In this paper we present and validate a novel attacker model based on the \ economic notion that the attacker has limited resources to forge a new \ attack. We focus on the vulnerability exploitation case, whereby the \ attacker has to choose whether to exploit a new vulnerability or keep an old \ one. We postulate that most vulnerabilities remain unattacked, and that the \ exploit development cycle relates to software updates rather than to the \ disclosure of new vulnerabilities. We develop a simple mathematical model to \ show the mechanisms underlying our observations and name it ``The Work-Averse Attacker Model''. \ We then leverage Symantec's data sharing \ platform WINE to validate our model by analysing records of attacks against \ more than 1M real systems. We find the `Model of the Work-Averse Attacker' \ to be strongly supported by the data and, in particular, that: (a) the great \ majority of attacks per software version is driven by one vulnerability \ only; (b) an exploit lives two years before being substituted by a new one; \ (c) the exploit arrival rate depends on the software's update rate rather \ than on time or knowledge of the vulnerability.

The Work-Averse Attacker Model / Massacci, Fabio; Allodi, Luca. - (2015). (Intervento presentato al convegno ECIS 2015 tenutosi a Munster nel 26th May-29th May 2015) [10.18151/7217264].

The Work-Averse Attacker Model

Massacci, Fabio;Allodi, Luca
2015-01-01

Abstract

In this paper we present and validate a novel attacker model based on the \ economic notion that the attacker has limited resources to forge a new \ attack. We focus on the vulnerability exploitation case, whereby the \ attacker has to choose whether to exploit a new vulnerability or keep an old \ one. We postulate that most vulnerabilities remain unattacked, and that the \ exploit development cycle relates to software updates rather than to the \ disclosure of new vulnerabilities. We develop a simple mathematical model to \ show the mechanisms underlying our observations and name it ``The Work-Averse Attacker Model''. \ We then leverage Symantec's data sharing \ platform WINE to validate our model by analysing records of attacks against \ more than 1M real systems. We find the `Model of the Work-Averse Attacker' \ to be strongly supported by the data and, in particular, that: (a) the great \ majority of attacks per software version is driven by one vulnerability \ only; (b) an exploit lives two years before being substituted by a new one; \ (c) the exploit arrival rate depends on the software's update rate rather \ than on time or knowledge of the vulnerability.
2015
ECIS 2015 -Twenty-Third European Conference on Information Systems
Munster
AIS
Massacci, Fabio; Allodi, Luca
The Work-Averse Attacker Model / Massacci, Fabio; Allodi, Luca. - (2015). (Intervento presentato al convegno ECIS 2015 tenutosi a Munster nel 26th May-29th May 2015) [10.18151/7217264].
File in questo prodotto:
File Dimensione Formato  
ecis_work-averse.pdf

Solo gestori archivio

Descrizione: Articolo
Tipologia: Versione editoriale (Publisher’s layout)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 274.37 kB
Formato Adobe PDF
274.37 kB Adobe PDF   Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/117168
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 3
  • ???jsp.display-item.citation.isi??? ND
social impact