Characterizing the Landscape of COVID-19 Themed Cyberattacks and Defenses
Mir Mehedi Ahsan Pritom, Kristin M. Schweitzer, Raymond M. Bateman, Min Xu, Shouhuai Xu
CCharacterizing the Landscape ofCOVID-19 Themed Cyberattacks and Defenses
Mir Mehedi Ahsan Pritom ∗ , Kristin M. Schweitzer † , Raymond M. Bateman † , Min Xu ‡ and Shouhuai Xu ∗∗ Department of Computer Science, University of Texas at San Antonio † U.S. Army Research Laboratory South - Cyber ‡ Mastercard
Abstract —COVID-19 (Coronavirus) hit the global society andeconomy with a big surprise. In particular, work-from-home hasbecome a new norm for employees. Despite the fact that COVID-19 can equally attack innocent people and cyber criminals, itis ironic to see surges in cyberattacks leveraging COVID-19 asa theme, dubbed
COVID-19 themed cyberattacks or COVID-19attacks for short, which represent a new phenomenon that hasyet to be systematically understood. In this paper, we make a firststep towards fully characterizing the landscape of these attacks,including their sophistication via the Cyber Kill Chain model. Wealso explore the solution space of defenses against these attacks.
Index Terms —COVID-19 Cyberattacks, Malicious Websites,Malicious Emails, Malicious Mobil Apps, Malicious Messaging,Misinformation, Cyber Kill Chain, Defense
I. I
NTRODUCTION
The COVID-19 (Cronavirus) pandemic has had a hugeimpact on the global society and economy. It attacks everyone,including both the innocent people and the cyber criminals.Ironically, we have witnessed surges in cyberattacks leveragingCOVID-19 as a theme, dubbed
COVID-19 themed cyberat-tacks or COVID-19 attacks for short. For example, there is a32X increase in the malware and phishing sites from February25, 2020 to March 25, 2020 [1]; Google has been blocking 240million COVID-19 related spam emails and 18 million phish-ing and malware emails daily [2]; there is a 148% increase inransomware attacks in March 2020 over February 2020 [3].The situation is further exacerbated by the new norm of work-from-home because employees’ home computers or devicesare often less protected than their enterprise counterparts.Indeed, a CheckPoint survey [4] shows that 55% of securityprofessionals are concerned with remote access and 47% areconcerned with their employees using shadow IT systems fromtheir home. Until now, COVID-19 attacks have mainly targetedthe finance, healthcare, government, media streaming, retailbusiness, and COVID-19 research sectors. In response, expertshave recommended using multi-factor authentication for crit-ical transactions, virtual private networks for remote access,and regularly patching and updating software as immediatesolutions [5]. However, given that COVID-19 attacks are a newphenomenon that is here to stay, it is important to understandthem thoroughly to pave a way for effective defense.
Our contributions . In this paper, we make a first step towardsunderstanding COVID-19 themed cyberattacks. Specifically,we explore five classes of them, namely malicious websites, malicious emails, malicious mobile apps, malicious messag-ing, and misinformation. In order to characterize these attacks,we map them to the Cyber Kill Chain model [6]. We show thatthey can use multiple attack techniques to achieve multipleattack goals. We find that COVID-19 attackers have beenprofessional rather than opportunistic and have been heavilyemploying social-engineering cyberattacks. We further explorethe solution space of defenses against COVID-19 attacks.Since COVID-19 attacks do have their counterparts that arenot specific to the COVID-19 incidents, our focus is onexploring the COVID-19 specific aspects. To the best ofour knowledge, this is the first systematic characterization ofCOVID-19 attacks and defenses, which can be adapted to copewith any “ X -themed cyberattacks” that may emerge in thefuture, where X can be any kind of social incidents (e.g.,election, natural or man-made disaster). Related work . The problem of COVID-19 attacks has startedto receive attention from the research community. There arestudies on the types of cyberattacks and their trends amidthe COVID-19 pandemic [7]–[9], studies on specific cyber-attacks related to COVID-19 (e.g., mobile malware ecosystem[10], [11], cybercrimes [12], fake news related to COVID-19 [13], and COVID-19 themed cryptocurrency scams [14]).When compared with these studies, we aim at systematicallycharacterizing the landscape of the COVID-19 attacks, includ-ing their sophistication through the the Kill Chain [6] andexploring the space of defenses against these attacks.
