消费者和企业环境中遭遇恶意软件的系统性和系统性风险的比较

IF 3 4区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS ACM Transactions on Privacy and Security Pub Date : 2022-10-03 DOI:10.1145/3565362
Savino Dambra, Leyla Bilge, D. Balzarotti
{"title":"消费者和企业环境中遭遇恶意软件的系统性和系统性风险的比较","authors":"Savino Dambra, Leyla Bilge, D. Balzarotti","doi":"10.1145/3565362","DOIUrl":null,"url":null,"abstract":"Malware is still a widespread problem, and it is used by malicious actors to routinely compromise the security of computer systems. Consumers typically rely on a single AV product to detect and block possible malware infections, while corporations often install multiple security products, activate several layers of defenses, and establish security policies among employees. However, if a better security posture should lower the risk of malware infections, then the actual extent to which this happens is still under debate by risk analysis experts. Moreover, the difference in risks encountered by consumers and enterprises has never been empirically studied by using real-world data. In fact, the mere use of third-party software, network services, and the interconnected nature of our society necessarily exposes both classes of users to undiversifiable risks: Independently from how careful users are and how well they manage their cyber hygiene, a portion of that risk would simply exist because of the fact of using a computer, sharing the same networks, and running the same software. In this work, we shed light on both systemic (i.e., diversifiable and dependent on the security posture) and systematic (i.e., undiversifiable and independent of the cyber hygiene) risk classes. Leveraging the telemetry data of a popular security company, we compare, in the first part of our study, the effects that different security measures have on malware encounter risks in consumer and enterprise environments. In the second part, we conduct exploratory research on systematic risk, investigate the quality of nine different indicators we were able to extract from our telemetry, and provide, for the first time, quantitative indicators of their predictive power. Our results show that even if consumers have a slightly lower encounter rate than enterprises (9.8% vs. 12.0%), the latter do considerably better when selecting machines with an increasingly higher uptime (89% vs. 53%). The two segments also diverge when we separately consider the presence of Adware and Potentially Unwanted Applications (PUA) and the generic samples detected through behavioral signatures: While consumers have an encounter rate for Adware and PUA that is 6 times higher than enterprise machines, those on average match behavioral signatures 2 times more frequently than the counterpart. We find, instead, similar trends when analyzing the age of encountered signatures, and the prevalence of different classes of traditional malware (such as Ransomware and Cryptominers). Finally, our findings show that the amount of time a host is active, the volume of files generated on the machine, the number and reputation of vendors of the installed applications, the host geographical location, and its recurrent infected state carry useful information as indicators of systematic risk of malware encounters. Activity days and hours have a higher influence in the risk of consumers, increasing the odds of encountering malware of 4.51 and 2.65 times. In addition, we measure that the volume of files generated on the host represents a reliable indicator, especially when considering Adware. We further report that the likelihood of encountering Worms and Adware is much higher (on average 8 times in consumers and enterprises) for those machines that already reported this kind of signature in the past.","PeriodicalId":56050,"journal":{"name":"ACM Transactions on Privacy and Security","volume":" ","pages":"1 - 30"},"PeriodicalIF":3.0000,"publicationDate":"2022-10-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"A Comparison of Systemic and Systematic Risks of Malware Encounters in Consumer and Enterprise Environments\",\"authors\":\"Savino Dambra, Leyla Bilge, D. Balzarotti\",\"doi\":\"10.1145/3565362\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Malware is still a widespread problem, and it is used by malicious actors to routinely compromise the security of computer systems. Consumers typically rely on a single AV product to detect and block possible malware infections, while corporations often install multiple security products, activate several layers of