nach oben

Erschienen in:

2016 | OriginalPaper | Buchkapitel

Revenue Maximizing Markets for Zero-Day Exploits

verfasst von : Mingyu Guo, Hideaki Hata, Ali Babar

Erschienen in: PRIMA 2016: Principles and Practice of Multi-Agent Systems

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Markets for zero-day exploits (software vulnerabilities unknown to the vendor) have a long history and a growing popularity. We study these markets from a revenue-maximizing mechanism design perspective. We first propose a theoretical model for zero-day exploits markets. In our model, one exploit is being sold to multiple buyers. There are two kinds of buyers, which we call the defenders and the offenders. The defenders are buyers who buy vulnerabilities in order to fix them (e.g., software vendors). The offenders, on the other hand, are buyers who intend to utilize the exploits (e.g., national security agencies and police). Our model is more than a single-item auction. First, an exploit is a piece of information, so one exploit can be sold to multiple buyers. Second, buyers have externalities. If one defender wins, then the exploit becomes worthless to the offenders. Third, if we disclose the details of the exploit to the buyers before the auction, then they may leave with the information without paying. On the other hand, if we do not disclose the details, then it is difficult for the buyers to come up with their private valuations. Considering the above, our proposed mechanism discloses the details of the exploit to all offenders before the auction. The offenders then pay to delay the exploit being disclosed to the defenders.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Sequence Semantics for Normative Agents

Nächstes Kapitel Distant Group Responsibility in Multi-agent Systems

Example such companies include ZeroDium and Vupen [6].

Algarni, A.M., Malaiya, Y.K.: Software vulnerability markets: discoverers and buyers. Int. J. Comput. Electr. Autom. Control Inf. Eng. 8(3), 71–81 (2014)

Bilge, L., Dumitras, T.: Before we knew it: an empirical study of zero-day attacks in the real world. In: Proceedings of 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 833–844. ACM, New York (2012). http://doi.acm.org/10.1145/2382196.2382284

Brams, S.J., Jones, M.A., Klamler, C.: Better ways to cut a cake - revisited. In: Brams, S., Pruhs, K., Woeginger, G. (eds.) Fair Division. No. 07261 in Dagstuhl Seminar Proceedings, Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany, Dagstuhl, Germany (2007)

Chen, Y., Lai, J., Parkes, D., Procaccia, A.: Truth, justice, and cake cutting. In: Proceedings of the National Conference on Artificial Intelligence (AAAI), Atlanta, GA, USA (2010)

Egelman, S., Herley, C., van Oorschot, P.C.: Markets for zero-day exploits: ethics and implications. In: Proceedings of 2013 Workshop on New Security Paradigms Workshop, NSPW 2013, pp. 41–46. ACM, NewYork (2013). http://doi.acm.org/10.1145/2535813.2535818

Fisher, D.: Vupen founder launches new zero-day acquisition firm zerodium, 24 July 2015. https://threatpost.com/vupen-launches-new-zero-day-acquisition-firm-zerodium/113933/

Goemans, M., Skutella, M.: Cooperative facility location games. J. Algorithms 50, 194–214 (2004). Early version: SODA 2000, 76–85MathSciNetCrossRefMATH

Greenberg, A.: Shopping for zero-days: a price list for hackers’ secret software exploits, 23 March 2012. http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

Guo, M., Conitzer, V.: Computationally feasible automated mechanism design: general approach and case studies. In: Proceedings of the National Conference on Artificial Intelligence (AAAI), Atlanta, GA, USA, pp. 1676–1679 (2010). Nectar Track

10.

Likhodedov, A., Sandholm, T.: Methods for boosting revenue in combinatorial auctions. In: Proceedings of the National Conference on Artificial Intelligence (AAAI), San Jose, CA, USA, pp. 232–237 (2004)

11.

Likhodedov, A., Sandholm, T.: Approximating revenue-maximizing combinatorial auctions. In: Proceedings of the National Conference on Artificial Intelligence (AAAI), Pittsburgh, PA, USA (2005)

12.

Myerson, R.: Optimal auction design. Math. Oper. Res. 6, 58–73 (1981)MathSciNetCrossRefMATH

13.

Procaccia, A.D., Tennenholtz, M.: Approximate mechanism design without money. In: Proceedings of the ACM Conference on Electronic Commerce (EC), Stanford, CA, USA, pp. 177–186 (2009)

14.

Projects, T.C.: Severity guidelines for security issues (2015). https://www.chromium.org/developers/severity-guidelines. Accessed 15 Sept 2015

Titel: Revenue Maximizing Markets for Zero-Day Exploits
verfasst von: Mingyu Guo
Hideaki Hata
Ali Babar
Verlag: Springer International Publishing
Buch: PRIMA 2016: Principles and Practice of Multi-Agent Systems
Print ISBN: 978-3-319-44831-2

Electronic ISBN: 978-3-319-44832-9

Copyright-Jahr: 2016
DOI: https://doi.org/10.1007/978-3-319-44832-9_15

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"