1 / 19

Using Economics to Quantify the Security of the Internet

Claim 1: The security of the Internet is directly proportional to the number of compromised end-hosts ... Passive monitoring and archival of Internet Relay Chat (IRC) channels ...

Philip
Download Presentation

Using Economics to Quantify the Security of the Internet

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    Slide 1:Using Economics to Quantify the Security of the Internet

    Jason Franklin

    Slide 2:Internet Security (Availability)

    Claim 1: The security of the Internet is directly proportional to the number of compromised end-hosts As the total number of compromised machines grows, the potential for larger DDoS attacks grows More compromised machines implies more resources available to attackers Security of the Internet is directly tied to the security of end-hosts in aggregate

    Slide 3:Internet Security (Availability)

    Claim 2: Given a sufficiently powerful adversary, any networked resource can be DoSed successfully Defenders are fundamentally more resource constrained than attackers Defenders are restricted to play/pay by the rules Over-provisioning and DoS defenses cost money

    Slide 4:Measuring Internet Security

    Two basic research questions: (Number): How many of the Internet’s end-hosts are compromised at any one time? 100 million, 200 million, more? (Cost): What is the effort required to compromise the security (availability) of a networked resource? A security metric for Internet availability Prefer quantity directly related to how much work or effort need be spent

    Slide 5:Estimating Number of Compromised End-hosts

    Approach 1 (Scanning): Scan entire IP address space with vulnerability scanner Pros: Would give reasonable estimate of number of hosts with well-known easy-to-exploit vulnerabilities Cons: Scanning won’t reach Internet’s edge (NATs etc.) Vulnerability scanning is slow and noisy Hosts that are compromised then patched would be missed

    Slide 6:Estimating Number of Compromised End-host

    Approach 2 (Economics): Establish market for compromised hosts Monitor supply and demand Pros: Inexpensive to monitor market Learn more than just quantity supplied Cons: Difficult to establish public market for stolen goods Hard to entice buyers and sellers to participate

    Slide 7:Hard, but not impossible

    Introducing #ccpower Active underground market for cyber contraband Includes buyers and sellers specializing in spam, phishing, scamming, hacking, credit card fraud, and identity theft Global market with thousands of active buyers and sellers Responsible for ~$100 million in credit card fraud each year, numerous phishing scams, and hordes of other illegal activity

    Slide 8:Collecting Economic Data

    Passive monitoring and archival of Internet Relay Chat (IRC) channels 50+ monitored servers Over 7 months of data Over 12 million individual messages from as many as 50k individuals Limitations and Complexities No private IRC messages Complex underground dialect (slang) Difficult to establish reputation S S S C C C C C IRC

    Slide 9:Market at a Glance

    Number of Days Monitored Percentage of Monitored Messages

    Slide 10:Identifying Useful Data

    Text classification problem: Given 13+ million IRC messages Including millions of useful messages “I’ve got hacked hosts for $2, pm me for deal” And millions of useless messages “Screw you guys I’m out of here” Built binary text classifiers to identify interesting classes of data Hacked hosts sale ads Hacked hosts want ads Phishing and spam related ads Used SVMs with 3k line train set and 1k line test set Bag of words feature vectors with TFIDF feature representation SVMs correctly recall over 85% of true positives with precision of around 50% For each true positive, SVMs identify one false positive

    Slide 11:Economic Measurements

    Law of Demand All other factors being equal, the higher the price of a good, the smaller is the quantity demanded Law of Supply All other factors being equal, the higher the price of a good, the greater is the quantity supplied

    Slide 12:Price of Hacked Hosts over Time

    Price Time Period (Days)

    Slide 13:# Compromised End-hosts

    Methodology: Market equilibrium price for compromised hosts at time t=1 is $10 Market equilibrium price for compromised hosts at time t=2 is $5 More compromised hosts are available at a lower price But how do we know that supply shifted rather than demand? ? $5 ?

    Slide 14:Ceteris Paribus Assumption

    Laws of Supply and Demand only hold under ceteris paribus assumption “All other factors being equal” Law of Demand’s Other Factors Size of market (population) Measurements show this is fixed Consumer preferences Income Price of related goods Law of Supply’s Other Factors Cost of required resources (inputs) Search cost for time spent searching for vulnerable hosts Cost of exploits (free) Technology Scripts and tools mainly Price of substitute and complement Bulletproof hosting services for spammers Substitutes for bots? Days Population

    Slide 15:Cost to Buy as a Security Metric

    Each networked server S has fixed amount of available resources R S has sufficient resources to service k hosts at per time period In our simple model, S is vulnerable to a complete DoS attack by >= k hosts Natural question to ask is “How much effort is required of an attacker to compromise k hosts?” Before markets, effort required was dependent on skills of attacker and level of tools available After markets, effort required at time t can be measured by the Cost to Buy k hosts at time t

    Slide 16:Cost to Buy Metric

    A simple example: Server S has sufficient resources to service 30 hosts per time period Security w.r.t. an adversary: S is 20 (50-30) under provisioned against a $100 adversary at time t S is 5 over provisioned against a $100 adversary at time t+1 Independent of adversary: S is $60 (30 * $2) secure at time t and $120 (30 * $4) secure at time t+1 Measures resources required by adversary / measures risk

    Slide 17:Conclusion

    We looked at how economics can be used to quantify the security of the Internet in a natural way Asked how many of Internet end-hosts are compromised Established trend suggesting that the number of compromised hosts is increasing rather than decreasing Developed the cost to buy security metric to quantity resources of adversary necessary to effect the available of a resource Price provides natural way to quantify resources

    Slide 18:Remaining Work

    Use simultaneous equation models from econometrics to empirically estimate supply and demand curves Allows for estimate of quantity supplied at a price Use event study methodology to correlate Internet security “events” with the price of compromised hosts New form of validation for security metrics

    Slide 19:Questions?

    Acknowledgements: Paul Bennett,John Bethencourt, Gaurav Kataria, Leonid Kontorovich, Pratyusa K. Manadhata, Vern Paxson, Adrian Perrig, Srini Seshan, Stefan Savage

More Related