TY - GEN
T1 - Harnessing uncertainty in vulnerability market
AU - Li, Zhen
AU - Liao, Qi
N1 - Publisher Copyright: © 2018 IEEE.
PY - 2018/10/9
Y1 - 2018/10/9
N2 - Zero-day vulnerabilities pose significant threats in computer and network security, and have attracted attention in recent years not only from malicious attackers but also from government and law enforcement users who need to control (e.g., for forensic purposes) computer systems which are otherwise inaccessible through traditional channels. Based on the observation that vulnerabilities are acquired and traded in a different way than commodities, we study and propose a vulnerability market model by taking into consideration cheating and uncertainty in the market. The paper illustrates the interactions between the vulnerability sellers and buyers in a game theoretic framework. By modeling the economic aspects of the vulnerability market with a focus on information asymmetry and distinctive incentives of malicious and defensive buyers, we propose active and strategic market participation by defenders to obtain vulnerability information from the marketplace in a cost-effective way. Rather than killing the market, defenders can take advantage of the incomplete information feature of the vulnerability market to improve cyber-security. To further maximize the uncertainty, defenders may also play on the supply side of the vulnerability market to provide low- or no-value vulnerabilities to dilute the market.
KW - Asymmetric Information
KW - Computer Security
KW - Economics
KW - Game Theory
KW - Uncertainty
KW - Zero-day Vulnerability Market
UR - http://www.scopus.com/inward/record.url?scp=85060496750&partnerID=8YFLogxK
U2 - 10.1109/ICCCN.2018.8487368
DO - 10.1109/ICCCN.2018.8487368
M3 - Conference contribution
AN - SCOPUS:85060496750
T3 - Proceedings - International Conference on Computer Communications and Networks, ICCCN
BT - ICCCN 2018 - 27th International Conference on Computer Communications and Networks
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 27th International Conference on Computer Communications and Networks, ICCCN 2018
Y2 - 30 July 2018 through 2 August 2018
ER -