Abstract
possible vulnerabilities. In this paper we present, and empirically validate, a
novel and more realistic attacker model. The intuition of our model is that an
attacker will optimally choose whether to act and weaponize a new
vulnerability, or keep using existing toolkits if there are enough vulnerable
users. The model predicts that attackers may i) exploit only one vulnerability
per software version, ii) include only vulnerabilities with low attack
complexity, and iii) be slow at introducing new vulnerabilities into their
arsenal. We empirically test these predictions by conducting a natural
experiment on attack data collected against more than one million real systems
from Symantec's WINE platform. Our analysis shows that mass attackers' fixed
costs are indeed significant and that substantial efficiency gains can be made
by individuals and organizations by accounting for this effect.
| Language | English |
|---|---|
| Number of pages | 36 |
| State | Published - Jun 2017 |
| Event | 16th Annual Workshop on the Economics of Information Security (WEIS 2017) - University of California San Diego, San Diego, United States Duration: 26 Jun 2017 → 27 Jun 2017 Conference number: 16 http://weis2017.econinfosec.org |
Conference
| Conference | 16th Annual Workshop on the Economics of Information Security (WEIS 2017) |
|---|---|
| Abbreviated title | WEIS 2017 |
| Country | United States |
| City | San Diego |
| Period | 26/06/17 → 27/06/17 |
| Internet address |
Fingerprint
Bibliographical note
Peer-reviewed version of the SSRN working paperKeywords
- Cyber Security
- Dynamic Programming
- Malware Production
- Risk management
Cite this
}
The work-averse cyber attacker model : theory and evidence from two million attack signatures. / Allodi, L.; Massacci, F.; Williams, J.
2017. Paper presented at 16th Annual Workshop on the Economics of Information Security (WEIS 2017), San Diego, United States.Research output: Contribution to conference › Paper › Academic
TY - CONF
T1 - The work-averse cyber attacker model : theory and evidence from two million attack signatures
AU - Allodi,L.
AU - Massacci,F.
AU - Williams,J.
N1 - Peer-reviewed version of the SSRN working paper
PY - 2017/6
Y1 - 2017/6
N2 - The typical cyber attacker is assumed to be all powerful and to exploit allpossible vulnerabilities. In this paper we present, and empirically validate, anovel and more realistic attacker model. The intuition of our model is that anattacker will optimally choose whether to act and weaponize a newvulnerability, or keep using existing toolkits if there are enough vulnerableusers. The model predicts that attackers may i) exploit only one vulnerabilityper software version, ii) include only vulnerabilities with low attackcomplexity, and iii) be slow at introducing new vulnerabilities into theirarsenal. We empirically test these predictions by conducting a naturalexperiment on attack data collected against more than one million real systemsfrom Symantec's WINE platform. Our analysis shows that mass attackers' fixedcosts are indeed significant and that substantial efficiency gains can be madeby individuals and organizations by accounting for this effect.
AB - The typical cyber attacker is assumed to be all powerful and to exploit allpossible vulnerabilities. In this paper we present, and empirically validate, anovel and more realistic attacker model. The intuition of our model is that anattacker will optimally choose whether to act and weaponize a newvulnerability, or keep using existing toolkits if there are enough vulnerableusers. The model predicts that attackers may i) exploit only one vulnerabilityper software version, ii) include only vulnerabilities with low attackcomplexity, and iii) be slow at introducing new vulnerabilities into theirarsenal. We empirically test these predictions by conducting a naturalexperiment on attack data collected against more than one million real systemsfrom Symantec's WINE platform. Our analysis shows that mass attackers' fixedcosts are indeed significant and that substantial efficiency gains can be madeby individuals and organizations by accounting for this effect.
KW - Cyber Security
KW - Dynamic Programming
KW - Malware Production
KW - Risk management
M3 - Paper
ER -