Culture & Cyber Behaviours - Char Sample
advertisement
Culture and Cyber Behaviors Dr. Char Sample csample@cert.org © 2012 Carnegie Mellon University Culture & Thought Is there common framework for examining Cyber Behaviors? Is it possible that attackers (and others) unwittingly leave behind traces? If so, can we learn anything from these traces? 1 Culture & Thought Thought processes are culturally restrained. Bargh & Morsella, 2008, Hofstede, Hofstede & Minkov 2010 Culture can be thought of as “software of the mind” Hofstede et al., 2010 If minds are programmed to think in certain patterns, why would cyber patterns be exempt? Can “patterns of thought” be characterized? Can we tap into these “patterns of thought”? If we understand these patterns of thought and can we influence them? 2 What is Culture? Definition: “The collective mental programming of the human mind that distinguishes one group of people from another”. Hofstede, Hofstede & Minkov, 2010. How is culture learned? Family Education System Society 3 Relationship between Culture and Psychology 4 How This Research Differs from Profiling Profiling works in a similar manner to “signatures” Attacker TTPs are collected and ordered. When the attacks match (“correlate”) the TTP attribution occurs. This research examines attack behaviors within Hofstede’s cultural framework. Attacks are collected and are examined by cultural dimensional values, quantitatively. Correlations are statistical correlations NOT pattern matches. 5 Purpose Statement Quantitatively determine if a relationship exists between culture and Cyber behaviors. • Use existing data for test and control groups. • Data is also publicly available. 6 Cultural Dimensions 4 cultural dimensions: • Power distance (pdi 11-104) • Individualism vs Collectivism (ivc 6-91) • Masculine vs feminine (m/f 5-110 ) • Uncertainty avoidance (uai 8 -112) 2 additional dimensions were added • Long Term Orientation( vs Short Term Orientation (ltovsto 0 - 100). Bond, 1980. • Indulgence vs restraint (ivr 0 - 100). Minkov 7 Issues, Concerns, Caveats Issues, concerns, caveats, etc. • “The study of culture and decision making is a relatively new and unexplored field.” Guss, 2004 • Must guard against stereotypes. • Hofstede’s work is not as precise as some would like but it does offer quantifiable data that is periodically updated. • Even the obvious, must be supported by data. Criticisms of Hofstede’s work • Participants are all engineers • As a measurement tool, the values are too rough Measures nations, groups within nations exists • 8 STUDIES Explained STUDY 1 Inferential study to determine if a relationship exists between any cultural dimension and nationalistic, patriotic themed website defacements(NPTWDs). STUDY 2 Correlational study to determine if the number of NPTWDs correlates with high PDI values, or any other dimension. STUDY 3 Correlational study to determine if social network adoption rates correlates with any cultural dimension. 9 Study 1 Hypothesis Hypothesis: There is no relationship between cultural values and NPTWDs. — H0 There is no relationship between culture and NPTWDs . — H1-6 A relationship exists between culture and NPTWDs. Data Collection • Nominal scoring: — Qualitative studies provided input. — Country is scored if verified evidence exists that shows that the country participated NPTWDs. • Collected data on the following countries: — Bangladesh, China, India, Indonesia, Iran, Israel*, Malaysia, Pakistan, Philippines, Portugal, Russia, Singapore, Taiwan, and Turkey. (Columbia, Brazil, and Morocco were dropped due to lack of verifying studies or reports in English.) Means tested the results for each dimension 10 Study 1 Results – PDI (Useable Data) 100-109 90-99 80-89 70-79 60-69 50-59 40-49 4 3 2 1 0 30-39 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 100-109 8 6 4 2 0 Actual PDI Results 20-29 Hofstede PDI Distribution Attack