defenses, and establish security policies among employees. However, if a better security posture should lower the risk of malware infections, then the actual extent to which this happens is still under debate by risk analysis experts. Moreover, the difference in risks encountered by consumers and enterprises has never been empirically studied by using real-world data. In fact, the mere use of third-party software, network services, and the interconnected nature of our society necessarily exposes both classes of users to undiversifiable risks: Independently from how careful users are and how well they manage their cyber hygiene, a portion of that risk would simply exist because of the fact of using a computer, sharing the same networks, and running the same software. In this work, we shed light on both systemic (i.e., diversifiable and dependent on the security posture) and systematic (i.e., undiversifiable and independent of the cyber hygiene) risk classes. Leveraging the telemetry data of a popular security company, we compare, in the first part of our study, the effects that different security measures have on malware encounter risks in consumer and enterprise environments. In the second part, we conduct exploratory research on systematic risk, investigate the quality of nine different indicators we were able to extract from our telemetry, and provide, for the first time, quantitative indicators of their predictive power. Our results show that even if consumers have a slightly lower encounter rate than enterprises (9.8% vs. 12.0%), the latter do considerably better when selecting machines with an increasingly higher uptime (89% vs. 53%). The two segments also diverge when we separately consider the presence of Adware and Potentially Unwanted Applications (PUA) and the generic samples detected through behavioral signatures: While consumers have an encounter rate for Adware and PUA that is 6 times higher than enterprise machines, those on average match behavioral signatures 2 times more frequently than the counterpart. We find, instead, similar trends when analyzing the age of encountered signatures, and the prevalence of different classes of traditional malware (such as Ransomware and Cryptominers). Finally, our findings show that the amount of time a host is active, the volume of files generated on the machine, the number and reputation of vendors of the installed applications, the host geographical location, and its recurrent infected state carry useful information as indicators of systematic risk of malware encounters. Activity days and hours have a higher influence in the risk of consumers, increasing the odds of encountering malware of 4.51 and 2.65 times. In addition, we measure that the volume of files generated on the host represents a reliable indicator, especially when considering Adware. We further report that the likelihood of encountering Worms and Adware is much higher (on average 8 times in consumers and enterprises) for those machines that already reported this kind of signature in the past.\",\"PeriodicalId\":56050,\"journal\":{\"name\":\"ACM Transactions on Privacy and Security\",\"volume\":\" \",\"pages\":\"1 - 30\"},\"PeriodicalIF\":3.0000,\"publicationDate\":\"2022-10-03\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"ACM Transactions on Privacy and Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/10.1145/3565362\",\"RegionNum\":4,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Privacy and Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1145/3565362","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

恶意软件仍然是一个普遍存在的问题,恶意行为者经常利用它来危害计算机系统的安全。消费者通常依靠单一的AV产品来检测和阻止可能的恶意软件感染,而公司通常安装多个安全产品,激活多层防御,并在员工中建立安全策略。然而,如果更好的安全态势应该降低恶意软件感染的风险,那么这种情况发生的实际程度仍在风险分析专家的争论中。此外,消费者和企业遇到的风险差异从未通过使用真实世界的数据进行过实证研究。事实上,仅仅使用第三方软件、网络服务和我们社会的互联性质就必然会使这两类用户面临不可逆转的风险:与用户的谨慎程度和他们对网络卫生的管理程度无关,部分风险的存在只是因为使用计算机、共享相同的网络,并运行相同的软件。在这项工作中,我们揭示了系统性(即多样性和依赖于安全态势)和系统性(如不可逆性和独立于网络卫生)风险类别。在研究的第一部分,我们利用一家流行安全公司的遥测数据,比较了不同安全措施对消费者和企业环境中恶意软件遭遇风险的影响。在第二部分中,我们对系统风险进行了探索性研究,调查了我们能够从遥测中提取的九个不同指标的质量,并首次提供了它们预测能力的定量指标。我们的研究结果表明,即使消费者的遭遇率略低于企业(9.8%对12.0%),后者在选择正常运行时间越来越高的机器时也会做得更好(89%对53%)。当我们分别考虑广告软件和潜在不需要的应用程序(PUA)的存在以及通过行为签名检测到的一般样本时,这两个部分也会出现分歧:虽然消费者对广告软件和PUA的遭遇率是企业机器的6倍,但这些人平均匹配行为签名的频率是同类机器的2倍。相反,我们在分析遇到的签名的年龄和不同类型的传统恶意软件(如勒索软件和加密矿工)的流行率时发现了类似的趋势。最后,我们的研究结果表明,主机处于活动状态的时间、机器上生成的文件量、安装的应用程序的供应商数量和声誉、主机的地理位置及其反复感染的状态都提供了有用的信息,作为恶意软件遭遇系统风险的指标。活动日和时间对消费者的风险影响更大,遇到恶意软件的几率分别增加了4.51和2.65倍。此外,我们衡量主机上生成的文件量是否代表了一个可靠的指标,尤其是在考虑Adware时。我们进一步报告说,对于那些过去已经报告过这种签名的机器来说,遇到蠕虫和广告软件的可能性要高得多(在消费者和企业中平均为8次)。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
