2 The 0-Delay Model
After discussing its main underlying assumptions and constraints, we present
the 0-delay model in some detail. Then, the model is generalized by removing
some of the initial constraints.
2.1 Underlying Assumptions
Besides the one implied by its name, the most important assumptions underlying
the 0-delay model concern the existence of one vulnerability, denoted by V,
and the fact that the billing infrastructure is deployed even if V has not been
removed. The former will be discussed in the next section. The latter is
generally satisfied because it may not be cost effective to deploy the
infrastructure only after removing any vulnerability. Furthermore, the
infrastructure owner has a proactive attitude towards the search for
vulnerabilities. Given the existence of V and the proactive owner attitude, two
sets of people are searching for V: the attackers and the defenders. The
attackers search for V to define and implement an attack; the defenders,
instead, to patch the infrastructure.
In the 0-delay model, time is considered as a sequence of intervals with the
same size δt; in the following, "at time t" means "during the t-th interval". If
a defender finds V, the patch is defined and applied to the infrastructure in
the same interval. We assume that the time to develop a patch is independent of
the number of defenders and that δt is larger than the time to start and
complete the patching process. If a defender finds V at time t, any attack
implemented after t fails. If, instead, an attacker finds V at time t before any
defender, then at the same time the attack occurs and the loss begins. The loss
ends only when, and if, the defender finds V and patches the infrastructure.
Notice that δt depends upon the considered infrastructure and that it cannot be
reduced at will, because it should suffice both to define and execute an attack
and to define and apply the patch. The probability of discovering V is the same
for any interval, although it may be different for an attacker and for a
defender. This problem will be detailed in the following.
A further assumption concerns the absence of information exchange between
the attackers and the defenders or within each set during the search. Hence, no
information from other people is available to speed up the search. However, as
soon as the attack has been discovered, it is immediately broadcast to anyone
that can implement it and all the attacks are immediately executed. This is a
worst-case for the defenders because any delay in the execution of attacks reduces
the loss. Furthermore, if the attacks are not simultaneous, the detection of one
attack may simplify the search of the defenders.
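The timing assumptions above can be checked numerically. The following is an added example, not code from the original text: it treats the attacker and defender discovery times as independent geometric variables and compares a closed-form mean for the number of intervals the loss runs against a simulation. The per-interval probabilities `p_att` and `p_def`, the function names, and the rule that a discovery by both sides in the same interval causes no loss are assumptions of this example.

```python
import random

def expected_exposure(p_att, p_def):
    """Mean number of intervals between the attack and the patch.

    Assumes independent geometric discovery times. The attacker is first
    with probability p_att*(1-p_def) / (p_att + p_def - p_att*p_def); by
    memorylessness the defender then needs 1/p_def more intervals on average.
    """
    p_attacker_first = p_att * (1 - p_def) / (p_att + p_def - p_att * p_def)
    return p_attacker_first / p_def

def discovery_time(p, rng):
    """1-based index of the first interval in which V is found."""
    t = 1
    while rng.random() >= p:
        t += 1
    return t

def simulate(p_att, p_def, runs, seed=1):
    """Return (mean exposure in intervals, fraction of runs with a loss)."""
    rng = random.Random(seed)
    total = 0
    attacked = 0
    for _ in range(runs):
        t_att = discovery_time(p_att, rng)
        t_def = discovery_time(p_def, rng)
        # Loss runs from the attacker's discovery until the patch.
        # Assumption: a tie (same interval) means the patch wins, no loss.
        window = max(0, t_def - t_att)
        attacked += window > 0
        total += window
    return total / runs, attacked / runs

if __name__ == "__main__":
    p_att, p_def = 0.05, 0.10   # constructed sample probabilities
    mean, frac = simulate(p_att, p_def, runs=100_000)
    print(f"closed form: {expected_exposure(p_att, p_def):.3f} intervals")
    print(f"simulated:   {mean:.3f} intervals, attack in {frac:.1%} of runs")
```

Multiplying the exposure by δt gives the corresponding time span for a given infrastructure.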
The model assumes that the impact of an attack is proportional to the size
of the vulnerability window and that the lifetime of the infrastructure is
unbounded, i.e. the infrastructure is updated only to remove any vulnerability.
The latter is realistic only for the long-term components of the
infrastructure, such as the hardware of an ATM or a meter in the user's house.
Hence, the model should