Attributing Hacks

TL;DR

This paper introduces a hazard regression algorithm to attribute website hacks to specific vulnerabilities and causes, effectively tracking their evolution over time with high accuracy and efficiency.

Contribution

The paper presents a novel hazard regression method with time-varying coefficients for attributing hacks, outperforming traditional models like Cox's proportional hazard model.

Findings

Method significantly outperforms Cox's model in experiments.

Fitted functions accurately recover vulnerabilities and real-life exploit events.

Efficient inference achieved through piecewise constant functions with finite knots.

Abstract

In this paper we describe an algorithm for estimating the provenance of hacks on websites. That is, given properties of sites and the temporal occurrence of attacks, we are able to attribute individual attacks to joint causes and vulnerabilities, as well as estimating the evolution of these vulnerabilities over time. Specifically, we use hazard regression with a time-varying additive hazard function parameterized in a generalized linear form. The activation coefficients on each feature are continuous-time functions over time. We formulate the problem of learning these functions as a constrained variational maximum likelihood estimation problem with total variation penalty and show that the optimal solution is a 0th order spline (a piecewise constant function) with a finite number of known knots. This allows the inference problem to be solved efficiently and at scale by solving a finite dimensional optimization problem. Extensive experiments on real data sets show that our method significantly outperforms Cox's proportional hazard model. We also conduct a case study and verify that the fitted functions are indeed recovering vulnerable features and real-life events such as the release of code to exploit these features in hacker blogs.