Abstract
The 0-delay model is a mathematical model for evaluating the average impact of attacks on a billing infrastructure, that is, an infrastructure that supports the billing of a set of users for some service. The model describes the search for vulnerabilities as a competition between a set of attackers and a set of defenders, who are interested, respectively, in attacking and in patching the infrastructure. As its name implies, the model assumes that both the attack and the patching occur as soon as the vulnerability is discovered. The model assumes that the impact increases with the size of the vulnerability window, that is, the time between the discovery of the vulnerability by an attacker and its discovery by a defender, and it relates this size to the number of attackers and the number of defenders. After describing the model, we describe some applications and generalizations.
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Baiardi, F., Telmon, C. (2005). A Theoretical Model for the Average Impact of Attacks on Billing Infrastructures. In: Gorodetsky, V., Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2005. Lecture Notes in Computer Science, vol 3685. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11560326_23
DOI: https://doi.org/10.1007/11560326_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29113-8
Online ISBN: 978-3-540-31998-6
eBook Packages: Computer Science, Computer Science (R0)