CAPTURE: Cyberattack Forecasting Using Non-Stationary Features with Time Lags
- Ahmet Okutan^a (Author)
- Katie McConky^a (Author)
- Gordon Werner^a (Author)
- ^a Rochester Institute of Technology
Abstract
Forecasting cyberattacks before they occur is an important yet challenging task, as exploring early signs of an attack from a large volume of data is not trivial. This paper describes the design and evaluation of a novel automated system, CAPTURE, which uses a broad range of unconventional signals derived from various open sources to forecast cyberattacks towards a target organization anonymized as CorpX. It includes novel approaches to select relevant and significant, but not redundant, lagged signals and treat the non-stationary relationships between the unconventional signals and the cyberattack occurrences. Using cyber incidents recorded by a third party organization and 146 signals from a variety of sources, this paper demonstrates that CAPTURE performs significantly better than a baseline model with various configurations. Furthermore, CAPTURE offers insights to human analysts on which and how specific lagged signals contributed to the forecasts.