Paper outline . Section II characterizes COVID-19 attacks.Section III explores the defense solution space. Section IVconcludes the paper.II. C
HARACTERIZING
COVID-19 A
TTACKS
We characterize 5 classes of COVID-19 attacks: maliciouswebsites, malicious emails, malicious mobile apps, maliciousmessaging, and misinformation. For this purpose, we collectexisting news reports and blogs on relevant cyberattacks, man-ually verify them, and propose mapping them to the LockheedMartin’s Cyber Kill Chain [6], which is a model consisting ofthe following 7 stages. (i)
Reconnaissance , which correspondsto pre-attack plannings, finding vulnerabilities, collecting pos-sible victims, and setting attack goals. (ii)
Weaponization ,which corresponds to setting up attack propagation mediums,injecting malicious contents into the mediums, and setting a r X i v : . [ c s . CR ] F e b p traps to fool the identified victims. (iii) Delivery , whichcorresponds to the attacker’s penetration into a victim’s systemthrough some entry point. (iv)
Exploitation , which correspondsto the wage of actual attacks against a victim’s system. (v)
Installation , which corresponds to the installation of maliciouspayloads on a victim’s system. (vi)
Command-and-Control (C2), which corresponds to the attacker’s use of remote accessto the victims’ systems. (vii)
Objectives , which corresponds tothe accomplishment of the attacker’s pre-determined goal.
A. COVID-19 Themed Malicious Websites
Attackers have abused websites to wage COVID-19 attacksto steal login credentials, sell fake medications related toCOVID-19, and inject malicious payloads into these themedwebsites to distribute malware [7], [8], [15]. We map theseattacks to the Cyber Kill Chain model as follows.(i)
Reconnaissance:
An attacker selects target audience,chooses a COVID-19 related target theme, searches for cheapand unregulated domain registration and web hosting services,and sets attack goals. (ii)
Weaponization:
An attacker registersnew websites with COVID-19 related names. For example,an attacker may register websites with typo-squatting namesto mimic legitimate websites related to COVID-19 (e.g.,CDC, WHO, FDA) [16]; an attacker may register websites toimitate legit Virtual Private Network (VPN) software or remotecommunication software; an attacker may register domains tooffer fake legal services related to COVID-19; an attacker maychange an existing phishing website to accommodate COVID-19 themes; an attacker may register fake media streamingdomains; and an attacker may register fake donation websites.(iii)
Delivery:
An attacker hosts COVID-19 themed mali-cious websites mentioned above. (iv)
Exploitation:
Victimsvisit malicious websites, and then trust the fake forms ordownload malicious payloads to their devices. (v)
Installation:
A victim may provide sensitive information to a maliciouswebsite or intentionally/unintentionally install malware. (vi)
C2:
An attacker remotely controls victims’ infected computers,for example instructing its agents (e.g., malicious websites,downloaded malware) to send the stolen data/credentials tothe attacker. (vii)
Objectives:
An attacker gets sensitive creden-tials, encrypts a victim’s computer, or gets ransom payment.
B. COVID-19 Themed Malicious Emails
Attackers have abused emails to wage COVID-19 attacks tosend phishing, spamming, scamming, malicious attachments,and malicious websites [17]. We map these attacks to theCyber Kill Chain model as follows.(i)
Reconnaissance:
An attacker selects target audience,generates and profiles email lists, selects a target topicfor COVID-19 themed lures, and sets an attack goal. (ii)
Weaponization:
An attacker creates fake typo-squatting emailaddresses imitating legitimate entities (e.g., CEO, Netflixsupport team, medical doctors), writes malicious emails withlegitimate logo (e.g., WHO, hospital logo) and authoritynames, writes emails with COVID-19 related information andoffers, writes emails with malicious attachments [18], [19], writes fake COVID-19 donation scam emails [20], writesemails with fake financial relief payments [15], writes emailswith blackmailing schemes (e.g., threatening languages) [21],writes emails to lure victims to provide personal information orpay fees for false unemployment training and certification [22].(iii)
Delivery:
An attacker sends the aforementioned emailsto the target audience. (iv)
Exploitation:
A victim trusts anemail received from an attacker, clicks its malicious links,opens its attachments, or downloads its malicious contents.(v)
Installation:
A victim replies to the attacker with sensi-tive personal information or installs malicious content on itscomputer either intentionally or unintentionally. (vi)
C2:
Anattacker establishes connections with victim’s devices throughC2 channels, for example, to instruct the compromised com-puters to send back sensitive data. (vii)
Objectives:
An attackerencrypts a victim’s computer, receives ransom payment, orreceives sensitive information.
