Abstract: One variation of a method for predicting and characterizing cyber attacks includes: receiving, from a sensor implementing deep packet inspection to detect anomalous behaviors on the network, a first signal specifying a first anomalous behavior of a first asset on the network at a first time; representing the first signal in a first vector representing frequencies of anomalous behaviors—in a set of behavior types—of the first asset within a first time window; calculating a first malicious score representing proximity of the first vector to malicious vectors defining sets of behaviors representative of security threats; calculating a first benign score representing proximity of the first vector to a benign vector representing an innocuous set of behaviors; and in response to the first malicious score exceeding the first benign score and a malicious threshold score, issuing a first alert to investigate the network for a security threat.
Type: Grant
Filed: June 20, 2017
Date of Patent: August 6, 2019
Assignee: JASK Labs Inc.
Inventors: Gregory Martin, Thomas Piscitell, III, David Matslofva, Brian Waskiewicz, Scott Woods
Abstract: One variation of a method for detecting a cyber attack includes: recording representations of network events occurring on a network over a period of time to a network accounting log; writing metadata values of network events in the accounting log to a compressed log file; in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a set of metadata values of a threat element defined in the new threat intelligence; in response to detecting the set of metadata values of the threat element in the compressed log file, querying the network accounting log for a set of threat elements defined in the new threat intelligence; and in response to detecting the set of threat elements in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.
Type: Grant
Filed: June 20, 2017
Date of Patent: July 30, 2019
Assignee: JASK Labs Inc.
Inventors: Gregory Martin, Thomas Piscitell, III, David Matslofva