TY - GEN
T1 - Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security
AU - Shoshitaishvili, Yan
AU - Invernizzi, Luca
AU - Doupe, Adam
AU - Vigna, Giovanni
N1 - Copyright 2014 Elsevier B.V., All rights reserved.
PY - 2014
Y1 - 2014
AB - A crucial part of a cyber-criminal's job is to balance the risks and rewards of his every action. For example, an expert spammer will tune a bot's email-sending rate to achieve a good throughput with an acceptable risk of being detected. Then, such a cyber-criminal has to choose how to launder the money he made with spamming, and he will have to consider many options (money mules, Bitcoin, etc.) that will offer different returns and risks. Although understanding these trade-offs and coming as close as possible to their optimum is what discriminates winners and losers in the cyber-crime world, there has been little study on this matter, as setting up a large-scale study to study how cyber-criminals deal with these risk-reward trade-offs is challenging. Computer security competitions provide a great opportunity both to educate students and to study realistic cyber-security scenarios in a controlled environment. Looking to study the risk-reward trade-offs seen in real cyber-security incidents, we designed and hosted a novel format for a Capture the Flag cyber-security contest, involving 89 teams comprising over 1,000 students across the globe. In this paper, we describe the intuition, intent, and design of the contest. Additionally, we present an analysis of the data set collected, evaluate its effectiveness in modeling risk-reward behavior, examine the strategies of the competing teams, and estimate the effectiveness of such strategies.
UR - http://www.scopus.com/inward/record.url?scp=84905671252&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84905671252&partnerID=8YFLogxK
U2 - 10.1145/2554850.2554880
DO - 10.1145/2554850.2554880
M3 - Conference contribution
AN - SCOPUS:84905671252
SN - 9781450324694
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 1649
EP - 1656
BT - Proceedings of the 29th Annual ACM Symposium on Applied Computing, SAC 2014
PB - Association for Computing Machinery
T2 - 29th Annual ACM Symposium on Applied Computing, SAC 2014
Y2 - 24 March 2014 through 28 March 2014
ER -