C. COVID-19 Themed Malicious Mobile Apps
Attackers have abused mobile apps to wage COVID-19attacks to distribute malware and steal information from thevictims [10]. Google and Apple have taken steps during thispandemic to reject publishing of COVID-19 related mobileapps from unauthorized entities [23]. Despite these efforts tosecure reputed app stores, malicious apps could still get pub-lished and remain undetected as many third party app storesdo not have proper reviewing and regulation for publishingapps. Reports showing third-party app stores are eight timesmore likely to contain malicious apps than than Google Playstore [24]. We map the attack of COVID-19 themed maliciousmobile apps to the Cyber Kill Chain model as follows.(i)
Reconnaissance:
An attacker selects target audience(e.g., based on geographical region), selects a COVID-19themed topic/service (e.g., tracing, tracking, maps, VPN, re-mote meeting, COVID-19 guidelines, COVID-19 test infor-mation), finds and selects profitable unregulated app stores,and sets attack goals. (ii)
Weaponization:
An attacker createsfake mobile apps with typo-squatted app names and legitimatelogos to imitate authentic apps, repackages existing COVID-19 themed legitimate apps with malware or ransomware (e.g.,banking Trojan, spyware) to trick users [10]. (iii)
Delivery:
An attacker uploads malicious apps into the unregulated appstores or code repositories, and advertises these mobile appsthrough websites pop-ups. (iv)
Exploitation:
A victim trustsan malicious app and downloads the app. (v)
Installation:
Avictim installs the downloaded malicious app on an mobiledevice. (vi)
C2:
An attacker remotely controls victims’ com-promised mobile devices to send sensitive user data to the C2server. (vii)
Objectives:
An attacker encrypts a victim’s mobiledevice, gets a ransom payment, or steals a victim’s privateinformation (e.g., login credentials, crypto wallet passwords),breaches user privacy (e.g., location).
D. COVID-19 Themed Malicious Messaging
Attackers have abused messaging services to wage COVID-19 attacks (e.g., phishing, malware, spamming, and scamming)29]. COVID-19 has increased the usage of mobile deviceswhich create more incentives for attackers. These attacks aresimilar to malicious email attacks, but are unique in thatmessaging can offer more emotional and persuasive live chats.We map them to the Cyber Kill Chain model as follows.(i)
Reconnaissance:
An attacker selects target audience(e.g., based on demography, geography, severity of COVID-19infections), collects phone and social media contacts, selectstarget platform (e.g., Facebook, WhatsApp, Twitter), chooses aCOVID-19 themed topic (e.g., fake cures, products, services),and sets attack goals. (ii)
Weaponization:
An attacker writespersuasive and emotional messages (e.g., asking for COVID-19 donations) to trick victims, creates fake social media pro-files, and creates social media groups to lure target audience.(iii)
Delivery:
An attacker sends malicious messages, websitelinks, and attachments through messaging to targeted victims,sends scams mentioning fines for leaving home during stay-at-home orders [9], sends fraud messages with free subscriptionlures for media streaming services [7], sends messages tosell low-quality supplies (e.g., masks, gloves, fake cures,and illegal chemical materials) [25], sends COVID-19 relatedlucrative offers (e.g., giveaways, loans, lawyer help, foodstamps, stimulus check updates, news guidelines), and sendscrafted misinformation messages with fake claims and madeup evidence. (iv)
Exploitation:
A victim trusts a receivedmessage and falls victim to it by clicking its malicious links,downloading its malicious contents, and forwarding it to otherusers. (v)
Installation:
A victim intentionally or unintention-ally installs the malicious payload on an messaging device(e.g. Android mobile phone). (vi)
C2:
An attacker establisheschannels (e.g., reply messages, servers connected to a phishingwebpage) to remotely control the compromised messagingdevices, for example, to receive victims’ sensitive information.(vii)
Objectives:
An attacker gets victims’ sensitive informa-tion or makes lateral movements in victims’ networks.
