Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security

Yan Shoshitaishvili, Luca Invernizzi, Adam Doupe, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceedingConference contribution

7 Scopus citations

Abstract

A crucial part of a cyber-criminal's job is to balance the risks and rewards of his every action. For example, an expert spammer will tune a bot's email-sending rate to achieve a good throughput with an acceptable risk of being detected. Then, such a cyber-criminal has to choose how to launder the money he made with spamming, and he will have to consider many options (money mules, Bitcoin, etc.) that will offer different returns and risks. Although understanding these trade-offs and coming as close as possible to their optimum is what discriminates winners and losers in the cyber-crime world, there has been little study on this matter, as setting up a large-scale study to study how cyber-criminals deal with these risk-reward trade-offs is challenging. Computer security competitions provide a great opportunity both to educate students and to study realistic cyber-security scenarios in a controlled environment. Looking to study the risk-reward trade-offs seen in real cyber-security incidents, we designed and hosted a novel format for a Capture the Flag cyber-security contest, involving 89 teams comprising over 1,000 students across the globe. In this paper, we describe the intuition, intent, and design of the contest. Additionally, we present an analysis of the data set collected, evaluate its effectiveness in modeling risk-reward behavior, examine the strategies of the competing teams, and estimate the effectiveness of such strategies.

Original languageEnglish (US)
Title of host publicationProceedings of the 29th Annual ACM Symposium on Applied Computing, SAC 2014
PublisherAssociation for Computing Machinery
Pages1649-1656
Number of pages8
ISBN (Print)9781450324694
DOIs
StatePublished - Jan 1 2014
Externally publishedYes
Event29th Annual ACM Symposium on Applied Computing, SAC 2014 - Gyeongju, Korea, Republic of
Duration: Mar 24 2014Mar 28 2014

Publication series

NameProceedings of the ACM Symposium on Applied Computing

Other

Other29th Annual ACM Symposium on Applied Computing, SAC 2014
CountryKorea, Republic of
CityGyeongju
Period3/24/143/28/14

ASJC Scopus subject areas

  • Software

Fingerprint Dive into the research topics of 'Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security'. Together they form a unique fingerprint.

  • Cite this

    Shoshitaishvili, Y., Invernizzi, L., Doupe, A., & Vigna, G. (2014). Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security. In Proceedings of the 29th Annual ACM Symposium on Applied Computing, SAC 2014 (pp. 1649-1656). (Proceedings of the ACM Symposium on Applied Computing). Association for Computing Machinery. https://doi.org/10.1145/2554850.2554880