A Comparison of Systemic and Systematic Risks of Malware Encounters in Consumer and Enterprise Environments
Malware is still a widespread problem, and it is used by malicious actors to routinely compromise the security of computer systems. Consumers typically rely on a single AV product to detect and block possible malware infections, while corporations often install multiple security products, activate several layers of defenses, and establish security policies among employees. However, if a better security posture should lower the risk of malware infections, then the actual extent to which this happens is still under debate by risk analysis experts. Moreover, the difference in risks encountered by consumers and enterprises has never been empirically studied by using real-world data. In fact, the mere use of third-party software, network services, and the interconnected nature of our society necessarily exposes both classes of users to undiversifiable risks: Independently from how careful users are and how well they manage their cyber hygiene, a portion of that risk would simply exist because of the fact of using a computer, sharing the same networks, and running the same software. In this work, we shed light on both systemic (i.e., diversifiable and dependent on the security posture) and systematic (i.e., undiversifiable and independent of the cyber hygiene) risk classes. Leveraging the telemetry data of a popular security company, we compare, in the first part of our study, the effects that different security measures have on malware encounter risks in consumer and enterprise environments. In the second part, we conduct exploratory research on systematic risk, investigate the quality of nine different indicators we were able to extract from our telemetry, and provide, for the first time, quantitative indicators of their predictive power. Our results show that even if consumers have a slightly lower encounter rate than enterprises (9.8% vs. 12.0%), the latter do considerably better when selecting machines with an increasingly higher uptime (89% vs. 53%). The two segments also diverge when we separately consider the presence of Adware and Potentially Unwanted Applications (PUA) and the generic samples detected through behavioral signatures: While consumers have an encounter rate for Adware and PUA that is 6 times higher than enterprise machines, those on average match behavioral signatures 2 times more frequently than the counterpart. We find, instead, similar trends when analyzing the age of encountered signatures, and the prevalence of different classes of traditional malware (such as Ransomware and Cryptominers). Finally, our findings show that the amount of time a host is active, the volume of files generated on the machine, the number and reputation of vendors of the installed applications, the host geographical location, and its recurrent infected state carry useful information as indicators of systematic risk of malware encounters. Activity days and hours have a higher influence in the risk of consumers, increasing the odds of encountering malware of 4.51 and 2.65 times. In addition, we measure that the volume of files generated on the host represents a reliable indicator, especially when considering Adware. We further report that the likelihood of encountering Worms and Adware is much higher (on average 8 times in consumers and enterprises) for those machines that already reported this kind of signature in the past.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
ACM Transactions on Privacy and Security
ACM Transactions on Privacy and Security Computer Science-General Computer Science
CiteScore
5.20
自引率
0.00%
发文量
52
期刊介绍: ACM Transactions on Privacy and Security (TOPS) (formerly known as TISSEC) publishes high-quality research results in the fields of information and system security and privacy. Studies addressing all aspects of these fields are welcomed, ranging from technologies, to systems and applications, to the crafting of policies.
期刊最新文献
ZPredict: ML-Based IPID Side-channel Measurements ZTA-IoT: A Novel Architecture for Zero-Trust in IoT Systems and an Ensuing Usage Control Model Security Analysis of the Consumer Remote SIM Provisioning Protocol X-squatter: AI Multilingual Generation of Cross-Language Sound-squatting Toward Robust ASR System against Audio Adversarial Examples using Agitated Logit
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1