Luca Allodi
The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures
Allodi, Luca; Massacci, Fabio; Williams, Julian
Abstract
A common presumption is that the typical cyber attacker is assumed to exploit all possible vulnerabilities with almost equal likelihood. That is, the probability of an attack on a given vulnerability is at maximum entropy, one cannot importance sample which vulnerability will be exploited first, hence decision making is purely a function of criticality. In this paper we present, and empirically validate, a novel and more realistic attacker model. The intuition of our model is that a mass attacker will optimally choose whether to act and weaponize a new vulnerability, or keep using existing toolkits if there are enough vulnerable users. The model predicts that mass attackers may i) exploit only one vulnerability per software version, ii) include only vulnerabilities with low attack complexity, and iii) be slow at introducing new vulnerabilities into their arsenal. We empirically test these predictions by analysing data collected on attacks against more than one million real systems by Symantec's WINE platform. Our analysis shows that mass attackers' fixed costs are indeed significant. Significant efficiency gains can be made by individuals and organizations by accounting for this effect.
Citation
Allodi, L., Massacci, F., & Williams, J. The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures
| Field | Value |
|---|---|
| Working Paper Type | Working Paper |
| Publication Date | Jun 27, 2017 |
| Deposit Date | Feb 5, 2021 |
| Publicly Available Date | Feb 8, 2021 |
| Public URL | https://durham-repository.worktribe.com/output/1167746 |
| Publisher URL | https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2862299 |
| Related Public URLs | https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2862299 |