Data* ( 2.8% - 1.8% ) 10-19 Control Data 11 Study 1 Results – IVC (Useable Data) Control Data Attack Data ( 1.5% – 1.0% ) Actual IVC Results 6 Hofstede IVC Distribution 5 4 3 2 1 0 5 4 3 2 90-99 80-89 70-79 60-69 50-59 40-49 30-39 20-29 10-19 0 0-9 0-9 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 1 12 Study 1 Results – IVR (Useable Data) Control Data Hofstede IVR Distribution Attack Data Actual IVR Results 6 5 5 4 4 3 3 2 2 1 1 90-99 80-89 70-79 60-69 50-59 40-49 30-39 20-29 10-19 0 0-9 0-9 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 100-109 0 13 Study 1 Results – UAI (Useable Data) Control Data Sample Data Actual UAI Scores 6 4 2 0 3.5 3 2.5 2 1.5 1 0.5 0 0-9 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 100-109 110-119 Hofstede UAI Distribution 14 Study 2 RESULTS 15 Study 2 Research Plan Observational, correlational study that compares the number of NPTWDs against cultural dimension scores in order to determine, through observation, if a correlation exists. Data Collection – 2 months worth of attacks at http://www.zone-h.org H0: There is no statistical relationship between culture and NPTWDs. H1: A statistical relationship exists between culture and NPTWDs. 16 Study 2 Results – PDI Control Data Attack Data (1.8%) Hofstede Distribution Actual Attack Distribution ( r = 0.681 ) 7 6 600 5 500 4 400 3 2 1 0 300 200 100 0 17 Study 1 Results – IVC Control Data Attack Data (9.0%) Hofstede IVC Distribution 5 4.5 4 3.5 3 2.5 2 1.5 1 0.5 0 Actual Attack Distribution ( r = -0.666 ) 800 700 600 500 400 300 200 100 0 18 Study 2 LTOvSTO Results Actual Attack Distribution 3.2% Hofstede Distribution 4.5 ( r = -0.633 ) 8 4 3.5 7 3 6 2.5 5 2 4 1.5 3 1 2 0.5 0 1 0 19 Study 2 – Correlational Results 20 Study 3 RESULTS 21 Study 3 Research Plan Observational, correlational study that compares the adoption rate of FB, LinkedIn and Twitter against cultural dimension scores in order to determine, through observation, if a correlation exists. Data Collection –Most recent results at http://www.internetworldstats.com H0: There is no statistical relationship between culture and social networking adoption rates. H1: A statistical relationship exists between culture and social networking adoption rates. 22 Study 3 Results PDI – FB, LinkedIn & Twitter Facebook Rates LinkedIn Rates ( r = -0.2364) ( r = -0.73) 100 90 80 70 60 50 40 30 20 10 0 30 25 20 15 10 5 0 Hofstede Distribution 20 18 16 14 12 10 8 6 4 2 0 Twitter Countries 6 5 4 3 2 1 0 23 Study 3 Results IVC – FB, LinkedIn & Twitter Facebook LinkedIn ( r = -0.503) 90 80 70 60 50 40 30 20 10 0 ( r = 0.3939) 35 30 25 20 15 10 5 0 Hofstede - Distribution Twitter Countries 14 12 10 8 6 4 2 0 7 6 5 4 3 2 1 0 24 Study 3 Results M/F – FB, LinkedIn & Twitter Facebook LinkedIn ( r = -0.7) ( r = -0.8636) 100 25 20 15 10 5 0 80 60 40 20 0 Hofstede Distribution 25 20 15 Twitter Countries 12 10 8 6 10 4 5 2 0 0 25 Study 3 Results UAI – FB, LinkedIn & Twitter LinkedIn Facebook ( r = -0.2727 ) ( r = -0.2 ) 35 30 25 20 15 10 5 0 90 80 70 60 50 40 30 20 10 0 Hofstede Distribution 20 15 10 5 0-9 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 >100 0 Twitter Countries 9 8 7 6 5 4 3 2 1 0 26 Study 3 Results LTOvSTO – FB, LinkedIn & Twitter Facebook LinkedIn ( r = -0.1818 ) ( r = -0.2818 ) 70 60 50 40 30 20 10 0 25 20 15 10 5 0 Hofstede Distribution 18 16 14 12 10 8 6 4 2 0 Twitter Countries 9 8 7 6 5 4 3 2 1 0 27 Study 3 Results IVR – FB, LinkedIn & Twitter LinkedIn ( r = 0.6909 ) Facebook ( r = 0.5364) 30 100 25 80 20 60 15 40 10 20 5 0 0 Hofstede Distribution 18 16 14 12 10 8 6 4 2 0 Twitter Countries 9 8 7 6 5 4 3 2 1 0 28 Anecdotes Things That Make You Say Hmmmm? 