2.3 Loss as a Function of the Time of the Discovery
The 0-delay model may also be applied to compute $\mathit{Aver}(I(na, nd, t))$, the average loss as a function of the time $t$ when a defender discovers V. This loss is interesting because it defines an upper bound on the owner investment in the checks to be executed to discover attacks that may have occurred before $t$, i.e. before patching the infrastructure [22]. These checks are the first step to recover the loss due to the attacks but, since they may be rather expensive, an estimate of the loss enables the owner to choose whether it is more convenient to simply accept any loss that may have occurred before $t$.
Because of the assumptions of the 0-delay model, we have that

$$\mathit{Aver}(I(na, nd, t)) = \mathit{Uloss}_A \cdot ns_A \cdot \mathit{Aver}(\mathit{Svw}(k \mid t, na, nd))$$
where $\mathit{Uloss}_A$ and $ns_A$ have the usual meaning and $\mathit{Svw}(k \mid t, na, nd)$ is the probability that the size of the vulnerability window is $k$ provided that the defenders have discovered V at time $t$.
$\mathit{Aver}(\mathit{Svw}(k \mid t, na, nd))$, the average size of the windows, depends upon $P(vw = k > 0 \mid td = t, na, nd)$, the probability that $vw = k$ provided that there are $na$ attackers, $nd$ defenders and $td = t$. Since $td = t$ and $vw = k$ jointly imply $ta = t - k$, because if the attackers discover V at $t - k$ and the size of the vulnerability window is $k$, then the attackers have discovered V at time $t - k$, we have that

$$P(vw = k \mid td = t, na, nd) = P(ta = t - k \mid td = t, na, nd) \qquad (2)$$

Since the probability that the attackers find V is independent of the one that the defenders find V, the following equality holds:

$$P(ta = t - k \mid td = t, na, nd) = P(ta = t - k \mid na, nd) \cdot P(td = t \mid na, nd)$$
By replacing the equality in the right hand side of (2), we have that

$$P(ta = t - k \mid td = t, na, nd) = (1 - Pd(nd))^{t-1} \cdot Pd(nd) \cdot (1 - Pa(na))^{t-k-1} \cdot Pa(na).$$
We apply now the 0-delay model to compute the average size of the vulnerability window. According to the model, $\mathit{Aver}(\mathit{Svw}(k \mid t, na, nd))$ is equal to

$$(1 - Pa(na))^{t-1} \cdot (1 - Pd(nd))^{t-1} \cdot Pa(na) \cdot Pd(nd) \cdot \sum_{k=1}^{t-1} k \cdot \frac{1}{(1 - Pa(na))^{k}}$$
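The expressions above can be evaluated numerically. The following is an added example, not code from the original text: it computes the average window size both as a direct sum over k and in the factored form, then the resulting average loss. The names `pa`, `pd`, `uloss_a` and `ns_a` stand for Pa(na), Pd(nd) and the Uloss and ns values for A, and all numeric values are constructed.

```python
# Added example: evaluates the page's 0-delay expressions numerically.
# pa, pd stand for Pa(na), Pd(nd); all numeric values are constructed.

def p_window(k, t, pa, pd):
    """P(ta = t-k | td = t, na, nd) as written on the page:
    (1-Pd)^(t-1) * Pd * (1-Pa)^(t-k-1) * Pa, defined for 1 <= k <= t-1."""
    if not 1 <= k <= t - 1:
        return 0.0  # the window is bounded by the time since deployment
    return (1 - pd) ** (t - 1) * pd * (1 - pa) ** (t - k - 1) * pa

def aver_svw_direct(t, pa, pd):
    """Average window size: sum over k of k * p_window(k, ...)."""
    return sum(k * p_window(k, t, pa, pd) for k in range(1, t))

def aver_svw_factored(t, pa, pd):
    """Same sum with the factors that do not depend on k pulled out."""
    prefix = ((1 - pa) * (1 - pd)) ** (t - 1) * pa * pd
    return prefix * sum(k / (1 - pa) ** k for k in range(1, t))

def aver_loss(uloss_a, ns_a, t, pa, pd):
    """Aver(I(na, nd, t)) = Uloss_A * ns_A * Aver(Svw(k | t, na, nd))."""
    return uloss_a * ns_a * aver_svw_direct(t, pa, pd)

if __name__ == "__main__":
    pa, pd = 0.02, 0.05  # constructed per-step discovery probabilities
    for t in (2, 10, 30, 60):
        print(t, aver_svw_direct(t, pa, pd), aver_loss(1000.0, 3, t, pa, pd))
```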
To simplify this expression, we exploit the fact that an estimate of the impact is important only when V has been discovered after a fairly long time from the infrastructure deployment. In fact, if the infrastructure is patched shortly after being deployed, the loss cannot be very large because the size of the window is bounded by the time from the deployment. Hence, we are interested in the loss if the value of $ta$ is large and, in this case, the following approximation holds