Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security

Yan Shoshitaishvili, Luca Invernizzi, Adam Doupe, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceedingConference contribution

5 Citations (Scopus)

Abstract

A crucial part of a cyber-criminal's job is to balance the risks and rewards of his every action. For example, an expert spammer will tune a bot's email-sending rate to achieve a good throughput with an acceptable risk of being detected. Then, such a cyber-criminal has to choose how to launder the money he made with spamming, and he will have to consider many options (money mules, Bitcoin, etc.) that will offer different returns and risks. Although understanding these trade-offs and coming as close as possible to their optimum is what discriminates winners and losers in the cyber-crime world, there has been little study on this matter, as setting up a large-scale study to study how cyber-criminals deal with these risk-reward trade-offs is challenging. Computer security competitions provide a great opportunity both to educate students and to study realistic cyber-security scenarios in a controlled environment. Looking to study the risk-reward trade-offs seen in real cyber-security incidents, we designed and hosted a novel format for a Capture the Flag cyber-security contest, involving 89 teams comprising over 1,000 students across the globe. In this paper, we describe the intuition, intent, and design of the contest. Additionally, we present an analysis of the data set collected, evaluate its effectiveness in modeling risk-reward behavior, examine the strategies of the competing teams, and estimate the effectiveness of such strategies.

Original languageEnglish (US)
Title of host publicationProceedings of the ACM Symposium on Applied Computing
PublisherAssociation for Computing Machinery
Pages1649-1656
Number of pages8
ISBN (Print)9781450324694
DOIs
StatePublished - 2014
Externally publishedYes
Event29th Annual ACM Symposium on Applied Computing, SAC 2014 - Gyeongju, Korea, Republic of
Duration: Mar 24 2014Mar 28 2014

Other

Other29th Annual ACM Symposium on Applied Computing, SAC 2014
CountryKorea, Republic of
CityGyeongju
Period3/24/143/28/14

Fingerprint

Spamming
Students
Crime
Electronic mail
Security of data
Throughput

ASJC Scopus subject areas

  • Software

Cite this

Shoshitaishvili, Y., Invernizzi, L., Doupe, A., & Vigna, G. (2014). Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security. In Proceedings of the ACM Symposium on Applied Computing (pp. 1649-1656). Association for Computing Machinery. https://doi.org/10.1145/2554850.2554880

Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security. / Shoshitaishvili, Yan; Invernizzi, Luca; Doupe, Adam; Vigna, Giovanni.

Proceedings of the ACM Symposium on Applied Computing. Association for Computing Machinery, 2014. p. 1649-1656.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Shoshitaishvili, Y, Invernizzi, L, Doupe, A & Vigna, G 2014, Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security. in Proceedings of the ACM Symposium on Applied Computing. Association for Computing Machinery, pp. 1649-1656, 29th Annual ACM Symposium on Applied Computing, SAC 2014, Gyeongju, Korea, Republic of, 3/24/14. https://doi.org/10.1145/2554850.2554880
Shoshitaishvili Y, Invernizzi L, Doupe A, Vigna G. Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security. In Proceedings of the ACM Symposium on Applied Computing. Association for Computing Machinery. 2014. p. 1649-1656 https://doi.org/10.1145/2554850.2554880
Shoshitaishvili, Yan ; Invernizzi, Luca ; Doupe, Adam ; Vigna, Giovanni. / Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security. Proceedings of the ACM Symposium on Applied Computing. Association for Computing Machinery, 2014. pp. 1649-1656
@inproceedings{65c8c178112b40be801429eac26f2763,
title = "Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security",
abstract = "A crucial part of a cyber-criminal's job is to balance the risks and rewards of his every action. For example, an expert spammer will tune a bot's email-sending rate to achieve a good throughput with an acceptable risk of being detected. Then, such a cyber-criminal has to choose how to launder the money he made with spamming, and he will have to consider many options (money mules, Bitcoin, etc.) that will offer different returns and risks. Although understanding these trade-offs and coming as close as possible to their optimum is what discriminates winners and losers in the cyber-crime world, there has been little study on this matter, as setting up a large-scale study to study how cyber-criminals deal with these risk-reward trade-offs is challenging. Computer security competitions provide a great opportunity both to educate students and to study realistic cyber-security scenarios in a controlled environment. Looking to study the risk-reward trade-offs seen in real cyber-security incidents, we designed and hosted a novel format for a Capture the Flag cyber-security contest, involving 89 teams comprising over 1,000 students across the globe. In this paper, we describe the intuition, intent, and design of the contest. Additionally, we present an analysis of the data set collected, evaluate its effectiveness in modeling risk-reward behavior, examine the strategies of the competing teams, and estimate the effectiveness of such strategies.",
author = "Yan Shoshitaishvili and Luca Invernizzi and Adam Doupe and Giovanni Vigna",
year = "2014",
doi = "10.1145/2554850.2554880",
language = "English (US)",
isbn = "9781450324694",
pages = "1649--1656",
booktitle = "Proceedings of the ACM Symposium on Applied Computing",
publisher = "Association for Computing Machinery",

