Evaluating Attacker Risk Behavior in an Internet of Things Ecosystem
Erick Galinkin, John Carter, Spiros Mancoridis

TL;DR
This paper investigates how attackers' risk preferences influence their success against defenders in IoT cybersecurity, revealing that risk-seeking attackers perform better in certain scenarios and that attacker behavior impacts overall security dynamics.
Contribution
It introduces a game-theoretic evaluation framework incorporating real malware and attacker risk behaviors to analyze cybersecurity interactions in IoT environments.
Findings
Risk-seeking attackers gain more utility when defenders choose a single strategy.
High-risk scenarios favor risk-seeking attackers like cybercriminals.
Low-risk scenarios are more advantageous for risk-averse attackers like APTs.
Abstract
In cybersecurity, attackers range from brash, unsophisticated script kiddies and cybercriminals to stealthy, patient advanced persistent threats. When modeling these attackers, we can observe that they demonstrate different risk-seeking and risk-averse behaviors. This work explores how an attacker's risk-seeking or risk-averse behavior affects their operations against detection-optimizing defenders in an Internet of Things ecosystem. Using an evaluation framework which uses real, parametrizable malware, we develop a game that is played by a defender against attackers with a suite of malware that is parameterized to be more aggressive and more stealthy. These results are evaluated under a framework of exponential utility according to their willingness to accept risk. We find that against a defender who must choose a single strategy up front, risk-seeking attackers gain more actual…
