
Predictive methods in cyber defense: Current experience and research challenges

Article (published on ScienceDirect)

Authors: Pavol Sokol, Martin Husák, Václav Bartoš, Andrej Gajdoš

Abstract

Predictive analysis allows next-generation cyber defense that is more proactive than current approaches based on intrusion detection. In this paper, we discuss various aspects of predictive methods in cyber defense and illustrate them on three examples of recent approaches. The first approach uses data mining to extract frequent attack scenarios and uses them to project ongoing cyberattacks. The second approach uses a dynamic network entity reputation score to predict malicious actors. The third approach uses time series analysis to forecast attack rates in the network. This paper presents a unique evaluation of the three distinct methods in a common environment of an intrusion detection alert sharing platform, which allows for a comparison of the approaches and illustrates the capabilities of predictive analysis for current and future research and cybersecurity operations. Our experiments show that all three methods achieved a sufficient technology readiness level for experimental deployment in an operational setting with promising accuracy and usability. Both the prediction and projection methods, despite their differences, are highly usable for predictive blacklisting; the first provides a more detailed output, and the second is more extensible. Network security situation forecasting is lightweight and displays very high accuracy, but does not provide details on predicted events.

Introduction

Cybersecurity is a continuously evolving field of research that is experiencing frequent shifts in approaches and paradigms. The cybersecurity community has acknowledged that cyber threats cannot be fully eliminated and, thus, research and development focus on prevention and on lowering the impact of security incidents. However, most of the existing approaches are, in essence, reactive. The topics of intrusion detection and incident response were studied intensively in recent years with solid results. Still, they only react to events that have already happened [1]. There is a tendency to move towards more proactive approaches [2] that would allow us to prevent or mitigate security incidents before they do any harm. The way for this is paved by cyber threat intelligence [3], cyber situational awareness [4], collaboration and information sharing [5], and other promising directions of research and development.
Methods of predictive analytics are a promising research direction in cybersecurity that would allow for a more proactive approach to security operations [2]. Predictions may serve as an early warning so that the defenders may learn about the threats in advance, set up proper countermeasures, and preemptively mitigate or completely prevent security incidents [6]. Numerous methods and approaches have been proposed in previous work, with widely varying goals and results [1]. The network-wide security situation, such as an increase or decrease of attacks, might be forecasted [7], particular incidents can be predicted by various means [8], and even while an attack is taking place, it is possible to predict the next actions the adversary is going to undertake [4].
Nevertheless, due to the complexity of the continuously changing cyber environment, there are still many challenges that need to be addressed, and many of them are rooted deeply in the foundations of this research direction. It is challenging even to define what is being predicted and how to use the predictions. Making predictions from past data is a common approach, which, however, does not reflect the novel forms of attacks and zero-day exploits that appear on a daily basis. Forecasting the increase or decrease in the number of attacks typically does not say much about the actors behind those attacks; projecting the next move of an adversary does not say much about the threat landscape [1]. Thus, we find it important to establish common ground on which we may compare and analyze different approaches and methods, so as to learn the strong and weak aspects of each. Further, there are huge differences between experimental works and field studies due to the numerous problems of the operational environment, such as insufficient or erroneous input data, which result in a significant drop in prediction accuracy. This, together with poor evidence or explanation behind the predictive methods, namely those backed by machine learning, may lead to practitioners' reluctance to use them. Thus, it is also important to continuously evaluate the technology readiness levels of the predictive methods and watch for the challenges related to their operational deployment.
To summarize the problems outlined above, we emphasize the following questions that we aim to answer:

  1. What is the current state of the art of predictive methods in the cybersecurity domain, such as predicting attacks, projecting the next move of an adversary, and forecasting the cybersecurity situation?
  2. What are the commonalities and differences between the methods, and how usable are their outputs with respect to their use cases? For example, can they be used to mitigate an attack effectively or to prepare for an imminent threat?
  3. How effective and efficient are these methods in practice, and what should researchers learn from this?

To answer these questions, we examine selected examples of various predictive methods proposed in recent years. We selected a sample of substantially different methods that share the same or similar input data. Thus, we illustrate what outputs various methods can produce. Subsequently, we evaluate the outputs of the selected methods in terms of usability. We are especially interested in features such as the success rate of predictions, the timing of predictions, and the level of detail, which are crucial to the practical usability of the methods. For example, a highly usable predictive method would predict a type of event and its actors, such as the IP addresses of attacker and victim, with high accuracy, while leaving enough time for the incident response capabilities to react. We also investigate methods of predictive blacklisting, which utilize recent research work while being highly convenient to practitioners.
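As an added illustration of the usability features named above (success rate, timing and level of detail), and not code from the paper or its authors, the following Python routine scores a predictive blacklist against the alerts observed after it was issued: which listed addresses actually attacked within the evaluation horizon, which attackers were missed, and how much lead time the defender had. The alert line format, the addresses (documentation ranges) and the timestamps are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed blacklist: attacker IPs a predictive method flagged at ISSUED_AT.
ISSUED_AT = datetime.fromisoformat("2024-01-01T00:00:00")
BLACKLIST = {"203.0.113.5", "203.0.113.9", "198.51.100.7", "198.51.100.2"}

# Constructed alert feed received after the prediction: "<ISO timestamp> <source IP> <category>".
ALERT_LOG = """\
2024-01-01T00:30:00 198.51.100.2 ssh-bruteforce
2024-01-01T02:00:00 203.0.113.5 port-scan
2024-01-01T05:00:00 192.0.2.77 ssh-bruteforce
2024-01-01T06:00:00 203.0.113.5 ssh-bruteforce
2024-01-02T06:00:00 203.0.113.9 port-scan
"""

def first_attack_times(alert_log, start, horizon):
    """Map each attacking IP to its first alert within (start, start + horizon]."""
    first_seen = {}
    for line in alert_log.splitlines():
        ts, ip, _category = line.split()
        seen_at = datetime.fromisoformat(ts)
        if start < seen_at <= start + horizon:
            if ip not in first_seen or seen_at < first_seen[ip]:
                first_seen[ip] = seen_at
    return first_seen

def evaluate_blacklist(blacklist, alert_log, issued_at, horizon):
    """Score a blacklist issued at issued_at against alerts seen during the horizon.

    precision = listed IPs that attacked / listed IPs (success rate of the list),
    recall    = attackers that were listed / all attackers (coverage of the list),
    mean_lead_s = average seconds between issuing the list and the first attack
                  from a correctly listed IP (time left for incident response).
    """
    attackers = first_attack_times(alert_log, issued_at, horizon)
    hits = blacklist & set(attackers)
    leads = [(attackers[ip] - issued_at).total_seconds() for ip in hits]
    return {
        "hits": len(hits),
        "false_positives": len(blacklist - hits),        # listed, never attacked
        "missed_attackers": len(set(attackers) - hits),  # attacked, not listed
        "precision": len(hits) / len(blacklist) if blacklist else 0.0,
        "recall": len(hits) / len(attackers) if attackers else 0.0,
        "mean_lead_s": sum(leads) / len(leads) if leads else 0.0,
    }

def evaluate_sample():
    """Run the evaluation on the constructed data with a 24-hour horizon."""
    return evaluate_blacklist(BLACKLIST, ALERT_LOG, ISSUED_AT, timedelta(hours=24))

if __name__ == "__main__":
    print(evaluate_sample())
```

On the constructed feed, the alert from 203.0.113.9 falls outside the 24-hour horizon, so that entry counts as a false positive even though the address eventually attacks; shortening or lengthening the horizon is exactly the timing trade-off the paper's evaluation has to settle.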
This paper is structured into eight sections. After the introduction, we present the background and related work, structured by the use cases for predictive methods in cybersecurity, in Section 2. Subsequently, we delve into three examples of current approaches to using predictions in cyber defense. Section 3 briefly describes the environment for which the approaches were designed and in which they were evaluated. Section 4 presents an approach to attack projection based on extracting and matching frequent scenarios. Section 5 presents an approach to attack prediction based on a dynamic network entity reputation and scoring system. Section 6 presents an approach to forecasting based on the analysis of time series of security events. A summary of each approach is provided at the end of the corresponding section. The final comparison and discussion are presented in Section 7. Finally, Section 8 concludes the paper and discusses the challenges for future research.