29 Anecdotal Support DNS fast flux registrations report. Konte, Feamster, & Jung 2008 Top 10 countries by number IPs Listed 3 activities A record advertising NS record record advertising Spamvertising 30 Anecdotal Support – A Record Dimension r Evaluation (Cohen) PDI 0.1534 Weak IVC -0.1169 Weak M/F 0.1716 Weak UAI 0.2838 Weak LTOvSTO 0.5816 Strong IVR -0.3369 Moderate 31 Anecdotal Support – NS Record Dimension r Evaluation (Cohen) PDI 0.3252 Moderate IVC -0.2516 Weak MF 0.2002 Weak UAI 0.1768 Weak LTOvSTO 0.6097 Strong IVR -0.3295 Moderate 32 Anecdotal Support – Spamvertising Dimension PDI r 0.8605 Evaluation (Cohen) Strong IVC -0.226 Weak MF 0.096 None UAI 0.4363 Moderate LTOvSTO 0.0204 None IVR -0.0636 None 33 Anecdotal UAI Example(s) Flame’s collision (probabilistic) – US(46) low UAI Precision of Stuxnet – Israel high UAI (81) Brute Force attacks – Bank fraud investigator T. Trusty’s talk: Romania (90), Russia (95), Spain (86), Mexico (82) and Italy (75) 34 Why do we care? “So what!” Attribution assistance, potential forensics tool. Understanding “patterns of thought” may point to “patterns of weaknesses”. If we can apply to software: We can provide insight into coding “blind spots”. We can target attacks based on attacker cultural “blind spots”. Persona development based on culture. 35 Summary “This dominance of technology over culture is an illusion. The software of the machines may be globalized, but the software of the minds that use them is not” (Hofstede, Hofstede & Minkov, 2010) 36 Conclusions This line of research holds significant promise. Results are promising Extensibility of the framework needs further testing. Further investigation is needed. PDI & IVC have shown results in all studies. Activity in additional dimensions suggests the need for additional studies with questions focused on dimensional behaviors. Even the lack of activity on dimensional poles is significant but requires further investigation. 37 Future Research Correlational study of defacements and level of aggression Correlational study of defacements and kinetic activity Examination of fast flux behaviors. Studies can be broken down by users & creators. Numerous studies on UAI and attack preferences. Numerous studies on UAI, PDI, IVR and coding preferences. Numerous studies on IVR and attack preferences. 38 Thank you! Dr. Char Sample © 2012 Carnegie Mellon University References Baumeister, R.F., and Masicampo, E.J., (2010) “Conscious Thought is for Facilitating Social and Cultural Interactions: How Mental Simulations Serve the Animal-Culture Interface”, Psychological Review, Volume 117, No. 5, pp. 945-971. Buchtel, E.E. and Norenzayan, A., (2008). “Which Should You Use, Intuition or Logic? Cultural Differences in Injunctive Norms About Reasoning”, Asian Journal of Social Psychology, Volume II No.4, pp. 264-273. doi:10.1111/j.1467_839x.2008.00266.x. Cohen, J. (1988). Statistical Power Analysis for the Behavioral Sciences 2nd Edition, Lawrence Erlbaum Associates, Publishers: New York, NY. Evans, J.S.B.T. (2008). Dual-processing Accounts of Reasoning, Judgement and Social Cognition, Annual Review Psychology, Volume 59, pp. 255-278, doi: 10.1146/annurev.psych.59.103006.093629. Geert-hofstede website (2013). Retrieved from http://www.geert-hofstede.com. Guess, C.D. (2004). “Decision Making in Individualistic and Collectivist Cultures”, Online Readings in Psychology and Culture, Volume 4, Retrieved from http://scholarworks.gvsu.edu/orpc/vol4/issl/3 Guss, C.D. and Dorner, D. (2011), “Cultural Differences in Dynamic Decision-Making Strategies in a Non-linear, Time-delayed Task”, Cognitive Systems Research, Volume 12, No.3, pp. 365-376 Retrieved from http://dx.doi.org/10.1016/j.cogsys.2010.12.003 40 References Hofstede, G., Hofstede, G.J., and Minkov, M. (2010). Cultures and Organizations, McGraw-Hill Publishing: New York, NY. Internet World Stats website (2014). Retrieved from http://www.internetworldstats.com Konte, M., Feamster, N. and Jung, J. (2008). Fast flux service networks: Dynamics and roles in hosting online scams. ACM Internet Measurements Conference. Retrieved from Georgia Tech on October 16, 