The Work Averse Attacker Model: the *real* attacker model and its evidence from 2 million attack signatures

Wednesday, August 2, 2017, 2:00 pm - 3:00 pm PST
ISI MDR, 11th Floor Conference Room 1135
Cyber Security Seminar
Prof. Fabio Massacci

Hosted by Terry Benzel


Over 30 years have passed since Dolev & Yao's landmark paper on the attacker model, so it is time for a change!

Several attacker models have been proposed in the meantime (e.g. honest but curious, computationally bounded, etc.) but they are all based on a common conceit: the cyber attacker is assumed to be all powerful (within its model) and able to exploit all possible vulnerabilities (within its capabilities) with almost equal likelihood. So if she/he can attack a vulnerability, she/he likely will. From a defender's perspective this means that unless he secures all vulnerabilities, he will be hacked.

We have identified, and empirically validated, a novel and more realistic attacker model building on the key economic idea that inaction can sometimes be more profitable than action (especially when many victims are involved and fixed costs for weaponizing an exploit might be high). The intuition of our Work Averse Attacker Model (or WAAM) is that a mass attacker will optimally choose whether to act and weaponize a new vulnerability, or keep using existing toolkits if there are enough vulnerable users. 

The model predicts that mass attackers may 

  1. exploit only one vulnerability per software version,
  2. include only vulnerabilities with low attack complexity, and
  3. be slow at introducing new vulnerabilities into their arsenal.

We empirically test these predictions by analyzing the data collected on attacks against more than one million real systems by Symantec's WINE platform. Our analysis shows that WAAM is indeed a good approximation of reality. Substantial efficiency gains can be made by individuals and organizations by accounting for this effect when devising security countermeasures.

Joint work with Luca Allodi (TU/e) and Julian Williams (UDUR). More information on the paper here.


Fabio Massacci is a full professor at the University of Trento (IT). He is a chartered engineer and received a Ph.D. in Computing from the University of Rome La Sapienza in 1998. In his career he has visited Cambridge (UK), Toulouse (FR) and Siena (IT). He has published more than 250 articles in peer-reviewed journals and conferences and his h-index is 36+/- f(Scopus,Scholar,WOS).

In 2015 he also received the IEEE Requirements Engineering 10 years most influential paper award for his research on security requirements engineering.

His current research interest is in experimental methods for cyber security, from security testbeds to security economics. He was the European Coordinator of the project SECONOMICS on socio-economic aspects of security. Part of the ideas behind this research has now been incorporated by the Common Vulnerability Scoring Standard (CVSS) v3, just released in June 2015. He is currently working on an industrial project with CISCO on a secure supply chain for software.
