Evaluating Attacker Risk Behavior in an Internet of Things Ecosystem
It addresses cybersecurity modeling for IoT by analyzing attacker risk behavior, but is incremental as it applies known game theory concepts to a specific domain.
This work investigates how attackers' risk-seeking or risk-averse behaviors impact their operations against defenders in an Internet of Things ecosystem, finding that risk-seeking attackers gain more utility than risk-averse ones, especially when defenders are better equipped than expected.
In cybersecurity, attackers range from brash, unsophisticated script kiddies and cybercriminals to stealthy, patient advanced persistent threats. When modeling these attackers, we can observe that they demonstrate different risk-seeking and risk-averse behaviors. This work explores how an attacker's risk seeking or risk averse behavior affects their operations against detection-optimizing defenders in an Internet of Things ecosystem. Using an evaluation framework which uses real, parametrizable malware, we develop a game that is played by a defender against attackers with a suite of malware that is parameterized to be more aggressive and more stealthy. These results are evaluated under a framework of exponential utility according to their willingness to accept risk. We find that against a defender who must choose a single strategy up front, risk-seeking attackers gain more actual utility than risk-averse attackers, particularly in cases where the defender is better equipped than the two attackers anticipate. Additionally, we empirically confirm that high-risk, high-reward scenarios are more beneficial to risk-seeking attackers like cybercriminals, while low-risk, low-reward scenarios are more beneficial to risk-averse attackers like advanced persistent threats.