Issue No.01 - Jan.-Feb. (2014 vol.11)

pp: 2-15

Hannes Holm , The Royal Institute of Technology, Stockholm

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2013.21

ABSTRACT

A frequent assumption in the domain of cybersecurity is that cyberintrusions follow the properties of a Poisson process, i.e., that the number of intrusions is well modeled by a Poisson distribution and that the time between intrusions is exponentially distributed. This paper studies this property by analyzing all cyberintrusions that have been detected across more than 260,000 computer systems over a period of almost three years. The results show that the assumption of a Poisson process model might be suboptimal: the log-normal distribution is a significantly better fit for modeling both the number of detected intrusions and the time between intrusions, and the Pareto distribution is a significantly better fit for modeling the time to first intrusion. The paper also analyzes whether time to compromise (TTC) increases with each successful intrusion of a computer system. The results regarding this property suggest that time to compromise decreases with the number of intrusions of a system.
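The model comparison the abstract describes, worked as an added example that is not from the paper: fit the exponential (Poisson-process) distribution, the log-normal and the Pareto to a sample of gaps between detected intrusions by maximum likelihood and rank them by AIC. The sample is constructed with a fixed seed rather than taken from the paper's data, and the function names, the use of AIC and the choice of the sample minimum as the Pareto threshold are my assumptions.

```python
import math
import random

def fit_exponential(x):
    # Poisson-process hypothesis: gaps are exponential; MLE rate = 1/mean.
    n, total = len(x), sum(x)
    rate = n / total
    return {"rate": rate}, n * math.log(rate) - rate * total, 1

def fit_lognormal(x):
    # MLE of mu and sigma: mean and (biased) std of ln(x). x must be > 0.
    n, logs = len(x), [math.log(v) for v in x]
    mu = sum(logs) / n
    sigma = math.sqrt(sum((v - mu) ** 2 for v in logs) / n)
    ll = (-n * math.log(sigma * math.sqrt(2 * math.pi)) - sum(logs)
          - sum((v - mu) ** 2 for v in logs) / (2 * sigma ** 2))
    return {"mu": mu, "sigma": sigma}, ll, 2

def fit_pareto(x):
    # Type I Pareto with xmin = sample minimum; MLE alpha = n / sum ln(x/xmin).
    n, xmin = len(x), min(x)
    alpha = n / sum(math.log(v / xmin) for v in x)
    ll = n * math.log(alpha) + n * alpha * math.log(xmin) - (alpha + 1) * sum(map(math.log, x))
    return {"xmin": xmin, "alpha": alpha}, ll, 2

def aic(loglik, k):
    # Akaike information criterion: lower is better; k penalises extra parameters.
    return 2 * k - 2 * loglik

def rank_models(x):
    """Return model names ordered best-first (lowest AIC) and the AIC of each."""
    fits = {"exponential": fit_exponential, "lognormal": fit_lognormal, "pareto": fit_pareto}
    scores = {name: aic(*fit(x)[1:]) for name, fit in fits.items()}
    return sorted(scores, key=scores.get), scores

def constructed_sample(kind, n, seed=1):
    """Constructed stand-in for gaps between detections (hours); not the paper's data."""
    rng = random.Random(seed)
    if kind == "exponential":
        return [rng.expovariate(1 / 24) for _ in range(n)]
    if kind == "lognormal":
        return [rng.lognormvariate(2.0, 1.5) for _ in range(n)]
    # Pareto(xmin=1, alpha=1.5) by inverse transform; 1 - random() keeps u > 0
    return [(1 - rng.random()) ** (-1 / 1.5) for _ in range(n)]

if __name__ == "__main__":
    for kind in ("exponential", "lognormal", "pareto"):
        order, scores = rank_models(constructed_sample(kind, 5000))
        print(kind, "-> best:", order[0], {m: round(s, 1) for m, s in scores.items()})
```

On real detection logs, zero-length gaps must be dropped or resolved to a finer clock before fitting, since the log-normal and Pareto likelihoods take logarithms of the gaps.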

INDEX TERMS

Malware, Computational modeling, Statistical distributions, Workstations, network management, Invasive software (viruses, worms, Trojan horses), risk management

CITATION

Hannes Holm, "A Large-Scale Study of the Time Required to Compromise a Computer System", *IEEE Transactions on Dependable and Secure Computing*, vol. 11, no. 1, pp. 2-15, Jan.-Feb. 2014, doi:10.1109/TDSC.2013.21