The dark side of vulnerability exploitation: a proposal for a research analysis

Software security research has put much effort into evaluating security as a function of the expected number of vulnerabilities and their criticality. As hackers become more sophisticated and economically driven, I argue that exploitation activity is a far more informative index of risk than the number of vulnerabilities: the economics of the black market can shed light on attack processes and trends, and can be very useful in assessing security more accurately and in rethinking patching behavior and patch priority.
