.47 | 0.36 | PH |
| Data Breach | 0.27 | 0.24 | NoM |
| Disinformation | 0.45 | 0.36 | NoM |
| Phishing | 0.22 | 0.21 | NoM |
| SQL Injection | 0.53 | 0.06 | NoM |
| Targeted Attack | 0.25 | 0.22 | NoM |
| Password Attack | 0.59 | 0.52 | NoM, ACA, PH |
| Rootkit | 0.19 | 0.15 | NoM, ACA, PH |
| Spyware | 0.63 | 0.48 | NoM, ACA, PH |
| Account Hijacking | 0.09 | 0.49 | ACA |
| Adversarial Attack | 0.37 | 0.63 | NoM, ACA, PH |
| Botnet | 0.03 | 0.17 | PH |
| Brute Force Attack | 0.13 | 0.28 | ACA |
| DDoS | 0.22 | 0.23 | PH |
| Deepfake | 0.17 | 0.52 | PH |
| Dropper | 0.12 | 0.37 | PH |
| IoT device attack | 0.16 | 0.21 | PH |
| Malware | 0.12 | 0.27 | PH |
| MITM | 0.14 | 0.32 | PH |
| Ransomware | 0.26 | 0.53 | NoM |
| Supply chain | 0.15 | 0.33 | PH |
| Zero-day | 0.30 | 0.63 | NoM |
For each attack, the best feature(s) when using the multivariate model are displayed in the last column. NoM stands for the number of attack mentions in the scientific literature. ACA stands for the number of tweets related to armed conflict areas/wars. PH stands for the number of public holidays.