Abstract
Targeted attacks consist of sophisticated malware developed by attackers having the resources and motivation to research targets in depth. Although rare, such attacks are particularly difficult to defend against and can be extremely harmful. We show in this work that data relating to the profiles of organisations and individuals subject to targeted attacks is amenable to study using epidemiological techniques. Considering the taxonomy of Standard Industry Classification (SIC) codes, organization sizes and the public profiles of individuals as potential risk factors, we design case-control studies to calculate odds ratios reflecting the degree of association between the identified risk factors and the receipt of targeted attacks. We perform an experimental validation with a large corpus of targeted attacks blocked by a large security company’s mail scanning service during 2013–2014, revealing that certain industry sectors and larger organizations – as well as specific individual profiles – are statistically at elevated risk compared with others. Considering targeted attacks as akin to a public health issue and adapting techniques from epidemiology may allow the proactive identification of those at increased risk of attack. Our approach is a first step towards developing a predictive framework for the analysis of targeted threats, and may be leveraged for the development of cyber insurance schemes based on accurate risk assessments.
References
Alberg, A.J., Ford, J.G., Samet, J.M.: Epidemiology of lung cancer: ACCP evidence-based clinical practice guidelines (2nd edition). Chest 132(3 Suppl), 29S–55S (2007)
BBC News: Shamoon virus targets energy sector infrastructure, August 2012. http://www.bbc.co.uk/news/technology-19293797
Beliakov, G., Pradera, A., Calvo, T.: Aggregation Functions: A Guide for Practitioners. Springer, Berlin (2007)
Bland, J.M., Altman, D.G.: Statistics notes: the odds ratio. BMJ 320(7247), 1468 (2000)
Bland, M.: An Introduction to Medical Statistics (Oxford Medical Publications). Oxford University Press, USA (2000)
Bossler, A., Holt, T.: On-line activities, guardianship, and malware infection: an examination of routine activities theory. Int. J. Cyber Criminol. 3(1), 400–420 (2009)
Carlinet, Y., Mé, L., Debar, V., Gourhant, Y.: Analysis of computer infection risk factors based on customer network usage. In: Proceedings of the 2008 Second International Conference on Emerging Security Information, Systems and Technologies, SECURWARE 2008, pp. 317–325. IEEE Computer Society, Washington, DC (2008)
Chien, E., O’Gorman, G.: The Nitro attacks: stealing secrets from the chemical industry. Symantec Security Response. http://bit.ly/tDd3Jo
Dagon, D., Zou, C., Lee, W.: Modeling botnet propagation using time zones. In: Proceedings of the 13th Network and Distributed System Security Symposium (NDSS) (2006)
Daley, D.J., Gani, J.M.: Epidemic Modeling: An Introduction. Cambridge University Press, Cambridge (1999)
Falliere, N., Murchu, L.O., Chien, E.: W32.Stuxnet Dossier, February 2011. http://www.symantec.com/security_response/whitepapers.jsp
Frauenthal, J.C.: Mathematical Modeling in Epidemiology. Springer, Heidelberg (1980)
Greenwood, P.E., Nikulin, M.S.: A Guide to Chi-Squared Testing. Wiley Series in Probability and Statistics. Wiley, New York (1996)
Grimes, D.A., Schulz, K.F.: Compared to what? Finding controls for case-control studies. Lancet 365(9468), 1429–1433 (2005)
Kephart, J., White, S., Chess, D.: Computers and epidemiology. IEEE Spectr. 30(5), 20–26 (1993)
Kephart, J.O., White, S.R.: Directed-graph epidemiological models of computer viruses. In: IEEE Symposium on Security and Privacy, pp. 343–361 (1991)
Kephart, J.O., White, S.R.: Measuring and modeling computer virus prevalence. In: Proceedings of the 1993 IEEE Symposium on Security and Privacy, SP 1993, p. 2. IEEE Computer Society, Washington, DC (1993)
Lee, M.: Who’s next? Identifying risk factors for subjects of targeted attacks. In: 22nd Virus Bulletin International Conference, pp. 301–306, September 2012
Levesque, F.L., Nsiempba, J., Fernandez, J.M., Chiasson, S., Somayaji, A.: A clinical study of risk factors related to malware infections. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS 2013) (2013)
Mann, C.J.: Observational research methods. Research design II: cohort, cross sectional, and case-control studies. Emerg. Med. J. 20(1), 54–60 (2003)
Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the slammer worm. IEEE Secur. Priv. 1(4), 33–39 (2003)
Moore, D., Shannon, C., Brown, J.: Code-red: a case study on the spread and victims of an Internet worm. In: ACM SIGCOMM/USENIX Internet Measurement Workshop (IMW) 2002, pp. 273–284, Marseille, France, November 2002
Moore, D., Shannon, C., Voelker, G., Savage, S.: Internet quarantine: requirements for containing self-propagating code. In: Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies, INFOCOM 2003, vol. 3, pp. 1901–1910. IEEE, March–April 2003
Morris, J.A., Gardner, M.J.: Calculating confidence intervals for relative risks (odds ratios) and standardised ratios and rates. Br. Med. J. (Clin. Res. Ed.) 296(6632), 1313–1316 (1988)
Occupational Safety & Health Administration: SIC Manual. http://www.osha.gov/pls/imis/sic_manual.html
Porras, P., Briesemeister, L., Skinner, K., Levitt, K., Rowe, J., Ting, Y.-C.A.: A hybrid quarantine defense. In: Proceedings of the 2004 ACM Workshop on Rapid Malcode, WORM 2004, pp. 73–82. ACM, New York (2004)
Schulz, K.F., Grimes, D.A.: Case-control studies: research in reverse. Lancet 359(9304), 431–434 (2002)
Shannon, C., Moore, D.: The spread of the witty worm. IEEE Secur. Priv. 2(4), 46–50 (2004)
Staniford, S., Paxson, V., Weaver, N.: How to own the internet in your spare time. In: Proceedings of the 11th USENIX Security Symposium, pp. 149–167. USENIX Association, Berkeley (2002)
Symantec: Stuxnet 0.5: The Missing Link, February 2013. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf
Symantec: Internet Security Threat Report, vol. 19, April 2014. http://www.symantec.com/threatreport/
Symantec Security Response: The Luckycat Hackers, White paper. http://www.symantec.com/security_response/whitepapers.jsp
Thonnard, O., Bilge, L., O’Gorman, G., Kiernan, S., Lee, M.: Industrial espionage and targeted attacks: understanding the characteristics of an escalating threat. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 64–85. Springer, Heidelberg (2012)
Torra, V.: The weighted OWA operator. Int. J. Intell. Syst. 12(2), 153–166 (1997)
Trend Micro: Luckycat Redux: Inside an APT Campaign with Multiple Targets in India and Japan. Trend Micro Research Paper (2012). http://www.trendmicro.co.uk/media/wp/luckycat-redux-whitepaper-en.pdf
Wang, C., Knight, J.C., Elder, M.C.: On computer viral infection and the effect of immunization. In: Proceedings of the 16th Annual Computer Security Applications Conference, ACSAC 2000, p. 246. IEEE Computer Society, Washington, DC (2000)
Yager, R.: On ordered weighted averaging aggregation operators in multicriteria decision-making. IEEE Trans. Syst. Man Cybern. 18(1), 183–190 (1988)
Zou, C., Towsley, D., Gong, W.: Email worm modeling and defense. In: Proceedings of the 13th International Conference on Computer Communications and Networks (ICCCN 2004), pp. 409–414, October 2004
Zou, C.C., Gong, W., Towsley, D.: Code Red worm propagation modeling and analysis. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, pp. 138–147. ACM, New York (2002)
Zou, C.C., Gong, W., Towsley, D.: Worm propagation modeling and analysis under dynamic quarantine defense. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode, WORM 2003, pp. 51–60. ACM, New York (2003)
Appendices
Appendix A: Detailed Odds Ratio (OR) Results
Appendix B: Combining Odds Ratios using Multi-Criteria Decision Analysis
We use Multi-Criteria Decision Analysis (MCDA) to design an aggregation model for the calculation of combined risk scores, taking as input all odds ratios associated with the individual features. A typical MCDA problem consists in evaluating a set of alternatives w.r.t. different criteria using an aggregation function [3]. The outcome of this evaluation is a global score obtained with a well-defined aggregation model that incorporates a set of constraints reflecting the preferences and expectations of the decision-maker (Table 4).
An aggregation function is defined as a monotonically increasing function of n arguments \((n > 1)\): \(f_{aggr}: {\left[ 0,1\right] }^n \longrightarrow \left[ 0,1\right] \) (Table 5).
In the family of averaging aggregation functions, the Ordered Weighted Average (OWA) operator extends these functions by combining two characteristics: (i) a weighting vector (like in a classical weighted mean), and (ii) sorting the inputs (usually in descending order). OWA is defined as [37]:
where \(\mathbf {x}_{\searrow }\) is used to represent the vector \(\mathbf {x}\) arranged in decreasing order: \(x_{(1)} \ge x_{(2)} \ge \ldots \ge x_{(n)}\). This allows a decision-maker to design more complex decision modeling schemes, in which we can ensure that only a portion of the criteria is satisfied without any preference on which ones precisely (e.g., “at least” k criteria satisfied out of n). OWA differs from a classical weighted mean in that the weights are not associated with particular inputs, but rather with their magnitude. It can thus emphasize a subset of the largest, smallest or mid-range values (Table 6).
It may also be useful to take into account the reliability of each information source in the aggregation model, as the Weighted Mean (WM) does. Torra [34] thus proposed a generalization of OWA, called Weighted OWA (WOWA). This aggregation function quantifies the reliability of the information sources with a vector \(\mathbf p \) (as the weighted mean does) and, at the same time, weights the values according to their relative ordering with a second vector \(\mathbf w \) (as the OWA operator does). It is defined by [34]:
where \(x_{(i)}\) is the \(i^{th}\) largest component of \(\mathbf {x}\) and the weights \(u_i\) are defined as
where the set \(H_i = \lbrace j \vert x_j \ge x_i \rbrace \) is the set of indices of the i largest elements of \(\mathbf {x}\), and G is a monotone non-decreasing function that interpolates the points \((i/n, \sum _{j \le i} w_j)\) together with the point (0, 0). Moreover, G is required to have the following two properties:
1. \(G(i/n) = \sum _{j \le i} w_j\), \(i = 0, \ldots , n\);
2. G is linear if the points \((i/n, \sum _{j \le i} w_j)\) lie on a straight line.
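The following example, added here and not part of the paper or its authors' code, carries the two pieces of the method described above through in one script: it computes an odds ratio with a 95% confidence interval from a 2x2 case-control table for each candidate risk factor (the abstract's step, using the log-odds method of Morris and Gardner), and then combines those per-factor values with the OWA operator of Yager [37] and the WOWA operator of Torra [34] as defined in this appendix. The equations themselves are not reproduced on this page, so the code follows the cited definitions: OWA is the weighted sum of the inputs sorted in decreasing order, and WOWA weights \(x_{(i)}\) by \(u_i = G(\sum_{j \in H_i} p_j) - G(\sum_{j \in H_i \setminus \{i\}} p_j)\). Three things are assumptions of this example rather than the paper's choices: the 2x2 counts are constructed, the map OR/(1+OR) used to bring an odds ratio into the unit interval an aggregation function expects, and the piecewise-linear interpolation chosen for G (the simplest function meeting the two properties listed above).

```python
"""Per-factor odds ratios, then a combined risk score via OWA / WOWA (added example)."""
import math
from typing import Callable, Dict, Sequence, Tuple

# Constructed 2x2 case-control tables, one per candidate risk factor (made-up counts).
# Layout: (a, b, c, d) = (exposed cases, exposed controls, unexposed cases, unexposed controls);
# "cases" are recipients of a targeted attack, "controls" are not.
SAMPLE_TABLES: Dict[str, Tuple[int, int, int, int]] = {
    "sector_manufacturing": (120, 80, 380, 420),
    "size_large_org":       (200, 150, 300, 350),
    "public_profile":       (90, 45, 410, 455),
    "size_small_org":       (50, 120, 450, 380),   # protective factor: OR < 1
}


def odds_ratio(a: int, b: int, c: int, d: int, z: float = 1.96) -> Tuple[float, float, float]:
    """Odds ratio (ad/bc) with a confidence interval on the log scale (Morris & Gardner).
    z = 1.96 gives a 95% interval. Returns (OR, lower, upper)."""
    if min(a, b, c, d) <= 0:
        raise ValueError("all four cell counts must be positive for the log-OR interval")
    or_ = (a * d) / (b * c)
    se_log = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)   # Woolf's standard error of ln(OR)
    lo = math.exp(math.log(or_) - z * se_log)
    hi = math.exp(math.log(or_) + z * se_log)
    return or_, lo, hi


def or_to_unit(or_: float) -> float:
    """Map an odds ratio in (0, inf) onto [0, 1]. OR/(1+OR) is the odds-to-probability map,
    so OR = 1 (no association) lands on 0.5. ASSUMPTION of this example, not the paper's."""
    return or_ / (1.0 + or_)


def _check_weights(w: Sequence[float], name: str) -> None:
    if abs(sum(w) - 1.0) > 1e-9 or any(wi < 0 for wi in w):
        raise ValueError(f"{name} must be non-negative and sum to 1")


def owa(x: Sequence[float], w: Sequence[float]) -> float:
    """Yager's OWA: weights attach to rank positions (largest first), not to inputs."""
    if len(x) != len(w):
        raise ValueError("w needs one weight per input")
    _check_weights(w, "w")
    x_desc = sorted(x, reverse=True)                    # x_(1) >= x_(2) >= ... >= x_(n)
    return sum(wi * xi for wi, xi in zip(w, x_desc))


def piecewise_linear_g(w: Sequence[float]) -> Callable[[float], float]:
    """Build G: a monotone function through (0,0) and the points (i/n, sum_{j<=i} w_j).
    Piecewise-linear interpolation (ASSUMPTION) satisfies both required properties:
    it hits every point exactly, and is a single line if the points are collinear."""
    n = len(w)
    cum = [0.0]
    for wi in w:
        cum.append(cum[-1] + wi)

    def g(t: float) -> float:
        if t >= 1.0:
            return cum[n]
        k = min(int(t * n), n - 1)                      # segment index
        frac = (t - k / n) * n                          # position inside segment, in [0, 1)
        return cum[k] + (cum[k + 1] - cum[k]) * frac
    return g


def wowa(x: Sequence[float], w: Sequence[float], p: Sequence[float]) -> float:
    """Torra's WOWA: p weights sources (reliability), w weights rank positions."""
    n = len(x)
    if not (len(w) == len(p) == n):
        raise ValueError("x, w and p must have the same length")
    _check_weights(w, "w")
    _check_weights(p, "p")
    g = piecewise_linear_g(w)
    order = sorted(range(n), key=lambda i: x[i], reverse=True)   # indices of x_(1)..x_(n)
    total, acc = 0.0, 0.0
    for i in order:
        # u_i = G(sum of p over H_i) - G(sum of p over H_i without i); H_i = the i largest
        prev = g(acc)
        acc += p[i]
        total += (g(acc) - prev) * x[i]
    return total


def combined_risk(tables: Dict[str, Tuple[int, int, int, int]],
                  w: Sequence[float], p: Dict[str, float]) -> float:
    """Combined risk score: per-factor OR -> unit interval -> WOWA aggregation."""
    names = list(tables)
    scores = [or_to_unit(odds_ratio(*tables[k])[0]) for k in names]
    return wowa(scores, w, [p[k] for k in names])


if __name__ == "__main__":
    for name, table in SAMPLE_TABLES.items():
        o, lo, hi = odds_ratio(*table)
        print(f"{name:22s} OR={o:.2f}  95% CI [{lo:.2f}, {hi:.2f}]")
    # w = (0,1,0,0): score is the 2nd-largest factor, i.e. "at least 2 of 4 factors elevated";
    # p: how much each source is trusted (constructed values).
    w_at_least_2 = [0.0, 1.0, 0.0, 0.0]
    p_reliability = {"sector_manufacturing": 0.4, "size_large_org": 0.3,
                     "public_profile": 0.2, "size_small_org": 0.1}
    print("combined risk:", round(combined_risk(SAMPLE_TABLES, w_at_least_2, p_reliability), 4))
```

Two sanity checks worth keeping in mind when wiring this up: with a uniform reliability vector p, WOWA reduces to plain OWA, and with a uniform position vector w (which makes G the identity) it reduces to the weighted mean, so either degenerate case can be used to validate an implementation of G before trusting mixed settings.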
© 2015 Springer-Verlag Berlin Heidelberg
Thonnard, O., Bilge, L., Kashyap, A., Lee, M. (2015). Are You at Risk? Profiling Organizations and Individuals Subject to Targeted Attacks. In: Böhme, R., Okamoto, T. (eds) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science(), vol 8975. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47854-7_2
DOI: https://doi.org/10.1007/978-3-662-47854-7_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-47853-0
Online ISBN: 978-3-662-47854-7