Patch Me If You Can: A Study on the Effects of Individual User Behavior on the End-Host Vulnerability State

Sarabi, Armin; Zhu, Zijue; Xiao, Chaowei; Liu, Mingyan; Dumitraş, Tudor

doi:10.1007/978-3-319-54328-4_9

Cited by 14 publications

(13 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Predicting Security Incidents. Prior work studied the feasibility of predicting future computer-security incidents [34,42,51,69,71,72,76]. Soska and Christin showed that, using publicly available indicators, they could reliably predict whether websites would be compromised within one year [76].…”

Section: Related Workmentioning

confidence: 99%

Predicting Impending Exposure to Malicious Content from User Behavior

Sharif

Urakawa

Christin

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Many computer-security defenses are reactive-they operate only when security incidents take place, or immediately thereafter. Recent efforts have attempted to predict security incidents before they occur, to enable defenders to proactively protect their devices and networks. These efforts have primarily focused on long-term predictions. We propose a system that enables proactive defenses at the level of a single browsing session. By observing user behavior, it can predict whether they will be exposed to malicious content on the web seconds before the moment of exposure, thus opening a window of opportunity for proactive defenses. We evaluate our system using three months' worth of HTTP traffic generated by 20,645 users of a large cellular provider in 2017 and show that it can be helpful, even when only very low false positive rates are acceptable, and despite the difficulty of making "on-the-fly" predictions. We also engage directly with the users through surveys asking them demographic and security-related questions, to evaluate the utility of self-reported data for predicting exposure to malicious content. We find that self-reported data can help forecast exposure risk over long periods of time. However, even on the long-term, self-reported data is not as crucial as behavioral measurements to accurately predict exposure. CCS CONCEPTS• Security and privacy → Network security; Human and societal aspects of security and privacy; • Computing methodologies → Neural networks; KEYWORDS Exposure prediction; network security; proactive security ACM Reference Format:

show abstract

Section: Related Workmentioning

confidence: 99%

Predicting Impending Exposure to Malicious Content from User Behavior

Sharif

Urakawa

Christin

et al. 2018

Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Whereas some exploits do appear quickly after disclosure in RuMarket, most exploits take around four months from disclosure date to be published. This may indicate that other factors such as effectiveness of older exploits [10], or delays in user system updates [55,64], may affect timing of appearance of a marketed exploit. To evaluate the rate of change in time of arrival of new exploits, Figure 10 reports the exploit age distribution by year of publication.…”

Section: Exploit Arrivalmentioning

confidence: 99%

Economic Factors of Vulnerability Trade and Exploitation

Allodi

2017

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists on the economics of attack acquisition and deployment. Yet, this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack scenario. In this paper we provide an empirical investigation of the economics of vulnerability exploitation, and the effects of market factors on likelihood of exploit. Our data is collected first-handedly from a prominent Russian cybercrime market where the trading of the most active attack tools reported by the security industry happens. Our findings reveal that exploits in the underground are priced similarly or above vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle of exploits is slower than currently often assumed. On the other hand, cybercriminals are becoming faster at introducing selected vulnerabilities, and the market is in clear expansion both in terms of players, traded exploits, and exploit pricing. We then evaluate the effects of these market variables on likelihood of attack realization, and find strong evidence of the correlation between market activity and exploit deployment. We discuss implications on vulnerability metrics, economics, and exploit measurement.Comment: 17 pages, 11 figures, 14 table

show abstract

“…We also found that one particular application (i.e., YUI) has no more versions supported [21]. 4. Supported means that we were able to conclude that the application used was using the version number still supported by the maintainer.…”

Section: Compare Version Between Current Usage and Supported Versionsmentioning

confidence: 96%

“…However, studies found that even with such ease, many users are unwilling to upgrade to a more recent version of applications. Reference [4] studied such behavior in four client-side applications (i.e., Chrome, Firefox, Flash Player, and Thunderbird) and found several factors that affect user behavior in deploying such patches:…”

Section: Introductionmentioning

confidence: 99%

Measurement of Unsupported Applications used in Indonesia Popular Websites

Nugroho

Steven²

2021

Jurnal Ilmiah Teknik Elektro Komputer Dan Informatika

View full text Add to dashboard Cite

A security vulnerability exists in unsupported systems, and using applications supported by their maintainer help to reduce attacks based on such vulnerabilities. However, website administrators may ignore this exercise due to various reasons. This research measures the top 1,500 websites in Indonesia on how much of them are using supported applications to prevent such attacks, based on the application version number. The measurement is performed automatically using the Wappalyzer tool. From such measurement, we found that most of the applications detected do not contain version information (70%) or invalid version number (11%). We also found that more than half of the websites measured contain at least one unsupported application. In terms of the applications used, we found that many Nginx users worryingly do not keep their server version updated, while Apache and WordPress did a good job in keeping their users using the most recent version. This study highlights the need for website administrators to have their applications up to date to the supported versions, as well as for application developers to promote application updates to their users.

show abstract

Patch Me If You Can: A Study on the Effects of Individual User Behavior on the End-Host Vulnerability State

Cited by 14 publications

References 17 publications

Predicting Impending Exposure to Malicious Content from User Behavior

Predicting Impending Exposure to Malicious Content from User Behavior

Economic Factors of Vulnerability Trade and Exploitation

Measurement of Unsupported Applications used in Indonesia Popular Websites

Contact Info

Product

Resources

About