NCSRA-III objective: 3
Time: 11:15 – 12:30
Chaired by Dr. Wim Hafkamp, Rabobank
- Inferring the Security Performance of Providers from Noisy Abuse Data and the Role of Providers
Dr. Arman Noroozian, TUD
Abuse data offers one of the very few empirical measurements of the security performance of defenders. As such, it can play an important role in strengthening and aligning the security incentives in a variety of markets. Using abuse data to measure security performance suffers from a number of problems, however. Abuse data is notoriously noisy, highly heterogeneous, often incomplete, biased, and driven by a multitude of causal factors that are hard to disentangle.
We present the first comprehensive approach to measure defender security performance from a combination of heterogeneous abuse datasets, taking all of these issues into account. We present a causal model of incidents, test for biases across seven abuse datasets and then propose a new modeling approach. Using Item Response Theory, we estimate the security performance of providers as a latent, unobservable trait. The approach also allows us to quantify the uncertainty of the performance estimates. Despite the uncertainties, we demonstrate the effectiveness of the approach by using the security performance estimates to predict a large portion of the variance in the abuse counts observed in independent datasets, after controlling for various exposure effects such as the size and business type of the providers.
- Quantifying risk of attack against an organization’s infrastructure
Dr. Luca Allodi, TU/e
Current industry standards for estimating cyber security risk are based on qualitative risk matrices as opposed to quantitative risk estimates. In contrast, risk assessment in most other industry sectors aims at deriving quantitative risk estimations (for example Basel II in Finance). In this talk we present a model and methodology to leverage the large amount of data available from the IT infrastructure of an organization’s Security Operation Center to quantitatively estimate the probability of (untargeted) attacks.
Our methodology factors in the power of the attacker as the number of ‘weaponized’ vulnerabilities he/she can exploit, and can be adjusted to match the risk appetite of the organization. We illustrate our methodology by using data from a large financial institution, and discuss the significant mismatch between traditional qualitative risk assessments and our quantitative approach.
- Booters: DDoS attacks as a Paid Service
Jair Santanna, UT
Jair Santanna is an Assistant Professor at the University of Twente and he will talk about "Booters -- DDoS Attacks as a Paid Service." Jair will focus his presentation on revealing findings about public Websites that offer DDoS attacks. Large network security companies (e.g., Akamai and Incapsula) have pointed to these Websites as the primary reason for the increase of attacks, both in occurrences and in power. Jair will give us an enthusiastic presentation on what he has observed over four years of research and discuss future directions to address the problem.