The work-averse cyber attacker model : theory and evidence from two million attack signatures

L. Allodi, F. Massacci, J. Williams

Research output: Contribution to conference › Paper › Academic

Abstract

The typical cyber attacker is assumed to be all powerful and to exploit all
possible vulnerabilities. In this paper we present, and empirically validate, a
novel and more realistic attacker model. The intuition of our model is that an
attacker will optimally choose whether to act and weaponize a new
vulnerability, or keep using existing toolkits if there are enough vulnerable
users. The model predicts that attackers may i) exploit only one vulnerability
per software version, ii) include only vulnerabilities with low attack
complexity, and iii) be slow at introducing new vulnerabilities into their
arsenal. We empirically test these predictions by conducting a natural
experiment on attack data collected against more than one million real systems
from Symantec's WINE platform. Our analysis shows that mass attackers' fixed
costs are indeed significant and that substantial efficiency gains can be made
by individuals and organizations by accounting for this effect.

Original language: English
Number of pages: 36
Publication status: Published - Jun 2017
Event: 16th Annual Workshop on the Economics of Information Security (WEIS 2017) - University of California San Diego, San Diego, United States
Duration: 26 Jun 2017 to 27 Jun 2017
Conference number: 16
http://weis2017.econinfosec.org

Conference

Conference: 16th Annual Workshop on the Economics of Information Security (WEIS 2017)
Abbreviated title: WEIS 2017
Country: United States
City: San Diego
Period: 26/06/17 to 27/06/17

Bibliographical note

Peer-reviewed version of the SSRN working paper

Keywords

  • Cyber Security
  • Dynamic Programming
  • Malware Production
  • Risk management
