The Work-Averse Attacker Model / Massacci, Fabio; Allodi, Luca. - (2015). (Paper presented at the ECIS 2015 conference, held in Munster, 26th May-29th May 2015) [10.18151/7217264].
The Work-Averse Attacker Model
Massacci, Fabio; Allodi, Luca
2015-01-01
Abstract
In this paper we present and validate a novel attacker model based on the economic notion that the attacker has limited resources to forge a new attack. We focus on the vulnerability exploitation case, whereby the attacker has to choose whether to exploit a new vulnerability or keep an old one. We postulate that most vulnerabilities remain unattacked, and that the exploit development cycle relates to software updates rather than to the disclosure of new vulnerabilities. We develop a simple mathematical model to show the mechanisms underlying our observations and name it "The Work-Averse Attacker Model". We then leverage Symantec's data sharing platform WINE to validate our model by analysing records of attacks against more than 1M real systems. We find the 'Model of the Work-Averse Attacker' to be strongly supported by the data and, in particular, that: (a) the great majority of attacks per software version is driven by one vulnerability only; (b) an exploit lives two years before being substituted by a new one; (c) the exploit arrival rate depends on the software's update rate rather than on time or knowledge of the vulnerability.

File | Size | Format |
---|---|---|
ecis_work-averse.pdf (Archive managers only). Description: Article. Type: Publisher's layout. License: All rights reserved | 274.37 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.