The work-averse cyber attacker model : theory and evidence from two million attack signatures

L. Allodi, F. Massacci, J. Williams

Research output: Contribution to conference › Paper › Academic

Abstract

The typical cyber attacker is assumed to be all powerful and to exploit all
possible vulnerabilities. In this paper we present, and empirically validate, a
novel and more realistic attacker model. The intuition of our model is that an
attacker will optimally choose whether to act and weaponize a new
vulnerability, or keep using existing toolkits if there are enough vulnerable
users. The model predicts that attackers may i) exploit only one vulnerability
per software version, ii) include only vulnerabilities with low attack
complexity, and iii) be slow at introducing new vulnerabilities into their
arsenal. We empirically test these predictions by conducting a natural
experiment on attack data collected against more than one million real systems
from Symantec's WINE platform. Our analysis shows that mass attackers' fixed
costs are indeed significant and that substantial efficiency gains can be made
by individuals and organizations by accounting for this effect.

Conference

Conference: 16th Annual Workshop on the Economics of Information Security (WEIS 2017)
Abbreviated title: WEIS 2017
Country: United States
City: San Diego
Period: 26/06/17 - 27/06/17
Internet address: http://weis2017.econinfosec.org

Bibliographical note

Peer-reviewed version of the SSRN working paper

Keywords

  • Cyber Security
  • Dynamic Programming
  • Malware Production
  • Risk management

Cite this

Allodi, L., Massacci, F., & Williams, J. (2017). The work-averse cyber attacker model : theory and evidence from two million attack signatures. Paper presented at 16th Annual Workshop on the Economics of Information Security (WEIS 2017), San Diego, United States.
Allodi, L.; Massacci, F.; Williams, J. / The work-averse cyber attacker model : theory and evidence from two million attack signatures. Paper presented at 16th Annual Workshop on the Economics of Information Security (WEIS 2017), San Diego, United States. 36 p.