A comparison of systemic and systematic risks of malware encounters in consumer and enterprise environments

Dambra, Savino; Bilge, Leyla; Balzarotti, Davide
ACM Transactions on Privacy and Security, 3 October 2022

Malware is still a widespread problem and it is used by malicious actors to routinely compromise the security of computer systems. Consumers typically rely on a single AV product to detect and block possible malware infections, while corporations often install multiple security products, activate several layers of defenses, and establish security policies among employees. However, while a better security posture should lower the risk of malware infections, the actual extent to which this happens is still under debate by risk analysis experts. Moreover, the difference in risks encountered by consumers and enterprises has never been empirically studied by using real-world data. In fact, the mere use of third-party software, network services, and the interconnected nature of our society necessarily exposes both classes of users to undiversifiable risks: independently from how careful users are and how well they manage their cyber hygiene, a portion of that risk would simply exist because of the fact of using a computer, sharing the same networks, and running the same software. In this work, we shed light on both systemic (i.e., diversifiable and dependent on the security posture) and systematic (i.e., undiversifiable and independent of the cyber hygiene) risk classes. Leveraging the telemetry data of a popular security company, we compare, in the first part of our study, the effects that different security measures have on malware encounter risks in consumer and enterprise environments. In the second part, we conduct exploratory research on systematic risk, investigate the quality of nine different indicators we were able to extract from our telemetry, and provide, for the first time, quantitative indicators of their predictive power. Our results show that even if consumers have a slightly lower encounter rate than enterprises (9.8% vs 12.0%), the latter do considerably better when selecting machines with an increasingly higher uptime (89% vs 53%).
The two segments also diverge when we separately consider the presence of Adware and Potentially Unwanted Applications (PUA), and the generic samples detected through behavioral signatures: while consumers have an encounter rate for Adware and PUA that is 6 times higher than enterprise machines, those on average match behavioral signatures two times more frequently than the counterpart. We find, instead, similar trends when analyzing the age of encountered signatures, and the prevalence of different classes of traditional malware (such as Ransomware and Cryptominers). Finally, our findings show that the amount of time a host is active, the volume of files generated on the machine, the number and reputation of vendors of the installed applications, the host geographical location and its recurrent infected state carry useful information as indicators of systematic risk of malware encounters. Activity days and hours have a higher influence on the risk of consumers, increasing the odds of encountering malware by 4.51 and 2.65 times. In addition, we measure that the volume of files generated on the host represents a reliable indicator, especially when considering Adware. We further report that the likelihood of encountering Worms and Adware is much higher (on average 8 times in consumers and enterprises) for those machines that already reported this kind of signatures in the past.
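The abstract reports per-segment encounter rates and expresses an indicator's predictive power as a multiplicative change in the odds of encountering malware. The following is an added example, not code or data from the paper: it computes, from constructed host-level telemetry records, the encounter rate of each segment and the odds ratio (with a Wald confidence interval) of a binary risk indicator, here a hypothetical "high uptime" flag. A plain 2x2 univariate odds ratio is assumed as the method; the authors' actual model and the real telemetry fields are not on this page. The code also handles the empty-cell case with the Haldane-Anscombe correction so an indicator that is never, or always, associated with an encounter does not produce a division by zero.

```python
"""
Encounter rate and odds ratio of a binary risk indicator from host telemetry.

The HOSTS records are CONSTRUCTED for illustration; they are not the paper's
data, and the 2x2 odds-ratio method is an assumed, simplified way of
quantifying an indicator, not the authors' exact model.
"""
from collections import Counter
from math import exp, log, sqrt


def _build(segment, high_enc, high_clean, low_enc, low_clean):
    """Expand constructed counts into (segment, high_uptime, encountered) records."""
    return ([(segment, True, True)] * high_enc
            + [(segment, True, False)] * high_clean
            + [(segment, False, True)] * low_enc
            + [(segment, False, False)] * low_clean)


# Constructed sample: 200 hosts per segment, half flagged as high-uptime.
HOSTS = (_build("consumer", 20, 80, 10, 90)
         + _build("enterprise", 40, 60, 10, 90))


def encounter_rate(records, segment):
    """Fraction of hosts in a segment that reported at least one malware encounter."""
    seg = [r for r in records if r[0] == segment]
    return sum(1 for r in seg if r[2]) / len(seg)


def contingency(records, segment):
    """2x2 cells: (a, b, c, d) = exposed/encountered, exposed/clean,
    unexposed/encountered, unexposed/clean, where 'exposed' means the indicator is set."""
    cells = Counter((r[1], r[2]) for r in records if r[0] == segment)
    return (cells[(True, True)], cells[(True, False)],
            cells[(False, True)], cells[(False, False)])


def _corrected_cells(records, segment):
    """Apply the Haldane-Anscombe +0.5 correction only when some cell is empty,
    so that an all-or-nothing indicator yields a finite odds ratio instead of a crash."""
    a, b, c, d = contingency(records, segment)
    if 0 in (a, b, c, d):
        a, b, c, d = (x + 0.5 for x in (a, b, c, d))
    return a, b, c, d


def odds_ratio(records, segment):
    """Odds of an encounter with the indicator set, relative to the odds without it."""
    a, b, c, d = _corrected_cells(records, segment)
    return (a / b) / (c / d)


def odds_ratio_ci(records, segment, z=1.96):
    """Wald confidence interval for the odds ratio on the log scale (z=1.96 gives 95%)."""
    a, b, c, d = _corrected_cells(records, segment)
    log_or = log((a / b) / (c / d))
    se = sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    return exp(log_or - z * se), exp(log_or + z * se)


def summarize(records):
    """Per-segment encounter rate, odds ratio and CI for the high-uptime indicator."""
    out = {}
    for segment in sorted({r[0] for r in records}):
        lo, hi = odds_ratio_ci(records, segment)
        out[segment] = {
            "encounter_rate": encounter_rate(records, segment),
            "odds_ratio": odds_ratio(records, segment),
            "ci95": (lo, hi),
        }
    return out


if __name__ == "__main__":
    for segment, stats in summarize(HOSTS).items():
        lo, hi = stats["ci95"]
        print(f"{segment:10s} encounter rate {stats['encounter_rate']:.1%}  "
              f"OR(high uptime) {stats['odds_ratio']:.2f}  95% CI [{lo:.2f}, {hi:.2f}]")
```

With the constructed counts the consumer segment shows an odds ratio of 2.25 whose confidence interval reaches below 1, while the enterprise segment shows 6.0 with an interval entirely above 1; reading the interval rather than the point estimate is what separates a usable indicator from noise, which is the kind of check the abstract's "predictive power" claim rests on.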

Digital Security
Eurecom Ref:
© ACM, 2022. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Transactions on Privacy and Security, 3 October 2022 https://doi.org/10.1145/3565362

PERMALINK : https://www.eurecom.fr/publication/7067