2012. Minkov, M. (2013). Cross-cultural Analysis, Sage Publications: Thousand Oaks, CA. Minkov, M. (2011) Cultural differences in a globalizing world. WA, UK: Emerald Group Publishing Limited. Nakashima, E., Miller, G., and Tate, J. (2012, June 19). U.S., Israel developed flame computer virus t slow Iranian nuclear efforts, officials say. The Washington Post. Sample, C. (2013). “Applicability of Cultural Markers in Computer Network Attack Attribution”, Proceedings of the 12th European Conference on Information Warfare and Security, University of Jyvaskyla, Finland, July 11-2, 2013, pp. 361-369. Sample, C., Karamanian, A., (2014, March). Hofstede’s Cultural Markers in Computer Network Attack Behaviours, International Conference of Cyberwar and Security (ICCWS 2014). Lafayette, Indiana March 24-25, 2014. Trusty, T., (2013, October). ‘The wit, wisdom and policies of vapidbank,”20TH International Computer Security Symposium and 5th SABSA World Congress, September 29-October 3, 2013, Naas, Ireland. 41 References Woo, H.,J., Kim and Dominick, J. (2004). “Hackers: Militants or merry pranksters? A content analysis defaced web pages. Media Psychology, 6, 63-82. Zone-h website (2013). Retrieved from http://www.zone-h.org. 42 Back-up slides © 2012 Carnegie Mellon University Tom Trusty’s Talk Brute force (exhaust all possibilities.. High UAI?) • Romania: 90, 30, 42, 90, 52, 20 • Spain: 57, 51, 42, 86, 48, 44 • Mexico: 81, 30, 69, 82, 24, 97 • Italy: 50, 76, 70, 75, 61, 30 44 Indulgence vs Restraint UK pdi 35 idv 89 m/f 66 ua 35 ltovssto 51 ivr 69 US pdi 40 idv 91 m/f 62 ua46 ltovssto 26 ivr 68 45 Hypothesis Study 1 H0: There is no statistical relationship between culture and NPTWDs. H1-6: A statistical relationship exists between culture and NPTWDs. 46 Study 2 Builds on previous research. Sample, 2013. Follow-on study moves from inferential to correlational. Determine if a correlation exists between number of NPTWDs and culture. 47 Hypothesis Study 2 H0: There is no statistical relationship between culture and NPTWDs. H1: A statistical relationship exists between culture and NPTWDs. H2: There is no correlation between NPTWDs and PDI or any other cultural dimension. H3: There is a correlation between NPTWDs and PDI or any other cultural dimension. 48 Variables Independent variable • Culture • Six dimensions defined by Hofstede et al. (2010) — PDI (11-104) — IVC (6-91) — M/F (5-110) — UAI (8-112) — LTO — IVR (0-100) (0-100) Dependent variable: NPTWDs. 49 Results – PDI (Useable Data) PDI With Israel 10 9 8 7 6 5 4 3 2 1 0 low pdi neutral high pdi PDI Without Israel 10 9 8 7 6 5 4 3 2 1 0 low pdi neutral high pdi 50 Results – All Data PDI PDI With Israel PDI Without Israel 10 10 9 9 8 8 7 7 6 6 5 5 4 4 3 3 2 2 1 1 0 low 0 low neutral neutral high high 51 Results – IVR (Useable Data) • Data for this dimension characteristics • Z Test Results z: 0.0307 • Mann-Whitney Results: 0.0655 Sample Data IVR Scores 8 7 6 5 4 3 2 1 0 Restrained Neutral Indulgent 52 Results - UAI All Data Control Data Actual Results All Data Control Group UAI UAI All Data 27.5 9 27 8 26.5 7 6 26 5 25.5 4 3 25 2 24.5 1 24 0 low uai neutral high uai low uai neutral high uai 53 Study 1 Results Peer Reviewed Data - Il Results of Question One Test Without Israel _______________________________________________________________________ Hypothesis # Test Tool Z= p-value Accept/Reject _______________________________________________________________________ (PDI) H10, H11 μ <= 59 Mann-Whitney 2.42 0.0078 Reject (IVC) H10, H12 μ >= 45 Mann-Whitney -2.35 0.0094 Reject (M/F) H10, H13 μ >= 50 Mann-Whitney 0.5714 0.4247 Accept (UAI) H10, H14 μ <= 68 Mann-Whitney -1.33 0.0918 Accept (LTO) H10, H15 μ <= 45 Mann-Whitney 1.15 0.1251 Accept (IVR) H10, H16 μ >= 45 Mann-Whitney -1.51 0.0655 Accept _______________________________________________________________________ 54 Study 1 Results All Data - Il Results of Research