The work-averse cyber attacker model : theory and evidence from two million attack signatures

L. Allodi, F. Massacci, J. Williams

Research output: Contribution to conferencePaperAcademic

1038 Downloads (Pure)

Abstract

The typical cyber attacker is assumed to be all powerful and to exploit all
possible vulnerabilities. In this paper we present, and empirically validate, a
novel and more realistic attacker model. The intuition of our model is that an
attacker will optimally choose whether to act and weaponize a new
vulnerability, or keep using existing toolkits if there are enough vulnerable
users. The model predicts that attackers may i) exploit only one vulnerability
per software version, ii) include only vulnerabilities with low attack
complexity, and iii) be slow at introducing new vulnerabilities into their
arsenal. We empirically test these predictions by conducting a natural
experiment on attack data collected against more than one million real systems
from Symantec's WINE platform. Our analysis shows that mass attackers' fixed
costs are indeed significant and that substantial efficiency gains can be made
by individuals and organizations by accounting for this effect.
Original languageEnglish
Number of pages36
Publication statusPublished - Jun 2017
Event16th Annual Workshop on the Economics of Information Security (WEIS 2017) - University of California San Diego, San Diego, United States
Duration: 26 Jun 201727 Jun 2017
Conference number: 16
http://weis2017.econinfosec.org

Conference

Conference16th Annual Workshop on the Economics of Information Security (WEIS 2017)
Abbreviated titleWEIS 2017
CountryUnited States
CitySan Diego
Period26/06/1727/06/17
Internet address

Bibliographical note

Peer-reviewed version of the SSRN working paper

Keywords

  • Cyber Security
  • Dynamic Programming
  • Malware Production
  • Risk management

Cite this

Allodi, L., Massacci, F., & Williams, J. (2017). The work-averse cyber attacker model : theory and evidence from two million attack signatures. Paper presented at 16th Annual Workshop on the Economics of Information Security (WEIS 2017), San Diego, United States.
Allodi, L. ; Massacci, F. ; Williams, J. / The work-averse cyber attacker model : theory and evidence from two million attack signatures. Paper presented at 16th Annual Workshop on the Economics of Information Security (WEIS 2017), San Diego, United States.36 p.
@conference{db37e3ba98c9438990127619a954c7b9,
title = "The work-averse cyber attacker model : theory and evidence from two million attack signatures",
abstract = "The typical cyber attacker is assumed to be all powerful and to exploit allpossible vulnerabilities. In this paper we present, and empirically validate, anovel and more realistic attacker model. The intuition of our model is that anattacker will optimally choose whether to act and weaponize a newvulnerability, or keep using existing toolkits if there are enough vulnerableusers. The model predicts that attackers may i) exploit only one vulnerabilityper software version, ii) include only vulnerabilities with low attackcomplexity, and iii) be slow at introducing new vulnerabilities into theirarsenal. We empirically test these predictions by conducting a naturalexperiment on attack data collected against more than one million real systemsfrom Symantec's WINE platform. Our analysis shows that mass attackers' fixedcosts are indeed significant and that substantial efficiency gains can be madeby individuals and organizations by accounting for this effect.",
keywords = "Cyber Security, Dynamic Programming, Malware Production, Risk management",
author = "L. Allodi and F. Massacci and J. Williams",
note = "Peer-reviewed version of the SSRN working paper; 16th Annual Workshop on the Economics of Information Security (WEIS 2017), WEIS 2017 ; Conference date: 26-06-2017 Through 27-06-2017",
year = "2017",
month = "6",
language = "English",
url = "http://weis2017.econinfosec.org",

}

Allodi, L, Massacci, F & Williams, J 2017, 'The work-averse cyber attacker model : theory and evidence from two million attack signatures' Paper presented at 16th Annual Workshop on the Economics of Information Security (WEIS 2017), San Diego, United States, 26/06/17 - 27/06/17, .

The work-averse cyber attacker model : theory and evidence from two million attack signatures. / Allodi, L.; Massacci, F.; Williams, J.

2017. Paper presented at 16th Annual Workshop on the Economics of Information Security (WEIS 2017), San Diego, United States.

Research output: Contribution to conferencePaperAcademic

TY - CONF

T1 - The work-averse cyber attacker model : theory and evidence from two million attack signatures

AU - Allodi, L.

AU - Massacci, F.

AU - Williams, J.

N1 - Peer-reviewed version of the SSRN working paper

PY - 2017/6

Y1 - 2017/6

N2 - The typical cyber attacker is assumed to be all powerful and to exploit allpossible vulnerabilities. In this paper we present, and empirically validate, anovel and more realistic attacker model. The intuition of our model is that anattacker will optimally choose whether to act and weaponize a newvulnerability, or keep using existing toolkits if there are enough vulnerableusers. The model predicts that attackers may i) exploit only one vulnerabilityper software version, ii) include only vulnerabilities with low attackcomplexity, and iii) be slow at introducing new vulnerabilities into theirarsenal. We empirically test these predictions by conducting a naturalexperiment on attack data collected against more than one million real systemsfrom Symantec's WINE platform. Our analysis shows that mass attackers' fixedcosts are indeed significant and that substantial efficiency gains can be madeby individuals and organizations by accounting for this effect.

AB - The typical cyber attacker is assumed to be all powerful and to exploit allpossible vulnerabilities. In this paper we present, and empirically validate, anovel and more realistic attacker model. The intuition of our model is that anattacker will optimally choose whether to act and weaponize a newvulnerability, or keep using existing toolkits if there are enough vulnerableusers. The model predicts that attackers may i) exploit only one vulnerabilityper software version, ii) include only vulnerabilities with low attackcomplexity, and iii) be slow at introducing new vulnerabilities into theirarsenal. We empirically test these predictions by conducting a naturalexperiment on attack data collected against more than one million real systemsfrom Symantec's WINE platform. Our analysis shows that mass attackers' fixedcosts are indeed significant and that substantial efficiency gains can be madeby individuals and organizations by accounting for this effect.

KW - Cyber Security

KW - Dynamic Programming

KW - Malware Production

KW - Risk management

M3 - Paper

ER -

Allodi L, Massacci F, Williams J. The work-averse cyber attacker model : theory and evidence from two million attack signatures. 2017. Paper presented at 16th Annual Workshop on the Economics of Information Security (WEIS 2017), San Diego, United States.

Access to Document

    Related content

    Research Output

    The work-averse attacker model

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review