• DocumentCode
    29533
  • Title

    A Large-Scale Study of the Time Required to Compromise a Computer System

  • Author

    Holm, Hannes

  • Author_Institution
    Dept. of Ind. Inf. & Control Syst., R. Inst. of Technol., Stockholm, Sweden
  • Volume
    11
  • Issue
    1
  • fYear
    2014
  • fDate
    Jan.-Feb. 2014
  • Firstpage
    2
  • Lastpage
    15
  • Abstract
    A frequent assumption in the domain of cybersecurity is that cyberintrusions follow the properties of a Poisson process, i.e., that the number of intrusions is well modeled by a Poisson distribution and that the time between intrusions is exponentially distributed. This paper studies this property by analyzing all cyberintrusions that have been detected across more than 260,000 computer systems over a period of almost three years. The results show that the assumption of a Poisson process model might be suboptimal: the log-normal distribution is a significantly better fit in terms of modeling both the number of detected intrusions and the time between intrusions, and the Pareto distribution is a significantly better fit in terms of modeling the time to first intrusion. The paper also analyzes whether time to compromise (TTC) increases for each successful intrusion of a computer system. The results regarding this property suggest that time to compromise decreases with the number of intrusions of a system.
  • Keywords
    Pareto distribution; Poisson distribution; exponential distribution; log normal distribution; security of data; stochastic processes; Poisson process; TTC; computer system; cyberintrusions; cybersecurity; intrusion detection; log-normal distribution; time to compromise; Computational modeling; Malware; Statistical distributions; Workstations; Invasive software (viruses, worms, Trojan horses); network management; risk management
  • fLanguage
    English
  • Journal_Title
    Dependable and Secure Computing, IEEE Transactions on
  • Publisher
    IEEE
  • ISSN
    1545-5971
  • Type

    jour

  • DOI
    10.1109/TDSC.2013.21
  • Filename
    6506084