Using Economics to Quantify the Security of the Internet


Presentation Transcript


  1. Using Economics to Quantify the Security of the Internet Jason Franklin

  2. Internet Security (Availability) • Claim 1: The security of the Internet is directly proportional to the number of compromised end-hosts • As the total number of compromised machines grows, the potential for larger DDoS attacks grows • More compromised machines implies more resources available to attackers • Security of the Internet is directly tied to the security of end-hosts in aggregate

  3. Internet Security (Availability) • Claim 2: Given a sufficiently powerful adversary, any networked resource can be DoSed successfully • Defenders are fundamentally more resource constrained than attackers • Defenders are restricted to play/pay by the rules • Over-provisioning and DoS defenses cost money

  4. Measuring Internet Security • Two basic research questions: • (Number): How many of the Internet’s end-hosts are compromised at any one time? • 100 million, 200 million, more? • (Cost): What is the effort required to compromise the security (availability) of a networked resource? • A security metric for Internet availability • Prefer quantity directly related to how much work or effort need be spent

  5. Estimating Number of Compromised End-hosts • Approach 1 (Scanning): • Scan entire IP address space with vulnerability scanner • Pros: • Would give reasonable estimate of number of hosts with well-known easy-to-exploit vulnerabilities • Cons: • Scanning won’t reach Internet’s edge (NATs etc.) • Vulnerability scanning is slow and noisy • Hosts that are compromised then patched would be missed

  6. Estimating Number of Compromised End-hosts • Approach 2 (Economics): • Establish market for compromised hosts • Monitor supply and demand • Pros: • Inexpensive to monitor market • Learn more than just quantity supplied • Cons: • Difficult to establish public market for stolen goods • Hard to entice buyers and sellers to participate

  7. Hard, but not impossible • Introducing #ccpower • Active underground market for cyber contraband • Includes buyers and sellers specializing in spam, phishing, scamming, hacking, credit card fraud, and identity theft • Global market with thousands of active buyers and sellers • Responsible for ~$100 million in credit card fraud each year, numerous phishing scams, and hordes of other illegal activity

  8. Collecting Economic Data • Passive monitoring and archival of Internet Relay Chat (IRC) channels • 50+ monitored servers • Over 7 months of data • Over 12 million individual messages from as many as 50k individuals • Limitations and Complexities • No private IRC messages • Complex underground dialect (slang) • Difficult to establish reputation [Figure: IRC network diagram; key: S = server, C = client]

  9. Market at a Glance [Figure; axis labels: Percentage of Monitored Messages, Number of Days Monitored]

  10. Identifying Useful Data • Text classification problem: • Given 13+ million IRC messages • Including millions of useful messages • “I’ve got hacked hosts for $2, pm me for deal” • And millions of useless messages • “Screw you guys I’m out of here” • Built binary text classifiers to identify interesting classes of data • Hacked hosts sale ads • Hacked hosts want ads • Phishing and spam related ads • Used SVMs with 3k line train set and 1k line test set • Bag of words feature vectors with TFIDF feature representation • SVMs correctly recall over 85% of true positives with precision of around 50% • For each true positive, SVMs identify one false positive

  11. Economic Measurements • Law of Demand: All other factors being equal, the higher the price of a good, the smaller is the quantity demanded • Law of Supply: All other factors being equal, the higher the price of a good, the greater is the quantity supplied

  12. Price of Hacked Hosts over Time [Figure; axis labels: Price, Time Period (Days)]

  13. # Compromised End-hosts • Methodology: • Market equilibrium price for compromised hosts at time t=1 is $10 • Market equilibrium price for compromised hosts at time t=2 is $5 • More compromised hosts are available at a lower price • But how do we know that supply shifted rather than demand? [Figure labels: $10, $5, ?]

  14. Ceteris Paribus Assumption • Laws of Supply and Demand only hold under ceteris paribus assumption • “All other factors being equal” • Law of Demand’s Other Factors • Size of market (population) • Measurements show this is fixed • Consumer preferences • Income • Price of related goods • Law of Supply’s Other Factors • Cost of required resources (inputs) • Search cost for time spent searching for vulnerable hosts • Cost of exploits (free) • Technology • Scripts and tools mainly • Price of substitute and complement • Bulletproof hosting services for spammers • Substitutes for bots? [Figure; axis labels: Population, Days]

  15. Cost to Buy as a Security Metric • Each networked server S has a fixed amount of available resources R • S has sufficient resources to service k hosts per time period • In our simple model, S is vulnerable to a complete DoS attack by >= k hosts • Natural question to ask is “How much effort is required of an attacker to compromise k hosts?” • Before markets, effort required was dependent on skills of attacker and level of tools available • After markets, effort required at time t can be measured by the Cost to Buy k hosts at time t

  16. Cost to Buy Metric • A simple example: • Server S has sufficient resources to service 30 hosts per time period • Security w.r.t. an adversary: • S is 20 (50-30) under provisioned against a $100 adversary at time t • S is 5 over provisioned against a $100 adversary at time t+1 • Independent of adversary: • S is $60 (30 * $2) secure at time t and $120 (30 * $4) secure at time t+1 • Measures resources required by adversary / measures risk

  17. Conclusion • We looked at how economics can be used to quantify the security of the Internet in a natural way • Asked how many of the Internet’s end-hosts are compromised • Established trend suggesting that the number of compromised hosts is increasing rather than decreasing • Developed the cost to buy security metric to quantify the resources an adversary needs to affect the availability of a resource • Price provides natural way to quantify resources

  18. Remaining Work • Use simultaneous equation models from econometrics to empirically estimate supply and demand curves • Allows for estimate of quantity supplied at a price • Use event study methodology to correlate Internet security “events” with the price of compromised hosts • New form of validation for security metrics

  19. Questions? • Acknowledgements: • Paul Bennett, John Bethencourt, Gaurav Kataria, Leonid Kontorovich, Pratyusa K. Manadhata, Vern Paxson, Adrian Perrig, Srini Seshan, Stefan Savage
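
Slide 13 asks how to tell a supply shift from a demand shift when the price falls from $10 to $5. The following is an added example, not part of the original presentation: it assumes linear curves with constructed parameters (the names `equilibrium`, `explanations_for_price` and `BASE` are hypothetical) and shows that both explanations reproduce the observed prices while implying opposite changes in the number of hosts traded.

```python
from fractions import Fraction

def equilibrium(a, b, c, d):
    """Price and quantity where demand Q = a - b*P meets supply Q = c + d*P."""
    price = Fraction(a - c, b + d)
    return price, a - b * price

def explanations_for_price(a, b, c, d, new_price):
    """Two single-curve shifts that each reproduce new_price on their own."""
    supply_c = a - (b + d) * new_price  # supply intercept moves, demand fixed
    demand_a = c + (b + d) * new_price  # demand intercept moves, supply fixed
    return {
        "supply_shift": equilibrium(a, b, supply_c, d),
        "demand_shift": equilibrium(demand_a, b, c, d),
    }

# Constructed curve parameters, chosen so the t=1 price is the slide's $10.
BASE = dict(a=300, b=10, c=100, d=10)

def demo():
    """Equilibrium at t=1 and the two candidate explanations for $5 at t=2."""
    p1, q1 = equilibrium(**BASE)
    return p1, q1, explanations_for_price(new_price=5, **BASE)

if __name__ == "__main__":
    p1, q1, cases = demo()
    print(f"t=1: price ${p1}, quantity {q1}")
    for name, (price, qty) in cases.items():
        print(f"t=2 via {name}: price ${price}, quantity {qty}")
```

Price alone cannot separate the two cases; a quantity observation or the simultaneous-equation estimate listed under Remaining Work is needed.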
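
The Cost to Buy metric from slides 15 and 16, as an added example that is not part of the original presentation. It generalizes the single-price case on the slide to a list of sale offers at different prices, filled cheapest first; the offers are constructed, prices are assumed to be positive whole dollars, and the function names are hypothetical.

```python
def cost_to_buy(k, offers):
    """Cheapest total price for k hosts, or None if fewer than k are on offer.

    offers is a list of (price_per_host, quantity) pairs.
    """
    if k <= 0:
        return 0
    total, needed = 0, k
    for price, qty in sorted(offers):      # cheapest offers first
        take = min(needed, qty)
        total += take * price
        needed -= take
        if needed == 0:
            return total
    return None                            # market cannot supply k hosts

def hosts_for_budget(budget, offers):
    """Number of hosts an adversary with this budget can buy."""
    bought = 0
    for price, qty in sorted(offers):
        take = min(qty, budget // price)
        bought += take
        budget -= take * price
        if take < qty:                     # budget exhausted at this price
            break
    return bought

def provisioning_margin(k, budget, offers):
    """Positive: over-provisioned by that many hosts; negative: under-provisioned."""
    return k - hosts_for_budget(budget, offers)

# Constructed markets matching slide 16: $2 per host at time t, $4 at t+1.
MARKET_T = [(2, 1000)]
MARKET_T1 = [(4, 1000)]
# Constructed tiered market: a few cheap hosts, the rest at a higher price.
MARKET_TIERED = [(4, 50), (2, 10)]

if __name__ == "__main__":
    for name, market in (("t", MARKET_T), ("t+1", MARKET_T1)):
        print(name, cost_to_buy(30, market), provisioning_margin(30, 100, market))
    print("tiered", cost_to_buy(30, MARKET_TIERED))
```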