E. COVID-19 Themed Misinformation
Attackers have waged COVID-19 attacks to spread mis-information, which includes false or inaccurate information(e.g., hoaxes, rumors, or propaganda [26]). Examples include:“COVID-19 is invented in a Chinese lab [27]”; “5G is spread-ing COVID-19 [28]”, “Black are immune to COVID-19 [29]”,“ X can cure COVID-19” where X can be a drug or fooditems (i.e., Ginger) [30], or “Wearing a mask causes you toinhale too much carbon dioxide, which can make you sick” or“Wearing a mask can result in getting pneumonia” [31]. Socialmedia and messaging platforms further increase the impactof such misinformation. The term Infodemic has even beencoined because of this [32]. We map the COVID-19 themedmisinformation attack to the Cyber Kill Chain as follows.(i)
Reconnaissance:
An attacker analyzes the characteristicsof targeted audience (e.g., ethnicity, demography or national-ity), identifies vulnerable divisions in society, selects themedtopics, and sets attack goals. (ii)
Weaponization:
An attackerwrites fake COVID-19 themed statements and mix them withfalse evidence and out-of-context truths, creates fake groups in social networking platforms, creates themed memes, createsbots in social media (e.g., Twitter) to propagate misinfor-mation, and infiltrates into social media groups containingtargeted ethnic audience. (iii)
Delivery:
An attacker postsand shares COVID-19 related misinformation (e.g., narratives,memes, images, and hashtags through social media groupsand messaging apps) and publishes fake news on paid onlinenews/tabloids, and/or keeps posting to a larger audience withbots to amplify the impact. (iv)
Exploitation:
A victims(e.g., social media user) reads and forwards misinformationmessages. (v)
Installation:
A victims gets to believe themisinformation which goes viral. (vi)
C2:
An attacker maygenerate fake real-life incidents/experience posts on socialmedia related to COVID-19. (vii)
Objectives:
An attackersucceeds when bringing more division, mistrust, health crisis,and chaos in society, and possibly earns money from the crisis.
F. Systematizing COVID-19 Themed Cyberattacks
We systematize COVID-19 attacks by mapping them to theirattack techniques and attack goals, and by contrasting theirCyber Kill Chain models.
1) Mapping Attacks, Techniques and Goals:
Figure 1 de-picts the mapping between the COVID-19 attacks, the attacktechniques they use, and their attack goals. We observe thatone attack may use multiple attack techniques. For example,a COVID-19 themed malicious website attack may use arange of attack techniques, including phishing, malware, ran-somware, vaccine scams, donation scams, masks scams, test-ing scams, and VPN scams. Moreover, a COVID-19 themedmalicious website attack may have multiple goals. On theother hand, one goal can be achieved by using various kindsof attack techniques, which may be waged through multipleclasses of attacks. This means that when an attacker attemptto achieve an attack goal, the attacker can choose attacks andattack techniques in a cost-effective, if not optimal, fashion.For example, each attack may incur some cost or risk (e.g.,the cost for using phishing via COVID-19 themed maliciouswebsites and COVID-19 themed malicious emails may bedifferent), and may have different success probabilities (e.g.,phishing via COVID-19 themed malicious websites may bemore or less successful than phishing via COVID-19 themedmalicious emails). This would allow an intelligent attacker towage the cost-effective or event optimal attack. A systematicframework for achieving this type of attacker decision-makingis beyond the scope of the present paper.
Insight 1:
A COVID-19 attack may use multiple attacktechniques to achieve multiple attack goals, and an attackgoal may be achieved by using multiple attack techniquesthat can correspond to multiple attacks. This flexibility allowsthe attacker to choose cost-effective, if not optimal, attacks inorder to achieve a certain attack goal.
