« Processing ported to Javascript. | Main | Bay to Breakers == Success »

Game Theory of Malware article online.

I wrote an article on the game theory of emergent threats that is now online. It is based on presentations from earlier this year. You can grab the article here.

As a sidenote, Amrit thinks that security people like to talk about game theory because they like to play video games. I of course strongly disagree. I will have you know the only video game I still like to play is portfolio explosion on e-trade.

Comments (3)

Lol - You're a scientist dude, you can use game theory all day long if you like :-)

This seems like a deeply flawed analysis based on a misunderstanding of game theory (there is no real game theory here).

1) Game theory will not dictate which strategy to use 100% of the time, but how often to use each strategy. If you use the matrix as suggested your strategy will be completely predictable and you will always lose.

2) The game as described is so oversimplistic as to be irrelevant. If a computer is unprotected then it is probably infected -- it follows that you're torn between attacking unprotected machines that are infected (likely to be low value) or protected machines that are not infected (high value, lower probability of success).

All of this is by way of an attempt to show that Windows (with real live malware varieties in the hundreds of thousands) might actually be more secure than Mac OS (with, basically, no live malware to speak of) because probability of success x size of target is bigger for Windows. What 10,000+ times bigger? Really?

If you consider that Mac OS targets are more homogeneous (Windows is after all divided into many different subgenres) and less likely to already be hosting malware, this makes it a disproportionately juicy target for its size. But that doesn't suit your conclusion.

Is Windows Vista really more secure than Mac OS X? The fundamental killer these days is Trojans. Apple nags you once when you launch a downloaded app or script and gives you easily readable and intelligible information about it. Windows confuses you with all kinds of false alarms. In the end the determining factor will be -- how likely is a distracted user to click "OK" on the wrong dialog, and this is clearly a huge problem for Windows.

A trojan with user-level privileges can simply destroy everything in user space if destructive, or run in the background if not. Nothing you do in admin space matters ... the user's data is the valuable asset, and the ability to execute is the valuable asset to bots.

Adam J. O'Donnell:

In response to the previous commenter:

1) Game theory will not dictate...

---

1) This statement is incorrect for multiple reasons. Game theory doesn't dictate anything, it provides a means of analysis. There are many situations which arise in such analyses where only one strategy is appropriate, such as when a strictly dominant strategy exists. What you are referring to is a mixed-strategy equilibria.

---

2) The game as described is so oversimplistic as to be irrelevant...

---
Attackers optimize between attacking large populations of defended systems or attacking small populations of undefended systems. The current state of infection has nothing to do with which one is a better system to attack, but if you wish, it could be incorporated into the probability of success metric. Data has shown that malware often happily coexists on systems. Please refer to data collected by WebRoot and presented by Dan Geer here.

---

All of this is by way of an attempt to show that Windows...

---
Why does hundreds of thousands of pieces of windows malware exist for one platform and not the other when malware writers have been depending upon social engineering for new infections? The work is an attempt to explain exactly that market anomaly.

---

If you consider that Mac OS targets are more homogeneous...
---

I don't see how one leads to the other. Also, Microsoft strives to allow one binary to run on multiple versions of Windows.

---

Is Windows Vista really more secure than Mac OS X?

---

As I said in the work, in a small number of experiments, attackers were able to break into OSX machines far more quickly than Vista machines. Why are there more Windows attacks than Mac OSX attacks? Again, it comes down to an issue of market share.

---

A trojan with user-level privileges can simply destroy everything in user space...

---

I agree with that statement, but what is the point?

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

About

This page contains a single entry from the blog posted on May 22, 2008 5:59 PM.

The previous post in this blog was Processing ported to Javascript..

The next post in this blog is Bay to Breakers == Success.

Many more can be found on the main index page or by looking through the archives.

Powered by
Movable Type 3.33