Evaluating Attacker Risk Behavior in an Internet of Things Ecosystem

In cybersecurity, attackers range from brash, unsophisticated script kiddies and cybercriminals to stealthy, patient advanced persistent threats. When modeling these attackers, we can observe that they demonstrate different risk-seeking and risk-averse behaviors. This work explores how an attacker's risk-seeking or risk-averse behavior affects their operations against detection-optimizing defenders in an Internet of Things ecosystem. Using an evaluation framework built on real, parametrizable malware, we develop a game played by a defender against attackers with a suite of malware that is parameterized to be more aggressive and more stealthy. The results are evaluated under a framework of exponential utility according to the attackers' willingness to accept risk. We find that against a defender who must choose a single strategy up front, risk-seeking attackers gain more actual utility than risk-averse attackers, particularly in cases where the defender is better equipped than the two attackers anticipate. Additionally, we empirically confirm that high-risk, high-reward scenarios are more beneficial to risk-seeking attackers like cybercriminals, while low-risk, low-reward scenarios are more beneficial to risk-averse attackers like advanced persistent threats.
