No plan survives contact: Experience with cybercrime measurement

Chris Kanich; Neha Chachra; Damon McCoy; Chris Grier; David Y. Wang; Marti Motoyama; Kirill Levchenko; Stefan Savage; Geoffrey M. Voelker

No plan survives contact: Experience with cybercrime measurement

Chris Kanich, Neha Chachra, Damon McCoy, Chris Grier, David Y. Wang, Marti Motoyama, Kirill Levchenko, Stefan Savage, Geoffrey M. Voelker

Research output: Contribution to conference › Paper › peer-review

Abstract

An important mode of empirical security research involves analyzing the behavior, capabilities, and motives of adversaries. By definition, such measurements cannot be conducted in controlled settings and require “engagement” directly with adversaries, their infrastructure or their ecosystem. However, the operational complexities required to successfully carry out such measurements are significant and rarely documented; blacklisting, payment instruments, fraud controls and contact management all represent real challenges in such studies. In this paper, we document our experiences conducting such measurements over five years (covering a range of distinct studies) and distill effective operational practices for others who might conduct similar experiments in the future.

Original language	English (US)
State	Published - 2011
Event	4th Workshop on Cyber Security Experimentation and Test, CSET 2011 - San Francisco, United States Duration: Aug 8 2011 → …

Conference

Conference	4th Workshop on Cyber Security Experimentation and Test, CSET 2011
Country/Territory	United States
City	San Francisco
Period	8/8/11 → …

ASJC Scopus subject areas

Computer Networks and Communications
Safety, Risk, Reliability and Quality

Cite this

@conference{c4380e8296aa416bad805ff891569daf,

title = "No plan survives contact: Experience with cybercrime measurement",

abstract = "An important mode of empirical security research involves analyzing the behavior, capabilities, and motives of adversaries. By definition, such measurements cannot be conducted in controlled settings and require “engagement” directly with adversaries, their infrastructure or their ecosystem. However, the operational complexities required to successfully carry out such measurements are significant and rarely documented; blacklisting, payment instruments, fraud controls and contact management all represent real challenges in such studies. In this paper, we document our experiences conducting such measurements over five years (covering a range of distinct studies) and distill effective operational practices for others who might conduct similar experiments in the future.",

author = "Chris Kanich and Neha Chachra and Damon McCoy and Chris Grier and Wang, {David Y.} and Marti Motoyama and Kirill Levchenko and Stefan Savage and Voelker, {Geoffrey M.}",

note = "Funding Information: We would like to thank the anonymous reviewers and Steve Schwab, our shepherd, for their helpful feedback and comments. In the various projects supported and enabled by the efforts described in this paper, many individuals and organizations aided our work over the years and we wish to gratefully acknowledge their contributions, support, and feedback. In particular, we would like Chris Fleizach and David Anderson who, early on, were willing to chip away at understanding the spam business model. This work was supported in part by National Science Foundation grants NSF-0433668, NSF-0831138 and CNS-0905631, by the Office of Naval Research MURI grant N000140911081, and by generous research, operational and/or in-kind support from Google, Microsoft, Yahoo, Cisco, HP and the UCSD Center for Networked Systems (CNS). McCoy was supported by a CCC-CRA-NSF Computing Innovation Fellowship.; 4th Workshop on Cyber Security Experimentation and Test, CSET 2011 ; Conference date: 08-08-2011",

year = "2011",

language = "English (US)",

}

TY - CONF

T1 - No plan survives contact

T2 - 4th Workshop on Cyber Security Experimentation and Test, CSET 2011

AU - Kanich, Chris

AU - Chachra, Neha

AU - McCoy, Damon

AU - Grier, Chris

AU - Wang, David Y.

AU - Motoyama, Marti

AU - Levchenko, Kirill

AU - Savage, Stefan

AU - Voelker, Geoffrey M.

N1 - Funding Information: We would like to thank the anonymous reviewers and Steve Schwab, our shepherd, for their helpful feedback and comments. In the various projects supported and enabled by the efforts described in this paper, many individuals and organizations aided our work over the years and we wish to gratefully acknowledge their contributions, support, and feedback. In particular, we would like Chris Fleizach and David Anderson who, early on, were willing to chip away at understanding the spam business model. This work was supported in part by National Science Foundation grants NSF-0433668, NSF-0831138 and CNS-0905631, by the Office of Naval Research MURI grant N000140911081, and by generous research, operational and/or in-kind support from Google, Microsoft, Yahoo, Cisco, HP and the UCSD Center for Networked Systems (CNS). McCoy was supported by a CCC-CRA-NSF Computing Innovation Fellowship.

PY - 2011

Y1 - 2011

N2 - An important mode of empirical security research involves analyzing the behavior, capabilities, and motives of adversaries. By definition, such measurements cannot be conducted in controlled settings and require “engagement” directly with adversaries, their infrastructure or their ecosystem. However, the operational complexities required to successfully carry out such measurements are significant and rarely documented; blacklisting, payment instruments, fraud controls and contact management all represent real challenges in such studies. In this paper, we document our experiences conducting such measurements over five years (covering a range of distinct studies) and distill effective operational practices for others who might conduct similar experiments in the future.

AB - An important mode of empirical security research involves analyzing the behavior, capabilities, and motives of adversaries. By definition, such measurements cannot be conducted in controlled settings and require “engagement” directly with adversaries, their infrastructure or their ecosystem. However, the operational complexities required to successfully carry out such measurements are significant and rarely documented; blacklisting, payment instruments, fraud controls and contact management all represent real challenges in such studies. In this paper, we document our experiences conducting such measurements over five years (covering a range of distinct studies) and distill effective operational practices for others who might conduct similar experiments in the future.

UR - http://www.scopus.com/inward/record.url?scp=85084163631&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85084163631&partnerID=8YFLogxK

M3 - Paper

AN - SCOPUS:85084163631

Y2 - 8 August 2011

ER -

No plan survives contact: Experience with cybercrime measurement

Abstract

Conference

ASJC Scopus subject areas

Other files and links

Fingerprint

Cite this