2) Systematizing Attacks via Their Cyber Kill Chains:
Figure 2 depicts the Cyber Kill Chain mappings of theaforementioned 5 classes of COVID-19 attacks, which arerepresented by different colors. We observe that in each stageof the Cyber Kill Chain, there can be multiple tactics (e.g.,3 alicious WebsitesMalicious EmailsMalicious Mobile AppsMalicious MessagesMisinformation PhishingMalware RansomwareVaccine ScamsFake Cure ScamsDonation ScamsMask Scams Steal CredentialsSteal Banking InfoGet Ransom/Money Exfiltrate DataLateral MovementEncrypt Data/DeviceBring Division/Chaos Identity TheftVPN ScamsBreach of PrivacyCOVID-19 Themed Cyberattacks GoalsTechniquesMedical Equipment ScamsCOVID Testing ScamsFalse Transmission
Fig. 1. Systematizing COVID-19 attacks (red), attack techniques (blue), and attack goals (green)
Victim shares with other neutral users Attacker resells stolen credentials on dark webAttacker gets ransomAttacker reuses credential for identity theftAttacker cracks personal informationExfiltrate dataAttacker encrypts victim data/networkAttacker gets control of victim machine remotelyVictim Installs malicious payloadsVictim trusts malicious contentsVictim downloads malicious payloadsVictim visits malicious links/websitesCollect malicious payloads from dark webSet end goalsChoose COVID-19 theme topicSelect target audience
Distribute with various communication channels
Reconnaissance Weaponization Delivery Exploitation Installation ObjectiveC&C (C2)
Register COVID themed mimic websites
Host malicious website with unregulated registrars
Find unregulated Registrars Inject fake forms in websitesInject malicious payloads in websites Victim submits sensitive information, paymemntsGenerate Email list for target audience
Create spoofing and masquerading email addressCreate malicious attachments by injecting malicious payloads
Create fake new/mimic apps
Malicious Website Malicious Email Malicious Mobile apps Malicious Messages Misinformation
Find unregulated App storesCollect social media target profiles/mobile contacts Create fake social identity/profilesCreate false statements and mix with truthsCreate social media bots Send persuasive and tempting textsInject malicious links/attachmentsUpload malicious apps in app storesSend pop-ups on malicious apps in 3rd-party websitesShare fake social media posts, tabloids Victim replies with sensitive informationVictim forms biases and strongly believe the misinformation Victim installs malicious apps without looking into app permissions Attacker generates fake real-life incidentsLegend Attacker brings more division and mistrust in society
Fig. 2. Systematizing the Cyber Kill Chains for COVID-19 themed cyberattacks, which are coded in colors (see Legend). exploitation stage almost always leverages victims’mistrust in social engineering, which highlights that humanfactor remains to be a critical vulnerability in COVID-19attacks, which reinforces the importance of seeking effectivedefenses against such attacks [33].
Insight 2:
COVID-19 attacks can be very sophisticated,rather than only opportunistic, which means that effectivedefense must be designed on a deeper understanding aboutthe attack tactics that can be used in each stage of the attack(i.e., knowing the attacker better).III. E
XPLORING THE D EFENSE S PACE
The preceding characterization of COVID-19 attacks guidesus to explore defense strategies against them, with an emphasison what-to-leverage when designing defense systems. Theinvestigation of these proposed approaches is beyond the scopeof the present paper. This is because each approach needs tobe investigated separately, with corresponding experiments.
A. COVID-19 Malicious Websites Defense
We propose four approaches to defending against COVID-19 themed malicious websites. The first approach is to lever-age various website contents pertinent to COVID-19. Whatis unique to content-based detection of COVID-19 themedmalicious websites is the COVID-19 related features, such asthe presence or absence of keywords in website names (e.g., coronavirus , COVID-19 , masks , n95 , and test ). The secondapproach is to leverage website environment, including URLs’information. For example, typo-squatting URLs or mimickingfake websites can be detected by analyzing URLs informationand website screenshots. The third approach is to leveragewebsites’ age information. Since COVID-19 themed maliciouswebsites would be created after the outbreak of the COVID-19 pandemic, hinting that the lifetime of many such websiteswould be short. The fourth approach is to leverage effectivetraining to make users more skeptical about website contents. B. COVID-19 Malicious Emails Defense
We propose three approaches to defending against COVID-19 themed malicious emails. The first approach is to filteremails by searching COVID-19 themed keywords in theirsubject lines and contents. Examples of such keywords in-clude:
COVID-19 cures , COVID-19 guidelines , and
COVID-19 offers . The second approach is to verify the sender emailaddress to detect email masquerading [34]. The third approachis to leverage email content, for example by analyzing theirattachments, links and texts.
C. COVID-19 Malicious Mobile Apps Defense
We propose four approaches to defending against COVID-19 themed malicious apps. The first approach is to leveragecomputer vision to proactively examine newly published app’slogos, especially when they are similar to, if not exactly thesame as, the logos of some popular legitimate apps. Thesecond approach is to analyze the content of apps to detectthe malicious ones (e.g., repackaged apps). For this purpose,static analysis, dynamic analysis, and their combinations maybe utilized. The third approach is to examine the string editdistance of app names with respect to some popular ones. Thefourth approach is to train users to improve their awarenessof malicious apps according to some best practices in usingmobile apps securely [35].
