The Work Averse Attacker Model: the *real* security model and the evidence from 2 million attack signatures
University of Trento, Italy
04 Dec 2017 Monday, 01:30 PM to 02:30 PM
COM2 Level 4
Executive Classroom, COM2-04-02
Over 30 years have passed since Dolev and Yao's landmark paper on the attacker model, so it is time for a change!
Several attacker models have been proposed in the meantime (e.g. honest-but-curious, computationally bounded, etc.), but they are all based on a common conceit: the cyber attacker is assumed to be all-powerful (within its model) and able to exploit all possible vulnerabilities (within its capabilities) with almost equal likelihood. So if she can attack a vulnerability, she likely will. From a defender's perspective this means that unless he secures all vulnerabilities he will be hacked.
We have identified, and empirically validated, a novel and more realistic attacker model building on the key economic idea that inaction can sometimes be more profitable than action (especially when many victims are involved and fixed costs for weaponizing an exploit might be high). The intuition of our Work Averse Attacker Model (or WAAM) is that a mass attacker will optimally choose whether to act and weaponize a new vulnerability, or keep using existing toolkits if there are enough vulnerable users.
The model predicts that mass attackers may
1. exploit only one vulnerability per software version,
2. include only vulnerabilities with low attack complexity, and
3. be slow at introducing new vulnerabilities into their arsenal.
We empirically test these predictions by analyzing the data collected on attacks against more than one million real systems by Symantec's WINE platform. Our analysis shows that the behaviour predicted by WAAM is indeed what mass attackers do. Substantial efficiency gains can be made by individuals and organizations by accounting for this effect when devising security countermeasures.
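The economic intuition above (a fixed weaponization cost weighed against a pool of still-vulnerable users) can be made concrete with a toy decision model. This is an added illustration written for this page, not the paper's model or data: the cost multiplier for high attack complexity, the per-period patch rate and all numeric inputs are constructed assumptions.

```python
# Toy work-averse attacker decision model (constructed illustration, not the paper's model).

def weaponization_cost(base_cost, attack_complexity):
    """Fixed cost to turn a new vulnerability into a working exploit.
    Assumption: a high-complexity vulnerability costs three times the base cost."""
    return base_cost * (3.0 if attack_complexity == "high" else 1.0)

def prefers_new_exploit(current_users, new_users, payoff_per_victim, fixed_cost):
    """Compare keeping the existing toolkit (its cost is already sunk) with paying
    the fixed cost to weaponize a new vulnerability. True only if switching is
    strictly more profitable; ties favour inaction, which is the work-averse choice."""
    keep = current_users * payoff_per_victim
    switch = new_users * payoff_per_victim - fixed_cost
    return switch > keep

def switch_period(initial_users, patch_rate, new_users, payoff_per_victim,
                  base_cost, attack_complexity="low", horizon=50):
    """Period at which the attacker adopts the new exploit, or None if never
    within the horizon. The population exposed to the current exploit shrinks
    each period as systems get patched, so the switch happens only once the
    old exploit's remaining victims no longer cover the weaponization cost."""
    cost = weaponization_cost(base_cost, attack_complexity)
    users = initial_users
    for t in range(horizon):
        if prefers_new_exploit(users, new_users, payoff_per_victim, cost):
            return t
        users *= 1.0 - patch_rate  # defenders patch a fraction of systems per period
    return None

if __name__ == "__main__":
    # Constructed numbers: one million exposed systems, 10% patched per period,
    # one unit of payoff per victim, half a million units to weaponize a new bug.
    print(switch_period(1_000_000, 0.10, 1_000_000, 1.0, 500_000))          # 7
    print(switch_period(1_000_000, 0.10, 1_000_000, 1.0, 500_000, "high"))  # None
```

Read from the defender's side: the switch is delayed by the patch rate and by attack complexity, which is why prioritizing the one exploited vulnerability per version and raising the cost of the next one pays off.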
Joint work with Luca Allodi (TU/e) and Julian Williams (UDUR). More information on the paper here: http://securitylab.disi.unitn.it/doku.php?id=security_economics
Fabio Massacci is a full professor at the University of Trento (IT). He is a chartered engineer and received his Ph.D. in Computing from the University of Rome La Sapienza in 1998. In his career he has visited Cambridge (UK), Toulouse (FR), Siena (IT), Durham (UK) and Leuven (BE). He has published more than 250 articles in peer-reviewed journals and conferences, and his h-index is 36 ± f(Scopus, Scholar, WOS).
In 2015 he also received the IEEE Requirements Engineering 10 years most influential paper award for his research on security requirements engineering.
His current research interest is in experimental methods for cyber security, from vulnerabilities to security economics. He was the European Coordinator of the project SECONOMICS (www.seconomics.org) on socio-economic aspects of security. Some of the ideas behind this research have now been incorporated into the Common Vulnerability Scoring System (CVSS) v3, released in June 2015. He is currently working on an industrial project with CISCO on a secure supply chain for software.