Abstract
The typical cyber attacker is assumed to be all powerful and to exploit all
possible vulnerabilities. In this paper we present, and empirically validate, a
novel and more realistic attacker model. The intuition of our model is that an
attacker will optimally choose whether to act and weaponize a new
vulnerability, or keep using existing toolkits if there are enough vulnerable
users. The model predicts that attackers may i) exploit only one vulnerability
per software version, ii) include only vulnerabilities with low attack
complexity, and iii) be slow at introducing new vulnerabilities into their
arsenal. We empirically test these predictions by conducting a natural
experiment on attack data collected against more than one million real systems
from Symantec's WINE platform. Our analysis shows that mass attackers' fixed
costs are indeed significant and that substantial efficiency gains can be made
by individuals and organizations by accounting for this effect.
Original language | English |
---|---|
Number of pages | 36 |
Publication status | Published - Jun 2017 |
Event | 16th Annual Workshop on the Economics of Information Security (WEIS 2017) - University of California San Diego, San Diego, United States. Duration: 26 Jun 2017 → 27 Jun 2017. Conference number: 16. http://weis2017.econinfosec.org |
Conference
Conference | 16th Annual Workshop on the Economics of Information Security (WEIS 2017) |
---|---|
Abbreviated title | WEIS 2017 |
Country | United States |
City | San Diego |
Period | 26/06/17 → 27/06/17 |
Internet address |
Bibliographical note
Peer-reviewed version of the SSRN working paper
Keywords
- Cyber Security
- Dynamic Programming
- Malware Production
- Risk management