D. COVID-19 Malicious Messaging Defense
We propose three approaches to defending against COVID-19 themed malicious messaging. The first approach is toleverage message content to check if a message containssuspicious content (e.g., the presence of URLs, emoticons,special characters, and COVID-19 themed keywords). The sec-ond approach is to detect persuasive messages waging socialengineering cyberattacks. This may be achieved by analyzingtexts and leveraging human factors and psychological means[33]. The third approach is to train users to improve theirawareness of COVID-19 themed malicious messages.
E. COVID-19 Misinformation Defense
We propose four approaches to defending against COVID-19 themed misinformation attacks. The first approach is touse fact-checking to detect fake news (or social media posts),perhaps using similar news reports from credible sources andAI or machine learning techniques. The second approach isto use central repositories to host COVID-19 related informa-tion and resources (e.g., Facebook’s COVID-19 InformationCenter). The third approach is to train and educate users toimprove their skills and capabilities in recognizing fake misin-formation. The fourth approach is to leverage crowdsourcing,namely encouraging or incentivizing users to report COVID-19 suspicious misinformation posts and links.IV. C
ONCLUSION
We have explored the landscape of COVID-19 themedcyberattacks and defenses. We discussed 5 classes of attacksand mapped them to the Cyber Kill Chain model. We ex-plored defense strategies against these attacks. Although thestudy is geared towards COVID-19 themed cyberattacks, theexploration and landscape can be adapted to future X -themedcyberattacks exploiting future events (e.g., election, naturalor man-made disasters). It is also interesting to rigorouslymodel these attack-defense interactions in the CybersecurityDynamics framework [36]–[39]. Acknowledgement . We thank the reviewers for their usefulcomments. This work was supported in part by ARO Grant
Leading Issues in Information Warfare &Security Research
Eubios Journal of Asian andInternational Bioethics , vol. 30, no. 4, pp. 161–165, 2020.[9] B. Collier, S. Horgan, R. Jones, and L. A. Shepherd, “The implicationsof the covid-19 pandemic for cybercrime policing in scotland: a rapidreview of the evidence and future considerations,” 2020.[10] R. He, H. Wang, P. Xia, L.-L. Wang, Y. Li, L. Wu, Y. Zhou, X. Luo,Y. Guo, and G. Xu, “Beyond the virus: A first look at coronavirus-themed mobile malware,”
ArXiv , vol. abs/2005.14619, 2020.[11] H. S. Lallie, L. A. Shepherd, J. R. C. Nurse, A. Erola, G. Epiphaniou,C. Maple, and X. Bellekens, “Cyber security in the age of covid-19:A timeline and analysis of cyber-crime and cyber-attacks during thepandemic,” 2020.[12] R. Naidoo, “A multi-level influence model of covid-19 themed cyber-crime,”
European Journal of Information Systems , pp. 1–16, 2020.[13] K. Grado˜n, “Crime in the time of the plague: Fake news pandemic andthe challenges to law-enforcement and intelligence community,”
SocietyRegister
Frontiers in Psychology , 2020.[34] S. Baki, R. Verma, A. Mukherjee, and O. Gnawali, “Scaling andeffectiveness of email masquerade attacks: Exploiting natural languagegeneration,” in
Proc. ACM AsiaCCS
Proc. HotSoS’14 , 2014, pp. 14:1–14:2.[37] J. Mireles, E. Ficke, J. Cho, P. Hurley, and S. Xu, “Metrics towardsmeasuring cyber agility,”
IEEE T-IFS , vol. 14, no. 12, pp. 3217–3232,2019.[38] Y. Chen, Z. Huang, S. Xu, and Y. Lai, “Spatiotemporal patterns andpredictability of cyberattacks,”
PLoS One , vol. 10, no. 5, p. e0124472,05 2015.[39] M. Xu, K. M. Schweitzer, R. M. Bateman, and S. Xu, “Modeling andpredicting cyber hacking breaches,”
IEEE T-IFS , vol. 13, no. 11, pp.2856–2871, 2018., vol. 13, no. 11, pp.2856–2871, 2018.