Question One Tests without Israel _______________________________________________________________________ Hypothesis # Test Tool Z= p-value Accept/Reject _______________________________________________________________________ (PDI) H10, H11 μ <= 59 Mann-Whitney 2.54 0.0055 Reject (IVC) H10, H12 μ >=45 Mann-Whitney -2.45 0.0071 Reject (M/F) H10, H13 μ <= 50 Mann-Whitney - 0.19 0.4247 Accept (UAI) H10, H14 μ <= 68 Mann-Whitney 1.04 0.1492 Accept (LTO) H10, H15 μ <= 45 Mann-Whitney -0.35 0.3632 Accept (IVR) H10,H16 μ >= 45 Mann-Whitney 0.74 0.2297 Accept _______________________________________________________________________ 55 Results – PDI (Useable Data – IL) Control Data Attack Data Hofstede PDI Distribution 7 6 5 4 3 2 1 0 Actual PDI Results without Israel 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 100-109 100-109 90-99 80-89 70-79 60-69 50-59 40-49 30-39 20-29 10-19 4 3 2 1 0 56 Control Data Hofstede PDI Distribution 8 6 4 2 0 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 100-109 110-119 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 100-109 Results – PDI (All Data – Il) Attack Data PDI All Data - Israel 5 4 3 2 1 0 57 Results IVC (All Data - Il) Control Group Actual Results IVC All Data - Il IVC - Israel 6 Hofstede IVC Distribution 5 4 3 2 1 0 5 4 3 2 0-9 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 1 0 58 Results – UAI (Useable Data) Hofstede UAI Distribution 6 5 4 3 2 1 0 Sample Data Actual UAI Results Without Israel 4 3 3 2 2 1 1 0 0-9 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 100-109 110-119 Control Data 59 Results – IVC (Useable Data) Control Data Hofstede IVC Distribution Attack Data Actual IVC Results without Israel 6 5 5 4 3 2 1 0 4 3 2 90-99 80-89 70-79 60-69 50-59 40-49 30-39 20-29 10-19 0 0-9 0-9 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 1 60 Standard CERT Disclaimer NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder. This Presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free governmentpurpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013. 61 Study 1 Results – All Data Results of Research Question One Tests _______________________________________________________________________ Hypothesis # Test Tool Z= p-value Accept/Reject _______________________________________________________________________ (PDI) H10, H11 μ <= 59 Mann-Whitney 2.08 0.0188 Reject (IVC) H10, H12 μ >=45 Mann-Whitney -2.3 0.0107 Reject (M/F) H10, H13 μ <= 50 Mann-Whitney 0.16 0.4364 Accept (UAI) H10, H14 μ <= 68 Mann-Whitney 0.9 0.1841 Accept (LTO) H10, H15 μ <= 45 Mann-Whitney -0.31 0.3783 Accept (IVR) H10,H16 μ >= 45 Mann-Whitney 0.74 0.2297 Accept _______________________________________________________________________ 62 Control Data Hofstede PDI Distribution 8 6 4 2 0 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 100-109 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 100-109 Study 1 Results – PDI All Data Attack Data PDI All Data 5 4 3 2 1 0 63 Study 1 Results IVC (All Data) Control Group Actual Results IVC All Data IVC Hofstede IVC Distribution 5 4 3 2 1 0-9 10-19 20-29 30-39 40-49 50-59 60-69 70-79 80-89 90-99 0 6 5 4 3 2 1 0 64 Study 1 Results – Peer Reviewed Data Results of Research Question One Tests _______________________________________________________________________ Hypothesis # Test Tool Z(u) p(u) Z(a) p(a) Accept/Reject _______________________________________________________________________ (PDI) H10, H11 μ <= 59 Mann-Whitney 1.91 0.0281 2.08 0.0188 Reject (IVC) H10, H12 μ >=45 Mann-Whitney -2.17 0.015 -2.3 0.0107 Reject (M/F) H10, H13 μ <= 50 Mann-Whitney 0.5753 0.4247 0.16 0.4364 Accept (UAI) H10, H14 μ <= 68 Mann-Whitney -1.16 0.123 0.9 0.1841 Accept (LTO) H10, H15 μ <= 45 Mann-Whitney 1.15 0.1251 -0.31 0.3783 Accept (IVR) H10,H16 μ >= 45 Mann-Whitney -1.51 0.0655 0.74 0.2297 Accept _______________________________________________________________________ 65
