Software Engineering Institute

We segregate attacks into two categories—targeted and opportunistic—based on whether the attacker compromises a specific target (targeted) or a number of intermediate targets to fulfill his end goal (opportunistic). We assume that opportunistic attackers consider targets indistinguishable except for their vulnerabilities, and are interested in acquiring as many targets as possible. We therefore hypothesize that opportunistic attackers will develop attacks involving services which have the largest number of potential targets. We test this hypothesis in a limited way by correlating worm releases on P2P file sharing networks with the number of users on the networks being targeted. Our results demonstrate that this relationship exists only for variants of worms and not for new worms. We further demonstrate that the results are service specific, and that there is no general model that represents the entire file sharing vector.