Transcript Using Economics to Quantify the Security of the Internet Jason Franklin Internet Security (Availability) • Claim 1: The security of the Internet is.

Using Economics to Quantify the
Security of the Internet
Jason Franklin
Internet Security (Availability)
• Claim 1: The security of the Internet is directly
proportional to the number of compromised endhosts
– As the total number of compromised machines grows,
the potential for larger DDoS attacks grows
– More compromised machines implies more resources
available to attackers
– Security of the Internet is directly tied to the security
of end-hosts in aggregate
Internet Security (Availability)
• Claim 2: Given a sufficiently powerful adversary,
any networked resource can be DoSed
successfully
– Defenders are fundamentally more resource
constrained than attackers
– Defenders are restricted to play/pay by the rules
• Over-provisioning and DoS defenses cost money
Measuring Internet Security
• Two basic research questions:
– (Number): How many of the Internet’s endhosts are compromised at any one time?
• 100 million, 200 million, more?
– (Cost): What is the effort required to
compromise the security (availability) of a
networked resource?
• A security metric for Internet availability
• Prefer quantity directly related to how much work
or effort need be spent
Estimating Number of
Compromised End-hosts
• Approach 1 (Scanning):
– Scan entire IP address space with
vulnerability scanner
• Pros:
– Would give reasonable estimate of number of hosts with
well-known easy-to-exploit vulnerabilities
• Cons:
– Scanning won’t reach Internet’s edge (NATs etc.)
– Vulnerability scanning is slow and noisy
– Hosts that are compromised then patched would be
missed
Estimating Number of
Compromised End-host
• Approach 2 (Economics):
– Establish market for compromised hosts
– Monitor supply and demand
• Pros:
– Inexpensive to monitor market
– Learn more than just quantity supplied
• Cons:
– Difficult to establish public market for stolen goods
– Hard to entice buyers and sellers to participate
Hard, but not impossible
• Introducing #ccpower
– Active underground market for cyber
contraband
• Includes buyers and sellers specializing in spam,
phishing, scamming, hacking, credit card fraud,
and identity theft
• Global market with thousands of active buyers and
sellers
• Responsible for ~$100 million in credit card fraud
each year, numerous phishing scams, and hordes
of other illegal activity
Collecting Economic Data
• Passive monitoring and archival of
Internet Relay Chat (IRC) channels
– 50+ monitored servers
C
S
– Over 7 months of data
C
C
– Over 12 million individual messages from as
many as 50k individuals
• Limitations and Complexities
– No private IRC messages
– Complex underground dialect (slang)
– Difficult to establish reputation
C
S
IRC
S
C
Key
S erver
C lient
Percentage of Monitored Messages
Market at a Glance
Number of Days Monitored
Identifying Useful Data
• Text classification problem:
– Given 13+ million IRC messages
• Including millions of useful messages
– “I’ve got hacked hosts for $2, pm me for deal”
• And millions of useless messages
– “Screw you guys I’m out of here”
• Built binary text classifiers to identify interesting classes of data
– Hacked hosts sale ads
– Hacked hosts want ads
– Phishing and spam related ads
• Used SVMs with 3k line train set and 1k line test set
– Bag of words feature vectors with TFIDF feature representation
– SVMs correctly recall over 85% of true positives with precision of
around 50%
– For each true positive, SVMs identify one false positive
Economic Measurements
• Law of Demand
– All other factors being
equal, the higher the price
of a good, the smaller is
the quantity demanded
• Law of Supply
– All other factors being
equal, the higher the price
of a good, the greater is the
quantity supplied
Price
Price of Hacked Hosts over Time
Time Period (Days)
# Compromised End-hosts
• Methodology:
– Market equilibrium price for
compromised hosts at time
t=1 is $10
– Market equilibrium price for
compromised hosts at time
t=2 is $5
– More compromised hosts
are available at a lower
price
– But how do we know that
supply shifted rather than
demand?
$10
?
$10
$5
?
Ceteris Paribus Assumption
Laws of Supply and Demand only hold
under ceteris paribus assumption
–
•
“All other factors being equal”
Law of Demand’s Other Factors
–
Size of market (population)
•
–
–
–
•
Measurements show this is fixed
Consumer preferences
Income
Price of related goods
Law of Supply’s Other Factors
–
Cost of required resources (inputs)
•
•
–
Search cost for time spent searching for
vulnerable hosts
Cost of exploits (free)
Technology
•
–
Population
•
Scripts and tools mainly
Price of substitute and complement
•
•
Bulletproof hosting services for spammers
Substitutes for bots?
Days
Cost to Buy as a Security Metric
• Each networked server S has fixed amount of available
resources R
– S has sufficient resources to service k hosts at per time period
– In our simple model, S is vulnerable to a complete DoS attack by
>= k hosts
• Natural question to ask is “How much effort is required of
an attacker to compromise k hosts?”
– Before markets, effort required was dependent on skills of
attacker and level of tools available
– After markets, effort required at time t can be measured by the
Cost to Buy k hosts at time t
Cost to Buy Metric
• A simple example:
– Server S has sufficient resources to
service 30 hosts per time period
– Security w.r.t. an adversary:
• S is 20 (50-30) under provisioned
against a $100 adversary at time t
• S is 5 over provisioned against a
$100 adversary at time t+1
Time:
Cost to
buy(1)
Adversary
Adversary
Resources
t
$2
$100
50
t+1
$4
$100
25
– Independent of adversary:
• S is $60 (30 * $2) secure at time t
and $120 (30 * $4) secure at time
t+1
• Measures resources required by
adversary / measures risk
Conclusion
• We looked at how economics can be used to
quantify the security of the Internet in a natural
way
• Asked how many of Internet end-hosts are
compromised
• Established trend suggesting that the number of
compromised hosts is increasing rather than
decreasing
• Developed the cost to buy security metric to
quantity resources of adversary necessary to
effect the available of a resource
• Price provides natural way to quantify resources
Remaining Work
• Use simultaneous equation models from
econometrics to empirically estimate
supply and demand curves
– Allows for estimate of quantity supplied at a
price
• Use event study methodology to correlate
Internet security “events” with the price of
compromised hosts
– New form of validation for security metrics
Questions?
• Acknowledgements:
– Paul Bennett,John Bethencourt, Gaurav
Kataria, Leonid Kontorovich, Pratyusa K.
Manadhata, Vern Paxson, Adrian Perrig, Srini
Seshan, Stefan Savage