**Elena Doynikova 1,\*, Evgenia Novikova 1,2 and Igor Kotenko <sup>1</sup>**


Received: 18 February 2020; Accepted: 16 March 2020; Published: 23 March 2020

**Abstract:** Early detection of the security incidents and correct forecasting of the attack development is the basis for the efficient and timely response to cyber threats. The development of the attack depends on future steps available to the attackers, their goals, and their motivation—that is, the attacker "profile" that defines the malefactor behaviour in the system. Usually, the "attacker profile" is a set of attacker's attributes—both inner such as motives and skills, and external such as existing financial support and tools used. The definition of the attacker's profile allows determining the type of the malefactor and the complexity of the countermeasures, and may significantly simplify the attacker attribution process when investigating security incidents. The goal of the paper is to analyze existing techniques of the attacker's behaviour, the attacker' profile specifications, and their application for the forecasting of the attack future steps. The implemented analysis allowed outlining the main advantages and limitations of the approaches to attack forecasting and attacker's profile constructing, existing challenges, and prospects in the area. The approach for attack forecasting implementation is suggested that specifies further research steps and is the basis for the development of an attacker behaviour forecasting technique.

**Keywords:** cyber attack; attacker; attacker profile; attacker behaviour; metrics; features; attributes; intelligent data analysis; attack forecasting; comparative review
