Abstract
A crucial part of a cyber-criminal's job is to balance the risks and rewards of his every action. For example, an expert spammer will tune a bot's email-sending rate to achieve a good throughput with an acceptable risk of being detected. Then, such a cyber-criminal has to choose how to launder the money he made with spamming, and he will have to consider many options (money mules, Bitcoin, etc.) that will offer different returns and risks. Although understanding these trade-offs and coming as close as possible to their optimum is what discriminates winners and losers in the cyber-crime world, there has been little study on this matter, as setting up a large-scale study to study how cyber-criminals deal with these risk-reward trade-offs is challenging. Computer security competitions provide a great opportunity both to educate students and to study realistic cyber-security scenarios in a controlled environment. Looking to study the risk-reward trade-offs seen in real cyber-security incidents, we designed and hosted a novel format for a Capture the Flag cyber-security contest, involving 89 teams comprising over 1,000 students across the globe. In this paper, we describe the intuition, intent, and design of the contest. Additionally, we present an analysis of the data set collected, evaluate its effectiveness in modeling risk-reward behavior, examine the strategies of the competing teams, and estimate the effectiveness of such strategies.
| Original language | English (US) |
|---|---|
| Title of host publication | Proceedings of the ACM Symposium on Applied Computing |
| Publisher | Association for Computing Machinery |
| Pages | 1649-1656 |
| Number of pages | 8 |
| ISBN (Print) | 9781450324694 |
| DOIs | |
| State | Published - 2014 |
| Externally published | Yes |
| Event | 29th Annual ACM Symposium on Applied Computing, SAC 2014 - Gyeongju, Korea, Republic of Duration: Mar 24 2014 → Mar 28 2014 |
Other
| Other | 29th Annual ACM Symposium on Applied Computing, SAC 2014 |
|---|---|
| Country | Korea, Republic of |
| City | Gyeongju |
| Period | 3/24/14 → 3/28/14 |
Fingerprint
ASJC Scopus subject areas
- Software
Cite this
Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security. / Shoshitaishvili, Yan; Invernizzi, Luca; Doupe, Adam; Vigna, Giovanni.
Proceedings of the ACM Symposium on Applied Computing. Association for Computing Machinery, 2014. p. 1649-1656.Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
}
TY - GEN
T1 - Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security
AU - Shoshitaishvili, Yan
AU - Invernizzi, Luca
AU - Doupe, Adam
AU - Vigna, Giovanni
PY - 2014
Y1 - 2014
N2 - A crucial part of a cyber-criminal's job is to balance the risks and rewards of his every action. For example, an expert spammer will tune a bot's email-sending rate to achieve a good throughput with an acceptable risk of being detected. Then, such a cyber-criminal has to choose how to launder the money he made with spamming, and he will have to consider many options (money mules, Bitcoin, etc.) that will offer different returns and risks. Although understanding these trade-offs and coming as close as possible to their optimum is what discriminates winners and losers in the cyber-crime world, there has been little study on this matter, as setting up a large-scale study to study how cyber-criminals deal with these risk-reward trade-offs is challenging. Computer security competitions provide a great opportunity both to educate students and to study realistic cyber-security scenarios in a controlled environment. Looking to study the risk-reward trade-offs seen in real cyber-security incidents, we designed and hosted a novel format for a Capture the Flag cyber-security contest, involving 89 teams comprising over 1,000 students across the globe. In this paper, we describe the intuition, intent, and design of the contest. Additionally, we present an analysis of the data set collected, evaluate its effectiveness in modeling risk-reward behavior, examine the strategies of the competing teams, and estimate the effectiveness of such strategies.
AB - A crucial part of a cyber-criminal's job is to balance the risks and rewards of his every action. For example, an expert spammer will tune a bot's email-sending rate to achieve a good throughput with an acceptable risk of being detected. Then, such a cyber-criminal has to choose how to launder the money he made with spamming, and he will have to consider many options (money mules, Bitcoin, etc.) that will offer different returns and risks. Although understanding these trade-offs and coming as close as possible to their optimum is what discriminates winners and losers in the cyber-crime world, there has been little study on this matter, as setting up a large-scale study to study how cyber-criminals deal with these risk-reward trade-offs is challenging. Computer security competitions provide a great opportunity both to educate students and to study realistic cyber-security scenarios in a controlled environment. Looking to study the risk-reward trade-offs seen in real cyber-security incidents, we designed and hosted a novel format for a Capture the Flag cyber-security contest, involving 89 teams comprising over 1,000 students across the globe. In this paper, we describe the intuition, intent, and design of the contest. Additionally, we present an analysis of the data set collected, evaluate its effectiveness in modeling risk-reward behavior, examine the strategies of the competing teams, and estimate the effectiveness of such strategies.
UR - http://www.scopus.com/inward/record.url?scp=84905671252&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84905671252&partnerID=8YFLogxK
U2 - 10.1145/2554850.2554880
DO - 10.1145/2554850.2554880
M3 - Conference contribution
AN - SCOPUS:84905671252
SN - 9781450324694
SP - 1649
EP - 1656
BT - Proceedings of the ACM Symposium on Applied Computing
PB - Association for Computing Machinery
ER -