Sam Curry from RSA recently posted some thoughts on a paper we have been working on and presented at Source Boston (here). In the coming weeks we will detail the research and the modifications we have made since first presenting the draft over a month ago.
Last week, Amrit Williams and I presented at SOURCE Conference the results of a research paper that we have been working on and thinking about for over a decade now. It started when I did malware research at a previous company and watched the ebb and flow of malware (and the related FUD). This reminded me of watching the tide rise on a shore, or perhaps of a slightly more intelligent phenomenon like the movement of a flock of birds or a school of fish. We have all seen flocks of birds and the sudden changes that send a curtain-like ripple throughout the flock. I couldn’t escape the feeling that there was a pattern among the samples that could be both modeled and predicted.
Years later, in 2007, Amrit and I had the pleasure of working together again, this time with me at a different company and Amrit sitting in the analyst seat. A critical mass had been reached 2-3 years earlier: the majority of malware samples had a financial “motivation” and were backed by fraudsters organized in almost corporate-like entities. We got to talking about how game theory could apply to this, and the reason is simple: when you have (a) intelligent players and (b) can quantify gains and losses, you can build the elusive predictive model. And the greater the percentage of malware that fits these two criteria, the more closely the model would hold true.
Abstract (version 2.x coming soon):
This paper proposes a set of formulas for assessing the likelihood that a given method of security attack will be launched over the Internet and the relative probability that an exploit will occur. Understanding these formulas and their component variables leads to a proposed Law of Malware Probability. Basically, the Law of Malware Probability states that as the attractiveness of a set of computers and the data they contain to a potential attacker increases, the likelihood of an attack against these resources increases. By contrast, as the costs and risks of an attack to the attacker increase, the likelihood of an exploit decreases. The paper then discusses the factors and variables that make up the formula, the relationship of the attractiveness of an infrastructure to an attacker versus the costs and difficulties of carrying out an attack, considerations in assigning values to variables, validating the Law against observed real-world behaviors, and implications of the Law for owners and managers of computing resources. The paper also proposes areas of further investigation that could contribute to improving understanding of attacker and malware behavior.