}

TY - GEN

T1 - Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security

AU - Shoshitaishvili, Yan

AU - Invernizzi, Luca

AU - Doupe, Adam

AU - Vigna, Giovanni

PY - 2014

Y1 - 2014

N2 - A crucial part of a cyber-criminal's job is to balance the risks and rewards of his every action. For example, an expert spammer will tune a bot's email-sending rate to achieve a good throughput with an acceptable risk of being detected. Then, such a cyber-criminal has to choose how to launder the money he made with spamming, and he will have to consider many options (money mules, Bitcoin, etc.) that will offer different returns and risks. Although understanding these trade-offs and coming as close as possible to their optimum is what discriminates winners and losers in the cyber-crime world, there has been little study on this matter, as setting up a large-scale study to study how cyber-criminals deal with these risk-reward trade-offs is challenging. Computer security competitions provide a great opportunity both to educate students and to study realistic cyber-security scenarios in a controlled environment. Looking to study the risk-reward trade-offs seen in real cyber-security incidents, we designed and hosted a novel format for a Capture the Flag cyber-security contest, involving 89 teams comprising over 1,000 students across the globe. In this paper, we describe the intuition, intent, and design of the contest. Additionally, we present an analysis of the data set collected, evaluate its effectiveness in modeling risk-reward behavior, examine the strategies of the competing teams, and estimate the effectiveness of such strategies.

AB - A crucial part of a cyber-criminal's job is to balance the risks and rewards of his every action. For example, an expert spammer will tune a bot's email-sending rate to achieve a good throughput with an acceptable risk of being detected. Then, such a cyber-criminal has to choose how to launder the money he made with spamming, and he will have to consider many options (money mules, Bitcoin, etc.) that will offer different returns and risks. Although understanding these trade-offs and coming as close as possible to their optimum is what discriminates winners and losers in the cyber-crime world, there has been little study on this matter, as setting up a large-scale study to study how cyber-criminals deal with these risk-reward trade-offs is challenging. Computer security competitions provide a great opportunity both to educate students and to study realistic cyber-security scenarios in a controlled environment. Looking to study the risk-reward trade-offs seen in real cyber-security incidents, we designed and hosted a novel format for a Capture the Flag cyber-security contest, involving 89 teams comprising over 1,000 students across the globe. In this paper, we describe the intuition, intent, and design of the contest. Additionally, we present an analysis of the data set collected, evaluate its effectiveness in modeling risk-reward behavior, examine the strategies of the competing teams, and estimate the effectiveness of such strategies.

UR - http://www.scopus.com/inward/record.url?scp=84905671252&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84905671252&partnerID=8YFLogxK

U2 - 10.1145/2554850.2554880

DO - 10.1145/2554850.2554880

M3 - Conference contribution

AN - SCOPUS:84905671252

SN - 9781450324694

SP - 1649

EP - 1656

BT - Proceedings of the ACM Symposium on Applied Computing

PB - Association for Computing Machinery

ER -